
The Case for Breach Notification by Business Associates

A business associate is an individual or entity that performs functions or activities involving the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.  HIPAA requires business associates to agree, in writing, to appropriately safeguard protected health information received or created on behalf of a covered entity.

HIPAA regards a breach involving a business associate as “discovered” by the covered entity on the date that the business associate knew or should have known about it, provided that the business associate is acting as the “agent” of the covered entity.  In performing covered functions or providing covered services (such as claims processing, billing, utilization review, PBM management, or clearinghouse duties), most business associates also exercise actual or apparent authority on behalf of the covered entity; that is, with either express or implied permission from the covered entity, the business associate holds itself out to third parties as being able to act in the place of the covered entity.  By doing so, they may qualify under federal law as “agents” of the covered entity.  The only time that a covered entity will not be charged with knowledge at the time of its business associate’s breach is in the exceedingly rare circumstance where the business associate was not acting as the “agent” of the covered entity.

Regardless of agency status, HIPAA permits a business associate to delay a report of a breach of PHI to the covered entity for up to 60 days.  This 60-day time period is extremely important because the HIPAA Breach Notification Rule requires individuals affected by breaches involving protected health information to receive notice of the breach within 60 days of its discovery, regardless of the number of individuals affected.  In addition, breaches involving 500 or more individuals must be reported to the media and the government within 60 days of discovery.

In most circumstances, the effect of these provisions is that a business associate does not have to notify the covered entity of a breach for up to 60 days, but each day that the covered entity remains unaware is one fewer day that it will have to report the breach to affected individuals, and possibly the government and media.  Unless the business associate contract requires the business associate to provide information regarding a breach to the covered entity within a few days, a dawdling business associate can potentially make it more difficult, if not impossible, for a covered entity to make all required notifications.  This is especially true in breaches involving 500 or more individuals which require all three forms of notification to occur within 60 days of discovery of the breach.

Because HIPAA will treat almost all breaches involving a business associate as “discovered” by the covered entity before the covered entity has actual knowledge of the breach, covered entities should consider delegating breach notification responsibility to business associates in these cases.  This can be easily done by including language in the business associate agreement to the effect that the covered entity reserves for itself the option of having the business associate provide all notifications required by HIPAA (and/or any applicable state breach notification laws) in the event of a breach.  The reason for this is twofold: first, while HIPAA permits a business associate to delay a report of breach of PHI to the covered entity for up to 60 days, in most cases, the covered entity will be “deemed to have knowledge” of the breach at the time the business associate knew, or should have known of it through the exercise of reasonable diligence.  Second, the business associate is likely to be better positioned to investigate the breach because of its proximity to the facts and individuals involved.

A business associate agreement should reflect the reality that covered entities have the ultimate responsibility to ensure that proper and timely notifications are made after a breach.  From the covered entity’s perspective, this means requiring their business associates to promptly report any breaches to the covered entity and to take the lead concerning all aspects of breach notification.   If the business associate is unequipped to provide breach response on its own, it can always outsource such functions, provided it first enters into a business associate agreement with that vendor.  If a business associate is unwilling to do either, then the covered entity may want to rethink its relationship altogether with the business associate.

The Spectre of Strict Liability For An Employee’s HIPAA Breach

On May 7, 2015, the Supreme Court of Indiana denied any further review in the matter of Walgreen Company v. Hinchy.  This denial of review leaves standing the opinion of the intermediate Court of Appeals that had upheld a $1.44 million verdict against Walgreen Company for a breach of confidentiality by an employed pharmacist. Walgreen Co. v. Hinchy, 21 N.E.3d 99 (Ind. Ct. App. 2014), 29 N.E.3d 748 (Ind. Ct. App.), transfer denied, 2015 Ind. LEXIS 374 (Ind. 2015).

The pharmacist had accessed the prescription records of a female customer who had been romantically involved with the pharmacist’s boyfriend and eventual husband, and divulged the information she obtained to him.  The disclosed information related to birth control prescriptions and sexually transmitted diseases and was used by the boyfriend in an attempt to have the woman relent on her paternity claims against him.  All of this came to the knowledge of the woman’s family and friends.

Hinchy is notable not only for the size of the verdict but also as another instance of the expanding number of cases finding a state-law cause of action for a HIPAA breach.  This issue has previously been identified in this blog.

But the decision is more noteworthy in its imposition of vicarious liability on the employer.  The Indiana Court of Appeals rejected out of hand the Walgreen position that the pharmacist had acted on her own and outside the scope of her employment as a pharmacist.  It did not matter to the court that Walgreen had in place policies restricting the use and disclosure of HIPAA PHI and a computer audit trail that identified the pharmacist’s accessing of the records and confirmed the breach.   Walgreen also had a training program for employees to encourage adherence to the policies regarding non-disclosure of patient confidential information.  Before jury selection, the trial judge had granted partial summary judgment in favor of Walgreen on an allegation of negligent training.   While the trial judge had denied the part of that motion challenging negligent supervision of the pharmacist by Walgreen, the Court of Appeals stated that it was not considering the supervision claim at all and that its determination of liability was based solely on respondeat superior.  It approved of the following jury instruction:

An employer is liable for the wrongful acts of its employee which are committed within the scope of employment.

An act is within the scope of employment if it is incidental to the employee’s job duties, that is to say, the employee’s wrongful act originated in activities closely associated with her job.

In deciding whether an employee’s wrongful act was incidental to her job duties or originated in activities closely associated with her job, you may consider:

1. whether the wrongful act was of the same general nature as her authorized job duties;

2. whether the wrongful act is intermingled with authorized job duties; and

3. whether the employment provided the opportunity or the means by which to commit the wrongful act.

Contrary to Hinchy is the outcome and analysis in Bagent v. Blessing Care Corp., 862 N.E.2d 985 (Ill. 2007), in which a hospital-employed phlebotomist received a fax from a facility that performed laboratory tests for the hospital at which she was employed.  The fax had the results of a pregnancy test for the plaintiff indicating that she was pregnant.  A few days later the phlebotomist was at a tavern with friends when she saw the plaintiff’s sister and asked how the sister was doing with the pregnancy, assuming she knew of it.  She did not.  The Illinois Supreme Court ruled that this conduct was outside the scope of the phlebotomist’s employment.

The established doctrine of respondeat superior provides that an employer faces liability to persons harmed by employees acting in the course of their employment.  Generally, a master is not subject to liability for the torts of his or her servants acting outside the scope of their employment, unless: (a) the master intended the conduct or the consequences, or (b) the master was negligent or reckless, or (c) the conduct violated a non-delegable duty of the master, or (d) the servant purported to act or to speak on behalf of the principal and there was reliance upon apparent authority, or he or she was aided in accomplishing the tort by the existence of the agency relation. More particularly, intentional torts and crimes rarely fall within the scope of employment because an employer is not responsible for acts that are clearly inappropriate or unforeseeable in carrying out authorized tasks.  In Davis v. Devereux, 209 N.J. 269 (2010), the Supreme Court conducted an extensive review of the principles of respondeat superior with particular reference to scope-of-employment issues.  In Davis, as it had on several occasions, the Court noted that the determination of whether or not a particular act is within or outside the scope of employment involves a fact-specific inquiry.  That will be quite true in connection with allegations of tortious HIPAA breaches.

The Court in Davis also looked at the exception to employer vicarious liability based on a non-delegable duty.  Although the non-delegable duty doctrine has been used in a healthcare context, see Marek v. Professional Health Services, Inc., 179 N.J. Super. 433, 441-42 (App. Div. 1981), the Court underscored its reluctance to impose liability on the basis of this concept.  It results in liability regardless of whether the employer acted with care in hiring and training an employee and regardless of whether the employee acted within the scope of his or her employment.  Although the Indiana Court of Appeals did not use the terminology of “non-delegable duty,” its holding is consistent with that analysis.  A finding of a non-delegable duty in connection with HIPAA medical privacy issues will open expansive tort liability for employers.  There are a number of instances in which creative plaintiff’s attorneys have attempted to construct liability claims based on an asserted “non-delegable duty” arising out of Federal regulations.  This is something to watch out for in connection with HIPAA breach torts.  As illustrated in a number of recent state cases, including more recently Hinchy, while the source of the duty may be state law, which provides the private cause of action, the standard of care is derived from the Federal regulation.  It is indeed something to watch out for.

OCR Provides More Information Regarding HIPAA Phase 2 Audits and Rulemaking

At the Healthcare Information and Management Systems Society (HIMSS) annual conference, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR), which is tasked with enforcing HIPAA, provided new information but no definitive timeline regarding the long-awaited “Phase 2” HIPAA Audits.  We recently discussed these initiatives in a prior blog post.

It is widely expected that these Phase 2 HIPAA Audits will focus on areas of non-compliance identified in OCR’s initial round of audits, which occurred in 2012.  Unlike the first time, the Phase 2 Audits will include Business Associates as well as Covered Entities randomly selected by OCR.  The audit itself is expected to take the form of either a “desk audit,” where documents are submitted to OCR, or an on-site visit.  It is also anticipated that these audits will be somewhat narrower in scope, and focus on the Security Rule, Privacy Rule or Breach Notification Rule.

Perhaps due to the change in leadership last July, when Jocelyn Samuels was named the new OCR Director, along with a focus on developing the audit selection and protocols, OCR has been remarkably silent in recent months.  In the first seven months of 2014, OCR announced five Resolution Agreements totaling over $7.5 million.  Since then, it has announced only one other Resolution Agreement for the remainder of 2014, and none so far in 2015.

This silence should not be taken as any indication that OCR no longer regards enforcement as a useful compliance tool.  Given that OCR is expecting approximately 17,000 breach reports this year and the magnitude of high-profile health care data breaches in the news recently, OCR appears to be focusing its enforcement efforts on situations that are likely to bring the largest compliance impact, both in terms of the specific parties involved and the industry in general.  OCR’s relative silence regarding Resolution Agreements is not expected to last, and because most investigations take several years to complete, it is not reflective of actual inactivity at OCR.  In all likelihood, more Resolution Agreements will be announced later this year along with the Phase 2 HIPAA Audits.

Now is the time for Covered Entities and their Business Associates to prepare for these Phase 2 Audits.  Some practical and cost-effective ways of doing this include:

  1. Conduct a Risk Assessment, with a particular focus on mobile devices, encryption, access control, data security (both while data is “at rest” and “in motion”), and user compliance with security protocols.
  2. Re-Evaluate Your Business Associate Relationships by creating an updated list of all BAs and ensuring that you have current BA contracts with each that satisfy the HITECH Act and Omnibus Rule.  In addition, Covered Entities should ask all of their BAs for a list of the sub-BAs that may use PHI or to which PHI is disclosed, and for copies of those BA Agreements.
  3. Review, Update, and Retrain Workforce Members on Current HIPAA Policies and Procedures.  To get the most out of the privacy policies and procedures established for your organization, all workforce members should receive regular refresher training that is documented and maintained for at least six years.

In addition to the Phase 2 HIPAA Audits, OCR is expected this year to issue rulemaking concerning the Breach Notification Rule, marketing initiatives which use PHI and HIPAA’s Accounting of Disclosures Rule.

As we look forward to the warmer months, expect enforcement, rulemaking and Phase 2 HIPAA Audits to heat up as well.

Dealing with Insider Threats to HIPAA Security

While most Covered Entities rightly orient cyber security efforts against external threats, there has been a recent uptick in the intentional theft of protected health information (PHI) by employees and others from inside organizations. Although so-called “insider threats” are not the most common security problem, they are among the most costly and damaging. Because they originate from individuals who are trusted and therefore have a legitimate level of access to confidential data, they are also especially difficult to detect.

Illustrating this problem, in February 2015 a former hospital employee in Texas was sentenced to 18 months in federal prison after improperly obtaining PHI with the intent to use it for personal gain. More recently, a Blue Cross Blue Shield of Michigan (BCBSM) employee (and ten others in multiple states) was indicted on multiple counts of identity theft related crimes based on her alleged theft of BCBSM subscriber information.

According to the indictment, the BCBSM employee shared subscribers’ personal identifying information and distributed it to others who used it to apply for credit in subscribers’ names and make purchases across the country. Co-conspirators were arrested in Texas, Ohio and Michigan in possession of BCBSM subscriber information, counterfeit identification cards, and credit cards that were fraudulently obtained in the names of BCBSM subscribers. At other suspects’ homes, agents recovered BCBSM subscribers’ names, dates of birth and Social Security numbers in addition to counterfeit and re-encoded credit cards and gift cards. The indictment alleges that three of the co-conspirators used counterfeit credit cards at different stores and fraudulently obtained more than $742,000 worth of merchandise from Sam’s Club alone.

While indictments and prison sentences send a strong message from law enforcement about HIPAA protections, employers can also take important preventative steps to deter, thwart and detect potential insider threats. At a minimum, outbound data flows including email systems, printers, USB drives or other forms of removable media should be monitored for suspicious activity. This would not have necessarily stopped a group like those recently indicted in Michigan who used the low-tech method of taking screen shots of subscriber information, but it could detect other types of unauthorized data movements, such as those where data is removed directly from servers or corporate networks.

Most technological defenses, like passwords and other forms of user authentication, are designed to keep unauthorized users out, and consequently are of no use against insiders who, by definition, are authorized to access the systems that they target. As a result, combating insider threats requires a multidisciplinary approach. In addition to technological measures, employers should focus on deterrence by educating their workforce about security measures to detect unauthorized data exfiltration and possible consequences including jail time. Businesses should also think about who from the outside might target their data, which of their employees has access to that information, and how those individuals might pose a risk of data theft.   Employers should also get to know their employees’ regular workflows and routines. If someone who never accesses certain information or databases is suddenly doing so, that should be automatically flagged and investigated; so too if an employee is suddenly sending twice or three times the amounts of emails or data which could suggest that data theft is underway. From a HIPAA compliance standpoint, Covered Entities should consider the insider threat possibility as part of their regular risk assessment process and develop appropriate protocols in response.

While the insider threat, like many others, can never be completely eliminated, an active deterrence and monitoring strategy coupled with intelligent technical solutions can reduce it significantly.
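The workflow-baselining idea above (flag a user who suddenly touches a database they never used before, or whose daily volume jumps to twice their own norm) as an added example in Python; this is not code from the original post, and the users, databases and log format are constructed for illustration.

```python
"""Anomaly checks for insider PHI access: flag a user touching a database they
have never used before, and a user whose daily volume jumps to 2x their own
baseline.  Each user is compared only against their own history."""
from collections import defaultdict
from datetime import date
from statistics import mean
from typing import List, NamedTuple


class Event(NamedTuple):
    day: date
    user: str
    action: str      # e.g. "query" or "email_out"
    resource: str    # database, record class, or channel touched
    count: int       # records returned / messages sent


class Finding(NamedTuple):
    user: str
    day: date
    kind: str        # "new_resource" or "volume_spike"
    detail: str


# Constructed sample audit log (hypothetical users and databases, not real data).
# Format: date,user,action,resource,count
SAMPLE_LOG = """
2015-03-02,jdoe,query,claims_db,40
2015-03-03,jdoe,query,claims_db,45
2015-03-04,jdoe,query,claims_db,38
2015-03-05,jdoe,query,claims_db,42
2015-03-06,jdoe,query,claims_db,44
2015-03-09,jdoe,query,claims_db,39
2015-03-09,jdoe,query,subscriber_pii,1200
2015-03-02,asmith,email_out,mail,12
2015-03-03,asmith,email_out,mail,15
2015-03-04,asmith,email_out,mail,11
2015-03-05,asmith,email_out,mail,14
2015-03-06,asmith,email_out,mail,13
2015-03-09,asmith,email_out,mail,16
2015-03-10,asmith,email_out,mail,30
2015-03-02,rlee,query,billing_db,20
2015-03-03,rlee,query,billing_db,22
2015-03-04,rlee,query,billing_db,500
"""


def parse_log(text: str) -> List[Event]:
    """Parse CSV-style lines; blank lines and '#' comments are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        day, user, action, resource, count = line.split(",")
        events.append(Event(date.fromisoformat(day), user, action, resource, int(count)))
    return events


def detect(events: List[Event], baseline_days: int = 5,
           spike_factor: float = 2.0) -> List[Finding]:
    """Build each user's baseline from their first `baseline_days` active days,
    then evaluate every later day against it.  A user with no days beyond the
    baseline window is not evaluated (no history, no verdict)."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e.user].append(e)

    findings = []
    for user, evs in by_user.items():
        active_days = sorted({e.day for e in evs})
        if len(active_days) <= baseline_days:
            continue  # edge case: not enough history to judge anything
        base_days = set(active_days[:baseline_days])

        base_resources = {e.resource for e in evs if e.day in base_days}
        base_totals = defaultdict(int)
        eval_totals = defaultdict(int)
        for e in evs:
            (base_totals if e.day in base_days else eval_totals)[e.day] += e.count
        base_mean = mean(base_totals.values())

        # Signal 1: first-ever access to a resource outside the baseline set
        for e in evs:
            if e.day not in base_days and e.resource not in base_resources:
                findings.append(Finding(user, e.day, "new_resource",
                                        f"{e.action} on {e.resource}, never seen in baseline"))
        # Signal 2: daily volume at or above spike_factor x the user's own mean
        for day, total in eval_totals.items():
            if total >= spike_factor * base_mean:
                findings.append(Finding(user, day, "volume_spike",
                                        f"{total} vs baseline mean {base_mean:.1f}"))
    return sorted(findings)


if __name__ == "__main__":
    for f in detect(parse_log(SAMPLE_LOG)):
        print(f.day, f.user, f.kind, f.detail)
```

Run against the sample, it flags jdoe's first touch of subscriber_pii and the volume spike it caused, and asmith's day of roughly doubled outbound mail, while rlee, who has no history beyond the baseline window, is not judged at all.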

New Encryption Requirements For New Jersey Health Insurers May Catch On In Connecticut, But Probably Would Not Have Protected Anthem Subscribers

New Jersey has enacted and Connecticut is considering a bill that would require health insurance companies to encrypt electronic information in their possession. These developments come as the massive breach of personal protected health information at Anthem Health continues to reverberate throughout the healthcare industry.

While the New Jersey law and Connecticut proposal requiring encryption are important steps that will protect individuals in cases where a laptop or flash drive is lost or stolen, they are unlikely to provide any serious defense to a determined attack such as that involving Anthem Health, which involved the compromise of administrator-level credentials.

The New Jersey law, which goes into effect on August 1, 2015, requires all health insurance carriers issuing benefits in the state to encrypt or otherwise render unreadable any “personal information” which they compile or maintain.  This “personal information” includes a first name or initial and last name linked with their Social Security Number, driver’s license or State ID number, address, or any other form of individually identifiable health information such as medical or billing records, medical record numbers, or a variety of other identifiers.

The Connecticut proposal, much like New Jersey’s law, would require insurance companies operating in Connecticut to encrypt all personal information records stored and transmitted by them.  Connecticut would also go further by requiring that any health insurance company who holds, uses or transmits personal information adopt secure user authentication protocols (such as mandatory user IDs, unique passwords, and other measures) and upgrade information safeguards to limit future risks.

While encryption of protected health information is strongly encouraged by changes to HIPAA made by the HITECH Act and subsequent regulations, it is not currently required by federal law.  However, as targeted attacks on health care data become more sophisticated and commonplace, encryption and other security measures are quickly becoming the industry standard.

It is unlikely that either the New Jersey law or the Connecticut proposal requiring encryption would have protected Anthem subscribers who have been affected by the most recent breach, which was discovered by a system administrator who noticed that their own credentials were being used to log into the system and submit queries.  Unauthorized individuals who gain access to an administrator account can end-run around most, if not all, technical defenses.  No amount of encryption will protect against thieves who use phishing, social engineering or other means to steal the keys to the virtual kingdom.

OCR Director Discusses Upcoming HIPAA Audits, Additional Rulemaking in 2015

Audits of Covered Entities and their Business Associates which are required under the HITECH Act have been delayed into 2015, according to comments by Jocelyn Samuels, the Director of Health and Human Services’ Office for Civil Rights (OCR), because audit procedures have not been finalized. During a recent conference call with the media, Director Samuels would not commit to a specific timeline for the audits. These new audits will be done in-house by OCR and incorporate lessons learned from audits conducted in 2012 by KPMG of 115 covered entities, in addition to changes following enactment of the Final Omnibus Rule in 2013.  Although all aspects of HIPAA compliance may be examined, it is expected that through these audits OCR will closely scrutinize organizational Risk Assessment and Risk Management.  OCR anticipates that these audits will help it to identify best practices and uncover risks and vulnerabilities to privacy and security. Also according to OCR, the audits are expected to allow it to provide additional guidance and further refine future rulemaking regarding security and privacy.

In addition to the highly anticipated audits, OCR’s other plans for 2015 include:

  • A proposed rule that would allow individuals adversely affected by breaches of their protected health information to share in a percentage of the fine assessed by OCR against the party or parties responsible for the breach.
  • Additional guidance regarding the “minimum necessary” rule, which OCR views as intended to advance the policy goal that PHI only be used or disclosed when necessary for a particular purpose or to carry out a specific function.
  • Further clarification and guidance concerning the use of cloud storage and cloud computing services that have proliferated since the last major regulatory pronouncements related to the Security Rule.
  • Rulemaking related to the provision of an accounting of PHI disclosures upon request to patients.

ePHI Data Breach and the Consumer Fraud Act

The important protection against data breach liability by encrypting ePHI has been pointed out a number of times on this blog. Although not required by HIPAA or HITECH security rules, encryption is a practical solution to a potentially big problem. Indeed, the Office of Civil Rights has commented in the past that “[e]ncryption is an easy method for making lost information unusable, unreadable and undecipherable.” While not required, encryption is an “addressable” implementation that nonetheless becomes effectively required under the “reasonable and appropriate” standard of review applied to the retrospective evaluation of security measures utilized in data breach circumstances. The burden is on the covered entity to show that it was unreasonable and inappropriate to have used encryption.

In any event, the persuasiveness of the argument for encryption as a matter of routine was strengthened on January 9, 2015 when Governor Christie signed Senate Bill 562 into law as P.L. 2014, c. 88.

This is an amendment to the New Jersey Consumer Fraud Act that will be codified at N.J.S.A. 56:8-196 to 56:8-198. The new legislation has an effective date of August 1, 2015.

It uses the definition of individually identifiable health information found in the HIPAA Privacy Rule and incorporates it into a broader category of “personal information.” N.J.S.A. 56:8-196. As of its effective date the statute mandates that a health insurance carrier shall not compile or maintain computerized records with personal information “unless that information is secured by encryption or by any other method of technology rendering the information unreadable, undecipherable, or otherwise unusable by an unauthorized person.” N.J.S.A. 56:8-197. It explicitly provides that “more than the use of a password protection” is required if the password program only prevents general unauthorized access and does not render the information “unreadable, undecipherable, or otherwise unusable.”  These requirements are directed at computer systems broadly, including desktop computers, laptops, tablets or other mobile devices, or removable media.

New Jersey is the second state to impose explicit encryption requirements on personal information in a computerized form. Massachusetts had taken the first step with regulations effective in 2010 that had been promulgated pursuant to its anti-identity theft legislation. See generally 201 Mass. Code Regs. 17.04. The New Jersey restrictions currently apply only to health insurance carriers and do not extend to health care providers. This is consistent with the long-standing general proposition that the New Jersey Consumer Fraud Act does not apply to licensed professionals such as physicians or hospitals who are subject to comprehensive regulations by their own regulatory bodies. See, e.g., Macedo v. Dello Russo, 178 N.J. 340, 344-46, 840 A.2d 238, 240-42 (2004); Hampton Hosp. v. Bresan, 288 N.J. Super. 372, 381-83, 672 A.2d 725, 730-31 (App. Div.), certif. denied, 144 N.J. 588, 677 A.2d 760 (1996). But the statute certainly may be viewed as an expression of best practices if not an emerging standard of care.

Pursuant to N.J.S.A. 56:8-198 violations of the computer encryption statute are declared to be “an unlawful practice” subjecting violators to consequences under the Consumer Fraud Act. These include penalties of up to $10,000 for the first violation and up to $20,000 for the second and any subsequent violation. The Attorney General can bring an action for a cease and desist order and the court can order restitution. Lastly, an individual consumer who can demonstrate an ascertainable loss and a causal nexus between the alleged act of consumer fraud and the damages sustained can bring a private action for treble damages and attorney’s fees.

$150,000 HIPAA Resolution Agreement Emphasizes Importance of Updating, Patching IT Systems under the Security Rule

In a Resolution Agreement announced on December 8, 2014, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) made clear that the HIPAA Security Rule requires Covered Entities and their Business Associates who handle electronic protected health information (ePHI) to regularly patch and update their IT infrastructure.

This matter arose in March 2012 when OCR was notified by Anchorage Community Mental Health Services, Inc. (“ACMHS”) that due to a malware infection of its computer systems, a breach involving the unsecured ePHI of 2,743 individuals had occurred.

According to the Resolution Agreement, OCR’s subsequent investigation revealed that ACMHS failed to: (1) conduct an accurate and thorough risk assessment of its IT infrastructure; (2) implement policies and procedures requiring the implementation of security measures sufficient to reduce risks and vulnerabilities to its ePHI; and (3) implement technical security measures to guard against unauthorized access to ePHI, by failing to ensure that firewalls were in place with “threat identification monitoring” of inbound and outbound internet traffic and that IT resources were adequately “supported and regularly updated with available patches.”

Under the terms of the Resolution Agreement, ACMHS will pay a $150,000 fine and adopt a corrective action plan designed to address deficiencies in its HIPAA compliance program.

This is the first explicit statement from OCR that the HIPAA Security Rule requires IT infrastructure to be “regularly updated with available patches.”   An unpatched vulnerability known as the “Heartbleed Bug” has been implicated in a breach reported earlier this year of 4.5 million health records from Community Health Systems which operates 206 hospitals in twenty-six states.

This should dispel any doubt that a thorough risk assessment and risk management plan should include a process by which hardware (including firmware) and software are regularly patched and updated to the latest versions that address known vulnerabilities which could be exploited and result in a breach.

Federal HIPAA Privacy Rule Provides Standard of Care for State Common Law Breach of Medical Confidentiality And Potentially for Class Action Claims of Data Breach

In an opinion filed November 11, 2014, the Supreme Court of Connecticut held that to the extent that state law recognized a cause of action for breach of a health care provider’s duty of confidentiality in responding to a subpoena issued in connection with private litigation involving the patient, such a cause of action was not preempted by the provisions of the HIPAA Privacy Rule.  The HIPAA regulations, however, could inform the standard of care applicable to such a claim.  The Supreme Court reversed the dismissal of the negligence counts alleging breach of confidentiality and remanded the matter for further proceedings.  Byrne v. Avery Center for Obstetrics and Gynecology, P.C., 2014 WL 5507439 (Conn. 2014).

The plaintiff in Byrne had been a patient of the OB-GYN group and had received a copy of its Notice of Privacy Practices, which included a representation regarding non-disclosure of protected health information without her authorization.  The patient had been in a relationship with one Andro Mendoza, which ended.  She directed the OB-GYN group not to release any of her information to Mr. Mendoza.  The man filed paternity actions and issued a subpoena to the OB-GYN group for medical records.  The OB-GYN group did not alert the patient to receipt of the subpoena, move to quash it, or appear in court in response.  Rather, it mailed a copy of the patient’s medical file to the court.  The records were not placed under seal but were made available to Mendoza for review.  The plaintiff alleged that she had been harassed by Mendoza and received extortionate threats from him following his accessing her medical records.

On motions for summary judgment, the trial court had concluded that there was no private right of action under HIPAA and that the Federal regulations preempted any basis for action in the state court.  In its opinion, the Connecticut Supreme Court acknowledged the now well established proposition that HIPAA did not provide for a private right of action, and indeed the concession in this regard by plaintiff.  However, it emphasized that the cause of action was not based on HIPAA but would use the HIPAA regulations as evidence of the proper standard of care.  “[T]o the extent it has become the common practice for Connecticut health care providers to follow the procedures required under HIPAA in rendering services to their patients, HIPAA and its implementing regulations may be utilized to inform the standard of care applicable to such claims arising from allegations of negligence in the disclosure of patients’ medical records pursuant to a subpoena.”  The court concluded that common-law negligence actions, with HIPAA informing the standard of care, did not obstruct, preclude, conflict with, or complicate health care providers’ compliance with HIPAA for preemption purposes. On the contrary, it stated:  “[N]egligence claims in state courts support ‘at least one of HIPAA’s goals by establishing another disincentive to wrongfully disclose a patient’s health care record.’” (Quoting Yath v. Fairview Clinics, N.P., 767 N.W.2d 34, 50 (Minn. App. 2009).)

In a pre-HIPAA opinion by Judge Philip Carchman, the New Jersey Appellate Division identified a cause of action in tort under state law for improper disclosure of medical records in response to a subpoena where there had not been compliance with the procedural requirements for the subpoena and, as in Byrne, the health care provider had simply mailed the requested records – although directly to the attorney issuing the subpoena.  Cresceno v. Crane, 350 N.J. Super. 531 (App. Div.), certif. denied, 174 N.J. 364 (2002).  There is no published opinion from a New Jersey court that directly addresses this issue in light of HIPAA.  In Smith v. American Home Products, 372 N.J. Super. 105 (Law Div. 2003), Judge Marina Corodemus rejected a contention by plaintiffs that the HIPAA regulations preempted the informal discovery procedures permitted by state law but acknowledged certain additional procedural safeguards to be HIPAA-compliant.

In a posting in July of this year, we noted the developing groundswell of decisions utilizing HIPAA violations as a basis for a cause of action arising under state law.  The Connecticut decision joins decisions from a number of jurisdictions, including the highest courts of North Carolina (Acosta v. Byrum, 638 S.E.2d 246 (N.C. 2006)) and West Virginia (R.K. v. St. Mary’s Medical Center, 735 S.E.2d 715 (W.Va. 2012), cert. denied, 133 S.Ct. 1738 (2013)), as well as lower court decisions in Missouri, Minnesota, and Tennessee.  These lower court decisions are collected in the R.K. opinion.

Building on the R.K. precedent and the use of HIPAA as a standard of care for breach of medical confidentiality, West Virginia had expanded the existence of that cause of action into a basis for a data breach class action in its opinion in Tabata v. Charleston Area Medical Center, 759 S.E.2d 459 (W.Va. 2014), which was featured in our July blog posting.  The court found that this was sufficient “injury in fact” to sustain the putative class claim.  Two recent Illinois decisions reached the seemingly opposite conclusion in HIPAA data breach claims arising – once again – out of the loss of unencrypted laptop computers.  In Vides v. Advocate Health & Hospitals, Case No. 13-CH-2701 (Ill. Lake County Cir. Ct. May 27, 2014), and in Maglio v. Advocate Health & Hospitals, Gen. No. 13 L 538 (Ill. Kane County Cir. Ct. July 10, 2014) the court granted motions to dismiss a putative class action arising out of a data breach, holding that the recent United States Supreme Court decision in Clapper v. Amnesty Int’l, Inc., 133 S.Ct. 1138 (2013), compelled “rejection of Plaintiffs’ argument that an increased risk of identity theft is sufficient to satisfy the injury-in-fact requirement for standing.”  The potential for future injury was deemed too speculative to sustain the cause of action.  The Illinois decisions are in line with the overall consensus regarding data breach cases that putative class members lack standing where there is only a possible future risk of harm and cannot show an injury-in-fact.  It remains to be seen if the notion of the more focused concept of breach of medical confidentiality as injury will be widely accepted as conferring standing and liability on a class basis for a HIPAA breach.

Overseas Hackers Suspected In Second-Largest HIPAA Breach In History Affecting 4.5 Million Patients

In its most recent SEC 8-K filing, dated August 18, 2014, Community Health Systems, Inc. (CHS), which operates over 206 hospitals in twenty-nine states, announced that an “Advanced Persistent Threat” group originating from China used “highly sophisticated malware and technology” to infiltrate its computer systems “and successfully copy and transfer certain data” in the form of “non-medical patient identification data,” including names, addresses, birthdates, telephone numbers and social security numbers, affecting 4.5 million individuals who were patients at CHS in the last five years.  This represents the second-largest breach of PHI in HIPAA history to date.

According to CHS, no credit card, medical or clinical information was compromised.  CHS has said that it has appropriately reported this incident in accordance with federal and state law, that it will be offering free credit monitoring to affected individuals, and that it possesses sufficient cyber/privacy liability insurance to address some of the losses related to remediation expenses, regulatory inquiries, litigation and other liabilities.

According to media reports, the intruders exploited the so-called Heartbleed flaw, which allows an attacker to bypass virtually all security protections without being detected and to retrieve sensitive data residing in the memory of computers or servers running the affected software.  This permits intruders to “eavesdrop” and obtain passwords, banking credentials, and other sensitive data.  Heartbleed was first publicly revealed, along with a patch to fix it, by security researchers on April 7, 2014.
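The mechanism behind Heartbleed, and the one-line bounds check that the April 7 patch added, is small enough to model directly.  The following is an added illustration written for this post, not code from OpenSSL (the affected library) or from any party mentioned here; the heartbeat message layout follows RFC 6520, while the "process memory" and the heap contents beside the record are constructed stand-ins.

```python
import struct

# TLS heartbeat message (RFC 6520): type(1) | payload_length(2) | payload | padding(>=16)
HB_REQUEST = 1
HB_RESPONSE = 2
MIN_PADDING = 16


def build_heartbeat(claimed_len: int, payload: bytes) -> bytes:
    """Build a heartbeat request; the length field need not match len(payload)."""
    return bytes([HB_REQUEST]) + struct.pack("!H", claimed_len) + payload + b"\x00" * MIN_PADDING


def respond_unpatched(record: bytes, heap_after_record: bytes) -> bytes:
    """Pre-patch behaviour: trust the peer-supplied length and echo that many bytes
    starting at the payload, continuing past the end of the bytes actually received."""
    claimed_len = struct.unpack("!H", record[1:3])[0]
    # Constructed model of process memory: the record followed by whatever
    # happens to sit next to it on the heap (session keys, credentials, ...).
    memory = record + heap_after_record
    echoed = memory[3:3 + claimed_len]
    return bytes([HB_RESPONSE]) + struct.pack("!H", claimed_len) + echoed


def respond_patched(record: bytes):
    """Post-patch behaviour: the claimed payload plus header and minimum padding
    must fit inside the record that was received; otherwise the record is dropped."""
    claimed_len = struct.unpack("!H", record[1:3])[0]
    if 1 + 2 + claimed_len + MIN_PADDING > len(record):
        return None  # silently discarded, which is what the fix does
    echoed = record[3:3 + claimed_len]
    return bytes([HB_RESPONSE]) + struct.pack("!H", claimed_len) + echoed


def leaked_bytes(response: bytes, honest_payload: bytes) -> bytes:
    """Bytes echoed back beyond the payload the peer actually sent."""
    return response[3 + len(honest_payload):]


if __name__ == "__main__":
    heap = b"SESSION_KEY=0123456789abcdef"  # constructed neighbouring heap content
    lying = build_heartbeat(30, b"hello")   # claims 30 bytes, sends 5
    print(leaked_bytes(respond_unpatched(lying, heap), b"hello"))  # padding + heap bytes
    print(respond_patched(lying))           # None: record rejected
```

The investigation question raised below (whether servers were updated in time) turns on exactly this check being present in the deployed library.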

If this loss is the result of Heartbleed, it would represent the first known breach attributable to it.  Given the size of the breach, OCR will almost certainly investigate and examine whether CHS’s risk assessment and risk management programs were sufficient.  Since a patch was available on the date that the vulnerability was publicly announced, the investigation will likely focus on whether CHS should have updated its servers in a more timely manner between Heartbleed’s revelation on April 7, 2014 and the attacks, which occurred in April and June of 2014.  Fortunately for CHS and the individuals affected, CHS appears to have planned in advance for a breach, as evidenced by the presence of cyber/privacy insurance.