Category: HIPAA

HHS Actually Takes Action to LOWER the Penalties For One Of Its Enforcement Laws

On April 29, 2019, the United States Department of Health and Human Services (“HHS”) announced in the Federal Register, through a Notification of Enforcement Discretion effective immediately, that it would be exercising its discretion regarding the application of HHS regulations concerning the assessment of Civil Monetary Penalties (“CMPs”) under the Health Insurance Portability and Accountability Act (“HIPAA”) and the Health Information Technology for Economic and Clinical Health (“HITECH”) Act. Specifically, HHS has abandoned the uniform cumulative annual CMP limit that applied across all four categories of culpability and replaced it with tiered annual CMP limits that increase as the categories of culpability increase in severity.

In 2009, HITECH established four tiers of culpability with increasing penalties based on increasing severity. Those categories included: (1) the person did not know (and, by exercising reasonable diligence, would not have known) that the person violated the provision; (2) the violation was due to reasonable cause, and not willful neglect; (3) the violation was due to willful neglect that is timely corrected; and (4) the violation was due to willful neglect that is not timely corrected.

At the time of enactment of the HITECH Act, discrepancies were identified in the descriptions of the penalty ranges and uncertainty existed surrounding whether the $1,500,000 annual cap on CMPs should be applied to all of the categories of culpability. In the final regulations implementing HITECH that were adopted by HHS in 2013, the $1,500,000 annual cap was confirmed by HHS to apply to all categories. And, ever since then, HHS has been issuing penalties under the following framework:

| Culpability | Min. Penalty per Violation | Max. Penalty per Violation | Annual Limit |
|---|---|---|---|
| No Knowledge | $100 | $50,000 | $1,500,000 |
| Reasonable Cause | $1,000 | $50,000 | $1,500,000 |
| Willful Neglect – Corrected | $10,000 | $50,000 | $1,500,000 |
| Willful Neglect – Not Corrected | $50,000 | $50,000 | $1,500,000 |

However, in a sudden change of position, HHS’ guidance this past week states that upon further review of the statute, it believes a better reading of the statute is to provide a tiered annual limit. Thus, under HHS’ new interpretation, there are new maximum annual limits to HIPAA enforcement actions as follows:

| Culpability | Min. Penalty per Violation | Max. Penalty per Violation | Annual Limit |
|---|---|---|---|
| No Knowledge | $100 | $50,000 | $25,000 |
| Reasonable Cause | $1,000 | $50,000 | $100,000 |
| Willful Neglect – Corrected | $10,000 | $50,000 | $250,000 |
| Willful Neglect – Not Corrected | $50,000 | $50,000 | $1,500,000 |

It is unclear how the “No Knowledge” category will work given that the maximum penalty per violation remains at $50,000 while the annual limit is only $25,000. A review of the Federal Register entry from HHS confirms these to be the numbers published by HHS, and thus, until HHS offers further guidance or begins applying these new figures to specific cases, there remains some uncertainty for this category of culpability.

Nevertheless, these changes should come as welcome news to providers and business associates entrusted with protected health information (“PHI”), as penalties for HIPAA violations can add up quickly. These new annual limits will help to curb the financial sting of a violation, especially when the provider or business associate either is genuinely unaware of the violation or takes appropriate action in response to it. Only time will tell whether HHS’ clarification of its reading of the statute to require lower annual CMP caps marks a general shift toward lower penalties or fewer enforcement actions overall.

In the meantime, it would be wise for providers and business associates to continue demonstrating good faith compliance efforts to minimize the tier of culpability within which a particular penalty falls. Only through ongoing reviews, audits and assessments of privacy policies and procedures and general compliance programs will providers and business associates remain prepared and mitigate the penalty of a potential HIPAA violation. Certainly, with these new tiered annual CMP caps, those that handle PHI have an even greater incentive to remain focused on effective compliance efforts.

The OCR Reminds Businesses that Consequences for HIPAA Violations Do Not Vanish When the Business Closes

The U.S. Department of Health and Human Services (“HHS”), Office of Civil Rights (“OCR”), recently issued a press release to make the point that a business closing during an OCR investigation does not end the business’ potential liability under the Health Insurance Portability and Accountability Act’s (“HIPAA”) Privacy Rule.

For those unaware, the OCR enforces the Federal standards that govern the privacy of individually identifiable health information (45 C.F.R. Part 160 and Subparts A and E of Part 164, the “Privacy Rule”), the Federal standards that govern the security of electronic individually identifiable health information (45 C.F.R. Part 160 and Subparts A and C of Part 164, the “Security Rule”), and the Federal standards for notification in the case of breach of unsecured protected health information (45 C.F.R. Part 160 and Subparts A and D of 45 C.F.R. Part 164, the “Breach Notification Rule”). HHS has the authority to conduct compliance reviews and investigations of complaints alleging violations of the Privacy, Security, and Breach Notification Rules by covered entities and business associates, and covered entities and business associates must cooperate with HHS compliance reviews and investigations. See 45 C.F.R. §§ 160.306(c), 160.308, and 160.310(b).

