Header graphic for print

HIPAA, HITECH & HIT

Legal Issues, Developments and Other Pertinent Information Relating To The Creation, Use and Exchange of Electronic Health Records

Connecticut “Opens Floodgates” for HIPAA Litigation

Posted in Lawsuits, Privacy & Security

My partner Elizabeth Litten and I were recently interviewed for an article entitled “Connecticut ‘opens floodgates’ for HIPAA litigation” published in “Privacy this Week” by DataGuidance. The full text of the article can be found in the November 13, 2014 issue of “Privacy this Week,” but a discussion of the article is set forth below.

On November 11, 2013, the Connecticut Supreme Court ruled in the case of Byrne v. Avery Center for Obstetrics and Gynecology, P.C. that (i) an action for negligence arising from a health care provider’s breach of patient privacy is not preempted by the HIPAA statute and regulations, which do not permit a private right of action to be brought by an individual under HIPAA, and (ii) HIPAA regulations may well inform the applicable standard of care in certain circumstances. Elizabeth and I have previously posted blog entries respecting the Byrne case that may be read here and here, respectively.

Elizabeth pointed out, “The precedents this case sets may have exponential repercussions and may twist the decision in extreme illogical directions.”

I observed that the Byrne case may have opened the floodgates of litigation because the decision may have established a new level of punishment that is not present under the federal HIPAA law itself.  Just consider the liability a doctor could incur if he or she mistakenly leaves a document with personal health data on the wrong nurse station desk. If, for example, someone improperly accesses that information and uploads the data to the Internet, we have a data breach under HIPAA standards – which in turn may be an act of negligence under state tort or malpractice law with liability to the doctor under the principles of the Byrne case.

Elizabeth also stated that there is fear that some of the things HIPAA tries to regulate, such as transparency in data breaches, may be undermined. If individuals can resort to state law to seek compensation for data breaches, companies may see benefits in not complying with the transparency finality of HIPAA. “Furthermore there are many other federal standards with implications in data protection, such as the Family Educational Rights and Privacy Act (FERPA), that could follow the case of HIPAA,” Elizabeth noted.

I added my view that it would not be surprising if HIPAA is taken to the United States Supreme Court to delimit its preemption scope. We certainly haven’t seen the end of it.  The Connecticut case may provide a new avenue for an individual plaintiff to sue for a health data breach under state law by using HIPAA indirectly when he or she cannot sue under HIPAA itself directly.  This blog will continue to follow the Byrne case and other cases involving HIPAA and other federal and state law interactions and potential conflicts.

Celebrities’ Health Information Compromised by Sony Hacking

Posted in Privacy & Security, Sensitive Health Information

Fox Rothschild partner Scott Vernick recently appeared as a guest on the Willis Report to discuss the fallout of the hacking of Sony Pictures Entertainment.  Click here to view the segment.  Celebrities’ individually identifiable health information, some of which appears to be protected health information (“PHI”) under HIPAA, was among the sensitive personal data hacked into.  According to one report, a file was accessed that contains a list of the highest-cost patients covered by Sony Pictures’ health plan.

As a covered entity, a health plan (and/or its business associate) that suffers a breach of plan members’ PHI may find itself subject to civil monetary penalties imposed by the Secretary of the Department of Health and Human Services (“HHS”) that can be substantial, particularly if HHS determines the HIPAA violation was due to willful neglect and was not corrected during the 30-day period beginning on the first date the health plan (or its business associate, if the business associate is liable) knew or, by exercising reasonable diligence, would have known that the violation occurred.

Penalties under these circumstances are to be at least $50,000 for each violation, up to $1,500,000 for identical violations in a single calendar year.  Penalties of up to $50,000 for each violation and up to $1,500,000 for identical violations in a year can even be imposed when the health plan (or business associate) did not know, and by exercising reasonable diligence, would not have known that it had violated HIPAA.  45 CFR 160.404.

The Secretary of HHS will consider aggravating factors in determining the amount of the penalty, including whether the HIPAA violation resulted in harm to an individual’s reputation.  45 CFR 160.408.

Although HIPAA may seem the least of Sony Pictures’ concerns right now, as discussed in previous posts (here and here) regarding the recent Byrne v. Avery Center for Obstetrics and Gynecology, P.C. case,  HIPAA “may well inform the applicable standard of care” in negligence actions brought under state law.

