Legal Issues, Developments and Other Pertinent Information Relating To The Creation, Use and Exchange of Electronic Health Records

The Wild West of Data Breach Enforcement by the Feds

Posted in Uncategorized

Imagine you have completed your HIPAA risk assessment and implemented a robust privacy and security plan designed to meet each criterion of the Omnibus Rule.  You think that, should you suffer a data breach involving protected health information as defined under HIPAA (PHI), you can show the Secretary of the Department of Health and Human Services (HHS) and its Office for Civil Rights (OCR), as well as media reporters and others, that you exercised due diligence and should not be penalized. Your expenditure of time and money will help ensure your compliance with federal law.

Unfortunately, however, HHS is not the only sheriff in town when it comes to data breach enforcement.  The Federal Trade Commission (FTC) has been battling LabMD for the past few years in a case that gets more interesting as the filings and rulings mount (In the Matter of LabMD, Inc., Docket No. 9357 before the FTC).  LabMD’s CEO Michael Daugherty recently published a book on the dispute with a title analogizing the FTC to the devil, with the subtitle, “The Shocking Expose of the U.S. Government’s Surveillance and Overreach into Cybersecurity, Medicine, and Small Business.”  Daugherty issued a press release in late January attributing the shutdown of LabMD’s operations primarily to the FTC’s actions.

Among many other reasons, this case is interesting because of the dual jurisdiction of the FTC and HHS/OCR over breaches that involve individual health information.

On one hand, the HIPAA regulations detail a specific, fact-oriented process for determining whether an impermissible disclosure of PHI constitutes a breach under the law.  The pre-Omnibus Rule breach analysis involved consideration of whether the impermissible disclosure posed a “significant risk of financial, reputational, or other harm” to the individual whose PHI was disclosed.  The post-Omnibus Rule breach analysis presumes that an impermissible disclosure is a breach, unless a risk assessment that includes consideration of at least four specific factors demonstrates there was a “low probability” that the individual’s PHI was compromised.

In stark contrast to HIPAA, the FTC can bring an enforcement action based upon its decision that an entity’s data security practices are “unfair”, but it has not promulgated regulations or issued specific guidance as to how or when a determination of “unfairness” is made.  Instead, the FTC routinely alleges that entities’ data security practices are “unfair” because they are not “reasonable” – two vague words that leave entities guessing about how to become FTC compliant.

In 2013, LabMD filed a motion to have the FTC’s enforcement action dismissed.  LabMD argued, in part, that the FTC does not have the authority to bring data security actions under the “unfairness” prong of Section 5 of the FTC Act.  LabMD further argued that there should only be one sheriff in town – HHS, not both HHS and the FTC.  Not surprisingly, in January 2014, the FTC denied the motion to dismiss, finding that HIPAA requirements are “largely consistent with the data security duties” of the FTC under the FTC Act.  The opinion speaks of “data security duties” and “requirements” of the FTC Act, but these “duties” and “requirements” are not spelled out (much less even mentioned) in the FTC Act.  How, then, can anyone determine that the two sets of standards are consistent?  In practice, an entity that suffers a data security incident must work through the detailed breach analysis under HIPAA while also guessing at what the FTC will consider “reasonable,” with no clear guidance under the FTC Act to rely on.

In a March 10th ruling, the judge held that he would permit LabMD to depose an FTC designee regarding consumers harmed by LabMD’s allegedly inadequate security practices.  However, the judge also ruled that LabMD could not “inquire into why, or how, the factual bases of the allegations … justify the conclusion that [LabMD] violated the FTC Act.”  So while the LabMD case may eventually provide some guidance as to the factual circumstances involved in an FTC determination that data security practices are “unfair” and have caused, or are likely to cause, consumer harm, the legal reasoning behind the FTC’s determinations is likely to remain a mystery.

HHS Enforces Against County Government in Washington State

Posted in HIPAA Enforcement, Security Breach Notification

Last week’s Resolution Agreement between the US Department of Health and Human Services, Office for Civil Rights (“HHS”) and a small county in Washington State marks the first time HHS has settled an action against a county government for noncompliance with the Privacy and Security Rules under HIPAA (the “HIPAA Rules”). The Resolution Agreement with Skagit County, Washington requires the county to pay $215,000 and institute a detailed Corrective Action Plan.

