HIPAA, HITECH & HIT :: Fox Rothschild LLP

If your hospital is being raked over the coals in the media for alleged fraudulent billing, it’s understandable to want to set the record straight. However, releasing patient information without consent is not the wisest approach. 

California’s Shasta Regional Medical Center and its parent company Prime Healthcare Services have come under fire for aggressive Medicare billing practices, arising out of the unusual frequency of claims for a rare third-world malnutrition condition known as kwashiorkor, which they reported at a rate over 70 times the state average. The story was reported by the Center for Investigative Reporting’sCalifornia Watch, who quoted a patient and her daughter who came forward upon learning that she had been assigned this diagnosis during a hospital stay.  The patient signed a waiver allowing California Watch to review her hospital records, which indicated she was treated for kidney failure, but her doctors made no mention of kwashiorkor or malnutrition.  The kwashiorkor diagnosis resulted in an estimated $6,755 increase in the hospital’s Medicare DRG payment. 

Faced with embarrassing publicity, a lawsuit and potential federal and/or state regulatory action, Prime Healthcare went into damage control mode.  The Los Angeles Times reports that when the local newspaper, the Redding Record Searchlight, contacted Shasta Regional for comment prior to publishing California Watch’s allegations, the hospital’s CEO and Chief Medical Officer paid a visit to the paper’s editor with the patient’s chart, which they discussed with him in detail.  They also divulged information about her treatment to the LA Times reporter, who reports that the patient and her daughter never authorized these disclosures.            

The Times reports that the hospital CEO Randall Hempling defended his decision by stating: "As far as we're concerned, the patient gave that permission when she gave her records to California Watch and was quoted on the record. . . . That waived her privacy." 

As the Times accurately noted, a patient who discloses PHI to a media representative or any other recipient does not waive his or her rights to additional disclosures.  California Watch reports that the FBI is now looking into the unauthorized disclosure of the patient’s records along with the billing irregularities. 

Moral for covered entities: Resist the temptation to reveal patient information without proper authorization, even to defend your reputation in the face of disputed allegations. HIPAA protection is not like the attorney-client privilege which can easily be waived by a single disclosure -- patients still control their PHI and can choose to whom, and for what purpose, they disclose that information.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

The Order of Judge Richard Smoak in a recent Federal District Court case (Opis Management, LLC, et. al. v. Dudek, No. 4:11-cv-400/RS-WCS (N.D. Fla., Tallahassee Division)) (the “Opis Order”) reminds us of the attention that must be paid to the interaction and potential conflicts or dual applicability of state law with HIPAA compliance. While the Opis Order dealt with a relatively narrow issue that did not involve a data security breach, as will be hereinafter discussed, its focus highlights the broader concern about conflicts or dual law coverage involving  HIPAA and state law.

The Opis Order itself dealt with the concern of plaintiffs that compliance with a Florida law would violate federal law under HIPAA, and compliance with federal law under HIPAA would violate state law.As a result, plaintiffs argued that the Florida law was invalid. More specifically they argued that

Florida law requires nursing homes to “furnish to the spouse, guardian, surrogate, proxy, or attorney in fact . . . of a former resident . . . a copy of that resident’s records which are in the possession of the facility.” Further, the law provides that “copies of such records shall not be considered part of the deceased resident’s estate and may be made available prior to the administration of an estate, upon request, to the spouse, guardian, surrogate, proxy, or attorney in fact.” FLA. STAT. § 400.145 . . . Plaintiffs claim that their non-compliance is excusable because Section 400.145 is preempted by the Health Insurance Portability and Accountability Act of 1996 (“HIPPA”). They seek a declaratory judgment that Section 400.145 is invalid and injunctive relief prohibiting its enforcement. [For whatever reason, the Opus Order uses the definition “HIPPA” rather than the much more widely-used acronym “HIPAA.” Except in quotations taken directly from the OPIS Order, this posting will use the more prevalent “HIPAA.”] 

Under HIPAA, a more stringent state law preempts HIPAA as to a particular matter. HIPAA defines more stringent as meaning “with respect to a use or disclosure, the [state] law prohibits or restricts a use or disclosure in circumstances under which such use or disclosure otherwise would be permitted.” In granting plaintiff’s declaratory judgment petition, the Court found that, rather than being more stringent than HIPAA, Florida provision Section 400.145 actually afforded less protection of protected health information (“PHI”) than HIPAA.  The Opis Order concluded as follows:

Section 400.145 is preempted because it is contrary to HIPPA. It affords a patient far less protection than the heightened privacy requirements imposed by the federal requirement and is, therefore, not more stringent than HIPPA. For this reason, Section 400.145 “stands as an obstacle to the accomplishment and execution of the full purposes and objectives of [HIPPA].” 45 C.F.R. § 160.202.

The Opis Order serves as a case in point of the need to analyze state law whenever considering compliance issues involving HIPAA. However, the Opis Order is only one example of potential conflicts, overlapping or inconsistencies that can exist between HIPAA and state law relative to the same or similar subject matter. A proper analysis requires a comparison of HIPAA and state law definitions of terms, scope of applicability and procedural requirements. Moreover, it must be remembered that, to the extent a HIPAA item is not “contrary to” a state law provision, both HIPAA and state law provisions must be followed. For example, some areas where differences between HIPAA and state law may surface in connection with notification of security breaches include the following:

• To what persons does the law apply? - HIPAA applies to covered entities and business associates/state law may apply to different persons, e.g., all businesses and/or public entities.

• What type of information is covered? – HIPAA applies to PHI, a very broad range of information/state law may apply to more limited information primarily associated with potential identity theft, such as credit card numbers, social security numbers and dates of birth.