Michael Kline’s “List of Considerations” for Indemnification Provisions in Business Associate Agreements

Posted in Privacy & Security

I strongly urge every covered entity and business associate faced with a Business Associate Agreement that includes indemnification provisions to read Michael Kline’s “List of Considerations” before signing.  Michael’s list, included in an article he wrote that was recently published in the American Health Lawyers Association’s “AHLA Weekly” and available here, highlights practical and yet not obvious considerations.  For example, will indemnification jeopardize a party’s cybersecurity or other liability coverage?

Data use and confidentiality agreements used outside of the HIPAA context may also include indemnification provisions that are triggered in the event of a privacy or security breach.  Parties to these agreements should take a close look at these “standard” provisions and Michael’s list and proceed carefully before agreeing to indemnify and/or be indemnified by the other party.

 

OCR: HIPAA Privacy Rule “Not Set Aside in an Emergency”

Posted in Privacy & Security

The threats to health privacy in the face of the Ebola scare has not escaped the notice of the Office of Civil Rights (OCR).  As we reported last month, a great deal of information regarding the identity and condition of individuals who may have been exposed to or treated for Ebola has appeared in news reports. Ebola In The News – Is Too Much PHI Being Revealed And By Whom?  and Which Privacy Protections Apply? HIPAA, FERPA and Ebola.  On November 10, OCR issued a bulletin entitled HIPAA Privacy in Emergency Situations reminding covered entities and business associates that their obligations under HIPAA do not change during emergency situations such as the Ebola outbreak.

The bulletin notes that HIPAA balances the interests of patient privacy in a manner that ensures that appropriate uses and disclosures of the information still may be made when necessary to treat a patient, to protect the nation’s public health, and for other critical purposes.

Patient information can be shared for “treatment” purposes, and OCR notes  that “covered entities may disclose, without a patient’s authorization, protected health information [PHI] about the patient as necessary to treat the patient or to treat a different patient.” Further, treatment includes the coordination or management of health care, which may be critical when handling a communicable and dangerous infection such as Ebola.

OCR summarizes the disclosures which are permissible for public health purposes to agencies like the Centers for Disease Control and Prevention (CDC) or state or local health departments. “For example, a covered entity may disclose to the CDC protected health information on an ongoing basis as needed to report all prior and prospective cases of patients exposed to or suspected or confirmed to have Ebola virus disease.”

Other situations where disclosure is permissible include:

  • At the direction of a public health authority, to a foreign government agency that is acting in collaboration with the public health authority. (Highly relevant when coordinating information with government agencies in West Africa and other affected regions)
  • To persons at risk of contracting or spreading a disease or condition, but only if authorized under state or federal law.
  • To a patient’s family members, relatives, friends or others involved in the patient’s care.
  • When necessary to identify, locate, and communicate with family members, guardians, or anyone else responsible for the patient’s care, to notify them of the patient’s location, general condition, or death. OCR notes such disclosures may include police, the press, or the public at large. However, it is not a blanket authority to release PHI to the media unless there is a valid reason to do so. OCR also notes that verbal permission should be sought from the patient if possible.
  • To disaster relief organizations such s the Red Cross, but only for the coordination of contacting family members and others involved in the patient’s care.
  • To anyone else as necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public – consistent with applicable law (such as state statutes, regulations, or case law) and the provider’s standards of ethical conduct.
  • Limited “directory” condition information may be released when a patient is identified by name. OCR warns: In general, except in the limited circumstances described elsewhere in this Bulletin, affirmative reporting to the media or the public at large about an identifiable patient, or the disclosure to the public or media of specific information about treatment of an identifiable patient, such as specific tests, test results or details of a patient’s illness, may not be done without the patient’s written authorization (or the written authorization of a personal representative who is a person legally authorized to make health care decisions for the patient).

Health care providers and their business associates are now clearly on notice that OCR will not look the other way if information relating to individuals potentially exposed to Ebola or similar diseases is disclosed without meeting a valid exception, no matter how persistently media outlets press for details.  Each covered entity and business associate should take the time to remind their personnel that the privacy rule remains in effect in emergencies.