To highlight its point, OCR identified in its press release a recent settlement it reached with an Illinois business that provided for storage, maintenance and delivery of medical records for covered entities. An investigation of the entity began in February 2015, following an anonymous complaint of improper disposal and disclosure of the protected health information (“PHI”) of 2,150 individuals. Specifically, the allegations included that PHI was left in unlocked trucks and that access was given to unauthorized personnel to remove PHI from the company’s facility.

Prior to resolution of the investigation, the company went out of business, resulting in a receiver being appointed by a court in 2016 to liquidate all assets for distribution to creditors and others. Despite this fact, OCR continued to pursue the case, and ultimately the receiver entered into a settlement and corrective action plan that included both a monetary penalty and an agreement by the company to properly store and dispose of the remaining PHI in its possession in accordance with HIPAA.

Thus, the OCR made clear with this matter and its reaffirming press release that those entrusted with PHI will not be able to walk away from the corresponding responsibilities simply because the business ceases operations. Accordingly, such businesses must ensure proper transition or disposal of all PHI in their possession prior to concluding operations to avoid significant penalties from the OCR. By reinforcing these responsibilities, the OCR reemphasizes the importance of covered entities and business associates not placing PHI at risk of disclosure, and of not putting covered entities in a potential breach situation when the business associate they entrust with PHI suddenly goes out of business.

Revised Confidentiality Rules Under HIPAA Part 2 For Substance Use Disorder Patient Records

On January 3, 2018, the Substance Abuse and Mental Health Services Administration (SAMHSA) within the Department of Health and Human Services published its final rule revising the confidentiality rules for substance use disorder treatment programs. A review of the Part 2 regulations for such programs and their overlap with pertinent provisions of HIPAA was the subject of a recent post on this blog.

The effective date of the revised regulations is February 2, 2018, with the exception of one provision, which has a compliance date within two years of the effective date. The agency indicated that “[t]hese changes are intended to better align the regulations with advances in the U.S. health care delivery system while retaining important privacy protections for individuals seeking treatment for substance use disorders.” An important aspect of this effort was aligning the substance use regulations with HIPAA and HITECH while recognizing that the Part 2 regulations provide “more stringent federal protections” to safeguard individuals from discrimination and the legal consequences of improper disclosure.

The prior Part 2 regulations included a strict prohibition on redisclosure of information that is disclosed in the first instance with a patient’s consent. SAMHSA’s new regulation approved the use of an abbreviated notice of the prohibition on redisclosure, intended to help the notice fit within the space limitations of free-text fields in electronic health record systems.

The new regulation also permits disclosures with written consent for payment and health care operations activities. The preamble to the regulation indicates that the catalog of such activities is illustrative rather than an exhaustive list. SAMHSA sought to balance the protection of confidentiality with the legitimate need to disclose information to obtain the benefits of emerging health care models promoting integrated care and patient safety. It pointed to the existing provision in 42 CFR § 2.13(a), which was intended to ensure that information is not shared more broadly than the purpose(s) for which the patient consents.

SAMHSA also addressed the applicability of the Part 2 regulations to business associates and subcontractors in a fashion similar to the HITECH regulations. It stated that the agency did not intend at this time to have the Part 2 regulations apply to business associates and subcontractors. However, the agency left the door open to further alignment with HIPAA, indicating that additional changes were under consideration.

With these latest changes and the promise of more to possibly come in the future, providers subject to these regulations must be sensitive to their applicability and complexity given the significant repercussions that can come from violations of HIPAA Part 2.

Overlapping Regulations for Confidentiality Regarding Substance Abuse Treatment

Our starting point is that privacy and confidentiality are important in any type of treatment, but in connection with substance abuse and addiction treatment there is a need for enhanced protections. The United States Court of Appeals for the First Circuit has stated that “[t]he express purpose” of federal initiatives in this area was “to encourage patients to seek treatment for substance abuse without fear that by so doing their privacy will be compromised.” United States v. Cresta, 825 F.2d 538, 551-52 (1st Cir. 1987). The collateral stigmas for an individual and the family are of such great concern that they can be obstacles to even seeking treatment. Reputations are put at risk by having the disease, and jobs or work opportunities may be jeopardized. Family members will be embarrassed. Federal regulations involving the HIPAA Privacy Rule and special provisions for substance abuse treatment programs recognize these concerns. While there have been efforts to align these two regulatory systems, it is important to recognize that these regulations intersect, overlap, and sometimes supersede each other. In addition, state licensing or regulatory provisions may have stricter requirements or may, as in New Jersey (N.J.A.C. 10:161B-3.6(b)(5)), incorporate the Federal standards.

HIPAA is the first body of regulations concerning medical privacy that comes to mind for most persons. But historically speaking, it is not. The Health Insurance Portability and Accountability Act (HIPAA), 42 USC §1320d, enacted in 1996 directed the Secretary of Health and Human Services and the Attorney General to develop guidelines that “appropriately protect the confidentiality of the information and the privacy of individuals receiving health care services.”  This eventually led to the release of the Privacy Rule in 2002 with an April 13, 2003 effective date and codification at 45 CFR Parts 160 and 164. In contrast, the restrictions on disclosures concerning substance abuse treatment have their origins in the 1970 Comprehensive Alcohol Abuse and Alcoholism Prevention, Treatment and Rehabilitation Act and the 1972 Drug Abuse and Prevention, Treatment and Rehabilitation Act with implementing regulations issued by the then Department of Health, Education and Welfare in 1975 with various revisions and supplements. The pertinent statute is 42 USC §290dd-2 with regulations now codified at 42 CFR Part 2.