•  In what medium is the information contained? -  HIPAA covers PHI in electronic, paper and oral format/state law may only cover one or two of these formats.

• What constitutes a security breach? – HIPAA and state law may diverge greatly.

• In what cases, who, how and when must regulatory authorities be notified of a data security breach? – HIPAA and state law may have provisions that differ greatly and may conflict with each other, overlap or have dual applicability, while not conflicting.

In summary, while HIPAA requires careful compliance in the event of a security breach, state law provisions must also be considered and analyzed as well.

Happy New Year and thank you to each of our readers.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

The widely publicized pre-Christmas breach of confidential data held by Stratfor Global Intelligence Service (“Stratfor”), a company specializing in data security, reminded me that very little (if any) electronic information is truly secure. If Stratfor’s data can be hacked into, and the health information of nearly 5 million military health plan (TRICARE) members maintained by multi-billion dollar Department of Defense contractor Science Applications International Corporation (SAIC) (the subject of a five-part series of blog postings) can be accessed, can we trust that any electronically transmitted or stored information is really safe?  

I had the pleasure of having lunch with my friend Al yesterday, an IT guru who has worked in hospitals for years. Al understands and appreciates the need for privacy and security of information, and has the technological expertise to know where and how data can be hacked into or leaked out. Perhaps not surprisingly, Al does not do his banking on-line, and tries to avoid making on-line credit card purchases. 

Al and I discussed the proliferation of the use of iPhones and other mobile technology by physicians and staff in hospitals and other settings, a topic recently discussed in a newsletter published by the American Medical Association. Quick access to a patient’s electronic health record (EHR) is convenient and may even be life-saving in some circumstances, but use of these mobile devices creates additional portals for access to personal information that should be protected and secured. Encryption technology and, perhaps most significantly, use of this technology, barely keeps pace with the exponential rate at which we are creating and/or transmitting data electronically.  

On the other hand, trying to reverse the exponential growth of electronic communications and transactions would be futile and probably counter-productive. The horse is out of the gate, and expecting it to stop mid-stride and retreat back with a false-start call is irrational. The horse will race ahead just as surely as my daughter will text and check her Facebook page, my son will recharge his iPad, and I will turn around and head back to my office if I forget my iPhone. We want and need technology, but seem to forget or fail to fully understand the vast, unprotected and ever-expanding universe into which we send information when we use this technology. 

If we expect breaches or, at least, question our assumptions that personal information will be protected, perhaps we will get better at discerning how and when we disclose our personal information. An in-person conversation or transaction (for example, when Al goes to his bank in person or when a physician speaks directly to another physician about a patient’s care) is less likely to be accessed and used inappropriately than an electronic one. We can better assess the risks and benefits of communicating information electronically when we appreciate the security frailties inherent in electronic communication and storage. 

Perhaps Congress should take the lead in enacting laws that will help protect against data breaches that could compromise “critical infrastructure systems” (as proposed in the “PRECISE Act” introduced by Rep. Daniel E. Lungren (R-CA)), but more comprehensive, potentially expensive, and/or use-impeding cybersecurity laws might have the effect of tripping the racehorse mid-lap rather than controlling its pace or keeping it safely on course.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

 We all know how those year-end deadlines sneak up on us and how there never seems to be enough time to get everything done. Well, here’s some welcome news – The feds have decided to play Santa and give us a little more breathing room this season.

HIPAA 5010 Transition

CMS is transitioning its electronic transaction standards from Accredited Standards Committee (ASC) X12 version 4010A1 to ASC X12 version 5010. These standards regulate the transmission of certain health care transactions among covered entities including hospitals, physician practices, health plans and clearinghouses. Although this description may sound like impenetrable technobabble, CMS considers  the upgrade necessary to increase transaction uniformity, support pay-for-performance methods and streamline reimbursement transactions, particularly with the coming exponential expansion of diagnosis codes under ICD-10.  CMS summarizes the improvements as follows:

“Version 5010 of the HIPAA standards includes improvements in structural, front matter, technical, and data content (such as improved eligibility responses and better search options). It is more specific in requiring the data that is needed, collected, and transmitted in a transaction (such as tightened, clear situational rules, and in misunderstood areas such as corrections and reversals, refund processing, and recoupments). Further, the new claims transaction standard contains significant improvements for the reporting of clinical data, enabling the reporting of ICD–10–CM diagnosis codes and ICD–10–PCS procedure codes, and distinguishes between principal diagnosis, admitting diagnosis, external cause of injury and patient reason for visit codes. These distinctions will improve the understanding of clinical data and enable better monitoring of mortality rates for certain illnesses, outcomes for specific treatment options, and hospital length of stay for certain conditions, as well as the clinical reasons for why the patient sought hospital care.

Finally, Version 5010 also addresses a variety of currently unmet business needs, including an indicator on institutional claims for conditions that were “present on admission,” and accommodating the use of the ICD-10 code sets, which are not supported by Version 4010/4010A1.”

Level I Compliance was required by December 31, 2010, meaning that a covered entity can demonstrably create and receive compliant transactions, resulting from the compliance of all design/build activities and internal testing. Level II Compliance is due by: December 31, 2011, and all covered entities must be fully compliant on January 1, 2012. Level II compliance means that a covered entity has completed end-to-end testing with each of its trading partners, and is able to operate in production mode with the new versions of the standards.  

In a notice posted on December 14 on Medicare Learning Network as MLN Matters® Number: SE1137, CMS' Office of E-Health Standards and Services (OESS) announced that it would not initiate enforcement with respect to any HIPAA covered entity that is not in compliance on January 1, 2012 with the Version 5010 standards until March 31, 2012. Importantly, this is only a 90-day delay on the enforcement of the transition, including fines. Claims not submitted under the 5010 standards on or after January 1, 2012 may not be paid, unless CMS has accepted a transition plan. Modern Healthcare reports that most physician practices are relying on their clearinghouses to convert claims into the new format, or assuming that an updgrade in software will meet all the new standards.