 

 

Connecticut Supreme Court Decision Depicts Rubik’s Cube of Federal and State Privacy and Security Compliance

Posted in Privacy & Security

As if compliance with the various federal privacy and data security standards weren’t complicated enough, we may see state courts begin to import these standards into determinations of privacy actions brought under state laws. Figuring out which federal privacy and data security standards apply, particularly if the standards conflict or obliquely overlap, becomes a veritable Rubik’s cube puzzle when state statutory and common law standards get thrown into the mix.

A state court may look to standards applied by the Federal Communications Commission (“FCC”), the Federal Trade Commission (“FTC”), the Department of Health and Human Services (“HHS”), or some other federal agency asserting jurisdiction over privacy and data security matters, and decide whether the applicable standard or standards are preempted by state law. The state court may also decide that one or more of these federal agencies’ standards represent the “standard of care” to be applied in determining a matter under state law. Or, as shown in a recent Connecticut Supreme Court decision discussed in Michael Kline‘s November 9th post, a court may decide that state law is not preempted by federal law or standards in one respect, while recognizing that the federal law or standard may embody the “standard of care” to be applied in deciding a privacy or data security matter under state law.

 

Connecticut Supreme Court Recognizes Individual’s Right for State Tort Action Using HIPAA as Standard of Care

Posted in HIPAA Business Associates

The Connecticut Supreme Court handed down a decision in the case of Byrne v. Avery Center for Obstetrics and Gynecology, P.C., — A.3d —-, 2014 WL 5507439 (2014) that

[a]ssuming, without deciding, that Connecticut’s common law recognizes a negligence cause of action arising from health care providers’ breaches of patient privacy in the context of complying with subpoenas, we agree with the plaintiff and conclude that such an action is not preempted by HIPAA and, further, that the HIPAA regulations may well inform the applicable standard of care in certain circumstances.

Interestingly, the decision is dated November 11, 2014, the federal holiday of Veterans Day, but was available on Westlaw on November 7, 2014.  The Court’s decision was rendered 20 months after the date that the case was argued on March 12, 2013.

The decision adds the Connecticut Supreme Court to a growing list of courts that have found that HIPAA’s lack of a private right of action does not necessarily foreclose action under state statutory and common law.  The Byrne case, however, has added significance, as it appears to be the first decision by the highest court of a state that says that state statutory and judicial causes of action for negligence, including invasion of privacy and infliction of emotional distress, are not necessarily preempted by HIPAA.  Moreover, it recognized that HIPAA may be the appropriate standard of care to determine whether negligence is present.

The Byrne case has important implications for HIPAA matters beyond the rights of individuals to sue under state tort law, using HIPAA regulations as the standard of care.  For example, in the area of business associate agreements (“BAAs”) and subcontractor agreements (“SCAs”), as was discussed in a posting in October 2013 on this blog relating to indemnification provisions,

there should be a negation of potential third party beneficiary rights under the BAA or SCA. For example, HIPAA specifically excludes individual private rights of action for a breach of HIPAA – a [p]arty does not want to run a risk of creating unintentionally a separate contractual private right of action in favor of a third party under a[n indemnification] [p]rovision.

A party should, therefore, endeavor to limit the number of persons that may assert a direct right to sue for indemnification resulting from a breach of a BAA.  Failing to limit the number of persons that may assert a direct right to sue for indemnification resulting from a breach of a BAA or SCA can be costly indeed, especially if the number of states that follow the Byrne case principles increases.

Efforts to use HIPAA regulations as standards for causes of action under state law can be expected to rise as a result of the Byrne decision.  Covered entities, business associates and subcontractors should consider acquiring sufficient cybersecurity insurance with expanded coverage and limits.

Patient Support Groups, Email and the Duty to Warn

Posted in Privacy & Security

I was recently asked whether the sending of an unencrypted group email to participants in a health-related support group violated HIPAA.  Faithful blog readers can guess my first question:  “Was the sender a covered entity, business associate, or subcontractor?”  Many support group entities are non-profit organizations staffed by volunteers and do not meet the definition of a covered entity “health care provider” (or other type of covered entity) under the HIPAA regulations (see 45 CFR 160.103).  Participants in support groups may expect the fact that they participate in the group and the information they disclose to be held in confidence by the organizers and other participants, but HIPAA may or may not protect that information.  (Whether other federal laws, state laws, or codes of ethics may protect the privacy of the information is beyond the scope of this post.)

