
HIPAA, HITECH & HIT

Legal Issues, Developments and Other Pertinent Information Relating To The Creation, Use and Exchange of Electronic Health Records

Hobby Lobby, HIPAA and Happy Independence Day

Posted in Health Reform, Privacy & Security

The recent United States Supreme Court decision in Burwell v. Hobby Lobby Stores, Inc. has attorneys, pundits, policy-makers and businesses (yes, corporations are people, too) pondering big, quintessentially American issues like the free exercise of religion, compelling government interests, and our fundamental right to make money (and, as a corollary issue, what distinguishes for-profit from not-for-profit corporations).  Perhaps not many people are pondering the HIPAA implications of this historic decision, but if you are reading this blog, you might be among the very few of us wondering what this decision means in terms of HIPAA protection.  Or, more likely, you are wondering why I don’t have better things to think about on the eve of a national holiday.

The majority notes that the Department of Health and Human Services (HHS) has effectively exempted certain religious nonprofit organizations (“eligible organizations”) from the contraceptive mandate imposed by the Affordable Care Act (ACA).  If an employer certifies that it is an eligible organization, its health insurance issuer must exclude contraceptive coverage from the employer’s plan and must provide separate payments for contraceptive services for plan participants without imposing fees or cost-sharing requirements on the eligible organization, its insurance plan, or its employee beneficiaries.  HHS regulations implementing this eligible organization contraceptive policy make it clear that the health insurance issuer is not acting as an insurance carrier under state insurance law because the payments for contraceptive coverage “derive solely from a federal regulatory requirement, not a health insurance policy… .”  If the eligible organization is self-funded, its third party administrator (TPA) must pay for contraceptive services (without imposing fees or cost-sharing requirements) or arrange for an insurer or other entity to pay for these services.

The Hobby Lobby majority endorses this “reasonable accommodation” for use by religious for-profit, closely-held corporations such as Hobby Lobby – it points out that HHS has the means to achieve its desired goal (here, employer plan coverage of contraceptives) without imposing a substantial burden on the exercise of religion by these closely-held corporate entities.

Back to HIPAA.  If a beneficiary of an eligible organization’s health plan seeks contraceptive coverage, and the health plan is not covering this benefit, who is the covered entity for purposes of HIPAA compliance?  If the eligible organization has a self-funded plan, is the TPA (which acts as the business associate of the self-funded plan in its normal course of operations) the “covered entity” for purposes of protected health information (PHI) related to contraceptive services?  This is an important question because, presumably, the beneficiary who is seeking contraceptive services must obtain coverage for these services from someone other than the eligible organization’s health plan.

Women whose health plans do not cover contraception, whether because their employer plans were exempt from the ACA contraceptive coverage mandate under the pre-Hobby Lobby religious nonprofit exemption, or because the Hobby Lobby decision throws open the door to new employer plan exemptions, may want to think about who is responsible for protecting this very personal PHI.

The requirements of HIPAA impose other specific obligations on a covered entity and raise additional questions.  For example, what will the Notice of Privacy Practices of the covered entity (assuming we know who that is) look like for contraceptive services?  If the TPA (or other person now responsible for paying for contraceptive services) normally acts as a business associate in relation to the employer plan, does it now need its own Notice of Privacy Practices and business associate agreements with third parties to deal with its receipt of PHI related to contraceptive services?  These types of issues will likely become more clouded as cases involving other challenges to the ACA move through the courts.  Certainly, religious freedom is important and worth protecting, but so too is health information privacy.  Happy Fourth!


Paper Records HIPAA Violation Results in $800,000 Payment under HHS Resolution Agreement

Posted in HIPAA Enforcement, Privacy & Security

My partner Elizabeth Litten was quoted at length by Alexis Kateifides in his recent article in DataGuidance entitled “USA: ‘Unique’ HIPAA violation results in $800,000 settlement.”  While the full text can be found in the June 26, 2014 article in DataGuidance.com, the following considerations are based upon points discussed in the article.  (Elizabeth herself has written many entries on this blog related to the topic of large breaches of protected health information (“PHI”) under HIPAA.)