If you don’t know your practice’s status regarding 5010 compliance, contact your clearinghouse or practice management system vendor as soon as possible to avoid an unanticipated interruption in your revenue stream.

Extension of HITECH Meaningful Use Stage 2 Deadline

Physicians who met the Stage 1 Meaningful Use criteria to qualify for the HITECH Act’s subsidies in 2011 will get another year to meet the Stage 2 criteria, according to a HHS notice . Under the current requirements, eligible doctors and hospitals that begin participating in the Medicare EHR (electronic health record) Incentive Programs this year would have to meet new standards for the program in 2013. If they did not participate in the program until 2012, they could wait to meet these new standards until 2014 and still be eligible for the same incentive payment. To encourage faster adoption, HHS Secretary Sebilius announced that HHS intends to allow eligible providers to adopt health IT in 2011, without meeting the new standards until 2014. The final Stage 2 meaningful use criteria will appear in a Notice of Proposed Rulemaking scheduled to be published in February 2012.

The HHS press release also linked to a CDC survey that indicated that physician use of electronic records had doubled in the past two years. The reprt shows that in 2011, 57% of office-based physicians used EMR/EHR systems, ranging from 40% in Louisiana to 84% in North Dakota. Over half intended to apply for the HITECH incentives. In Pennsylvania, CDC reports that  50% of office-based practice use some EHR, and that 47.5% planned to apply for HITECH funds.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Five members of Congress (two Republicans and three Democrats) representing districts from far-flung states (Colorado, Florida, Massachusetts, New Jersey and Texas) are co-signers of a bipartisan letter dated December 2, 2011 (the “December 2 Letter”), addressed to the Director of the TRICARE Management Authority. The December 2 Letter was written to express the Congress members’ “deep concerns about a major breach of personally identifiable and protected health information” by TRICARE contractor Science Applications International Corporation (SAIC).” 

Michael Kline and I have previously blogged about the SAIC PHI breach in four previous postings on this blog series, the most recent posting of which was on November 9, 2011, shortly after TRICARE did an about-face and announced that it was directing SAIC to offer the 4.9 million affected individuals credit monitoring services and assistance.

The December 2 Letter requests “timely and thorough responses” by no later than February 2, 2012 to seventeen startlingly direct and often blame-loaded questions. The questions make it very clear that the authors believe SAIC (and/or TRICARE) should have done more to prevent the SAIC breach and should be doing more to protect affected individuals. Question 9 notes that SAIC offered to provide “victims” (note the word choice) credit monitoring services for a year, but goes on to point out that “such services are useless in protecting against medical identity theft and fraudulent health insurance claims.” It then asks whether victims will also be provided with “newly available medical identity theft monitoring,” and, if not, to explain why such monitoring would not be provided.

The December 2 Letter closes with a brief and scathing chronology of recent SAIC misconduct, after noting that “SAIC has received more than $20 billion in federal contracts over the previous three fiscal years,” and asks: “Why does [TRICARE] continue to contract with SAIC for its data handling and IT needs despite these major performance problems?”

The members of Congress who authored the December 2 Letter hail from both sides of the aisle and from various parts of the country, but a common link seems to be a strong interest in information privacy and security. For example, Edward Markey (D-Mass) and Joe Barton (R-Texas) co-chair the Bi-Partisan Privacy Caucus and recently focused on Facebook privacy issues.    Cliff Stearns (R-Florida) introduced an online privacy bill last spring. Diana DeGette (D-Colorado) has commented publicly on the importance of online privacy. 

While Rob Andrews (D-New Jersey) has no apparent recent history with respect to information privacy and security, he was the sponsor in 2003 of a bill, which was not ultimately enacted, designed to afford students and parents with private civil remedies for the violation of their privacy rights under the General Education Provisions Act. Moreover, in his continuing role as a member of the House Committee on Armed Services and its Subcommittee on Oversight and Investigation, he has a deep interest and abiding concern regarding large scale threats to the privacy and security of protected health information of millions of service individuals and their families.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

This blog series has been following breaches of Protected Health Information (“PHI”) that have been reported on the list (the “HHS List”) posted by the U.S. Department of Health and Human Services (“HHS”) that reports breaches of unsecured PHI affecting 500 or more individuals (the “List Breaches”). Four months ago a blog posting in this series did some analysis as to the extent to which such List Breaches are being reported by covered entities (“CEs”) as attributable to events involving business associates (“BAs”). 

A December 2, 2011 article in MedPage Today by Cole Petrochko reported on a survey conducted by the Ponemon Institute (the “Survey”) that was conducted based on "interviews with senior-level staff at 72 healthcare organizations regarding data loss and theft experiences at their facilities. Sites included parent holding companies of healthcare organizations, parts of a healthcare network, and individual hospitals or clinics."

This interesting Survey acknowledged that it had a number of limiting factors, including self-reporting from only 14% of the organizations, mostly larger-sized groups, that were contacted by the Ponemon Institute to participate in the interview process. It is therefore likely that data derived from the HHS List is more reliable in light of the adverse consequences and penalties that can be incurred by a CE from inaccurately reporting in writing to HHS. Nonetheless, according to the Survey, "two out of five respondents (41%) blamed data breaches on employee negligence -- not following data-handling procedures, sloppy mistakes, and using unsecure electronic devices -- and 49% reported lost or stolen devices. Third-party errors were responsible for 46% of breaches."  [Emphasis supplied.]