HHS’s action results from an incident in 2011 in which the ePHI of 1,581 individuals was exposed over a two-week period on a public web server maintained by the county. According to the HHS Press Release, the original breach report stated that the ePHI of only seven individuals was at issue, but HHS’s investigation revealed a far broader disclosure and also found that many of the accessible files contained sensitive information pertaining to testing and treatment of infectious diseases. HHS also found that the county failed to provide appropriate notifications after the breach. The investigation further revealed a period of noncompliance with the HIPAA Rules going back to 2005, including failures to implement and maintain Policies and Procedures and to train workforce members appropriately. The Resolution Agreement demonstrates HHS’s commitment to enforcement when it discovers a party has committed the twin sins of long-term noncompliance and inappropriate action after a breach. (Curiously, HHS has yet to include this breach on its list of breaches of unsecured protected health information affecting 500 or more individuals.)

The Resolution Agreement with Skagit County serves as a useful reminder that HHS will take action against parties of any size, whether public or private, and is especially inclined to do so when a party shows a history of noncompliance and reacts inappropriately to a breach. Two simple things can help Covered Entities (of any size) avoid these situations: an up-to-date set of HIPAA Policies and Procedures and a well-trained workforce. Covered Entities should confirm that their Policies and Procedures are current (the Omnibus Rule changed the HIPAA landscape last year and requires updates to existing Policies and Procedures) and that members of their workforce with access to PHI have received specific training related to the Policies and Procedures.


More on Considerations for Entering into or Revising Business Associate Agreements

Posted in HIPAA Business Associates

My partner Elizabeth Litten and I were interviewed by Marla Durben Hirsch for her recent article in Medical Practice Compliance Alert entitled “Evaluate Relationships Before Signing Business Associate Agreements.” While the full text can be found in the February 3, 2014 issue of Medical Practice Compliance Alert, the following considerations are based upon points discussed in the article.   (Elizabeth has written several earlier entries on this blog related to the topic of the article, including those that may be found here and here.)

Often a relationship that a physician (or another professional such as a lawyer or other vendor) has with a covered entity (“CE”), including a hospital, regarding individual health information (“IHI”) may not rise to the level of a business associate (“BA”) under HIPAA which would necessitate a signed business associate agreement (“BAA”). Signing a BAA when it is not required could result in the unnecessary giving up of certain rights and the avoidable creation of some HIPAA compliance issues in the future for both parties to the BAA.

Some CEs may assume that other persons, including physicians, are, as a matter of course, their BAs whenever IHI is shared, and may pressure them to sign BAAs without understanding that a physician’s ability to access, use or disclose his or her patient’s IHI does not automatically make that physician a BA; many times he or she is not.  Physicians require information on their patients for treatment, payment and healthcare operations in their own capacity as CEs, as allowed and contemplated by HIPAA. Just because two CEs are sharing IHI does not make one a BA of the other.

Signing a BAA could, depending on its language, require a purported BA (the “Purported BA”) to take on obligations under HIPAA and tie the hands of the Purported BA, thereby potentially impeding its right to use the IHI appropriately for its own purposes.  One should not assume the need for a BAA without sufficiently assessing why the PHI is being shared.   For example, if a physician is sharing the use of a hospital’s servers and accessing its electronic health records system for common patient information, a data use and access agreement between the parties may be the appropriate document, and a BAA may not be necessary.  In that regard, an underlying agreement may describe why the physician needs the IHI of the other CE’s patients and clarify whether a BA relationship exists. Moreover, in some cases, even an existing CE/BA relationship with a BAA in place that was appropriate when signed could evolve over time, causing a need for the BAA to be updated or even terminated.

Finally, a party that is under pressure from a counterparty to sign a BAA it believes may not be necessary should point out that signing the BAA could put both parties at additional compliance risk: it acknowledges a BA relationship under HIPAA, and the regulatory obligations flowing from it, when no such relationship in fact exists.