As with the HIPAA regulations, there have been some recent amendments to the 42 CFR Part 2 regulations. 82 Fed.Reg. 6052 (Jan. 18, 2017). The most recent update was to go into effect as of February 17, 2017 but was delayed to March 21, 2017 by virtue of the 60-day regulatory freeze issued by the Trump Administration on January 20. The amendments were intended to make the Part 2 regulations more consistent with HIPAA. Differences persist with the potential for resulting confusion.

Here is one starkly clear reality: violation of the substance abuse treatment restrictions is a federal crime with a fine to be imposed pursuant to Title 18 of the United States Code.  42 USC §290dd-2(f). While both sets of regulations cover similar material, there are points of difference. But a reasonably valid heuristic in choosing between HIPAA and Part 2, with a slight refinement, is: Whichever standard is stricter — usually 42 CFR Part 2 — and provides the greater privacy protection should be applied.

Here is the refinement to that problem-solving heuristic. While HIPAA covers the health care industry broadly, the provisions of 42 CFR Part 2 only apply to “federally assisted” drug and alcohol “programs.” These are defined terms in 42 CFR 2.11. Thus, the records of a primary care physician who is not held out as providing alcohol or drug abuse treatment are not covered. The special confidentiality provisions would not apply to a hospital except to an identified unit that has a “primary function” of providing substance abuse diagnosis, treatment or referral. Similarly, the rules would not apply to an emergency room. See generally Center for Legal Advocacy v. Earnest, 320 F.3d 1107 (10th Cir. 2003); United States v. Zamora, 408 F.Supp.2d 295 (S.D. Tex. 2006). The applicability of Part 2 requires not only a “program” as defined in the regulation but also that the program be “federally assisted.” Federal funding is, of course, pervasive in health care, and the definition in 42 CFR 2.12(b) is consistent with that reality, but “federally assisted” status must still be confirmed.

The basic HIPAA rule of thumb is that except in connection with disclosures to the individual whose health information is at issue or to HHS or its Office of Civil Rights enforcement arm, a covered entity should not make any use or disclosure without a patient’s authorization unless permitted by the Privacy Rule. However, in addition to the broad approval for use or disclosure for treatment, payment or operations (TPO) without patient authorization, there are quite a few permissive disclosures without patient authorization set forth in 45 CFR 164.512 including such circumstances as public health activities and oversight, judicial and administrative proceedings, law enforcement purposes, and reporting crimes. The Part 2 regulations on the other hand are much stricter and more limited than what is allowed under HIPAA. Disclosures without a patient’s consent are allowed in the following circumstances:

  • Communications among program personnel
  • Communications between a program and a Qualified Service Organization
  • Crimes on program premises or against program personnel but without an exception for the duty to warn others unless the threatened violence is against program personnel.
  • Reports of suspected child abuse and neglect limited to making the initial report with any disclosure for subsequent investigation not permitted in the absence of a court order or signed authorization.
  • Medical emergencies involving an immediate threat to the health of the patient requiring immediate medical intervention.
  • Scientific research
  • Audits and evaluation activities
  • Court order, which must comply with special requirements set forth in the regulations.

Moreover, in the absence of consent or the special court order, the regulations in 42 CFR 2.13(c) prohibit a substance abuse treatment facility from even acknowledging that a particular individual is a patient.

Another instance of a stricter standard in Part 2 can be found in connection with a consented-to disclosure. 42 CFR 2.31 requires written voluntary consent. A verbal consent is inadequate. The consent document must contain ten elements specified in the regulation. Furthermore, under the provisions of the HIPAA Privacy Rule found at 45 CFR 164.508(c)(2) information that is disclosed pursuant to an authorization has the potential for being re-disclosed and no longer subject to HIPAA privacy protection. In contrast, an authorized disclosure under Part 2 must be accompanied by an explicit statement that further disclosure of information that identifies a patient as having or being treated for a substance use disorder is prohibited. 42 CFR 2.32(a).

HIPAA covers “protected health information” (PHI) and “individually identifiable health information” (IIHI). The Part 2 regulations speak in terms of “records” which term is defined in 42 CFR 2.11 as “any information” whether recorded or not, created by, received, or acquired by a Part 2 program relating to a patient whether involving diagnosis, treatment, referral for treatment, billing, emails, voice mails, and texts. For the purpose of the regulations “records” include both paper and electronic records.

