
Legal Issues, Developments and Other Pertinent Information Relating To The Creation, Use and Exchange of Electronic Health Records

Chief Administrative Law Judge Refuses to Swallow FTC’s Section 5 Interpretation in LabMD Ruling

Posted in Privacy & Security, Uncategorized

Already many blogs and articles have been written on Chief Administrative Law Judge D. Michael Chappell’s November 13, 2015 92-page decision exonerating LabMD from the FTC’s charges that it failed to provide reasonable and appropriate security for personal information maintained on its computer networks in violation of Section 5(a) of the FTC Act.  A number of the commentators accurately point out that this ruling makes it clear the FTC does not have unbridled enforcement authority over allegedly “unfair” data security cases.

The FTC would have had Chief Judge Chappell believe that liability should be imposed for conduct that is theoretically “likely” to cause consumer harm, despite its inability to identify a single instance of consumer harm over the course of 7 years since the allegedly “unfair” conduct occurred. Judge Chappell refused to drink the FTC’s Kool-Aid, though, restoring my faith in the ability of logic and rational thinking to outweigh agency fluff and bluster in an administrative judicial proceeding.  Section 5(n) of the FTC Act requires a showing that the conduct “caused, or is likely to cause, substantial injury to consumers,” and while the Act doesn’t define the word “likely”,  Judge Chappell concluded that:

The term “likely” in Section 5(n) does not mean that something is merely possible.  Instead, “likely” means that it is probable that something will occur.

Hardly complex legal reasoning – just basic, simple common sense.

We blogged on this case and the FTC’s enforcement activities in the data security realm in October of 2014 (read here), as well as in March, April, May and June of 2014 (read here), and have closely followed LabMD founder Michael Daugherty’s tireless battle to defend his small, now-defunct cancer testing company from what has seemed an outrageous abuse of regulatory enforcement power from the beginning.

It’s refreshing (and relieving, for other businesses facing FTC investigations over what may seem to be minor and inconsequential infractions) that Judge Chappell carefully considered the evidence presented over the course of approximately two years and injected intelligence and reason into a case that seemed shockingly deficient in these traits.  Thank goodness Judge Chappell refused to drink from the FTC’s “possible-means-likely” cup of legal reasoning.  However, the Judge’s painstakingly articulated factual findings, enumerated in 258 paragraphs, reveal the unsettling back-story behind this case.

The FTC’s case was built around information provided to it by a company affiliated with Tiversa, a business involved in finding security vulnerabilities in companies’ computer networks and then selling remediation services to the companies to prevent similar infiltrations.  LabMD declined Tiversa’s offer to sell it remediation services.  Chief Judge Chappell found:

158.  Mr. Boback’s motive to retaliate against LabMD for refusing to purchase remediation services from Tiversa … resulted in Tiversa’s decision to include LabMD in the information provided to the FTC… .

The FTC may be wishing it had heeded the warning and advice of FTC Commissioner J. Thomas Rosch, who had initially suggested (in his Dissenting Statement issued June 21, 2012) that FTC staff should not rely on Tiversa for evidence or information related to LabMD, given Tiversa’s business model and prior attempts to sell its services to LabMD, in order to avoid the appearance of impropriety.  Instead, FTC staff readily accepted Tiversa’s Kool-Aid, relying on evidence it might have realized was tainted at the outset.

Again, hardly complex reasoning – just basic, simple common sense:  if it doesn’t smell or taste right, don’t drink the Kool-Aid.

Regardless of whether the case is appealed and its ultimate outcome, the LabMD ruling may serve as a precedent to encourage others to challenge the FTC’s enforcement authority under Section 5, authority that the agency has expanded over the years through consent decrees, particularly where there is no evidence that allegedly inadequate security practices have resulted in (or will probably result in) consumer harm.

Emailing PHI? NIST Seeks Comments on Trustworthy Email by November 30, 2015

Posted in Health IT, HIPAA Enforcement, Privacy & Security, Uncategorized

When and how should you email PHI, if at all?  The Office for Civil Rights (OCR) offers guidance as to the permissibility of sending PHI via email in this “Frequently Asked Question” answer, but doesn’t provide specifics as to how PHI can be safely emailed.  Whether you are a covered entity or a business associate (or the CIO or Privacy Officer for a covered entity or business associate), an attorney trying to navigate privacy and security compliance under HIPAA and other laws, or an individual whose PHI is at stake, you may wonder what tools and resources are available to protect PHI transmitted via email.

The National Institute of Standards and Technology (NIST) has provided many such tools and resources, including its 2007 “Guidelines on Electronic Mail Security”.  Now, though, NIST is accepting comments through November 30, 2015 on its most recent proposed set of email security guidelines, “Special Publication 800-177, Trustworthy Email”.  Though this Trustworthy Email draft (available with other NIST computer security and privacy publications here) comes with a disclaimer that it is “written for the enterprise email administrator, information security specialists and network managers”, it’s worth reviewing (even by the less tech-savvy among us) because it breaks down and describes each component of email functionality and the protocols and technology currently available to improve privacy and security.

Emailing PHI has become extremely common, but before deciding to send or receive PHI via email, it’s a good idea to make sure the Trustworthy Email protocols and technologies have been considered.   And if you have suggestions or comments as to how these protocols and technologies specifically relate to or can be improved in the context of emails containing PHI, here’s your chance to speak up!  Finally, remember that whatever comes out as the final set of NIST guidelines can become obsolete quickly in this rapidly developing and expanding e-world.

5 Practical Steps for Business Associate Compliance

Posted in HIPAA Business Associates

Congratulations!  You have a HIPAA-compliant business associate (or subcontractor) agreement in place – now what? How can you implement the agreement without becoming a HIPAA guru?

There are many resources available that offer detailed guidance on risk analysis and implementation protocols (such as the Guide to Privacy and Security of Electronic Health Information published by the Office of the National Coordinator for Health Information Technology and numerous “Special Publications” issued by the National Institute of Standards and Technology (NIST)).

These are terrific resources and can keep a team of IT professionals and Privacy and Security Officers reading and scratching their heads for weeks, but here are a few simple and practical steps you can take to avoid the security incident that may result in a protected health information (PHI) breach.

  1. Make sure the covered entity knows which individual(s) is authorized to receive PHI at the business associate. If neither the services agreement nor the business associate agreement specifies the person to whom PHI is to be disclosed, make sure the name, title and contact information of any designated recipient is communicated to the covered entity in writing.
  2. Include a provision in the business associate agreement (or subcontractor agreement) or develop a process whereby the covered entity (or business associate) provides notice, when feasible, prior to transmitting PHI to the designated recipient. Particularly when the transmission of PHI is sporadic or infrequent, provision of advance notice helps heighten awareness of the parties’ HIPAA obligations with respect to particular data being transmitted.
  3. Establish an agreed-upon means of PHI transmission – for example, specify whether transmission will be made via encrypted email, portable device, hard copy, etc. – and document the chain of custody from covered entity to business associate and after receipt by business associate.
  4. Create a “vault” for PHI received by the business associate that is secured by access codes that are changed periodically and can be deactivated when personnel leave the employ of the business associate.
  5. Maintain a perpetual inventory of PHI repositories, delegating responsibility to the Security Officer to oversee or authorize repository access rights, review activity, and conduct regular audits.
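As an added example (not from the post or from any firm named in it), the five steps above expressed as an audit a business associate’s Security Officer could run over its own records: designated recipients, advance notice, agreed transmission channel, chain of custody, vault access-code rotation and deactivation, and audit cadence. The transfers, vault names, personnel, dates and rotation periods are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional
import hashlib

# Assumed policy values (hypothetical, chosen for this example).
AGREED_CHANNELS = {"encrypted email", "portable device", "hard copy"}  # step 3
CODE_ROTATION = timedelta(days=90)      # step 4: access codes changed periodically
AUDIT_INTERVAL = timedelta(days=180)    # step 5: regular audits of each repository


@dataclass
class Transfer:
    """One transmission of PHI from the covered entity (steps 1-3)."""
    sent_on: date
    recipient: str              # must be a recipient designated in writing (step 1)
    channel: str                # must be the agreed means of transmission (step 3)
    notice_given: bool          # advance notice before sending (step 2)
    content_digest: str         # sha256 of the payload, recorded by the sender
    received_by: Optional[str]  # who logged receipt; None means custody ends at sender
    received_digest: Optional[str] = None  # sha256 recomputed by the receiver


@dataclass
class Vault:
    """One PHI repository at the business associate (steps 4-5)."""
    name: str
    code_issued: dict           # holder -> date the holder's current access code was issued
    last_audit: Optional[date]


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def audit_transfers(transfers, designated, today):
    """Return one finding per control that a transfer record fails."""
    findings = []
    for t in transfers:
        tag = f"transfer {t.sent_on.isoformat()} to {t.recipient}"
        if t.recipient not in designated:
            findings.append(f"{tag}: recipient not designated in writing")
        if t.channel not in AGREED_CHANNELS:
            findings.append(f"{tag}: channel '{t.channel}' is not an agreed means")
        if not t.notice_given:
            findings.append(f"{tag}: no advance notice before transmission")
        if t.received_by is None:
            findings.append(f"{tag}: chain of custody ends at sender")
        elif t.received_digest != t.content_digest:
            findings.append(f"{tag}: received content differs from what was sent")
    return findings


def audit_vaults(vaults, departed, today):
    """Flag stale or orphaned access codes and overdue repository audits."""
    findings = []
    for v in vaults:
        for holder, issued in v.code_issued.items():
            if holder in departed:
                findings.append(f"{v.name}: code still active for departed {holder}")
            elif today - issued > CODE_ROTATION:
                age = (today - issued).days
                findings.append(f"{v.name}: code for {holder} not rotated in {age} days")
        if v.last_audit is None or today - v.last_audit > AUDIT_INTERVAL:
            findings.append(f"{v.name}: audit overdue")
    return findings


def sample_findings():
    """Run both audits over constructed sample records."""
    today = date(2015, 11, 20)
    payload = b"constructed sample PHI export"
    transfers = [
        Transfer(date(2015, 11, 2), "jane.doe", "encrypted email", True,
                 sha256(payload), "jane.doe", sha256(payload)),
        Transfer(date(2015, 11, 9), "temp.clerk", "personal email", False,
                 sha256(payload), None),
    ]
    vaults = [
        Vault("lab-results", {"jane.doe": date(2015, 9, 1), "bob.smith": date(2015, 10, 15)},
              date(2015, 6, 1)),
        Vault("billing-archive", {"jane.doe": date(2015, 5, 1)}, None),
    ]
    return (audit_transfers(transfers, {"jane.doe"}, today)
            + audit_vaults(vaults, {"bob.smith"}, today))
```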

Four Tips for Reducing HIPAA Security Risks When Using Mobile Devices

Posted in Privacy & Security

Our partner Elizabeth Litten and I were once again quoted by our good friend Marla Durben Hirsch in her recent article in Medical Practice Compliance Alert entitled “Improve Usability but Mind HIPAA if Using Personal Mobile Devices for Work.” The full text can be found in the September 28, 2015, issue of Medical Practice Compliance Alert, but a synopsis reflecting our comments is included below.

Medical practice communications are increasingly mobile, with a reported 83% of physicians using mobile technology to provide patient care and 71% of nurses doing the same, according to a mobile technology survey from the Healthcare Information and Management Systems Society (HIMSS). Mobile devices, however, must be managed carefully to avoid creating an undue HIPAA security risk.

Some steps to protect patient data when using mobile devices include the following:

  1. Health care providers should use encryption to make mobile devices more secure. Email programs should be able to assure that the message cannot be read until it has been transmitted to the provider’s device. Kline warns, “A password on a phone is not encryption.”
  2. Providers should get informal messages and conversations from mobile devices, such as text messages, into the patient’s medical record. Kline says, “Have you made an entry [of the informal message or conversation] in the record? If not, the medical record is not accurate.”
  3. “Providers should be sure to obtain patient consent to communicate by mobile device as well,” says Litten. This is especially important if the communication may be unsecured.
  4. Avoiding the lack of discipline that mobile devices often encourage, such as non-medical shorthand, is crucial. Kline says, “Communications over mobile devices are more likely to contain misspellings and other errors, which can create malpractice liability and are not best practice when communicating treatment.”

The ever-increasing utilization of mobile devices in the delivery of healthcare services to patients is placing greater demands on those providers who are subject to, and those who are drafting, implementing and enforcing, HIPAA policies and procedures.

Did Practice Violate HIPAA By Tipping Off Immigration Authorities?

Posted in Articles, Uncategorized

A Houston-area woman was arrested at her gynecologist’s office by Sheriff’s deputies because she presented a false ID and now may face deportation, according to a September 11, 2015 report in the Houston Press.  The woman, Blanca Borrego, was reportedly visiting Northeast Women’s Healthcare for an annual check-up and to follow up on a painful abdominal cyst that had been identified a year earlier.   The Houston Press goes on to say that after filling out paperwork and waiting two hours, she was called into an exam room and met by law enforcement officers, who led her out in handcuffs in front of her young daughters.

“We’re going to take her downtown, she presented a form of false identification,” Borrego’s daughter recalled the deputy saying. He said their mother’s bond would probably be around $20,000, and added, “She’s going to get deported.”

Ms. Borrego had reportedly remained in the U.S. for 12 years on an expired visa.  It was her first visit to this clinic, although she had been treated previously by the same physician.  However, one commentator suggests she may have been eligible for protection from deportation under current law:

In fact, Borrego would have qualified for President Obama’s Deferred Action for Parents of Americans and Lawful Permanent Residents (DAPA) administrative reform program, which was announced last year. For the estimated 4.1 million undocumented individuals like Borrego—who have been in the United States since January 1, 2001 and have a son or daughter who is a U.S. citizen or lawful permanent resident—DAPA allows work permit applications and protection from deportation.  – Ana DeFrates, Texas Latina Advocacy Network, National Latina Institute for Reproductive Health

When can a physician practice, clinic, hospital or other healthcare provider reveal protected health information to law enforcement?  Section 164.512(j) of the HIPAA rule permits such disclosures to avert a serious threat to health or safety, and only in limited situations:

(j) A covered entity may, consistent with applicable law and standards of ethical conduct, use or disclose protected health information, if the covered entity, in good faith, believes the use or disclosure:

(i)(A) Is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public; and

(B) Is to a person or persons reasonably able to prevent or lessen the threat, including the target of the threat; or

(ii) Is necessary for law enforcement authorities to identify or apprehend an individual:

(A) Because of a statement by an individual admitting participation in a violent crime that the covered entity reasonably believes may have caused serious physical harm to the victim; or

(B) Where it appears from all the circumstances that the individual has escaped from a correctional institution or from lawful custody, as those terms are defined in §164.501.

Covered entities may also disclose to law enforcement officials protected health information that the covered entity believes in good faith constitutes evidence of criminal conduct that occurred on the premises of the covered entity.  It is not clear at this time whether Northeast will rely on that provision to justify its call to the police.  There are no allegations of identity theft, and in fact Ms. Borrego reportedly was covered by her husband’s health insurance policy.

Ironically, when the Houston Press asked about its policies regarding informing authorities about suspected undocumented aliens, Memorial Hermann spokeswoman Alex Loessin reportedly replied, “As you know, because of patient privacy, I am unable to provide comment.”

The HIPAA implications of this emerging story have yet to fully play out.  Covered entities and their business associates should use caution before voluntarily disclosing PHI to law enforcement agencies, particularly when there is no indication of violent crime or serious threats to health or safety.

FTC on Privacy: Beware of Offering Choices to Consumers beyond the Legal Minimum Requirements

Posted in Articles, Privacy & Security

A recent post on this blog by our partner Elizabeth Litten was quoted in the Dissenting Statement (the “Dissent”) of FTC Commissioner Maureen K. Ohlhausen in the Matter of Nomi Technologies, Inc., Matter No. 1323251. Ms. Ohlhausen disagreed with the views of the majority of the Commissioners in the Matter because she believed that

. . . by applying a de facto strict liability deception standard absent any evidence of consumer harm, the proposed complaint and order inappropriately punishes a company that acted consistently with the FTC’s privacy goals by offering more transparency and choice than legally required.

To buttress her viewpoint, Ms. Ohlhausen quoted as follows from Elizabeth’s post, which was referenced at footnote 9:

In response to the case’s release, one legal analyst [Elizabeth Litten] advised readers that ‘giving individuals more information is not better’ and that where notice is not legally required, companies should ‘be sure the benefits of notice outweigh potential risks.’

The takeaway from the FTC decision in Nomi and the Dissent appears to be that, in setting and publishing privacy policies, an organization should carefully consider whether adopting standards in excess of legal requirements is advisable if there is a reasonable possibility that the organization may find such standards difficult or costly to attain and maintain, thereby increasing the risk of regulatory scrutiny and sanctions.

How the NIST Cybersecurity Framework Can Help With HIPAA Compliance: 3 Tips

Posted in Privacy & Security

As our partner Mark McCreary writes in his post describing the “Framework for Improving Critical Infrastructure Cybersecurity” published by the National Institute of Standards and Technology (NIST):

The Framework is designed to work with businesses to reach a sufficient level of cybersecurity protection regardless of size, sector, or level of security.  The Framework consists of three parts: (1) The Framework Core, (2) The Framework Implementation Tiers, and (3) The Framework Profiles.  The Framework Core is a grouping of cybersecurity activities based on industry indicators, desired outcomes, and practices.  It assists businesses in developing Framework Profiles, which are used to create cybersecurity plans.

So how can a health care covered entity (such as a health care provider or health plan) or business associate use the Framework to help with HIPAA compliance?

1.  Review health industry-specific guidance available on NIST’s Framework website, such as that issued by the Health Information Trust Alliance (HITRUST).

2.  Review the Framework and Framework’s FAQs to build a Framework Core that applies in the context of your business activities — for example, include Framework outcome language such as “physical devices and systems within the organization are inventoried” and a Framework category for “Electronic Health Record Access Control”.

3.  Realize that the Framework can be used to improve or strengthen your PHI security by layering it over or weaving it into your HIPAA Privacy and Security Policies and Procedures.


Oncology Group Fined $750,000 Over Stolen Backup Media, Lax Compliance Efforts

Posted in Articles, HIPAA Enforcement, Privacy & Security, Uncategorized

Cancer Care Group, P.C., a 13-physician radiation oncology practice in Indiana (group), has agreed to pay $750,000 and implement a comprehensive corrective action plan in a settlement resulting from the theft of a laptop and backup media containing unencrypted patient information.  As is often the case, the breach incident triggered an investigation that revealed deeper deficiencies in the physician group’s HIPAA compliance efforts.  The Office of Civil Rights of the Department of Health and Human Services (OCR) announced the settlement in a September 2, 2015 press release entitled “$750,000 HIPAA settlement emphasizes the importance of risk analysis and device and media control policies.”  That heading alone strongly suggests that OCR chose this case to send a clear and powerful message to smaller covered entities and business associates that neglecting basic compliance efforts can and will result in heavy fines, especially if meaningful corrective action is not undertaken after a breach occurs.

The practice first notified OCR of the theft of an employee’s laptop bag in 2012 from the employee’s car. The bag contained a laptop, which did not contain ePHI, and unencrypted computer server backup media with names, addresses, dates of birth, Social Security numbers, insurance information and clinical information of approximately 55,000 current and former patients.  OCR learned upon further investigation that the group had taken its HIPAA obligations less than seriously for years preceding the breach.

It had not conducted an enterprise-wide risk analysis when the breach occurred in July 2012. Further, Cancer Care did not have in place a written policy specific to the removal of hardware and electronic media containing ePHI into and out of its facilities, even though this was common practice within the organization. OCR found that these two issues, in particular, contributed to the breach, as an enterprise-wide risk analysis could have identified the removal of unencrypted backup media as an area of significant risk to Cancer Care’s ePHI, and a comprehensive device and media control policy could have provided employees with direction in regard to their responsibilities when removing devices containing ePHI from the facility.

In addition to the fine, the group adopted a Corrective Action Plan as part of its Resolution Agreement with OCR, which can be read here.

Much like the Phoenix Cardiac Surgery settlement that we discussed on this blog in 2012, this case involved  not just a one-time negligent breach, but a systematic, ongoing failure to adopt and implement appropriate HIPAA safeguards, policies and compliance efforts.  The Resolution Agreement indicates that such failures continued for a significant time after the theft of the devices.

The Resolution Agreement states that the payment of the $750,000 “Resolution Amount” does not preclude the government from imposing civil monetary penalties in the future if the deficiencies are not cured, and the group agreed to extend the statute of limitations on such penalties during the three-year term of the Resolution Agreement and Corrective Action Plan and for one year afterwards.  During the term of the Agreement, the group is required to: complete a comprehensive Risk Analysis of all security risks and vulnerabilities posed by its electronic equipment, data systems, and applications that contain, store, transmit, or receive electronic protected health information (“ePHI”) and report the results to OCR; develop and implement an organization-wide Risk Management Plan to address and mitigate any security risks and vulnerabilities found in the Risk Analysis; revise and update its policies and procedures to OCR’s satisfaction; revise its current Security Rule Training Program; investigate any workforce member’s violation of such policies and report the results to OCR (even if such violation did not result in a breach); and file detailed annual reports with OCR.

There are plenty of lessons to learn from this settlement, but one of the most critical lessons may be the easiest to implement: encrypt your data, particularly any data that is stored on portable devices, which have a disturbing tendency to disappear.  Had the backup device been encrypted, it is likely that the outcome of this incident would have been very different. Another lesson is that, if a breach of HIPAA is discovered, be proactive and act immediately to assess and address the risk and mitigate the potential damage, update your policies and procedures, implement changes designed to avoid another breach, etc.  Do not wait for OCR to tell you how to respond to the breach.

Six Tips for Physicians to Protect Patient Data on the Internet

Posted in HIPAA Enforcement, Privacy & Security

Our partner Elizabeth Litten and I were once again quoted by our good friend Marla Durben Hirsch in her recent articles in Medical Practice Compliance Alert entitled “Misapplication of Internet Application Triggers $218,400 Settlement” and “Protect Patient Data on the Internet with These 6 Steps.”  The three of us together were able to come up with a number of ideas to assist physicians in improving the likelihood that protected health information (“PHI”) will be more secure. The full text can be found in the August 17, 2015 issue of Medical Practice Compliance Alert, but a synopsis of our input is included below.

Internet applications and files should be included in a physician practice’s HIPAA compliance plan, or a violation may result.  As an example, St. Elizabeth’s Medical Center (“SEMC”) in Brighton, MA recently settled several potential HIPAA violations for $218,400 with the Office of Civil Rights (“OCR”) of the Department of Health and Human Services (“HHS”).  One of the incidents involved SEMC’s use of an unauthorized internet-based document-sharing application. The size of this settlement highlights the concerns of OCR about misuse by healthcare providers of internet-based document sharing or other applications.

Some steps to protect patient data on the internet include the following:

  1. Review the internet applications your practice uses. Litten says, “Take steps such as encryption to protect the data when it’s shared, transmitted and stored.”
  2. Ask the application’s manufacturer about its security safeguards. “If a manufacturer claims that (its application) is HIPAA protected, ask what that means,” Litten urges.
  3. Investigate all internal and external complaints and concerns. Kline says, “Expect the government to find out about PHI exposed on the Internet from a third party.”
  4. Keep track of the steps you take to identify and fix the problem. “You do better if you have a history that you endeavored to comply with HIPAA,” says Kline.
  5. Provide a mechanism by which employees can report concerns anonymously. Kline suggests, “You need a private place where people feel they’re not being watched.”
  6. Don’t allow staff to use unauthorized public networks. “Don’t open documents in, say, a Starbucks,” warns Litten.

In summary, in order for physicians to protect their practices, they must be certain that they understand HIPAA obligations with respect to privacy and security in the context of internet application usage.

Hackers: Take My Health Information, But Please Don’t Take My Health

Posted in Privacy & Security, Sensitive Health Information

We know by now that protected health information (PHI) and other personal information is vulnerable to hackers.  Last week, the Washington Times reported that the Department of Health and Human Services (HHS), the agency responsible for HIPAA enforcement, had suffered security breaches at the hands of hackers in at least five separate divisions over the past three years.  The article focused on a House Committee on Energy and Commerce report that described the breaches as having been relatively unsophisticated and the responsible security officials as having been unable to provide clear information regarding the security incidents.

We know it’s not a question of “if” sensitive information maintained electronically will be compromised by a hacking or other type of cyber security incident, but “when” — regardless of who maintains it — and how destructive an incident it will be. Even HHS and its operating divisions, which include both the Office of Civil Rights (OCR), charged with protecting PHI privacy and security, and the Food and Drug Administration (FDA), the country’s principal consumer protection and health agency, are vulnerable.

Just one day before its coverage of the House Committee report on the cyber security vulnerabilities that exist within the very government agencies charged with protecting us, the Washington Times reported on an even more alarming cyber security risk: the vulnerability of common medical devices, such as x-ray machines and infusion pumps, to hacks that could compromise not just the privacy and security of our health information, but our actual physical health.

This report brought to mind a recent report on the ability of hackers to remotely access the control systems of automobiles.  While the thought of losing control of my car while driving is terrifying, the realization that medical devices are vulnerable to hackers while being used to diagnose or treat patients is particularly creepy.  The two situations may present equally dangerous scenarios, but hacking into a medical device is like hacking into one’s physical being.

So while it’s one thing to have PHI or other sensitive information compromised by a hacking incident, it’s much more alarming to think that one’s health status, itself, could be compromised by a hacker.