When HIPAA applies, support group organizers (and other providers) should remember to use caution when sending group emails.  Does the group email list the email addresses of other participants?  Not only does this listing of participant email addresses, by itself, potentially constitute protected health information (PHI), but a participant’s inadvertent “reply all” message (intended for a support group therapist alone, for example) raises sticky HIPAA issues.  Health information disclosed by the individual to another support group participant falls outside the definition of “individually identifiable health information” under the HIPAA regulations and so is not HIPAA-protected PHI.  Still, a covered entity should be very careful to limit how and when email and social media are used to communicate with both individual patients and members of a support group.  While it does not solve the problem, perhaps all messages sent to more than one participant by a support group organizer should be sent as a ”bcc” to limit disclosure.

The U.S. Department of Health and Human Services addressed whether covered entities have a “duty to warn” individuals that agree to receive unencrypted emails as a means of communication in the Omnibus Rule adoption:

“We clarify that covered entities are permitted to send individuals unencrypted emails if they have advised the individual of the risk, and the individual still prefers the unencrypted email.  We disagree [with some commenters] that the “duty to warn” individuals of risks associated with unencrypted email would be unduly burdensome … We do not expect covered entities to educate individuals about encryption technology and the information security.  Rather, we merely expect the covered entity to notify the individual that there may be some level of risk that the information in the email could be read by a third party … .”  [78 Fed. Reg. 5566, 5634]

Covered entities, business associates and subcontractors that get an individual’s permission to communicate via unecrypted email might want to include some type of bold warning as to limits of HIPAA protection.  Although voluntary participants in support groups may seem most likely to understand and have agreed to disclosure and use of their PHI within the group, it’s important to set ground rules and remind participants as to when (or whether) HIPAA applies – particularly if email or social media is involved.  Before accepting email addresses or allowing individuals to participate in any other unencrypted means of electronic communication, a covered entity might want to put its HIPAA warning — or disclaimer — in big, bold, easy-to-understand writing.

Medical Device, “Heal Thyself” from Data Hacking

Posted in Privacy & Security

Innovative health care-related technology and developing telemedicine products have the potential for dramatically changing the way in which health care is accessed.  The Federation of State Medical Boards (FSMB) grappled with some of the complexities that arise as information is communicated electronically in connection with the provision of medical care and issued a Model Policy in April of 2014 to guide state medical boards in deciding how to regulate the practice of “telemedicine”, a definition likely to become outdated as quickly as the next technology or product is developed.

Interestingly, the development and use of medical devices and communication technology seems to outpace agency definitions and privacy laws as quickly as hackers outpace security controls.  So how can we encourage innovation and adopt new models without throwing privacy out with the bathwater of the traditional, in-person patient-physician relationship?  A first step is to see and understand the gaps in privacy protection and figure out how to they can be narrowed.

HIPAA does not protect all information, even when the information is clearly health information and a specific individual can be identified in connection with the health information.   A guidance document issued jointly by the U.S. Department of Health and Human Services (HHS) and the Food and Drug Administration (FDA) on October 2, 2014 (FDA Guidance Document) contains the agencies’ “non-binding recommendations” to assist the medical device industry with cybersecurity.  The FDA Guidance Document defines “cybersecurity” as “the process of preventing unauthorized access, modification, misuse or denial of use, or the unauthorized use of information that is stored, accessed, or transferred from a medical device to an external recipient.”  If my medical device creates, receives, maintains, or transmits information related to my health status or condition, it’s likely I expect that information to be secure and private – but unless and until my doctor (or other covered entity or business associate) interfaces with it, it’s not protected health information (PHI) under HIPAA.

The FSMB’s Model Policy appropriately focused on the establishment of the physician-patient relationship.  In general, HIPAA protects information created, received, maintained or transmitted in connection with that relationship.  A medical device manufacturer, electronic health application developer, or personal health record vendor that is not a “health care provider” or other covered entity as defined under HIPAA, and is not providing services on behalf of a  covered entity as a business associate, can collect or use health-related information from an individual without abiding by HIPAA’s privacy and security obligations.  The device, health app, or health record may still be of great value to the individual, but the individual should recognize that the information it creates, receives, maintains or transmits is not HIPAA-protected until comes from or ends up with a HIPAA covered entity or business associate.