It is not clear that the incidents involving “third-party errors” in the Survey are coincident with events that would have been reportable as involving BAs had they been on the HHS List. Moreover, the Survey covered institutional healthcare providers only and not other types of CEs such as insurers, government agencies and individual physicians and physician practice groups. However, the Survey results as to third party errors mirror to some extent the proportion of reported BA involvement with respect to the largest of the List Breaches on the HHS List as of December 2, 2011. 

As of that date, only 83 of the total of 372 List Breaches (22.3%) reportedly involved BAs of the reporting CEs.

This overall amount is far lower than the 46% of breaches that was attributable to third-party errors in the Survey. However, further analysis of the HHS List as of December 2, 2011 reveals the following information that more closely parallels the Survey at higher numbers of involved individuals:

•   3 of the 6 List Breaches (50%) that affected 1,000,000 or more individuals reportedly involved BAs of the reporting CEs.

•   13 of the 29 List Breaches (44.8%) that affected between 30,000 and 999,999 individuals reportedly involved BAs of the reporting CEs.

•   14 of the 47 List Breaches (29.8%) that affected between 10,000 and 29,999 individuals reportedly involved BAs of the reporting CEs.

•   53 of the 290 List Breaches (18.3%) that affected between 500 and 9,999 individuals reportedly involved BAs of the reporting CEs.

While the foregoing review is only a snapshot of the HHS List as of a given date, the review would indicate that, as the size of a List Breach increases, it is more likely that involvement of a BA will be reported. However, the overwhelming proportion of List Breaches (77.7%) on the HHS List that affected fewer than 10,000 individuals have reported no involvement of a BA. 

More data will be required before the impact of BA involvement in smaller and larger List Breaches becomes clearer.  However, there are indications that the larger the List Breach that is reported by a CE, the greater the likelihood that it will involve an alleged BA.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

 Contributed by David Restaino, Esq.

 Last month a posting was made on this blog series regarding action being taken by the Office for Civil Rights (“OCR”) of the U.S. Department of Health and Human Services (“HHS”) relating to the fact that government audits for HIPAA compliance with privacy and security standards are finally beginning.  In this regard, OCR recently released a “sample” letter (the “Sample Letter”) that will be used as the template for the actual letters that OCR will issue to those covered entities that are selected for audit in 2012.  As OCR noted in the Sample Letter, recipients of actual letters will find that the audit process will begin within 30 to 90 calendar days from the date of the letter. 

OCR has hired KPMG LLP (“KPMG”), one of the “Big Four” certified public accounting firms, to conduct the audits in accordance with government auditing standards.  OCR's release of the Sample Letter likely represents its way of communicating to all regulated facilities that KPMG's actions will have the same force and effect as actions by OCR itself.  As a result, when KPMG requests detailed information at the beginning of and during the audit process, the covered entity under audit should assume that the KPMG request carries with it the full weight of the United States government. 

Release of the Sample Letter can also be viewed as OCR's effort to prepare the regulated community for the seriousness of the upcoming audits.  Perhaps more importantly, recipients of actual letters should use the 30 to 90 calendar day period to get prepared -- although facilities would be well advised to take appropriate steps to ensure compliance now rather than risk the adverse results that can occur from last-minute efforts to organize for an audit.  Those facilities that are unprepared will have a difficult time getting ready if KPMG comes knocking. 

(David Restaino, a partner at Fox Rothschild LLP in its Princeton, NJ office, has more than 20 years of experience representing clients in regulatory compliance and complex commercial litigation matters, including environmental and health care disputes, before multiple federal and state courts and agencies.)

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Contributed by David Restaino, Esq.

Those entities subject to both the HIPAA privacy and security rules should pay close attention to recent action taken by the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”), which will increase the frequency and depth of government audits for HIPAA/HITECH compliance over the next year. This initiative may be in direct response to some critics that OCR was not doing sufficient monitoring of compliance with HIPAA/HITECH.

Preliminary Audit Procedures. Specifically, OCR awarded a contract worth over $9 million to KPMG, LLP for administration of the audits, which will begin shortly. The audits are required by the American Recovery and Reinvestment Act of 2009 (ARRA), which states at Section 13411, “The Secretary shall provide for periodic audits to ensure that covered entities and business associates that are subject to the requirements … comply with such requirements.”   Details are sketchy regarding the process to identify the entities that will be audited. However, this much is known:

● The first step will be creation of audit protocols, followed by an undertaking of the actual audits.

● OCR will base its decision to audit upon risk.

● Audits will not be based upon complaints or actual reported privacy or security breaches. 

● KPMG will assist OCR in establishing the program to audit covered entities and business associates, and their compliance with the privacy and security rules.

● HHS staff will guide KPMG’s conduct during the audits.

● The audits will include site visits, interviews with leadership, documentation, an examination of operations, and an assessment of the consistency with which process is married to policy.

● Each audit will be followed by a report that will, among other things, address compliance efforts and corrective actions taken. 

Who Will Be Audited?  HHS reports that every covered entity and business associate is eligible to be audited. The initial round of recipients is expected to provide a broad assessment of a complex and diverse health care industry. Thus, the audit process is designed to have OCR audit as wide a range of types and sizes of covered entities as possible; covered individual and organizational providers of health services, health plans of all sizes and functions, and health care clearinghouses may all be considered. OCR has also made it explicitly clear that covered entities must fully cooperate with the auditors – as obligated under the HIPAA “enforcement rule.” Finally, HHS reports that business associates will be included in future audits.

What can covered entities do now to be ready? For starters, they can make sure that all policies and procedures are in place now. For example, the HHS website states that covered entities will have only ten (10) days to produce documents; this is not much time if policies and procedures are not already in good order. 