Puerto Rico Raises a High Bar for Fines Levied for PHI Breaches

Posted in HIPAA Enforcement

My partner Bill Maruca was quoted in Jeff Overley’s article “Historic HIPAA Fine Will Push Feds To Get Tougher” published in Law360 on Friday, February 20, 2014.   The article reports on the nearly $7 million fine imposed by the Puerto Rico Health Insurance Administration on a contractor, health plan Triple-S Salud Inc. (“Triple-S”).  Bill’s quote sums it up:  “This is a shocking fine, given the circumstances.”  The breach affected roughly 13,000 individuals eligible for both Medicare and Medicaid (“dual eligibles”), but what were the circumstances that made this fine so large as to be shocking to my esteemed colleague and other observers?

Here’s my take.  First, the fine was imposed by Puerto Rico, not by the Office for Civil Rights (“OCR”) within the Department of Health and Human Services (“HHS”), the federal agency generally associated with penalties for breaches involving protected health information (“PHI”).  It is also significantly higher than fines OCR has reported levying for breaches affecting many more individuals than the 13,000 affected here.  OCR has created training tools for state attorneys general and states that it “welcomes” collaborations with state attorneys general seeking to bring civil actions to enforce HIPAA, but no state has imposed such a large penalty for a HIPAA violation, either on its own or in collaboration with OCR.

Second, the breach was not the result of a sophisticated hacking incident or a careless laptop loss or theft capable of exposing thousands of individuals’ information in a single view.  Here, the breach resulted from Triple-S’s inclusion of individual Medicare health insurance claim numbers in plain sight on mailings addressed to the individuals.  This PHI would only have been viewed by those delivering or otherwise physically handling the mail addressed to the individuals, thereby subjecting the PHI to a relatively limited scope of potential viewers (presumably, the postal service and anyone retrieving a specific individual’s mail, with or without permission).

Finally, while the disclosure of an individual’s Medicare health insurance claim number is a disclosure of PHI (and potentially might be used in an attempt to improperly claim health care benefits), it is not the type of PHI that most people are likely to consider sensitive and private.

More information about Triple-S and this incident (and perhaps past incidents involving HIPAA violations, such as the 2010 incident reported to HHS) is likely to surface in the coming weeks and months.

“Boilerplate” Provisions in Business Associate Agreements Warrant Attention

Posted in HIPAA Business Associates

Michael J. Coco writes:

The expanded requirements under the HIPAA Omnibus Rule for a Business Associate Agreement (“BAA”) have created an increase in the volume of such agreements and in the need to analyze them, as individuals in industries traditionally unrelated to health care – such as IT vendors – find themselves confronting issues respecting a BAA. The increase in BAAs has also generated an increase in articles and commentators opining on advisable BAA provisions. Most of these articles focus, as one would expect, on the functional aspects of the BAA. This “meaty” part of the BAA, however, is not the only important part of the agreement. Less frequently have commentators discussed the “boilerplate” or “standard” provisions found in most contracts, including BAAs.

In spite of the seemingly self-explanatory term given to these provisions, they are not always standard and, more importantly, not advisable in all circumstances. The BAA is similar to other contracts in that certain boilerplate provisions sometimes work in the favor of both parties, whereas other provisions may be unduly limiting or even detrimental to both parties, while some provisions favor the party that is the covered entity (“CE”) over the business associate (“BA”), or vice versa. In reviewing BAAs, I have noticed that certain standard provisions, often tacked on to the end of the BAA, may be detrimental to both parties, and that other standard provisions that should have been included were absent. Below is a list of some standard contract provisions and how they might operate in a BAA:

Choice of Law: This provision allows the parties to choose what law governs the contract. Although federal law governs the required content of a BAA, the actual interpretation of the contract, damage awards, and other substantive issues are governed by state law. As such, each party should request to use an applicable state law that will favor its position.

Jurisdiction and Venue: This standard provision requires the parties to litigate any claims under the BAA in a specific state and county. In most cases, as a matter of convenience and economy, each party to an agreement will want jurisdiction and venue to be in its respective home county. CEs, however, should be mindful that a large HIPAA breach litigated locally would be likely to reflect negatively on the CE within its own community, even if the breach is legally attributable to actions or inactions of the BA. A CE should take this into consideration, along with its reputation in the community, when deciding whether to assign venue to its home county.