The FDA Guidance Document delineates a number of cybersecurity controls that manufacturers of FDA-regulated medical devices should develop, particularly if the device has the capability of connecting (wirelessly or hard-wired) to another device, the internet, or portable electronic media.  Perhaps these controls will become standard features of medical devices, but they might also be useful to developers of other types of health-related products marketed to or purchased by consumers.  In the meantime, though, it’s important to remember that your device is not your doctor, and HIPAA may not be protecting the health data created, received, maintained or transmitted by your medical device.

Which Privacy Protections Apply? HIPAA, FERPA and Ebola

Posted in Privacy & Security, Uncategorized

Recent news articles regarding a New Jersey elementary school’s handling of the enrollment of two new students from Rwanda provided another glimpse of Ebola hysteria and the opportunity for me to follow up on Bill Maruca’s blog about Ebola and HIPAA with yet another (fairly obscure) statutory acronym.  When it comes to protecting the privacy of students, HIPAA often does not even apply and it’s the Family Educational Rights and Privacy Act, known as FERPA, that matters.

The New Jersey elementary school apparently recognized that it had overreacted when it first announced that the Rwanda students’ parents would keep their children at home for 21 days.  The school posted a revised website notice stating that it would “welcome the new students whose parents graciously offered to keep them close this week.”  Setting aside the fact that Rwanda is located in East Africa, more than 2,500 miles away from the West African countries that have been reported to be affected by the Ebola virus, and is reportedly now screening all visitors to Rwanda who have been in the United States during the past 22 days, this elementary school incident offers a teachable moment.

If the school nurse at a public elementary school takes it upon himself or herself to identify students at risk for developing Ebola and decides to take twice-daily temperature readings of the students and record the information in student health records, the information would be protected under FERPA and parental consent would be required prior to its release.  “Frequently Asked Questions” posted on the website of the U.S. Department of Health and Human Services (HHS) address the interplay between HIPAA and FERPA and a “Joint Guidance” document issued by HHS and the U.S. Department of Education provides even more detail on the relationship between HIPAA and FERPA.  To the extent FERPA applies to the school nurse’s activities and information contained in the students’ health records, FERPA trumps HIPAA in one key privacy protection respect.

Under HIPAA, protected health information (PHI) can be used or disclosed without an authorization from the appropriate individual for certain public health activities.  For example, a covered entity, such as a health care provider, may disclose PHI to a public health authority that is authorized by law to collect or receive the information for the purpose of preventing or controlling disease.  A covered entity may also disclose PHI to a person who may have been exposed to a communicable disease, under specific circumstances.  However, FERPA generally does not allow this type of disclosure (without parental authorization or authorization of a student over the age of 18) of identifiable student information, even when it is for public health purposes, other than in “emergency” situations. Note that under both HIPAA and FERPA, withholding names but releasing other information that makes it possible to identify the  individuals (ie, “students from Rwanda”) risks privacy violations.

The bottom line for public schools?  Check your FERPA obligations, your possible HIPAA obligations, and, when it comes to Ebola fears, your geography.

Ebola In The News – Is Too Much PHI Being Revealed And By Whom?

Posted in Articles, Privacy & Security

The names and photos of the late Thomas Eric Duncan and his former nurse Nina Pham are all over news media reports of the first cases of Ebola in the United States.   But just how did news outlets learn their identities?   Or, as my assistant asked me this morning, “isn’t this a HIPAA violation?” as many of the facts would appear to qualify as protected health information (PHI).

DuncanAP_nina_pham_ebola_jtm_141014_16x9_992
Thomas Eric Duncan – Source: CBS46.com                 Nina Pham, R.N. – Source: ABC News

Mr. Duncan’s name hit the news shortly after he was diagnosed with Ebola at Texas Health Presbyterian on September 20, 2014, upon his second visit to that hospital after arriving in Dallas from Liberia where he had been exposed to a neighbor who later died from the deadly virus.   After he succumbed to the disease on October 8, the details of his illness and treatment began to flow.   A recent Associated Press story  describes his care day-by-day.  It states that Duncan’s nephew, Josephus Weeks, talked to them and indicates that “Hundreds of pages of medical records provided to The Associated Press chart the disease’s relentless march through Duncan’s body and provide an unprecedented look at how Ebola killed despite the aggressive efforts doctors made to save him.”  His mother, Nowai Korkoyah, is also quoted in the article.