Both HIPAA and Part 2 address disclosures in connection with judicial proceedings and various law enforcement activities. Although there are few judicial decisions concerning 42 CFR Part 2, there is a lucid and helpful discussion by the Connecticut Superior Court in Briggs v. Winter, 2014 Conn. Super. LEXIS 1292, 2014 WL 2922643, of these “two discrete but complementary federal statutory schemes” in the civil context. The HIPAA approaches of “satisfactory assurances” concerning civil subpoenas and the effectiveness of grand jury subpoenas without a court order are inadequate for substance abuse records. The statutory standard found in 42 USC §290dd-2 requires a showing of “good cause.” The Part 2 regulations more specifically set forth separate requirements for what constitutes “good cause” as to the court orders to be issued in connection with disclosures for noncriminal purposes such as civil law suits and those for criminal investigations and prosecutions of patients as well as for investigations or prosecutions of Part 2 programs or employees including the use of undercover agents. Under 42 CFR 2.64, the criteria for entry of an order authorizing disclosure for a noncriminal matter require a finding of “good cause” with determinations (1) that other ways of obtaining the information are not available or would not be effective and (2) that the public interest and need for the disclosure outweigh the potential injury to the patient, the physician-patient relationship and the treatment services. In connection with disclosures for criminal matters, the criteria in 42 CFR 2.65 are more extensive and “all” must be met. The threshold is that the crime involved is extremely serious, such as one which causes or directly threatens loss of life or serious bodily injury including homicide, rape, kidnapping, armed robbery, assault with a deadly weapon, and child abuse and neglect. Next, there must be a reasonable likelihood that the records will disclose information of substantial value in the investigation or prosecution along with a demonstration that other ways of obtaining the information are not available or would not be effective. As part of the evaluation, the court must determine that the potential injury to the patient, to the physician-patient relationship and to the ability of the Part 2 program to provide services to other patients is outweighed by the public interest and the need for the disclosure. Lastly, if the applicant is a law enforcement agency or official, the person holding the records must have been afforded the opportunity to be represented by independent counsel; and any person holding the records which is an entity within federal, state, or local government must in fact have been represented by counsel independent of the applicant.

In connection with any contemplated disclosure, there are several questions to be posed which include at least the following. Can or should patient authorization be obtained? Is there an exception for disclosure without patient authorization? Is the recipient to whom the disclosure is to be made pursuant to an exception authorized under the regulations to receive the information?

American society has long placed significant value on a private sphere protected from intrusion. In addition, bioethical principles of nonmaleficence — the doing of no harm — and respect for persons call for safeguarding personal privacy and placing importance on individual autonomy. In follow-up at another time or in another place, musings on whether or not privacy and confidentiality really exist in this era might be appropriate.

Breach of Medical Confidentiality and Privacy Claims

On July 12, 2017, the New Jersey Appellate Division issued an opinion in the case of Smith v. Datla, which involved the question of how much time a party has to file a lawsuit arising out of the unauthorized disclosure of private medical information. The court ruled that the appropriate statute of limitations period was two years.  In the opinion the court reiterated New Jersey’s adherence to the widely held rule that there is no private right of action under the Federal HIPAA rule but clarified that conduct that violates HIPAA regulatory provisions provides a state law claim for disclosure of the patient’s protected health information. While the decision is currently binding precedent in New Jersey, it could be appealed to the New Jersey Supreme Court for further review.

The appeal was presented on a somewhat limited factual record.  The plaintiff, identified by the pseudonym of John Smith, was a hospitalized patient.  The physician, a board-certified nephrologist, was treating the patient for acute kidney failure.  During an emergency bedside consultation with John Smith in his private hospital room, the doctor discussed his medical condition including the patient’s HIV-positive status.  It is not clear if this was an established diagnosis or newly conveyed information. The conversation took place while “an unidentified third party” was in the room.  In a footnote the court stated that “[t]he record does not reveal the third party’s identity nor his or her relationship to plaintiff.” Plaintiff claimed that the HIV disclosure was without his consent. The plaintiff further claimed that the disclosure caused him to endure pain and suffering, emotional distress, other emotional injuries and insult, and permanent injury with physiological consequences.

That third party’s identity and relationship to the patient may become an important factor in the eventual outcome of this case. The HIPAA Privacy Rule specifically permits covered entities to share information that is directly relevant to the involvement of a spouse, family members, friends, or other persons identified by a patient, in the patient’s care or payment for health care. If the patient is present, or is otherwise available prior to the disclosure, and has the capacity to make health care decisions, the covered entity may discuss this information with the family and these other persons if the patient agrees or, when given the opportunity, does not object. The covered entity may also share relevant information with the family and these other persons if it can reasonably infer, based on professional judgment, that the patient does not object.

On an admittedly “limited record,” the court evaluated the consequences of this disclosure, which took place on July 25, 2013, with the lawsuit being filed on July 1, 2015.

Ultimately, following motion practice, the plaintiff’s amended complaint asserted three causes of action: (1) invasion of privacy based on public disclosure of private facts; (2) medical malpractice based on the improper disclosure; and (3) violation of the AIDS Assistance Act, N.J.S.A. 26:5C-1 to -14.

Defendant filed a new motion to dismiss on the grounds that all three claims were barred by the one-year statute of limitations found in N.J.S.A. 2A:14-3 where the complaint had been filed nearly two years after the incident.  Arguing that all three claims were predicated on the public disclosure of private facts, defendant contended that they should be subject to the same statute of limitations.  Defendant noted that there was no specific statute of limitations for the public disclosure of private facts, but analogized that type of invasion of privacy claim to claims for placing plaintiff in a false light in the public eye and defamation.  This motion was denied by the trial court with leave to appeal granted.

The Appellate Division engaged in an extended analysis leading to the rejection of defendant’s contention.  It invoked the classic comments of Professor William Prosser regarding invasion of privacy being “not one tort, but a complex of four.”