Force Majeure: Under contemporary contract law, a party is liable for a breach (in most cases) regardless of fault. A Force Majeure provision alleviates the harshness of this rule by eliminating liability for a breach where the action or omission that caused the breach was beyond the reasonable control of the breaching entity. Examples typically include floods, earthquakes, terror attacks and other events beyond the parties’ control. In a typical BAA arrangement, the BA has more obligations than the CE (often because the BAA was originally drafted by the CE). A CE, therefore, should carefully consider whether a Force Majeure provision will advance its interest. BAs, on the other hand, will often benefit from a Force Majeure provision.

Indemnification: An indemnification provision requires the breaching party to act as an indemnitor to the non-breaching party, covering liability, costs and damages as a result of the breach. This provision often requires negligence on the part of the breaching party and may or may not be reciprocal. Because the CE more likely than not has more to lose than the BA, a reciprocal indemnity provision favors a CE more than a BA.  (A prior posting on this blog provided a list of ten items to contemplate if an indemnification provision is being considered for a BAA.)

Third Party Beneficiaries: A Third Party Beneficiary (“TPB”) is a person or group that claims rights under a contract to which the TPB is not a party. Because HIPAA does not create a private right of action, patients and other injured parties cannot use HIPAA directly to sue for damages. A BAA could, potentially, create a “backdoor” right enabling patients and other third parties to sue the CE and/or BA under a TPB theory. For that reason, both parties to the BAA should agree on and include a standard provision that excludes third party beneficiaries from the contract.

These are just a few of the standard provisions in contracts, and parties should carefully consider including them in their BAA. Certain facts, updated regulations, state law peculiarities or other circumstances might alter the general rules discussed here.

[Michael Coco handles a range of corporate matters, focusing his practice primarily in the area of health law. As a former ER staff nurse and chemist, Michael has in-depth insight into such topics as FDA approval of medical devices as well as hospital compliance with federal and state laws and regulations, including privacy and security of health information and professional standards.]

HIPAA Compliance Trends for 2014

Posted in HIPAA Enforcement

My partner Elizabeth Litten and I were interviewed by Marla Durben Hirsch for her Medical Practice Compliance Alert article “HIPAA, ICD-10 Among 6 Compliance Trends That Will Affect You in 2014.” While the full text can be found in the January 6, 2014 issue of Medical Practice Compliance Alert, a synopsis is noted below. As we have earlier stated, it is always a pleasure for us to talk with Marla because she provokes our thinking in new areas.   We look forward to the opportunity of further encounter sessions with her.

The article discussed the fact that medical practices will face several compliance challenges in 2014. We expressed the view that HIPAA enforcement activities and litigation will increase because the Office for Civil Rights has stated that it will aggressively enforce HIPAA, especially since the rule implementing much of the HITECH Act went into effect September 23, 2013. This increase in enforcement coincides with the jump in mobile device use, electronic health record adoption and online scheduling, which will cause digital protected health information (PHI) to be less secure since providers may have less control over it.

Complying with HIPAA requirements can be expected to be used increasingly as a “best practice” in state courts, and patients are winning damages. The article states that “People [will] learn that they can sue [for privacy and security breaches]. This area is growing.”

We also believe that whistleblower activity will increase.  The article points out, “[Former National Security Agency contractor Edward] Snowden will encourage people to whistle blow. A trusted consultant can have an employee that decides whistleblowing is the right thing as a matter of public policy.”

The Affordable Care Act (ACA) will create billing compliance difficulties.  Elizabeth warned, “The ACA loophole that allows for unpaid care for health exchange patients gives patients a three-month grace period before the insurance policy is canceled. It is still unclear when and how practices can bill patients directly once insurers determine the patients are no longer covered, putting practices at risk of not only revenue loss but violating debt-collection practice.”

Finally, the article observed that meaningful use audits respecting initiatives in electronic health records (EHR) will increase. The federal government has paid more than $1.7 billion in incentives regarding EHR to providers under the Medicare and Medicaid meaningful use program. The article concluded, “The government will start audits to get a lot of this money back.”