One of the critical care nurses who had treated Duncan at Texas Health Presbyterian Hospital, Nina Pham, has now tested positively for the disease and is being treated in isolation.  Pham was reportedly identified by family members who confirmed her name to ABC News affiliate WFAA.  Her family also reportedly confirmed her identity to USA Today.

Pham’s pastor reportedly disclosed to WFAA that she received a blood transfusion on October 14.  The story identifies the donor, Dr. Kent Brantly, and the fact that he was himself an Ebola survivor and attributes that information to “sources close to Brantly.”

Ebola is a devastating communicable disease about which the general public needs education and guidance, but the HIPAA rule does not provide exceptions for newsworthy or unusually terrifying medical conditions.  There are exceptions relating to public health and safety, but they generally do not permit covered entities or their business associates to release PHI to the media or general public.  Also, keep in mind that HIPAA applies only to covered entities and business associates, and does not restrict what information patients, or their family members, clergy, friends or neighbors, may legally disclose.   (However, there is a need to be aware that state privacy or defamation statutes and case law may limit what family members, clergy, friends or neighbors may legally disclose.)

Duncan’s relatives would have had access to his medical records after his death only to the extent they were involved in his care or if they were his “personal representatives,” or during his life if he released his records to them.   HIPAA Regulation section 164.502(g)(4) states  “If under applicable law an executor, administrator, or other person has authority to act on behalf of a deceased individual or of the individual’s estate, a covered entity must treat such person as a personal representative under this subchapter, with respect to protected health information relevant to such personal representation.”   Not all relatives can compel the release of a decedent’s medical records, but anyone who obtains such records, for instance from another relative who is the executor or administrator of the estate, is not prohibited by HIPAA from sharing them with the media.

What about public safety?  Some commenters have suggested that in the case of serious public threats, “HIPAA be damned.”    The HIPAA rule at 45 CFR § 164.512(b) does include an exception for uses and disclosures for public health activities, but that exception is limited.   A covered entity may use or disclose PHI to a public health authority (such as the Centers for Disease Control (CDC)) that is authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including, but not limited to, the reporting of disease, injury, and the conduct of public health surveillance, public health investigations, and public health interventions.  The CDC has issued valuable guidance on the effect of HIPAA on its mission.

PHI may also be disclosed to a person who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading a disease or condition, if the covered entity or public health authority is authorized by law to notify such person as necessary in the conduct of a public health intervention or investigation.  That exception could authorize, for example, direct communication with the families and close associates of Mr. Duncan and Ms. Pham, but not to media outlets.

How did Ms. Pham’s identity emerge?  One web site, Gotnews.com explained in an Exclusive & Breaking report “After learning the address of the unnamed Ebola patient, Gotnews.com editor-in-chief Charles C. Johnson and researcher Shannon Knutsen cross referenced the address with a list of every known occupant.” This begs the question of how they learned her address.   Yahoo news claimed they identified Pham through ”public records and a state nursing database.”  Sounds like impressive detective work, but what additional data did they rely on to narrow down their search, and from what sources?   Resourceful journalists will follow leads, rumors and word-or-mouth reports, but if the sources were hospital personnel who revealed sufficient information about these patients to allow their identification when cross-referenced with public sources, they likely  crossed the line even if they did not reveal patient names, particularly if the leakers had knowledge that the information could be combined with other information to identify the individual.

Individuals are certainly free to share their own stories any way they like.  For example, Dr. Brantly authored a first-person piece entitled  This Is What It Feels like To Survive Ebola in Time magazine.   Nina Pham issued a statement through the hospital, assuring supporters “I’m doing well and want to thank everyone for their kind wishes and prayers.”

This isn’t the first time Ebola has raised HIPAA compliance issues. Two Nebraska Medical Center employees were fired for improperly accessing records of a patient being treated for Ebola in September.  (Ironically, these reports also reveal the name of the patient, an American doctor who contracted the virus in West Africa.)  Accordingly, covered entities and business associates should remind all personnel that the rules don’t change because of controversial, highly dangerous diseases.   We will continue to monitor developments in this rapidly evolving story.