The law of privacy comprises four distinct kinds of invasion of four different interests of the plaintiff, which are tied together by the common name, but otherwise have almost nothing in common except that each represents an interference with the right of the plaintiff to “be left alone.” [Quoting William L. Prosser, The Law of Torts § 112 (3d ed. 1964).]

The four branches of Prosser’s taxonomy of the privacy tort included (1) intrusion, (2) public disclosure of private facts, (3) placing a person in a false light in the public eye, and (4) appropriation of the plaintiff’s name or likeness for the defendant’s benefit. The court observed that the limitations period for the public disclosure of private facts was an “unresolved issue” in New Jersey. In Rumbauskas v. Cantor, 138 N.J. 173 (1994), the Supreme Court had held that the limitations period for the intrusion on seclusion type of privacy tort was two years and approved the use of a six-year period for actions based on appropriation of a person’s name or likeness for the benefit of the defendant. In commenting on varying limitations periods for the different types of privacy torts, it had stated:

The limitation periods applicable to actions involving other types of invasion of privacy are not before us. … Regarding actions for public disclosure of private facts or placing one in a false light, case law in other jurisdictions indicates that such actions are subject to the limitations period for defamation claims, which is one year in New Jersey. [Id. at 183.]

In rejecting the defense contention in Smith v. Datla for use of the one-year limitations period for public disclosure of private facts, the key factor in the court’s analysis was that the essential element of a defamation action is the dissemination of false information. Here the private facts that were disclosed were true. The court emphasized the heightened protection afforded to a person’s HIV and AIDS status in various contexts, including the New Jersey Law Against Discrimination (LAD), the New Jersey Civil Rights Act, and actions under Section 1983 for deprivation of federally protected civil rights. All of these claims were subject to a two-year statute of limitations.

This heightened protection was also embodied in the AIDS Assistance Act, which required that records regarding this infection be kept confidential and disclosed only with a person’s “prior written informed consent” in limited circumstances. The Act provided for a private cause of action including compensatory and punitive damages as well as attorneys’ fees. The Act did not set forth a particular statute of limitations, but the court concluded that this statutory-based action was analogous to the public disclosure of private facts tort for which it had determined there was a two-year statute of limitations.

The court went through a similar analysis with regard to the medical malpractice claim. Describing such a claim generally as a deviation from an accepted standard of care, it referred to the HIPAA requirements that health care providers protect personal medical information from unauthorized disclosure as well as the mandate of the AIDS Assistance Act. Aside from these statutorily-based obligations, the court referred to “the common law duty to maintain the confidentiality of patient records and information.” It cited several prior cases involving breaches of physician-patient confidentiality. Curiously, the court did not refer to Crescenzo v. Crane, 350 N.J. Super. 531, 541-44 (App. Div.), certif. denied, 174 N.J. 364 (2002), which had involved a physician releasing patient records to a lawyer in response to an improperly issued subpoena. In concluding that there was “a viable cause of action” against the physician, the Crescenzo court had referred to the Board of Medical Examiners’ regulations mandating confidentiality of patient records.

In concluding that this claim also was within the two-year statute of limitations in N.J.S.A. 2A:14-2, the court stated:

The breach of a physician’s duty to maintain the confidentiality of his patient’s medical records is a deviation from the standard of care, giving rise to a personal injury claim based upon negligence, not defamation or placing plaintiff in a false light.

In addition, plaintiff’s claim for medical malpractice is most analogous to the category of invasion of privacy claims that are grounded on an allegation that defendant improperly disclosed private facts concerning the plaintiff to a third party.

The court affirmed the denial of the motion to dismiss.

The Appellate Division in its comprehensive opinion nonetheless placed too much emphasis on the categorization of the privacy tort as articulated by Professor Prosser. Prosser’s contributions to the development of tort law regarding privacy are widely acknowledged.  However, his “taxonomy” of the privacy tort has been criticized as too restrictive and omitting other important interests.  Neil M. Richards & Daniel J. Solove, Prosser’s Privacy Law: A Mixed Legacy, 98 Calif. L. Rev. 1887, 1891 (2010).  One of these omissions is the tort of breach of confidence.  “This tort provides a remedy whenever a person owes a duty of confidentiality to another and breaches that duty.” Id. at 1909. See generally Daniel J. Solove & Neil M. Richards, Privacy’s Other Path: Recovering the Law of Confidentiality, 96 Geo. L.J. 123 (2007).  This tort is well recognized in a variety of professional settings.

At the end of the day, this case is a further illustration of the importance of sensitivity to a patient’s right of privacy. It is difficult to accept that the defendant was informing the patient for the first time that he had AIDS; presumably the patient was already aware of that diagnosis as a backdrop for the discussion of his current condition. A brief time-out in which the physician either asked the third party to leave the room or asked the patient whether he wanted that person to remain during the discussion could have avoided this litigation.

OCR and FTC Detail Overlapping Interests Between HIPAA and the FTC Act

On October 21, 2016, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) and the Federal Trade Commission (FTC) issued joint guidance highlighting the agencies’ common interest in protecting individuals’ health information.