Springing, Shifting, and Slip-Sliding Business Associate Agreements

Posted in HIPAA Business Associates

What do you do if you have signed a Business Associate Agreement (BAA) with a covered entity, but are getting protected health information (PHI) from the covered entity in conjunction with health care treatment you provide to the individual? What if another covered entity provider has contracted with you to provide services to that provider’s patients? What if you are a covered entity health plan that wants to share PHI with a health care provider, such as a clinical laboratory, in conjunction with an employee wellness program? These are just a few of the situations that come up where the need for a BAA may be questionable and/or the roles of the parties to that BAA are not entirely clear.

Rather than protecting health information, the unnecessary or sloppy BAA may actually just create a HIPAA headache.

The “Springing BAA” is the term I’ll use for a situation in which the parties routinely create, receive, maintain, or transmit information that is not PHI in the course of one party’s performance of services on behalf of the other party, but the parties realize that, at some point in the future, the services may involve information that is PHI. So as to avoid having to address their HIPAA obligations by entering a BAA down the road, they enter a BAA that will apply (“spring to life”) when and if the services involve PHI.

The “Shifting BAA” is the term I’ll use for a situation in which the parties provide services on each other’s behalf that involve the creation, receipt, maintenance, or transmission of PHI from time to time throughout the services contract. This situation will involve two parties that are both covered entities, where the contracted services involve the use or disclosure of PHI on behalf of the other party. At any given time during the contract, one party might be functioning as a covered entity and the other as a business associate, or vice versa. If a hospital contracts with a radiology practice to read scans performed on hospital patients, and the radiology practice contracts with the hospital to provide billing or other services in connection with patients seen in the radiology practice’s private office location (i.e., patients of the practice), for example, each party will be acting as a business associate of the other with respect to the other party’s patients and PHI.

The “Slip-Sliding BAA” is the one to watch out for.  This is the BAA that shouldn’t have been entered in the first place, and turns a simple contractual arrangement into a muddy, slippery mess (thus, the HIPAA headache).  I’ve written about the importance of figuring out whether a party is acting as a business associate (see here and here), but it’s worth emphasizing again. If you’re the covered entity asking a contractor to sign a BAA, make sure the contractor is actually creating, receiving, maintaining or transmitting PHI in connection with services it is providing on your behalf. If it’s not, you have needlessly taken on a business associate relationship, and the contractor’s breaches could be attributed to you. If you’re the contractor being asked to sign the BAA as a business associate, analyze the services agreement to make sure you need to create, receive, maintain or transmit PHI in order to provide services on the other party’s behalf. If PHI is required from the covered entity for the business associate to provide the required services, such an analysis may have the additional ancillary value of making the parties focus on the minimum necessary level of PHI needed.

HIPAA Failure Results In Penalties: Lack of Compliance the Key

Posted in Articles, HIPAA Enforcement, Uncategorized

Our partner Keith McMurdy posted this analysis of a recent HIPAA settlement involving a physician practice on our Employee Benefits Legal Blog:

HIPAA Failure Results In Penalties: Lack of Compliance the Key

By Keith R. McMurdy on January 1, 2014. Posted in Plan Administration, Welfare Plans

Often, when I am discussing HIPAA privacy compliance, I am asked about possible penalties for privacy breaches. Plan sponsors sometimes overlook the fact that failing to have a privacy compliance package in place is itself a violation and can lead to some hefty penalties. Such was the case for Adult & Pediatric Dermatology, P.C., a medical provider that had a security breach. While the facts may not be specific to a covered plan, they should serve as a reminder of the potential consequences for failing to be HIPAA compliant.

The provider had a thumb drive stolen from one of the vehicles of a staff member. It was unencrypted and had PHI for about 2,200 people. The Department of Health and Human Services Office for Civil Rights opened an investigation that revealed that the provider had not conducted an analysis of the potential risks and vulnerabilities as part of its security management process. More importantly, HHS also determined that the provider did not fully comply with requirements of the Breach Notification Rule and that it did not have written policies in place or procedures to train employees on HIPAA privacy and handling of PHI. The provider ended up settling the claim for a $150,000 penalty.