Based on the above, the best way to get prepared is to make sure that compliance protocols are in place, and being followed, today. Stated differently, all covered entities and business associates should assess their compliance efforts, ensure that timely corrective actions are taken when necessary, and remain on their guard.  Documentation of the proactive assessment and corrective measures should also assist in demonstrating that the compliance efforts are effective.

(David Restaino, a partner at Fox Rothschild LLP in its Princeton, NJ office, has more than 20 years of experience representing clients in regulatory compliance and complex commercial litigation matters, including environmental and health care disputes, before multiple federal and state courts and agencies.)

• Email This
• Print
• Comments
• Trackbacks
• Share Link

By: Elizabeth Litten and Michael Kline

[Capitalized terms not otherwise defined in this Part 4 shall have the meanings assigned to them in Part 3 or earlier Parts.]

As reported in Part 3 of this blog series, Tricare and SAIC did not initially offer credit monitoring services to patients affected by the 2011 Breach made public on September 29, 2011, due to what was then judged to be the low “risk of harm” to those affected.  The Public Statement specifically answered the question “Will credit monitoring and restoration services be provided to protect affected individuals against possible identity theft?” as follows:

No.  The risk of harm to patients is judged to be low despite the data elements involved. Retrieving the data on the tapes would require knowledge of and access to specific hardware and software and knowledge of the system and data structure. To date, we have no conclusive evidence that indicates beneficiaries are at risk of identify theft, but all are encouraged to monitor their credit and place a free fraud alert of their credit for a period of 90 days using the Federal Trade Commission (FTC) web site.  

Now, less than 6 weeks later, Tricare has directed SAIC to provide one year of credit monitoring and restoration services to patients “who express concern about their credit” as a result of the 2011 Breach.  In a press release issued by the DoD on November 4, 2011, entitled "Proactive Response to Recent Data Breach Announced" (the “DoD Press Release”), Tricare Management Activity's deputy director explains,

These additional proactive security measures exceed the industry standard to protect against the risk of identity theft.  We take very seriously our responsibility to offer patients peace of mind that their credit and quality of life will be unaffected by this breach.  

It is unclear that the new security measure exceeds the “industry standard,” as evidenced by numerous past postings respecting PHI security breaches in this blog series. In some cases as long as two years of credit monitoring was offered to affected individuals. However, given the assurances in the Public Statement to the “approximately 4.9 million patients treated at military hospitals and clinics during the past 20 years” that the risk of harm was low and there was no conclusive evidence that patients were at risk of identity theft, one can speculate as to whether Tricare’s abrupt about-face relates to new evidence, a revised judgment as to the risk of harm to affected patients and/or simply an abundance of caution as to its own exposure to risk. 

Then again, Tricare's new position could have less to do with new concerns related to patient identity theft risk, and more to do with a “proactive response” or even a preemptive strike by Tricare and DoD to combat certain of the allegations in the putative class action lawsuit filed against them  in the U.S. District Court for the District of Columbia on October 11, 2011 (Gaffney v. Tricare Management Activity, et. al., Case No. 1:2011cv01800) (the “Class Action Complaint”).  Each of Virginia Gaffney and Adrienne Taylor, two of the plaintiffs named in the Class Action Complaint, has alleged that she had “incurred an economic loss as a result of having to purchase a credit monitoring service to alert her to potential misappropriation of her identity.” 

By offering the credit monitoring services to all of the 4.9 million affected individuals, Tricare and DoD may be endeavoring to render moot or at least mitigate the risk from those allegations in the Class Action Complaint. [Note: The recent posting of the 2011 Breach in the HHS List, which did not provide any information beyond that reflected in the Public Statement, earlier reported “5,117,799” as the approximate number of individuals affected, but the current number reported is “4,901,432.”]

The Class Action Complaint seeks judgment against Tricare and DoD for damages in an amount of $1,000 for each affected individual.  Perhaps Tricare and DoD did the quick math and realized that the cost of credit monitoring and restoration for a subset (those “expressing concern”) of the roughly 4.9 million affected patients would be far less than the almost $5 billion aggregate damages award sought in the Class Action Complaint.  Tricare may have reversed its stance as a result of this “risk of harm” analysis, and not because of new information or a revised evaluation related to a heightened risk of harm to affected individuals.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

By Michael Kline and Elizabeth Litten

[Capitalized terms not otherwise defined in this Part 3 shall have the meanings assigned to them in Parts 1 and 2.]

The Public Statement reports that SAIC and Tricare are cooperating in the notification process but that no credit monitoring or restoration services will be provided in light of the “low risk of harm.” This was in contrast to the decision of Nemours in the Nemours Report to provide such services.

Since the release by SAIC of the Public Statement, Law 360 has reported that

(i)   According to Tricare, SAIC was “on the hook for the cost of notifying nearly 5 million program beneficiaries that computer tapes containing their personal data had been stolen”;

(ii)  A putative class action lawsuit was filed against Tricare and DoD (but not SAIC) respecting the 2011 Breach; and

(iii) Another putative class action lawsuit was filed against SAIC (but not Tricare and DoD) respecting the 2011 Breach. 

Further review of SAIC and its incidents regarding PHI reveals that the 2011 Breach was not the first such event for SAIC. However, it appears to the first such breach since the adoption of the Breach Notification Rule in August of 2009.

On July 21, 2007 The Washington Post reported that SAIC had acknowledged the previous day that “some of its employees sent unencrypted data -- such as medical appointments, treatments and diagnoses -- across the Internet” that related to 867,000 U.S. service members and their families. The Post article continues:

So far, there is no evidence that personal data have been compromised, but ‘the possibility cannot be ruled out,’ SAIC said in a press release. The firm has fixed the security breach, the release said.