The health care industry is familiar with the restrictions on use and disclosure of protected health information (PHI) imposed by HIPAA.  In general, other than as required by the HIPAA Privacy Rule or for treatment, payment or health care operations, HIPAA requires a valid, signed authorization from the individual before any further use or disclosure of their PHI can occur.   This authorization must be in “plain language,” not be combined with any other type of authorization, and include specific terms and descriptions of the information sought and the proposed use or disclosure.

The FTC’s interest in the healthcare sector’s information security practices is less well known, however.  Many may be surprised by the FTC’s longstanding position that its broad power to regulate unfair and deceptive practices under Section 5 of the FTC Act includes overlapping jurisdiction with OCR concerning the privacy and security practices of HIPAA-regulated entities.

The FTC Act prohibits a contemplated use or disclosure of health information from being a “deceptive or unfair” act or practice.  Among other things, this means that individuals may not be “misled” about how their PHI may be used or disclosed.  The FTC therefore recommends that entities review all of their consumer-facing messaging to ensure it is free from any deceptive or misleading statements.  Moreover, the FTC explicitly cautions against burying key facts regarding use and disclosure of health information in links to a privacy policy, terms of use, or HIPAA authorizations.  It also warns against manipulating font sizes or colors online in a manner which would make disclosure statements deceptive.  Instead, it recommends that all disclosure statements be “clear and conspicuous” from a consumer’s perspective.

OCR and the FTC have a history of collaboration and joint enforcement in the security area.  In February 2009, OCR entered into a $2.25 million settlement agreement with CVS Pharmacy, Inc. (CVS) and required implementation of a detailed corrective action plan to ensure the proper disposal of PHI.  Simultaneously, in a separate but related agreement, CVS resolved FTC charges that it failed to implement reasonable and appropriate procedures for handling personal information about customers and employees, did not adequately train employees, did not use reasonable measures to assess compliance with its policies and procedures for disposing of personal information, and did not employ a reasonable process for discovering and remedying risks to personal information.

A year later, in July 2010, Rite Aid Corporation entered into a similar resolution agreement, paying $1 million to OCR and implementing a corrective plan of action while simultaneously settling an FTC complaint which alleged it failed to properly dispose of personal information, inadequately trained employees, did not sufficiently assess compliance with its disposal policies, and did not employ a reasonable process for discovering and remedying risks to personal information.

In addition, the FTC has not hesitated to bring enforcement actions on its own against healthcare entities.  Most notably, the FTC has doggedly pursued LabMD, a former clinical laboratory which no longer operates, for failure to protect patients’ sensitive personal information.  This resulted in a July 2016 unanimous opinion from the FTC which found LabMD’s security practices unreasonable, “lacking even basic precautions to protect the sensitive consumer information maintained on its computer system.”  A motion to stay the FTC’s enforcement order has recently been filed in the Eleventh Circuit by LabMD. See, LabMD, Inc. v. FTC, 11th Cir., No. 16-16270, motion to stay filed, Oct. 7, 2016.

It remains to be seen whether this recent joint statement from OCR and FTC foreshadows a more robust collaboration between the two agencies which builds on their efforts in the CVS and Rite Aid cases and expands into the HIPAA Privacy Rule area.  Even if that does not immediately occur, the FTC remains active in pursuing cases on its own, such as LabMD.  Whatever the outcome, businesses in the healthcare sector should remain sensitive to the FTC’s mandates, along with those from OCR.

HIPAA Enforcement At All-Time High So Far in 2016

Still with four months to go, 2016 has been a record-setting year for HIPAA enforcement by the U.S. Department of Health and Human Services Office for Civil Rights (OCR). Before September even begins, OCR has already levied over $20 million in fines resulting from its investigation of suspected HIPAA violations. This amount more than triples the $6.2 million in HIPAA penalties which it assessed for all of 2015. These enforcement actions included both the first-ever settlement of possible HIPAA violations by a Business Associate and the largest single fine of $5.5 million for suspected HIPAA violations.

In addition, OCR has recently begun an initiative to more widely investigate the root causes of breaches affecting fewer than 500 individuals. While Regional Offices will still retain discretion to prioritize which smaller breaches to investigate, each office will increase its efforts to identify and obtain corrective action to address entity and systemic noncompliance related to these breaches.  The factors that OCR’s Regional Offices will consider in this regard include:

  • The type and size of the breach, including the amount, nature, and sensitivity of the PHI involved;
  • Whether the breach involved theft or improper disposal of unencrypted PHI;
  • Breaches that involve unwanted intrusions to IT systems (for example, by hacking);
  • A particular covered entity or business associate’s breach history;
  • Lack of breach reports affecting fewer than 500 individuals when comparing a specific covered entity or business associate to like-situated covered entities and business associates.

This flurry of enforcement activity has occurred against the backdrop of “Phase 2” desk and onsite audits of approximately 200 – 250 covered entities and their business associates which will examine compliance with specific requirements of the Privacy, Security, or Breach Notification Rules. In particular, these audits will focus on the contents of Notices of Privacy Practices, individuals’ rights to access protected health information, risk analysis, risk management, and timeliness and content of breach notification. There will also be a limited number of comprehensive on-site audits. All audits are expected to be completed by December 31, 2016.

