Category: HIPAA

Overlapping Regulations for Confidentiality Regarding Substance Abuse Treatment

Our starting point is that privacy and confidentiality are important in any type of treatment but in connection with substance abuse and addiction treatment, there is a need for some enhanced protections. The United States Court of Appeals for the First Circuit has stated that “[t]he express purpose” of federal initiatives in this area was “to encourage patients to seek treatment for substance abuse without fear that by so doing their privacy will be compromised.” United States v. Cresta, 825 F.2d 538, 551-52 (1st Cir. 1987). The collateral stigmas for an individual and the family are of such great concern that they can be obstacles to even seeking treatment. Reputations are at risk for having the disease and jobs or work opportunities may be jeopardized. Family members will be embarrassed. Federal regulations involving the HIPAA Privacy Rule and special provisions for substance abuse treatment programs recognize these concerns. While there have been efforts to align these two regulatory systems, it is important to recognize that these regulations intersect, overlap, and sometimes supersede each other. In addition, state licensing or regulatory provisions may have stricter requirements or may, as in New Jersey (N.J.A.C. 10:161B-3.6(b)(5)), incorporate the Federal standards.

HIPAA is the first body of regulations concerning medical privacy that comes to mind for most persons. But historically speaking, it is not. The Health Insurance Portability and Accountability Act (HIPAA), 42 USC §1320d, enacted in 1996, directed the Secretary of Health and Human Services and the Attorney General to develop guidelines that “appropriately protect the confidentiality of the information and the privacy of individuals receiving health care services.” This eventually led to the release of the Privacy Rule in 2002 with an April 13, 2003 effective date and codification at 45 CFR Parts 160 and 164. In contrast, the restrictions on disclosures concerning substance abuse treatment have their origins in the 1970 Comprehensive Alcohol Abuse and Alcoholism Prevention, Treatment and Rehabilitation Act and the 1972 Drug Abuse and Prevention, Treatment and Rehabilitation Act, with implementing regulations issued by the then Department of Health, Education and Welfare in 1975 with various revisions and supplements. The pertinent statute is 42 USC §290dd-2 with regulations now codified at 42 CFR Part 2.

As with the HIPAA regulations, there have been some recent amendments to the 42 CFR Part 2 regulations. 82 Fed. Reg. 6052 (Jan. 18, 2017). The most recent update was to go into effect as of February 17, 2017 but was delayed to March 21, 2017 by virtue of the 60-day regulatory freeze issued by the Trump Administration on January 20. The amendments were intended to make the Part 2 regulations more consistent with HIPAA. Differences persist with the potential for resulting confusion.

Here is one starkly clear reality: violation of the substance abuse treatment restrictions is a federal crime with a fine to be imposed pursuant to Title 18 of the United States Code.  42 USC §290dd-2(f). While both sets of regulations cover similar material, there are points of difference. But a reasonably valid heuristic in choosing between HIPAA and Part 2, with a slight refinement, is: Whichever standard is stricter — usually 42 CFR Part 2 — and provides the greater privacy protection should be applied.

Here is the refinement to that problem-solving heuristic. While HIPAA covers the health care industry broadly, the provisions of 42 CFR Part 2 only apply to “federally assisted” drug and alcohol “programs.” These are defined terms in 42 CFR 2.11. Thus, the records of a primary care physician who is not held out as providing alcohol or drug abuse treatment are not covered. The special confidentiality provisions would not apply to a hospital except to an identified unit that has a “primary function” of providing substance abuse diagnosis, treatment or referral. Similarly, the rules would not apply to an emergency room. See generally Center for Legal Advocacy v. Earnest, 320 F.3d 1107 (10th Cir. 2003); United States v. Zamora, 408 F.Supp.2d 295 (S.D. Tex. 2006). The applicability of Part 2 requires not only a “program” as defined in the regulation but also that the program be “federally assisted.” Federal funding is, of course, endemic in health care and the definition in 42 CFR 2.12(b) is consistent with that reality, but being “federally assisted” must be confirmed.

The basic HIPAA rule of thumb is that except in connection with disclosures to the individual whose health information is at issue or to HHS or its Office for Civil Rights enforcement arm, a covered entity should not make any use or disclosure without a patient’s authorization unless permitted by the Privacy Rule. However, in addition to the broad approval for use or disclosure for treatment, payment or operations (TPO) without patient authorization, there are quite a few permissive disclosures without patient authorization set forth in 45 CFR 164.512, including such circumstances as public health activities and oversight, judicial and administrative proceedings, law enforcement purposes, and reporting crimes. The Part 2 regulations, on the other hand, are much stricter and more limited than what is allowed under HIPAA. Disclosures without a patient’s consent are allowed in the following circumstances:

  • Communications among program personnel
  • Communications between a program and a Qualified Service Organization
  • Crimes on program premises or against program personnel but without an exception for the duty to warn others unless the threatened violence is against program personnel.
  • Reports of suspected child abuse and neglect limited to making the initial report with any disclosure for subsequent investigation not permitted in the absence of a court order or signed authorization.
  • Medical emergencies involving an immediate threat to the health of the patient requiring immediate medical intervention.
  • Scientific research
  • Audits and evaluation activities
  • Court order, which must comply with special requirements set forth in the regulations.

Moreover, in the absence of consent or the special court order, the regulations in 42 CFR 2.13(c) prohibit a substance abuse treatment facility from even acknowledging that a particular individual is a patient.

Another instance of a stricter standard in Part 2 can be found in connection with a consented-to disclosure. 42 CFR 2.31 requires written voluntary consent. A verbal consent is inadequate. The consent document must contain ten elements specified in the regulation. Furthermore, under the provisions of the HIPAA Privacy Rule found at 45 CFR 164.508(c)(2) information that is disclosed pursuant to an authorization has the potential for being re-disclosed and no longer subject to HIPAA privacy protection. In contrast, an authorized disclosure under Part 2 must be accompanied by an explicit statement that further disclosure of information that identifies a patient as having or being treated for a substance use disorder is prohibited. 42 CFR 2.32(a).

HIPAA covers “protected health information” (PHI) and “individually identifiable health information” (IIHI). The Part 2 regulations speak in terms of “records” which term is defined in 42 CFR 2.11 as “any information” whether recorded or not, created by, received, or acquired by a Part 2 program relating to a patient whether involving diagnosis, treatment, referral for treatment, billing, emails, voice mails, and texts. For the purpose of the regulations “records” include both paper and electronic records.

Both HIPAA and Part 2 address disclosures in connection with judicial proceedings and various law enforcement activities. Although there are few judicial decisions concerning 42 CFR Part 2, there is a lucid and helpful discussion by the Connecticut Superior Court in Briggs v. Winter, 2014 Conn. Super. LEXIS 1292, 2014 WL 2922643, of these “two discrete but complementary federal statutory schemes” in the civil context. The HIPAA approaches of “satisfactory assurances” concerning civil subpoenas and the effectiveness of grand jury subpoenas without a court order are inadequate for substance abuse records. The statutory standard found in 42 USC §290dd-2 requires a showing of “good cause.” The Part 2 regulations more specifically set forth separate requirements for what constitutes “good cause” as to the court orders to be issued in connection with disclosures for noncriminal purposes such as civil law suits and those for criminal investigations and prosecutions of patients as well as for investigations or prosecutions of Part 2 programs or employees including the use of undercover agents. Under 42 CFR 2.64, the criteria for entry of an order authorizing disclosure for a noncriminal matter require a finding of “good cause” with determinations (1) that other ways of obtaining the information are not available or would not be effective and (2) that the public interest and need for the disclosure outweigh the potential injury to the patient, the physician-patient relationship and the treatment services. In connection with disclosures for criminal matters, the criteria in 42 CFR 2.65 are more extensive and “all” must be met. The threshold is that the crime involved is extremely serious, such as one which causes or directly threatens loss of life or serious bodily injury including homicide, rape, kidnapping, armed robbery, assault with a deadly weapon, and child abuse and neglect. Next, there must be a reasonable likelihood that the records will disclose information of substantial value in the investigation or prosecution along with a demonstration that other ways of obtaining the information are not available or would not be effective. As part of the evaluation, the court must determine that the potential injury to the patient, to the physician-patient relationship and to the ability of the Part 2 program to provide services to other patients is outweighed by the public interest and the need for the disclosure. Lastly, if the applicant is a law enforcement agency or official, the person holding the records must have been afforded the opportunity to be represented by independent counsel; and any person holding the records which is an entity within federal, state, or local government must in fact have been represented by counsel independent of the applicant.

In connection with any contemplated disclosure, there are several questions to be posed which include at least the following. Can or should patient authorization be obtained? Is there an exception for disclosure without patient authorization? Is the recipient to whom the disclosure is to be made pursuant to an exception authorized under the regulations to receive the information?

American society has long placed significant value on a private sphere protected from intrusion. In addition, bioethical principles of nonmaleficence — the doing of no harm — and respect for persons call for safeguarding personal privacy and placing importance on individual autonomy. In follow-up at another time or in another place, musings on whether or not privacy and confidentiality really exist in this era might be appropriate.

Breach of Medical Confidentiality and Privacy Claims

On July 12, 2017, the New Jersey Appellate Division issued an opinion in the case of Smith v. Datla, which involved the question of how much time a party has to file a lawsuit arising out of the unauthorized disclosure of private medical information. The court ruled that the appropriate statute of limitations period was two years.  In the opinion the court reiterated New Jersey’s adherence to the widely held rule that there is no private right of action under the Federal HIPAA rule but clarified that conduct that violates HIPAA regulatory provisions provides a state law claim for disclosure of the patient’s protected health information. While the decision is currently binding precedent in New Jersey, it could be appealed to the New Jersey Supreme Court for further review.

The appeal was presented on a somewhat limited factual record.  The plaintiff, identified by the pseudonym of John Smith, was a hospitalized patient.  The physician, a board-certified nephrologist, was treating the patient for acute kidney failure.  During an emergency bedside consultation with John Smith in his private hospital room, the doctor discussed his medical condition including the patient’s HIV-positive status.  It is not clear if this was an established diagnosis or newly conveyed information. The conversation took place while “an unidentified third party” was in the room.  In a footnote the court stated that “[t]he record does not reveal the third party’s identity nor his or her relationship to plaintiff.” Plaintiff claimed that the HIV disclosure was without his consent. The plaintiff further claimed that the disclosure caused him to endure pain and suffering, emotional distress, other emotional injuries and insult, and permanent injury with physiological consequences.

That third party’s identity and relationship to the patient may become an important factor in the eventual outcome of this case. The HIPAA Privacy Rule specifically permits covered entities to share information that is directly relevant to the involvement of a spouse, family members, friends, or other persons identified by a patient, in the patient’s care or payment for health care. If the patient is present, or is otherwise available prior to the disclosure, and has the capacity to make health care decisions, the covered entity may discuss this information with the family and these other persons if the patient agrees or, when given the opportunity, does not object. The covered entity may also share relevant information with the family and these other persons if it can reasonably infer, based on professional judgment, that the patient does not object.

On an admittedly “limited record,” the court evaluated the consequences of this disclosure, which took place on July 25, 2013, with the lawsuit having been filed on July 1, 2015.

Ultimately, following motion practice, the plaintiff’s amended complaint asserted three causes of action: (1) invasion of privacy based on public disclosure of private facts; (2) medical malpractice based on the improper disclosure; and (3) violation of the AIDS Assistance Act, N.J.S.A. 26:5C-1 to -14.

Defendant filed a new motion to dismiss on the grounds that all three claims were barred by the one-year statute of limitations found in N.J.S.A. 2A:14-3 where the complaint had been filed nearly two years after the incident.  Arguing that all three claims were predicated on the public disclosure of private facts, defendant contended that they should be subject to the same statute of limitations.  Defendant noted that there was no specific statute of limitations for the public disclosure of private facts, but analogized that type of invasion of privacy claim to claims for placing plaintiff in a false light in the public eye and defamation.  This motion was denied by the trial court with leave to appeal granted.

The Appellate Division engaged in an extended analysis leading to the rejection of defendant’s contention.  It invoked the classic comments of Professor William Prosser regarding invasion of privacy being “not one tort, but a complex of four.”

The law of privacy comprises four distinct kinds of invasion of four different interests of the plaintiff, which are tied together by the common name, but otherwise have almost nothing in common except that each represents an interference with the right of the plaintiff to “be left alone.” [Quoting William L. Prosser, The Law of Torts § 112 (3d ed. 1964).]

The four branches of Prosser’s taxonomy of the privacy tort included (1) intrusion, (2) public disclosure of private facts, (3) placing a person in a false light in the public eye, and (4) appropriation of the plaintiff’s name or likeness for the defendant’s benefit. The court observed that the limitations period for the public disclosure of private facts was an “unresolved issue” in New Jersey. In Rumbauskas v. Cantor, 138 N.J. 173 (1994), the Supreme Court had held that the limitations period for the intrusion on seclusion type of privacy tort was two years and approved the use of a six-year period for actions based on appropriation of a person’s name or likeness for the benefit of the defendant. In commenting on varying limitations periods for the different types of privacy torts, it had stated:

The limitation periods applicable to actions involving other types of invasion of privacy are not before us. … Regarding actions for public disclosure of private facts or placing one in a false light, case law in other jurisdictions indicates that such actions are subject to the limitations period for defamation claims, which is one year in New Jersey. [Id. at 183.]

In rejecting the defense contention in Smith v. Datla for use of the one-year limitations period for public disclosure of private facts, the key factor in the court’s analysis is that the essential element of a defamation action is the dissemination of false information. Here the private facts that were disclosed were true. The court emphasized the heightened protection afforded to a person’s HIV and AIDS status in various contexts including the New Jersey Law Against Discrimination (LAD), the New Jersey Civil Rights Act, and actions under Section 1983 for deprivation of federally protected civil rights. All of these claims were subject to a two-year statute of limitations.

This heightened protection was also embodied in the AIDS Assistance Act, which required that records regarding this infection were to be kept confidential and disclosed only with a person’s “prior written informed consent” in limited circumstances. The Act provided for a private cause of action including compensatory and punitive damages as well as attorneys’ fees. The Act did not set forth a particular statute of limitations, but the court concluded that this statutory-based action was analogous to the public disclosure of private facts tort for which it had determined there was a two-year statute of limitations.

The court went through a similar analysis with regard to the medical malpractice claim. Describing such a claim generally as a deviation from an accepted standard of care, it referred to the HIPAA requirements that health care providers protect personal medical information from unauthorized disclosure as well as the mandate of the AIDS Assistance Act. Aside from these statutorily-based obligations, the court referred to “the common law duty to maintain the confidentiality of patient records and information.” It cited several prior cases involving breaches of physician-patient confidentiality. Curiously, the court did not refer to Crescenzo v. Crane, 350 N.J. Super. 531, 541-44 (App. Div.), certif. denied, 174 N.J. 364 (2002), which had involved a physician releasing patient records to a lawyer in response to an improperly issued subpoena. In concluding that there was “a viable cause of action” against the physician, the Crescenzo court had referred to the Board of Medical Examiners’ regulations mandating confidentiality of patient records.

In concluding that this claim also was within the two-year statute of limitations in N.J.S.A. 2A:14-2, the court stated:

The breach of a physician’s duty to maintain the confidentiality of his patient’s medical records is a deviation from the standard of care, giving rise to a personal injury claim based upon negligence, not defamation or placing plaintiff in a false light.

In addition, plaintiff’s claim for medical malpractice is most analogous to the category of invasion of privacy claims that are grounded on an allegation that defendant improperly disclosed private facts concerning the plaintiff to a third party.

The court affirmed the denial of the motion to dismiss.

The Appellate Division in its comprehensive opinion nonetheless placed too much emphasis on the categorization of the privacy tort as articulated by Professor Prosser. Prosser’s contributions to the development of tort law regarding privacy are widely acknowledged.  However, his “taxonomy” of the privacy tort has been criticized as too restrictive and omitting other important interests.  Neil M. Richards & Daniel J. Solove, Prosser’s Privacy Law: A Mixed Legacy, 98 Calif. L. Rev. 1887, 1891 (2010).  One of these omissions is the tort of breach of confidence.  “This tort provides a remedy whenever a person owes a duty of confidentiality to another and breaches that duty.” Id. at 1909. See generally Daniel J. Solove & Neil M. Richards, Privacy’s Other Path: Recovering the Law of Confidentiality, 96 Geo. L.J. 123 (2007).  This tort is well recognized in a variety of professional settings.

At the end of the day, this case is a further illustration of the importance of sensitivity to a patient’s right of privacy.  It is difficult to accept that the defendant was informing the patient for the first time that he had AIDS and presumably the patient was already aware of that diagnosis as a backdrop for the discussion of his current condition. A brief time-out in which the physician either asked the third party to leave the room or during which the patient was asked if he wanted that person to remain during the discussion could have avoided this litigation.

OCR and FTC Detail Overlapping Interests Between HIPAA and the FTC Act

On October 21, 2016, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) and the Federal Trade Commission (FTC) issued joint guidance highlighting the agencies’ common interest in protecting individuals’ health information.

The health care industry is familiar with the restrictions on use and disclosure of protected health information (PHI) imposed by HIPAA.  In general, other than as required by the HIPAA Privacy Rule or for treatment, payment or health care operations, HIPAA requires a valid, signed authorization from the individual before any further use or disclosure of their PHI can occur.   This authorization must be in “plain language,” not be combined with any other type of authorization, and include specific terms and descriptions of the information sought and the proposed use or disclosure.

The FTC’s interest in the healthcare sector’s information security practices is less well known, however.  Many may be surprised by the FTC’s longstanding position that its broad power to regulate unfair and deceptive practices under Section 5 of the FTC Act includes overlapping jurisdiction with OCR concerning the privacy and security practices of HIPAA-regulated entities.

The FTC Act prohibits a contemplated use or disclosure of health information from being a “deceptive or unfair” act or practice.  Among other things, this means that individuals may not be “mislead” about how their PHI may be being used or disclosed.   The FTC therefore recommends that entities consider all of their consumer-facing messaging to ensure it is free from any deceptive or misleading statements.   Moreover, the FTC explicitly cautions against burying key facts regarding use and disclosure of health information in links to a privacy policy, terms of use, or HIPAA authorizations.  It also warns against manipulating font sizes or colors online in a manner which would make disclosure statements deceptive.  Instead, it recommends that all disclosure statements be “clear and conspicuous” from a consumer’s perspective.

OCR and the FTC have a history of collaboration and joint enforcement in the security area.  In February 2009, OCR entered into a $2.25 million settlement agreement with CVS Pharmacy, Inc. (CVS) and required implementation of a detailed corrective action plan to ensure the proper disposal of PHI.  Simultaneously, in a separate but related agreement, CVS resolved FTC charges that it failed to implement reasonable and appropriate procedures for handling personal information about customers and employees, did not adequately train employees, did not use reasonable measures to assess compliance with its policies and procedures for disposing of personal information, and did not employ a reasonable process for discovering and remedying risks to personal information.

A year later, in July 2010, Rite Aid Corporation entered into a similar resolution agreement, paying $1 million to OCR and implementing a corrective plan of action while simultaneously settling an FTC complaint which alleged it failed to properly dispose of personal information, inadequately trained employees, did not sufficiently assess compliance with its disposal policies, and did not employ a reasonable process for discovering and remedying risks to personal information.

In addition, the FTC has not hesitated to bring enforcement actions on its own against healthcare entities. Most notably, the FTC has doggedly pursued LabMD, a former clinical laboratory which no longer operates, for failure to protect patients’ sensitive personal information. This resulted in a July 2016 unanimous opinion from the FTC which found LabMD’s security practices unreasonable, “lacking even basic precautions to protect the sensitive consumer information maintained on its computer system.” A motion to stay the FTC’s enforcement order has recently been filed in the Eleventh Circuit by LabMD. See LabMD, Inc. v. FTC, 11th Cir., No. 16-16270, motion to stay filed, Oct. 7, 2016.

It remains to be seen whether this recent joint statement from OCR and FTC foreshadows a more robust collaboration between the two agencies which builds on their efforts in the CVS and Rite Aid cases and expands into the HIPAA Privacy Rule area.  Even if that does not immediately occur, the FTC remains active in pursuing cases on its own, such as LabMD.  Whatever the outcome, businesses in the healthcare sector should remain sensitive to the FTC’s mandates, along with those from OCR.

HIPAA Enforcement At All-Time High So Far in 2016

Still with four months to go, 2016 has been a record-setting year for HIPAA enforcement by the U.S. Department of Health and Human Services Office for Civil Rights (OCR). Before September even begins, OCR has already levied over $20 million in fines resulting from its investigation of suspected HIPAA violations. This amount more than triples the $6.2 million in HIPAA penalties which it assessed for all of 2015. These enforcement actions included both the first-ever settlement of possible HIPAA violations by a Business Associate and the largest single fine of $5.5 million for suspected HIPAA violations.

In addition, OCR has recently begun an initiative to more widely investigate the root causes of breaches affecting fewer than 500 individuals. While Regional Offices will still retain discretion to prioritize which smaller breaches to investigate, each office will increase its efforts to identify and obtain corrective action to address entity and systemic noncompliance related to these breaches.   The factors that OCR’s Regional Offices will consider in this manner include:

  • The type and size of the breach, including the amount, nature, and sensitivity of the PHI involved;
  • Whether the breach involved theft or improper disposal of unencrypted PHI;
  • Breaches that involve unwanted intrusions to IT systems (for example, by hacking);
  • A particular covered entity or business associate’s breach history;
  • Lack of breach reports affecting fewer than 500 individuals when comparing a specific covered entity or business associate to like-situated covered entities and business associates.

This flurry of enforcement activity has occurred against the backdrop of “Phase 2” desk and onsite audits of approximately 200 – 250 covered entities and their business associates which will examine compliance with specific requirements of the Privacy, Security, or Breach Notification Rules. In particular, these audits will focus on the contents of Notices of Privacy Practices, individuals’ rights to access protected health information, risk analysis, risk management, and timeliness and content of breach notification. There will also be a limited number of comprehensive on-site audits. All audits are expected to be completed by December 31, 2016.

Even if not selected for an audit, covered entities and business associates would be well-advised to review the Audit Protocol available through the HHS website, ensure their internal list of business associates is current, and review, and if necessary update, their risk analysis and risk management in light of recent developments, particularly the proliferation of ransomware attacks targeting the health industry.

OCR Issues HIPAA Guidance on Ransomware Threat to Health Care Industry

U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) has published a HIPAA Fact Sheet, outlining the multi-faceted threat which ransomware poses to the health care sector and providing insights into how this threat may affect HIPAA compliance.  In this publication, OCR states that a ransomware attack, even on encrypted devices, may result in a reportable breach of electronic Protected Health Information (“ePHI”).  In light of this, covered entities and business associates should consider revisions to their risk assessment plans specifically directed at countering ransomware attacks.

Ransomware is an increasingly rampant type of malware that encrypts data with a complex “key” known only to the hacker, making data, and possibly entire information systems such as EHRs or scheduling programs, inaccessible to authorized users. Once ransomware has taken hold, hackers demand a payment before providing the key required to decrypt the affected files. Ransomware frequently infects devices and systems when unsuspecting users click on malicious website links or open infected email attachments.

OCR’s guidance states that ransomware infections of a computer system are a “security incident” under HIPAA. As a result, once ransomware is detected, the covered entity or business associate must initiate its HIPAA-mandated security incident response and reporting procedures. In addition, it should also assess whether or not a “breach” has occurred. As defined by HIPAA regulations, a breach occurs with “the acquisition, access, use, or disclosure of PHI in a manner not permitted under the [rules governing PHI] which compromises the security or privacy of the PHI.” Whether ransomware infections meet this definition is a fact-sensitive question.

According to OCR’s recent guidance, ransomware represents an unauthorized user’s attempt to encrypt the data, which amounts to an “acquisition,” and therefore impermissible disclosure, under HIPAA. At this point, a risk assessment is required to determine whether there is a “low probability” that a breach has occurred, taking into account the following factors:  (1) the nature and extent of ePHI involved; (2) the unauthorized person who used ePHI or to whom the disclosure was made; (3) whether the ePHI was actually acquired or viewed; and (4) the extent to which the risk to ePHI has been mitigated.  If a “low probability” of compromise cannot be demonstrated, then a breach has occurred and HIPAA’s Breach Notification Rule is triggered.

If encrypted data is involved, the question of whether or not a breach has occurred becomes more complicated and depends, in part, on the technical aspects of the particular encryption used. Because the Breach Notification Rule only applies to “unsecured PHI,” meaning PHI “that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary,” properly encrypted PHI, even if stolen, usually does not constitute a “breach.” However, additional analysis is still required to ensure that the encryption solution, as implemented, is effective. For example, a full disk encryption solution may render the data on a computer system’s hard drive unreadable, unusable and indecipherable to unauthorized persons while the computer system is powered down. However, once the system is operational, many full disk encryption solutions will transparently decrypt and encrypt files accessed by the user. Thus, an authenticated user who accidentally infects the system with ransomware may cause a breach of ePHI, because the ransomware runs with that user’s access and sees the files in decrypted form. Despite having encryption protection in place, therefore, sophisticated ransomware can result in a breach of ePHI which is reportable under HIPAA.

HIPAA already requires covered entities and business associates to implement security measures to prepare for, respond to, and recover from ransomware and other malware attacks. Some of these required security measures include: implementing a security management process, which includes conducting a risk analysis to identify threats and vulnerabilities to ePHI and implementing security measures to mitigate or remediate those identified risks; implementing procedures to guard against and detect malicious software; training users on malicious software protection so they can assist in detecting malicious software and know how to report such detections; and implementing access controls to limit access to ePHI to only those persons or software programs requiring access.
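One of the measures listed above is a procedure to detect malicious software. As an added example (not code from the original post or from OCR), the following Python script applies a simple detection heuristic to constructed file-audit log lines: it flags any user/process pair that renames many files with an extension change inside a short window, the file-system footprint that ransomware typically leaves. The log format, the user and process names, the 60-second window and the threshold of 5 renames are all assumptions made for this example.

```python
"""Heuristic detection of mass extension-changing renames over constructed
file-audit log lines.

Added example; not code from the original post or from OCR. The log format,
the user and process names, the window and the threshold are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import os

WINDOW = timedelta(seconds=60)   # assumed window length
THRESHOLD = 5                    # assumed renames-with-extension-change per window

# Constructed sample log: "<timestamp> <user> <process> <action> <path> [<new path>]"
SAMPLE_LOG = """\
2016-07-11T09:00:01 alice winword.exe WRITE /srv/shares/clinic/note_101.docx
2016-07-11T09:00:05 alice winword.exe WRITE /srv/shares/clinic/note_102.docx
2016-07-11T09:15:00 bob svchost32.exe RENAME /srv/shares/clinic/note_101.docx /srv/shares/clinic/note_101.docx.locked
2016-07-11T09:15:03 bob svchost32.exe RENAME /srv/shares/clinic/note_102.docx /srv/shares/clinic/note_102.docx.locked
2016-07-11T09:15:06 bob svchost32.exe RENAME /srv/shares/clinic/labs_2015.xlsx /srv/shares/clinic/labs_2015.xlsx.locked
2016-07-11T09:15:09 bob svchost32.exe RENAME /srv/shares/clinic/intake.pdf /srv/shares/clinic/intake.pdf.locked
2016-07-11T09:15:12 bob svchost32.exe RENAME /srv/shares/clinic/ct_0443.dcm /srv/shares/clinic/ct_0443.dcm.locked
2016-07-11T09:15:15 bob svchost32.exe RENAME /srv/shares/clinic/ct_0444.dcm /srv/shares/clinic/ct_0444.dcm.locked
2016-07-11T10:02:00 carol explorer.exe RENAME /srv/shares/clinic/scan.tmp /srv/shares/clinic/scan.pdf
"""


def parse_events(text):
    """Parse the constructed log format into (ts, user, proc, action, src, dst) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split()
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
        user, proc, action, src = parts[1], parts[2], parts[3], parts[4]
        dst = parts[5] if action == "RENAME" else None
        events.append((ts, user, proc, action, src, dst))
    return events


def extension_changed(src, dst):
    """True when a rename alters the file extension (e.g. .docx -> .locked)."""
    return os.path.splitext(src)[1].lower() != os.path.splitext(dst)[1].lower()


def find_mass_rename(events, window=WINDOW, threshold=THRESHOLD):
    """Return {(user, proc): (max_count_in_window, window_start_iso)} for actors
    whose extension-changing renames reach the threshold inside the window."""
    by_actor = defaultdict(list)
    for ts, user, proc, action, src, dst in events:
        if action == "RENAME" and extension_changed(src, dst):
            by_actor[(user, proc)].append(ts)

    alerts = {}
    for actor, stamps in by_actor.items():
        stamps.sort()
        start, best, best_first = 0, 0, None
        for end, ts in enumerate(stamps):          # sliding window over sorted times
            while ts - stamps[start] > window:
                start += 1
            count = end - start + 1
            if count > best:
                best, best_first = count, stamps[start]
        if best >= threshold:
            alerts[actor] = (best, best_first.isoformat())
    return alerts


def main():
    for (user, proc), (count, first) in find_mass_rename(parse_events(SAMPLE_LOG)).items():
        print(f"ALERT user={user} process={proc} renames={count} window_start={first}")


if __name__ == "__main__":
    main()
```

Only the `bob`/`svchost32.exe` burst is reported; the single legitimate rename by `carol` stays under the threshold. In practice the window and threshold would be tuned against a baseline of normal activity on the file share, and an alert would feed the incident-response procedure the guidance requires.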

With respect to recovery from a ransomware infection, covered entities should maintain offline backups of data and conduct periodic test restorations to verify the integrity of backed-up data. HIPAA requires covered entities to have a data backup plan as well as security incident procedures.
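As an added example of the test-restoration step described above (this is not code from the original post), the following Python script records a SHA-256 manifest when a backup set is written and later checks a restored copy against it, reporting files that are missing, altered or unexpected. The directory layout and file contents are constructed inside a temporary directory so the script runs offline; the manifest file name is an assumption.

```python
"""Backup manifest creation and test-restore verification.

Added example, not code from the original post. Sample files are constructed
in a temporary directory; "manifest.json" is an assumed file name.
"""
import hashlib
import json
import os
import shutil
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 so large backup members do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root, '/'-separated) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def save_manifest(manifest, path):
    # The manifest must live apart from the backup media it describes;
    # otherwise corruption or tampering of the media can alter both together.
    with open(path, "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)


def load_manifest(path):
    with open(path) as f:
        return json.load(f)


def verify_restore(restored_root, manifest):
    """Compare a restored tree with the manifest and report every discrepancy."""
    actual = build_manifest(restored_root)
    missing = sorted(set(manifest) - set(actual))
    unexpected = sorted(set(actual) - set(manifest))
    altered = sorted(p for p in manifest if p in actual and actual[p] != manifest[p])
    return {"missing": missing, "altered": altered, "unexpected": unexpected,
            "ok": not (missing or altered or unexpected)}


def write(path, text):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write(text)


def demo():
    """Build a constructed backup set, then verify one clean and one damaged restore."""
    work = tempfile.mkdtemp()
    try:
        src = os.path.join(work, "backup")
        write(os.path.join(src, "index.txt"), "index v1")
        write(os.path.join(src, "records", "a.txt"), "alpha")
        write(os.path.join(src, "records", "b.txt"), "bravo")

        manifest_path = os.path.join(work, "manifest.json")   # kept outside the backup tree
        save_manifest(build_manifest(src), manifest_path)
        manifest = load_manifest(manifest_path)

        good = os.path.join(work, "restore_good")
        shutil.copytree(src, good)

        bad = os.path.join(work, "restore_bad")
        shutil.copytree(src, bad)
        write(os.path.join(bad, "records", "a.txt"), "alpha-corrupted")  # silent corruption
        os.remove(os.path.join(bad, "records", "b.txt"))                  # lost member
        write(os.path.join(bad, "records", "extra.txt"), "stray file")    # not in the set

        return verify_restore(good, manifest), verify_restore(bad, manifest)
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    good_result, bad_result = demo()
    print("clean restore:", good_result)
    print("damaged restore:", bad_result)
```

A scheduled job that restores a sample of each backup set to scratch storage and runs `verify_restore` against the stored manifest gives the periodic, evidence-producing integrity check the text calls for; the verification report is also the kind of record an auditor will ask to see.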

An interagency U.S. Government report reveals that there have been 4,000 daily ransomware attacks since early 2016, a remarkable 300% increase from this period last year. With health information systems containing vital information for daily operation as well as highly personal information of their patients, the health care sector has been a growing target of ransomware.  The OCR’s new guidance recognizes this threat, and clarifies the implications that it carries for covered entities and business associates.

Questions Regarding “Minimum Necessary,” Physical Controls, and Encryption Follow Insurer’s “Ongoing Search” for Six Hard Drives Containing PHI of 950,000 Individuals

A major health insurer announced an “ongoing comprehensive internal search” for six hard drives containing the PHI (name, address, date of birth, social security number, member ID number and “health information”) of approximately 950,000 individuals who received laboratory services from 2009 through 2015. According to the announcement, the hard drives were used in an internal data project which analyzed laboratory results with the goal of improving health outcomes.

This incident raises two potential topics of interest under HIPAA. First, could a data set containing fewer identifiers, or de-identified data, have been used for this project? If de-identified information had been used, the loss of the hard drives would be less damaging and possibly not a “breach” under HIPAA. The post-breach risk assessment should attempt to answer this question and make policy recommendations that require a critical assessment of whether and to what extent PHI beyond the “minimum necessary” is required for future similar projects.

If it was necessary to use the complete data set of PHI contained on the lost hard drives, additional security precautions, such as enhanced physical security tracking measures and encryption, should have been considered and implemented.  Physical security tracking that restricted or linked the physical movement of the hard drives to a particular location or individual could be enhanced with a requirement that the location and custody of media containing PHI be periodically verified, especially if the PHI of nearly a million individuals is potentially in play.  Although there seems to have been some process along these lines in place in light of the “ongoing comprehensive internal search,” there is no indication of the last date on which the location of the hard drives can be verified.

In addition, the decision to apparently not encrypt the hard drives should also be examined. Encryption remains an addressable implementation specification under HIPAA; it must therefore be implemented if, after a risk assessment, the entity has determined that the specification is a reasonable and appropriate safeguard in its risk management of the confidentiality, integrity and availability of ePHI. See 45 CFR § 164.312(a)(2)(iv) and (e)(2)(ii). If the entity decides that encryption, as an addressable implementation specification, is not reasonable and appropriate, it must document that determination and implement an equivalent alternative measure, presuming that the alternative is reasonable and appropriate. If the standard can otherwise be met, the covered entity may choose to not implement the implementation specification or any equivalent alternative measure and document the rationale for this decision.

With the relative ease and speed of modern encryption applications that are available across a variety of platforms, from smart phones and tablets, to flash drives and individual hard drives, to back-up media, not encrypting data, whether it is in use, in motion, or at rest, is becoming increasingly difficult to defend from a technical standpoint.

The unexplained disappearance of devices or storage media containing unencrypted PHI through inadvertence, malicious theft, or other physical loss remains a vexing problem for covered entities. Two relatively simple strategies to avoid the serious harm that could result from such an occurrence are eliminating the use of PHI when possible, and implementing robust tracking and encryption protocols for those instances when PHI is truly necessary.

OCR Assesses Over $5 Million in HIPAA Penalties, Formally Announces Phase 2 Audits

Coming in like the proverbial March lion, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently announced two Resolution Agreements and penalties totaling over $5 million and the launch of its long-awaited 2016 Phase 2 HIPAA Audit Program.

Lack of Encryption and Other Failings Lead to Substantial HIPAA Fines

Both recently announced resolution agreements arise from familiar facts involving the theft of an unencrypted laptop computer containing electronic protected health information (ePHI) from a vehicle.

On March 17, 2016, OCR announced the $1.55 million settlement of potential HIPAA violations arising from the theft of an unencrypted, password-protected laptop containing the ePHI of 9,497 individuals from a business associate’s locked vehicle in September 2011. Upon investigation it was discovered that no business associate agreement existed between the covered entity and its business associate which was tasked with providing payment and health care operations activities and had access to almost 300,000 patients’ data. It was further determined that the covered entity had not performed a risk assessment as required by the Security Rule to address all potential risks and vulnerabilities to the ePHI which it maintained, accessed, or transmitted across its entire IT infrastructure. In addition to the $1.55 million fine, a two-year corrective action plan and workforce retraining are required under the settlement.

The next day, on March 17, 2016 OCR announced a near-record $3.9 million settlement resolving potential HIPAA violations with a research institute arising from a laptop computer stolen in September 2012 which contained the ePHI of approximately 13,000 patients and research participants. A subsequent investigation discovered that among other deficiencies, the institution had inadequate security practices, lacked policies and procedures regarding access to ePHI, failed to implement safeguards to restrict access to unauthorized users, and lacked policies and procedures to govern the receipt and removal of laptops that contained ePHI into and out of its facilities.

As we have previously noted on this blog, robust encryption is quickly becoming industry standard, and there are few reasons not to implement it for mobile devices such as laptops. Had the laptops been properly encrypted as part of a larger risk assessment and risk management plan, these losses would not have constituted reportable “breaches” for HIPAA purposes.

2016 Phase 2 HIPAA Audit Program Formally Launches

On March 21, 2016, OCR announced the formal beginning to the long-awaited 2016 Phase 2 HIPAA Audit Program (the “Phase 2 Audits”) through which it will review the policies and procedures adopted and employed by covered entities and their business associates to meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules.

As this blog previously reported, the Phase 2 Audits will primarily be “desk audits,” meaning that they will be conducted through information requests sent by OCR via email to selected covered entities and business associates, although a limited number of on-site audits will also be conducted.

The audit process will begin with verification of an entity’s address and contact information, followed by a pre-audit questionnaire to gather data about the size, type, and operations of potential auditees; this data will be used with other information to create potential audit subject pools. If no response is received by email, OCR will use publicly available information about the entity to create its audit subject pool. Thus, entities that do not respond to OCR emails may still be selected for an audit or be subject to a compliance review. Spam filters should be carefully reviewed to ensure that OCR communications are not inadvertently discarded.

OCR is expected to post updated audit protocols on its website which will reflect the 2013 enactment of the HIPAA Omnibus Rule. These can also be used by organizations to conduct their own internal self-audits as part of ongoing HIPAA compliance activities. More information about the 2016 Phase 2 Audits can be found on OCR’s website, including key information regarding audit selection criteria based on entity size, affiliations, type of entity, and geography and past enforcement history with OCR.

Audit selectees should keep in mind that information disclosed during the audit process may trigger a more thorough compliance review.

Two New HIPAA Enforcement Actions Emphasize Risk Analysis, Impose Multi-Year Compliance Monitoring

The Office for Civil Rights (OCR) recently announced two new HIPAA enforcement actions totaling over $4.3 million in penalties. Both of these actions should remind Covered Entities and their Business Associates of the importance of implementing a multi-layered approach to HIPAA compliance and serve as a warning about the recent trend of OCR imposing multi-year HIPAA compliance monitoring programs.

Unsecured, Unencrypted Laptop Stolen Containing CT Images of 599 Individuals Results in $850,000 Fine and Two-Year Compliance Monitoring Program for Hospital

On November 30, 2015, OCR announced a Resolution Agreement with a Massachusetts hospital arising from the overnight theft of a laptop in 2011 from an unlocked treatment room. The laptop, which was on a stand that accompanied a portable CT scanner, operated the scanner, produced CT images for viewing, and contained the protected health information (PHI) of 599 individuals. OCR’s subsequent investigation into this event indicated widespread non-compliance with the HIPAA rules, including:

  • Failure to conduct a thorough risk analysis of all of its ePHI;
  • Failure to physically safeguard a workstation that accessed ePHI;
  • Failure to implement and maintain policies and procedures regarding the safeguarding of ePHI maintained on workstations utilized in connection with diagnostic/laboratory equipment;
  • Lack of a unique user name for identifying and tracking user identity with respect to the workstation at issue in this incident;
  • Failure to implement procedures that recorded and examined activity in the workstation at issue in this incident; and
  • Impermissible disclosure of 599 individuals’ PHI.

In addition to the $850,000 settlement, the hospital was required to address its history of noncompliance with the HIPAA Rules by providing OCR with a two-year comprehensive, enterprise-wide risk analysis and corresponding risk management plan, as well as reporting certain events and providing evidence of compliance to OCR.

The OCR press release and Resolution agreement are available at this link.

Multiple HIPAA Violations Result in $3.5 million Resolution Agreement, Three-Year Compliance Monitoring Program

A few days earlier, on November 24, OCR announced a Resolution Agreement with a publicly-traded insurance holding company and its subsidiaries that reported eight separate possible HIPAA breaches from 2010 through 2015. Five of these events affected 500 or more individuals.  The incidents included, but were not limited to: former employees whose intranet access was not properly terminated; vendor mistakes involving use and disclosure of PHI; former business associate employee misconduct; incorrectly stuffed envelopes which had mismatched beneficiary cards enclosed; and the improper use of beneficiary ID numbers on the exterior of mailing envelopes.

Following receipt of the aforementioned reports, the OCR initiated investigations to ascertain the entities’ compliance with HIPAA’s Privacy, Security, and Breach Notification Rules.  This investigation concluded that the entity or its subsidiaries:

  • Impermissibly disclosed beneficiaries’ PHI;
  • Failed to implement appropriate administrative, physical, and technical safeguards to protect PHI;
  • Impermissibly disclosed PHI to outside vendors with which it did not have an appropriate business associate agreement;
  • Failed to adhere to HIPAA’s “minimum necessary” standard in making disclosures to outside vendors;
  • Failed to conduct an accurate and thorough risk analysis which incorporated all IT equipment, applications, and data systems utilizing ePHI;
  • Failed to implement security measures sufficient to reduce the risks and vulnerabilities to its ePHI to a reasonable and appropriate level; and
  • Failed to implement procedures for terminating access to ePHI when the employment of a workforce member ended.

OCR agreed to accept a $3.5 million Resolution Amount in conjunction with the implementation of a three-year Corrective Action Plan which includes annual HIPAA compliance reporting to the Government.
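The last finding in the list above, failure to terminate ePHI access when employment ends, is one that a routine reconciliation catches early. As an added example (not code from the original post or from OCR), the following Python script compares an HR separation roster with an export of user accounts and flags accounts that are still enabled after the owner’s separation date, accounts that were used after that date, and accounts with no roster entry at all. Both data sets, their column names and the user names are constructed for this example.

```python
"""Reconcile an HR separation roster against active accounts to find access
that should have been terminated.

Added example, not code from the original post. The CSV layouts, column names
and all user data below are constructed.
"""
import csv
import io
from datetime import date, datetime

# Constructed HR export: blank separation_date means still employed.
HR_ROSTER = """\
employee_id,username,separation_date
1001,jdoe,2015-06-30
1002,asmith,
1003,rlee,2015-09-15
"""

# Constructed account export from the directory / application.
ACCOUNTS = """\
username,enabled,last_login
jdoe,true,2015-08-02T10:11:00
asmith,true,2015-10-01T08:00:00
rlee,false,2015-09-10T17:30:00
svc_backup,true,2015-10-02T02:00:00
"""


def load_roster(text):
    """Return {username: separation_date or None}."""
    roster = {}
    for row in csv.DictReader(io.StringIO(text)):
        sep = row["separation_date"].strip()
        roster[row["username"].strip()] = date.fromisoformat(sep) if sep else None
    return roster


def load_accounts(text):
    """Return {username: (enabled, last_login datetime)}."""
    accounts = {}
    for row in csv.DictReader(io.StringIO(text)):
        accounts[row["username"].strip()] = (
            row["enabled"].strip().lower() == "true",
            datetime.fromisoformat(row["last_login"].strip()),
        )
    return accounts


def reconcile(roster, accounts):
    """Produce a sorted list of findings, one dict per (username, issue)."""
    findings = []
    for user, (enabled, last_login) in accounts.items():
        if user not in roster:
            # Service or orphaned accounts need an owner; flag for review rather than ignore.
            findings.append({"username": user, "issue": "not_in_roster"})
            continue
        separated_on = roster[user]
        if separated_on is None:
            continue                     # current employee, nothing to check here
        if enabled:
            findings.append({"username": user, "issue": "enabled_after_separation"})
        if last_login.date() > separated_on:
            # Use after separation is evidence of an actual access problem, not just a gap.
            findings.append({"username": user, "issue": "login_after_separation"})
    return sorted(findings, key=lambda f: (f["username"], f["issue"]))


def run():
    return reconcile(load_roster(HR_ROSTER), load_accounts(ACCOUNTS))


if __name__ == "__main__":
    for finding in run():
        print(f"{finding['username']}: {finding['issue']}")
```

In the constructed data `jdoe` is both still enabled and logged in five weeks after separation, which is exactly the condition the enforcement action describes, while `rlee` was disabled before the separation date and generates nothing. Running such a reconciliation on a schedule, and keeping its output, also produces the documentation of a termination procedure that a risk analysis or an audit will look for.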

The OCR press release and Resolution agreement are available at this link.  This is the second Resolution Agreement which covered multiple breaches announced by OCR this year, and part of a recent trend in which multi-year Corrective Action Plans were imposed.

Improvements Needed Regarding OCR’s HIPAA Oversight and Breach Follow-Up

The Office of Inspector General (OIG) recently issued two reports regarding HIPAA oversight activities performed by the Office for Civil Rights (OCR).  The first of these reports examined OCR’s oversight of covered entities’ compliance with the Privacy Rule.  The second report looked at OCR’s handling of covered entities’ reported HIPAA breaches.   Both reports included recommendations to OCR for improvement in these areas.  OCR agreed with all of OIG’s recommendations, suggesting changes to OCR oversight and enforcement activities in the near future.

Both studies were conducted by reviewing statistical samples of OCR investigations from September 2009 through March 2014, surveying OCR staff, interviewing OCR officials, reviewing OCR’s investigation policies, and reviewing documentation provided by a statistical sample of Part B providers to determine the extent to which they addressed five selected privacy standards or three selected breach administrative standards, as appropriate.

Regarding Privacy Rule compliance, OIG’s primary findings included that OCR oversight remains “primarily reactive,” in that it investigates possible HIPAA non-compliance primarily in response to complaints, and that OCR has not yet fully implemented requirements under §§ 13411 and 13432 of the HITECH Act that it proactively conduct audits of covered entities to assess their HIPAA compliance efforts.  OIG also determined that in a significant number of cases, OCR failed to fully document corrective action or whether the covered entity had been the subject of a prior HIPAA investigation.  Furthermore, OIG’s review found that OCR’s case-tracking system has limited search functionality and lacks a standard way to enter covered entities’ names in the system.

Concerning HIPAA breaches, OIG found that although OCR would usually document corrective action for most closed so-called “large” breaches involving 500 or more individuals, almost one-quarter of such cases nonetheless had inadequate documentation of corrective action taken. OIG also found that OCR did not record small-breach information in its case-tracking system, and that this failure to document “small” breaches limited OCR’s ability to track and identify covered entities with multiple small breaches.

As a result of these findings, OIG recommended that OCR: (1) fully implement a permanent audit system; (2) enter small-breach information into its case-tracking system; (3) maintain complete documentation of corrective action; (4) develop a method in its case-tracking system to search and track covered entities that were previously investigated and/or reported prior breaches; (5) develop a policy requiring staff to check whether covered entities have been previously investigated or reported prior breaches; and (6) continue to expand outreach and education efforts to covered entities.

OCR concurred in all of these recommendations, and further stated that it is moving forward with a permanent audit program, including Phase 2 HIPAA audits in early 2016 which are designed to “test the efficacy of the combination of desk reviews of policies as well as on-site reviews,” and also “target specific common areas of non-compliance,” for both covered entities and business associates.

Now that the Phase 2 HIPAA audits, which have been previously discussed on this blog, are right around the corner, it is critical that covered entities and business associates ensure that their HIPAA compliance programs are in order. Suggested activities in this regard might include: performing an updated risk assessment and implementing a risk management plan; conducting an inventory and audit of all business associate agreements; reviewing any unimplemented “addressable” Security Standards; refresher workforce training; and a careful review of security policies in general.

For full text of the recent reports from OCR, please follow the links below:


OCR Settlement: Risk Assessment Required Prior to Using ePHI Cloud Storage

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced a resolution agreement with a major tertiary-care hospital that provided both inpatient and outpatient care (the “Hospital”) stemming from the Hospital’s use of “cloud” document storage of ePHI and a separate breach involving a laptop and USB drive.

In 2012, workforce members reported to OCR that the Hospital was using an internet-based document sharing application to store documents containing ePHI of at least 498 individuals and that the Hospital had not first analyzed the risks associated with this “software as a service.” OCR’s subsequent investigation determined that the Hospital failed to timely identify and respond to one security incident, mitigate its harmful effects, and document its outcome, all of which are required by HIPAA.

“Organizations must pay particular attention to HIPAA’s requirements when using internet-based document sharing applications,” said OCR Director Jocelyn Samuels. “In order to reduce potential risks and vulnerabilities, all workforce members must follow all policies and procedures, and entities must ensure that incidents are reported and mitigated in a timely manner.”

Approximately two years later, in 2014, the Hospital notified OCR regarding a separate breach of unsecured ePHI stored on a workforce member’s personal laptop and USB drive, affecting 595 individuals.

On July 10, 2015, OCR announced that it and the Hospital agreed to a $218,400 settlement and implementation of a corrective plan of action as a result of these breaches which affected nearly 1,100 individuals in total.

This settlement agreement is significant for several reasons. First, it encompasses more than one breach. Although it had been widely believed that OCR would deal with multiple breaches from a single entity in a consolidated fashion, this is the first time that has actually occurred. Second, OCR’s investigation into the document sharing breach was prompted by reports from the Hospital’s workforce members.

That these employees reported privacy concerns to the government rather than the Hospital suggests that they were unaware, unwilling, or unable to share these concerns with the Hospital’s Privacy Officer. This could be indicative of a serious, fundamental breakdown of the privacy program at the Hospital. Third, the settlement here highlights the importance of first conducting a thorough risk assessment prior to implementing cloud-based storage or other “software as a service” programs when handling ePHI.

The full Resolution Agreement can be found at this link to the OCR website.