Embedded later in the Post article is the following: 

The [2007] disclosure comes less than two years after a break-in at SAIC's headquarters that put Social Security numbers and other personal information about tens of thousands of employees at risk. Among those affected were former SAIC executive David A. Kay, who was the chief U.N. weapons inspector in Iraq, and a former director who was a top CIA official.

It is not clear whether the earlier 2005 breach reported in the Post involved PHI or other personal information.

On January 20, 2009, SPAMfighter reported that SAIC had informed the Attorney General of New Hampshire of a data breach that had occurred involving malware. The SPAMfighter report continues that SAIC wrote a letter to many affected users to inform them about the potential compromise of personal information.  (A portion of such personal information would have been deemed PHI had it been part of health-related material.)

The SPAMfighter report also discloses the following:

Furthermore, the current [2009] breach at SAIC is not the only one. There was one other last year (2008), when keylogging software managed to bypass SAIC's malware detection system. That breach had exposed mainly business account information.

As of the date of this blog post, the “News Releases” section on the SAIC Web site has no reference to the 2011 Breach. Nor does the “SEC Filings” section under “Investor Relations” on the SAIC Web site indicate any recent SEC filing that discloses the 2011 Breach. 

Coincidentally, the SEC issued a release on October 13, 2011 containing guidelines for public companies regarding disclosure obligations relating to cybersecurity risks and cyber incidents. In the context of SAIC, an $11 billion company, while the actual costs of notification and remediation of the 2011 Breach may run into millions of dollars, the 2011 Breach may not be deemed a “material” reportable event for SEC purposes by its management.

It is likely that much more will be heard in the future about the mammoth 2011 Breach and its aftermath that may give covered entities and their business associates valuable information and guidance to consider in identifying and confronting a future large PHI security breach. The 2011 Breach has not even yet appeared on the HHS List. The regulatory barriers preventing private actions under HIPAA/HITECH may be tested by the putative class action lawsuits. It will also be interesting to see whether the cooperation of SAIC with Tricare and DoD may wither in the face of the pressures of the lawsuits and potential controversy regarding the decision of SAIC not to provide credit monitoring and identity theft protection to affected individuals.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

By Elizabeth Litten and Michael Kline

[Capitalized terms not otherwise defined in this Part 2 shall have the meanings assigned to them in Part 1.]

In an October 3, 2011 Securities and Exchange Commission (“SEC”) filing posted on its Web site, SAIC described itself as

a FORTUNE 500^® scientific, engineering, and technology applications company that uses its deep domain knowledge to solve problems of vital importance to the nation and the world, in national security, energy and the environment, critical infrastructure, and health. The company’s approximately 41,000 employees serve customers in the U.S. Department of Defense, the intelligence community, the U.S. Department of Homeland Security, other U.S. Government civil agencies and selected commercial markets. Headquartered in McLean, Va., SAIC had annual revenues of approximately $11 billion for its fiscal year ended January 31, 2011.

The SAIC PHI breach, which potentially affected nearly 5 million individuals, was reported despite the fact that the PHI was contained on backup tapes used by the military health system, and despite, as explained in the Public Statement: 

The risk of harm to patients is judged to be low despite the data elements involved since retrieving the data on the tapes would require knowledge of and access to specific hardware and software and knowledge of the system and data structure…  [Q and A] Q. Can just anyone access this data? A. No. Retrieving the data on the tapes requires knowledge of and access to specific hardware and software and knowledge of the system and data structure.

The Public Statement goes on to say the following in another answer:

After careful deliberation, we have decided that we will notify all affected beneficiaries. We did not come to this decision lightly. We used a standard matrix to determine the level of risk that is associated with the loss of these tapes. Reading the tapes takes special machinery. Moreover, it takes a highly skilled individual to interpret the data on the tapes. Since we do not believe the tapes were taken with malicious intent, we believe the risk to beneficiaries is low. Nevertheless, the tapes are missing and given the totality of the circumstances, we determined that individual notification was required in accordance with DoD guidance. [Emphasis supplied.]

The lynchpin of SAIC’s final decision to notify all of the potentially affected individuals appeared to be the DoD guidance. In SAIC’s position as an $11 billion contractor that is heavily dependent on DoD and other U.S. government contracts as described above, it would appear that SAIC may not have had many practical alternatives but to notify beneficiaries.

SAIC conducted “careful deliberation” before reaching its result and indicated that the risk of breach was “low.” Had the DoD guidance not been a factor and had SAIC concluded that the case was one where an unlocked file or unencrypted data was discovered to exist, but it appeared that no one had opened such file or viewed such data, would SAIC’s conclusion have been the same? Would SAIC have come to the same conclusion as Nemours and decided to report? 

What is clear is that the breach notice determination should involve a careful risk and impact analysis, as SAIC asserts that it performed. Even the most deafening sound created by a tree crashing in the forest is unlikely to affect the ears of the airplane passengers flying overhead. Piping that sound into the airplane, though, is very likely to disgruntle (or even unduly panic) the passengers. 

[To be continued in Part 3]

• Email This
• Print
• Comments
• Trackbacks
• Share Link

By Elizabeth Litten and Michael Kline

A recent public statement (the “Public Statement”) was published regarding a breach (the “2011 Breach”) of protected health information (“PHI”) of nearly 5 million military clinic and hospital patients that involved Science Applications International Corporation (SAI-NYSE) (“SAIC”). The 2011 Breach occurred in SAIC’s apparent role as a business associate and/or subcontractor for Tricare Management Activity, a component of Tricare, the military health plan (collectively, “Tricare”) for active duty service members of the U.S. Department of Defense (“DoD”). 