Even if not selected for an audit, covered entities and business associates would be well advised to review the Audit Protocol available through the HHS website, ensure their internal list of business associates is current, and review and, if necessary, update their risk analysis and risk management in light of recent developments, particularly the proliferation of ransomware attacks targeting the health industry.

OCR Issues HIPAA Guidance on Ransomware Threat to Health Care Industry

The U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) has published a HIPAA Fact Sheet outlining the multi-faceted threat which ransomware poses to the health care sector and providing insights into how this threat may affect HIPAA compliance.  In this publication, OCR states that a ransomware attack, even on encrypted devices, may result in a reportable breach of electronic Protected Health Information (“ePHI”).  In light of this, covered entities and business associates should consider revisions to their risk assessment plans specifically directed at countering ransomware attacks.

Ransomware is an increasingly rampant type of malware that encrypts data with a complex “key” known only to the hacker, making data, and possibly entire information systems such as EHRs or scheduling programs, inaccessible to authorized users. Once ransomware has taken hold, hackers demand a payment before providing the key required to decrypt the affected files.  Ransomware frequently infects devices and systems when unsuspecting users click on malicious website links or open infected email attachments.

OCR’s guidance states that ransomware infections of a computer system are a “security incident” under HIPAA. As a result, once ransomware is detected, the covered entity or business associate must initiate its HIPAA-mandated security incident response and reporting procedures.  In addition, it should also assess whether or not a “breach” has occurred.  As defined by HIPAA regulations, a breach occurs with “the acquisition, access, use, or disclosure of PHI in a manner not permitted under the [rules governing PHI] which compromises the security or privacy of the PHI.” Whether ransomware infections meet this definition is a fact-sensitive question.

According to OCR’s recent guidance, ransomware represents an unauthorized user’s attempt to encrypt the data, which amounts to an “acquisition,” and therefore impermissible disclosure, under HIPAA. At this point, a risk assessment is required to determine whether there is a “low probability” that a breach has occurred, taking into account the following factors:  (1) the nature and extent of ePHI involved; (2) the unauthorized person who used ePHI or to whom the disclosure was made; (3) whether the ePHI was actually acquired or viewed; and (4) the extent to which the risk to ePHI has been mitigated.  If a “low probability” of compromise cannot be demonstrated, then a breach has occurred and HIPAA’s Breach Notification Rule is triggered.

If encrypted data is involved, the question of whether or not a breach has occurred becomes more complicated and depends, in part, on the technical aspects of the particular encryption used. Because the Breach Notification Rule only applies to “unsecured PHI,” meaning PHI “that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary,” properly encrypted PHI, even if stolen, usually does not constitute a “breach.”  However, additional analysis is still required to ensure that the encryption solution, as implemented, is effective.  For example, a full disk encryption solution may render the data on a computer system’s hard drive unreadable, unusable and indecipherable to unauthorized persons while the computer system is powered down. However, once the system is operational, many full disk encryption solutions will transparently decrypt and encrypt files accessed by the user.  Thus, an authenticated user who accidentally infects the system with ransomware may cause a breach of ePHI.  Despite having encryption protection in place, therefore, sophisticated ransomware can result in a breach of ePHI which is reportable under HIPAA.

HIPAA already requires covered entities and business associates to implement security measures to prepare for, respond to, and recover from ransomware and other malware attacks. Some of these required security measures include: implementing a security management process, which includes conducting a risk analysis to identify threats and vulnerabilities to ePHI and implementing security measures to mitigate or remediate those identified risks; implementing procedures to guard against and detect malicious software; training users on malicious software protection so they can assist in detecting malicious software and know how to report such detections; and implementing access controls to limit access to ePHI to only those persons or software programs requiring access.

With respect to recovery from a ransomware infection, covered entities should maintain offline backups of data and conduct periodic test restorations to verify the integrity of backed-up data. HIPAA requires covered entities to have a data backup plan as well as security incident procedures.

An interagency U.S. Government report reveals that there have been 4,000 daily ransomware attacks since early 2016, a remarkable 300% increase from the same period last year. With health information systems containing vital information for daily operation as well as highly personal information about their patients, the health care sector has been a growing target of ransomware.  OCR’s new guidance recognizes this threat and clarifies the implications that it carries for covered entities and business associates.

Questions Regarding “Minimum Necessary,” Physical Controls, and Encryption Follow Insurer’s “Ongoing Search” for Six Hard Drives Containing PHI of 950,000 Individuals

A major health insurer announced an “ongoing comprehensive internal search” for six hard drives containing PHI, including the name, address, date of birth, social security number, member ID number and “health information,” of approximately 950,000 individuals who received laboratory services from 2009 through 2015. According to the announcement, the hard drives were used in an internal data project which analyzed laboratory results with the goal of improving health outcomes.

This incident raises two potential topics of interest under HIPAA. First, whether a data set containing fewer identifiers, or de-identified data, could have been used for this project.  If de-identified information had been used, the loss of the hard drives would be less damaging and possibly not a “breach” under HIPAA.  The post-breach risk assessment should attempt to answer this question and make policy recommendations that require a critical assessment of whether and to what extent PHI beyond the “minimum necessary” is required for future similar projects.