This result is significant for two reasons. First, it is the first reported settlement of a claim for failure to have policies and procedures in place under the Breach Notification rules under the HITECH Act. Second, it shows that the Office of Civil Rights is serious about investigating instances of an alleged breach and enforcing the rules related to privacy compliance. Covered entities (like health plans) are under an affirmative obligation to implement HIPAA Privacy and Security compliance policies, monitor and train employees and take steps to avoid breaches. There is a reporting obligation if a breach occurs and penalties can come into play not just for the breach, but for failing to comply to prevent the breach from occurring.

At a time when plan sponsors are struggling to comply with the requirements of PPACA, other rules like ERISA and HIPAA Medical Privacy can get overlooked. Employers would do well to remember that sponsoring a health plan means complying with all of the various regulations, not just the ones in the media right now. For help locating and complying with all of the requirements for benefit plans, ask your attorney at Fox Rothschild for assistance.




Avoiding a HIPAA Identity Crisis in 2014

Posted in Health IT, Privacy & Security

Who you are makes a big difference in how and whether you must protect individually identifiable health information under HIPAA.   As we near the end of 2013, I look back at the events of the past year and am struck by the breadth and complexity of the issues we have written about on this blog site and the realization that we have addressed only a miniscule fraction of the health care privacy and security issues of the past year. I see a recurring theme, though:  a persistent refusal or reluctance to grapple with one’s identity and related responsibilities under HIPAA.  It is almost as though we think there’s no HIPAA problem that a slapped-on Business Associate Agreement (BAA) bandage can’t cover.  In reality, though, the sloppy BAA (or Notice of Privacy Practices (NPP), described below) may just confuse matters.

A few explanations come to mind when I think about the reasons for this HIPAA identity crisis. Our world has become data-driven, security-scarred, and privacy-perplexed.  The need to access and share private information electronically has become a given, just as examples of breaches in the security of this information explode in the headlines almost daily.  In addition, we don’t seem to have widespread public agreement as to what “privacy” means when it comes to the personal information we create, receive, maintain, or transmit electronically.

No wonder so many in the health care industry (including large, sophisticated health care providers and payers, the technology vendors serving them, and, as Bill Maruca discussed in his recent blog, even the government office in charge of enforcing HIPAA) cannot seem to get it right when it comes to understanding their roles under HIPAA.  Christopher Rasmussen of the Center for Democracy & Technology wrote about “Covered California’s Misguided Privacy Policy” in an article published on December 17, 2013.  Covered California, the state’s Affordable Care Act insurance marketplace, shared personal information from applicants who had not completed the application with insurance agents and brokers so that the agents and brokers could contact the applicants and invite them to complete the applications.  Apparently, nothing on the Covered California website told applicants that their information would be shared in this manner, and as Mr. Rasmussen correctly points out, Covered California’s published NPP confuses matters by making it appear that Covered California is a covered entity under HIPAA.  The first line of the NPP reads:  “This notice describes how medical information about you may be used”.   Perhaps none of the applicants included medical information on their incomplete applications, but if they did, it seems unlikely they would want their medical information to be used in an unexpected sales pitch from an insurance broker.

The bottom line?  If you use or disclose health information, pay careful attention to whether you are covered by HIPAA and understand your identity as a covered entity, business associate, subcontractor, or some combination of these roles.  If you aren’t covered by HIPAA, don’t confuse everyone by sounding as though you are.  In either case, resolve to spend time in 2014 understanding your privacy and security responsibilities before using or disclosing individually identifiable information.

Complex New Healthcare Relationships Create New Challenges in Electronic Health Records

Posted in EHR and PHR, Health IT

My partner Elizabeth G. Litten and I were interviewed by Marla Durben Hirsch in the FierceEMR article “Healthcare Attorneys: New Business Relationships Will Create New EHR Problems.” It is always a pleasure for us to talk with Marla because she provokes our thinking in new areas.  While the full text can be found here as part of the December 19, 2013, issue of FierceEMR, a synopsis is noted below.

The healthcare industry already has experienced several unintended issues related to electronic health records, many of which involve privacy and security, patient safety and coding. But as implementation of EHRs begins to mature and providers step up organizational consolidation and integration in response to health reform, there will be additional unanticipated operational and business problems involving EHRs that will arise.