According to the Public Statement the PHI “may include Social Security numbers, addresses and phone numbers, and some personal health data such as clinical notes, laboratory tests and prescriptions.” However, the Public Statement says that there is no financial data, such as credit card or bank account information, on the backup tapes.

The 2011 Breach is the largest single PHI security breach reported to date. The 2011 Breach highlights the decision-making process that covered entities and business associates should employ with respect to notifying the Department of Health and Human Services (“HHS”), other regulators and potentially affected individuals of a PHI breach.

The published “interim final rule” governing “Breach Notification for Unsecured Protected Health Information” (the “Breach Notification Rule”)  defines “breach” as “the acquisition, access, use or disclosure of protected health information [“PHI”] in a manner not permitted under subpart E of this part which compromises the security or privacy of the protected health information.” It further explains that “compromises the security or privacy of the protected health information means poses a significant risk of financial, reputational, or other harm to the individual.”  The Breach Notification Rule also defines the term “access” for purposes of the interim final rule as “the ability or the means necessary to read, write, modify, or communicate data/information or otherwise use any system resource.”

These definitions, reviewed in the context of several recent PHI breaches (including those “marchers in the parade” previously discussed on this blog), raise an important issue: at what point does “access” matter?   When is the mere “ability” to read PHI, without evidence that the PHI was actually read or was likely to have been read, enough to trigger the notice requirement under the Breach Notification Rule? Will covered entities provide notice out of an abundance of caution to report every unlocked or unencrypted data file, possibly flooding the HHS website that lists large PHI breaches (the “HHS List”) with potential breaches that have minimal or no likelihood of access and unduly alarming notified individuals? Could such reporting have the unintended effect of diluting the impact of reports involving actual theft and snooping?  

In this regard, an event reported on the Nemours Web site on October 7, 2011 (the “Nemours Report”), about a PHI security breach involving approximately 1.9 million individuals at a Nemours facility in Wilmington, DE is relevant. The Nemours Report stated that three unencrypted computer backup tapes containing patient billing and employee payroll were missing. The tapes reportedly were stored in a locked cabinet following a computer systems conversion completed in 2004. The tapes and locked cabinet were reported missing on September 8, 2011 and are believed to have been removed on or about August 10, 2011 during a facility remodeling project. 

Significantly, the Nemours Report stated the following:

There is no indication that the tapes were stolen or that any of the information on them has been accessed or misused. Independent security experts retained by Nemours determined that highly specialized equipment and specific technical knowledge would be necessary to access the information stored on these backup tapes. There are no medical records on the tapes.

The Nemours Report reveals that, in spite of the low likelihood of access, it not only disclosed the breach but was offering free credit monitoring, identify theft protection, and call center support to affected individuals. 

If the analysis as to whether access “poses a significant risk of … harm” takes into account the likelihood that PHI was actually accessed, rather than simply whether a theoretical “ability or means” to read, write, modify, or communicate PHI existed at some point in time, perhaps the “possible breach” floodgates will not burst open unnecessarily.  

[To be continued in Part 2]

• Email This
• Print
• Comments
• Trackbacks
• Share Link

 By Elizabeth Litten and Michael Kline

What was the highlight of the Macy’s® Thanksgiving Day parade when we were kids? The Snoopy® float (shown below) was probably right up there, along with the Sesame Street® and Disney® floats. Spectators of the Protected Health Information (“PHI”) Breach Parade (and of the “silent brigade” of Business Associate breaches, discussed in this blog series on August 1, 2011) will be awed by the sight of the recent, somewhat bizarre, Business Associate (“BA”) breach involving Stanford Hospital’s emergency room data, as reported in the New York Times by Kevin Sack on September 8, 2011. The PHI of 20,000 emergency room patients seen in the Palo Alto, CA hospital reportedly somehow made its way from the hospital’s BA, Multi-Specialty Collection Services, to a public website used by students. The publicly-posted information included names and diagnoses for patients who visited the emergency room during a 6 month period in 2009.

This PHI breach stands out for a couple of unusual aspects. First, the data was allegedly made publicly accessible in September of 2010 as a spreadsheet attached to a document on the Web site “Student of Fortune,” a site describing itself as “Your source for easy online homework help!” As reported in the Sack article: “Gary Migdol, a spokesman for Stanford Hospital and Clinics, said that the spreadsheet first appeared on the site on Sept. 9, 2010, as an attachment to a question about how to convert the data into a bar graph."  The PHI breach was purportedly discovered on August 22, 2011 by a Stanford Hospital patient and reported to the hospital. The fact that nearly a year had lapsed from the time of the breach to its reported discovery suggests that the PHI was

(i)   not recognized as “real” by viewers,

(ii)  not thought by viewers to be worth noting or reporting, and/or

(iii) not actually viewed by anyone during the year it was accessible to students seeking bar graph tutorial. 

Nonetheless, the volume of patients affected, the sensitivity of the PHI data (more on that in a minute), the apparent lack of sufficient care by the BA, and the surprising nonchalance of whoever posted the PHI to be sifted and sorted by “Students of Fortune” accessing a publicly available Web site combine to make an attention-grabbing PHI breach event (the Snoopy float). 

Also reported on a New York Times blog site by Nick Bilton on September 8, 2011, Senator Richard Blumenthal (D-CT) introduced a bill, the Personal Data Protection and Breach Accountability Act of 2011, that, if passed, would impose strict storage and protection requirements for companies that store online data for more than 10,000 people. (Senator Blumenthal was previously highlighted in several postings in this blog series for his groundbreaking activities as Attorney General of Connecticut in investigations and enforcement actions against entities involved in PHI security breaches.)