If it was necessary to use the complete data set of PHI contained on the lost hard drives, additional security precautions, such as enhanced physical security tracking measures and encryption, should have been considered and implemented.  Physical security tracking that restricted or linked the physical movement of the hard drives to a particular location or individual could be enhanced with a requirement that the location and custody of media containing PHI be periodically verified, especially if the PHI of nearly a million individuals is potentially in play.  Although there seems to have been some process along these lines in place in light of the “ongoing comprehensive internal search,” there is no indication of the last date on which the location of the hard drives can be verified.

In addition, the decision to apparently not encrypt the hard drives should also be examined.  Encryption remains an addressable implementation standard under HIPAA; it must therefore be implemented if, after a risk assessment, the entity has determined that the specification is a reasonable and appropriate safeguard in its risk management of the confidentiality, integrity and availability of ePHI. See, 45 CFR § 164.312(a)(2)(iv) and (e)(2)(ii).  If the entity decides that encryption, as an addressable implementation specification, is not reasonable and appropriate, it must document that determination and implement an equivalent alternative measure, presuming that the alternative is reasonable and appropriate. If the standard can otherwise be met, the covered entity may choose not to implement the implementation specification or any equivalent alternative measure and document the rationale for this decision.

With the relative ease and speed of modern encryption applications that are available across a variety of platforms, from smart phones and tablets, to flash drives and individual hard drives, to back-up media, not encrypting data, whether it is in use, in motion, or at rest, is becoming increasingly difficult to defend from a technical standpoint.

The unexplained disappearance of devices or storage media containing unencrypted PHI through inadvertence, malicious theft, or other physical loss remains a vexing problem for covered entities.  Two relatively simple strategies to avoid the serious harm that could result from such an occurrence are eliminating the use of PHI when possible, and implementing robust tracking and encryption protocols for those instances when PHI is truly necessary.

OCR Assesses Over $5 Million in HIPAA Penalties, Formally Announces Phase 2 Audits

Coming in like the proverbial March lion, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently announced two Resolution Agreements and penalties totaling over $5 million and the launch of its long-awaited 2016 Phase 2 HIPAA Audit Program.

Lack of Encryption and Other Failings Lead to Substantial HIPAA Fines

Both recently announced resolution agreements arise from familiar facts involving the theft of an unencrypted laptop computer containing electronic protected health information (ePHI) from a vehicle.

On March 17, 2016, OCR announced the $1.55 million settlement of potential HIPAA violations arising from the theft of an unencrypted, password-protected laptop containing the ePHI of 9,497 individuals from a business associate’s locked vehicle in September 2011. Upon investigation it was discovered that no business associate agreement existed between the covered entity and its business associate which was tasked with providing payment and health care operations activities and had access to almost 300,000 patients’ data. It was further determined that the covered entity had not performed a risk assessment as required by the Security Rule to address all potential risks and vulnerabilities to the ePHI which it maintained, accessed, or transmitted across its entire IT infrastructure. In addition to the $1.55 million fine, a two-year corrective action plan and workforce retraining are required under the settlement.

The next day, on March 17, 2016 OCR announced a near-record $3.9 million settlement resolving potential HIPAA violations with a research institute arising from a laptop computer stolen in September 2012 which contained the ePHI of approximately 13,000 patients and research participants. A subsequent investigation discovered that among other deficiencies, the institution had inadequate security practices, lacked policies and procedures regarding access to ePHI, failed to implement safeguards to restrict access to unauthorized users, and lacked policies and procedures to govern the receipt and removal of laptops that contained ePHI into and out of its facilities.

As we have previously noted on this blog, robust encryption is quickly becoming industry standard, and there are few reasons not to implement it for mobile devices such as laptops. Had the laptops been properly encrypted as part of a larger risk assessment and risk management plan, these losses would not have constituted reportable “breaches” for HIPAA purposes.

2016 Phase 2 HIPAA Audit Program Formally Launches

On March 21, 2016, OCR announced the formal beginning to the long-awaited 2016 Phase 2 HIPAA Audit Program (the “Phase 2 Audits”) through which it will review the policies and procedures adopted and employed by covered entities and their business associates to meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules.

As this blog previously reported, the Phase 2 Audits will primarily be “desk audits,” meaning that they will be conducted through information requests sent by OCR via email to selected covered entities and business associates, although a limited number of on-site audits will also be conducted.

The audit process will begin with verification of an entity’s address and contact information, followed by a pre-audit questionnaire to gather data about the size, type, and operations of potential auditees; this data will be used with other information to create potential audit subject pools. If no response is received by email, OCR will use publicly available information about the entity to create its audit subject pool. Thus, entities that do not respond to OCR emails may still be selected for an audit or be subject to a compliance review. Spam filters should be carefully reviewed to ensure that OCR communications are not inadvertently discarded.

OCR is expected to post updated audit protocols on its website which will reflect the 2013 enactment of the HIPAA Omnibus Rule. These can also be used by organizations to conduct their own internal self-audits as part of ongoing HIPAA compliance activities. More information about the 2016 Phase 2 Audits can be found on OCR’s website, including key information regarding audit selection criteria based on entity size, affiliations, type of entity, and geography and past enforcement history with OCR.

Audit selectees should keep in mind that information disclosed during the audit process may trigger a more thorough compliance review.