While “Student of Fortune” was certainly not “storing” the emergency room PHI, the bill would likely affect BAs such as Multi-Specialty Collection Services. To the extent the Blumenthal bill imposes new or additional privacy and security provisions, Covered Entities and BAs handling large amounts of PHI would be subject to these provisions in addition to existing HIPAA/HITECH and state law requirements.

Back to the Snoopy float – the Stanford Hospital PHI breach (and the manner in which it was reported in the Sack article) stands out for a number of ironies. A large amounts of sensitive PHI was accessible to the public, but obscurely so (only to Students of Fortune using a particular learning tool and astute enough to recognize, or care about, the sensitivity of the information). If the Stanford Hospital patient had not noticed and reported the PHI breach, would the breach have ever been noticed? Would any patient have been harmed? (If a tree falls in the forest when no one is present, does it make a sound?) 

Even more ironic is the fact that one affected patient may actually have been harmed as a result of the breach reporting, rather than from the breach itself. The Sack article quotes (by name) a patient’s mother who “intercepted” the breach notice mailed from Stanford Hospital to her 21-year-old son (leaving the reader to wonder why Mom is opening her adult son’s mail and whether she was authorized to access his PHI). Mom is quoted as stating (i) that her son received psychiatric treatment at Stanford in 2009 and (ii) “My son, I can tell you [Kevin Sack], is fragile and confused enough that this would have sent him over the edge."  One can only hope that the disclosure of his "fragile" state in a national newspaper will not have a similar effect.  Perhaps, in this post-Facebook and Twitter age, we could all use reminders about what kind of information is private and sensitive, when we should report breaches of it, and with whom we should share it.  The Snoopy float is a good reminder.    

A final irony is that Michael Mucha, the Stanford Hospital Chief Information Security Officer at the time of the Stanford PHI breach, has written extensively and has been widely-quoted regarding information security. He has been quoted as saying, “The biggest thing we [Stanford Hospital] focus on with all of this is control of the data.” Unfortunately the Snoopy float PHI breach belies the level of control of the data that can be exercised by Stanford and other Covered Entities, even with safeguards in place.

This story will undoubtedly have further developments. It will be especially interesting to see what statement, if any, Stanford provides to the U.S. Department of Health and Human Services (“HHS”) about its PHI breach for posting on the HHS list of reported large breaches of unsecured PHI affecting 500 or more individuals.

[Capitalized items that have ® after their names may be registered trademarks of other entities as to which no claim is made.]

From Heather Cross, About.com Guide 

 The Snoopy Balloon floats along Central Park West in the 2000 Thanksgiving Day Parade.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Postings on this blog series have been following the continuing flow of large security and privacy breaches of Protected Health Information (“PHI”) that has been reported on the U.S. Department of Health and Human Services (“HHS”) Web site. A recent posting highlighted an area that has received relatively little media attention respecting the HHS list (the “HHS List”) of reported large breaches of unsecured PHI affecting 500 or more individuals (“Large Breaches”) - the extent to which such Large Breaches are stated to be attributable to events involving business associates (“BAs”) of the reporting covered entities (“CEs”). Some Large Breaches involving BAs will be reviewed in this and future postings.

The HHS List reveals that Ohio Health Plans (“OHP”), the public health care program overseen by the Ohio Department of Jobs and Family Services, reported as a CE that a Large Breach on June 3, 2011 involving 78,042 individuals had resulted from the theft of a laptop (the “OHP Breach”). The HHS List states that “Area Agency on Aging, Ohio District 5” was a “Business Associate Involved.” Unlike some other disclosures respecting Large Breaches reported on the HHS List, no further information is available on the HHS List for the OHP Breach.

A June 20, 2011 report of the OHP Breach in CrawfordCountyNow.com (the “Internet Report”) indicates that the correct corporate name of the affected BA is Ohio District 5 Area Agency on Aging, Inc. (the “Agency”). The Internet Report states:

A laptop computer assigned to a PASSPORT case manager with the Ohio District 5 (Mansfield) Area Agency on Aging, Inc. containing consumer’s personal health information was stolen from a vehicle on June 3. The computer contained personal health information of up to 43,000 consumers and the personal contact information of up to 35,000 related clients’ personal representatives.

The Internet Report quotes an apology from the CEO of the Agency, Duana Patton, and describes steps that the Agency was taking to mitigate the loss to affected individuals, including access to credit protection services and an 800 number to answer questions. Nowhere in the Internet Report is there any reference to OHP or the fact that the Agency was in possession of the PHI as a BA of a CE.

A visit to the Internet Web site of each of OHP and the Agency reveals no information respecting the OHP Breach. There is no reference to the OHP Breach in the links on the Home page of the OHP Web site or the links accessible through the  “News & Events” link, including the “What’s New” and “News Releases” links. 

The Agency Web site describes the Agency as

a private non-profit Agency, designated by the State of Ohio to be a Planning and Service Area (PSA) as mandated in the Older Americans Act, as enacted by the Federal Government in 1965. The Agency administers Title III, State Block Grant, Medicaid and other grant funds.

Again there is no reference to the OHP Breach on the Agency Web site, either in the “News and Events” links, the “Privacy Information” link or elsewhere, or the efforts of the Agency to mitigate adverse consequences to affected individuals that may result from the OHP Breach.

It appears that OHP, as the CE with respect to the OHP Breach and the entity required to report the OHP Breach to the HHS for placement on the HHS List, left it to the Agency as the apparently responsible BA to confront the aftermath. Moreover, OHP and the Agency appear to have consciously limited disclosures regarding the status of OHP as the CE to avoid adverse publicity for OHP, perhaps because it is part of the Ohio state sponsored health programs. 

Other Large Breaches involving BAs that have been reported on the HHS List will be reviewed in future postings on this blog.

• Email This
• Print
• Comments
• Trackbacks
• Share Link