The article discusses the U.S. Department of Health and Human Services (“HHS”) press release on June 23, 2014 that it had reached a Resolution Agreement (the “Resolution Agreement”) with Parkview Health System, Inc. d/b/a Parkview Physicians Group, f/k/a Parkview Medical Group, a nonprofit Indiana health provider (“Parkview”).  Pursuant to the Resolution Agreement, Parkview has agreed to pay $800,000 as a “Resolution Amount” and to enter a corrective action plan to address its HIPAA compliance issues.

There are several interesting aspects to the Parkview incident and Resolution Agreement, including those in Elizabeth’s comments quoted below.  The Resolution Agreement recites that it relates to an incident that was reported in a complaint to HHS on June 10, 2009 by Dr. Christine Hamilton, a physician.  Dr. Hamilton apparently asserted that Parkview failed to appropriately and reasonably safeguard the PHI of thousands of her patients in paper medical records that had been in the custody of Parkview from September, 2008 when Dr. Hamilton had retired.  The Resolution Agreement alleged that

Parkview employees, with notice that Dr. Hamilton had refused delivery and was not at home, delivered and left 71 cardboard boxes of these medical records unattended and accessible to unauthorized persons on the driveway of Dr. Hamilton’s home, within 20 feet of the public road and a short distance away (four doors down) from a heavily trafficked public shopping venue.

Elizabeth pointed out in the DataGuidance article, “The fact that Parkview left such a large volume of medical records in an unsecured location suggests that Parkview acted with ‘willful neglect’ as defined by the HIPAA regulations.”  Elizabeth went on to say in the article,

Although the resolution amount of $800,000 seems high given the fact that the records were, apparently, intended to be transferred from one covered entity to another, the circumstances suggest that Parkview was intentionally or recklessly indifferent to its obligation to secure the records. Second, the incident underscores the risks attendant to paper records. A majority of large breaches involve electronic records, but paper PHI is also vulnerable to breach and covered entities and business associates need to realize that large fines and penalties are also likely to be imposed for failure to secure PHI contained in paper form. . . .  While the Resolution Agreement does not provide very much information as to the events leading up to the ‘driveway dumping’ event, its recitation of the facts raises the possibility that Parkview may not have had proper authorization to hold the records in the first place. . . .  Parkview ‘received and took control’ of the records of 5,000 to 8,000 of the physician’s patients in September of 2008, because it was ‘assisting’ the physician with transitioning the patients to new providers and was ‘considering the possibility of purchasing’ the records from the physician, who was retiring and closing her practice. The ‘driveway dumping’ did not occur until June of 2009. It is not clear from the Resolution Agreement when the physician retired, whether Parkview ever treated the patients, and/or whether Parkview was otherwise appropriately authorized under HIPAA to receive, control and hold the records for this 10-month period.

In addition to the incisive analysis by Elizabeth in the DataGuidance article, there are a few other points worth making relative to the Resolution Agreement.  First, the incident is not posted on the HHS “Wall of Shame” for large PHI breaches affecting 500 or more individuals because it occurred several months before the effective date in September 2009 for such posting.  Second, it is noteworthy that it took almost five years after the incident for the Resolution Agreement to be signed between Parkview and HHS.  Third, the Parkview Web site appears, as of this writing, to be devoid of any reference to the Resolution Agreement or to the payment of the Resolution Amount.

Finally, the Resolution Agreement took great effort to make it clear that the $800,000 payment by Parkview was not a civil monetary penalty (“CMP”) but a “resolution amount”; in the Resolution Agreement, HHS reserved the right to impose a CMP if there was noncompliance by Parkview with the corrective action plan.  The HHS Web site says the following about the relatively few cases of resolution agreements (only 21 reported to date):

A resolution agreement is a contract signed by HHS and a covered entity in which the covered entity agrees to perform certain obligations (e.g., staff training) and make reports to HHS, generally for a period of three years. During the period, HHS monitors the covered entity’s compliance with its obligations. A resolution agreement likely would include the payment of a resolution amount. These agreements are reserved to settle investigations with more serious outcomes. When HHS has not been able to reach a satisfactory resolution through the covered entity’s demonstrated compliance or corrective action through other informal means, civil money penalties (CMPs) may be imposed for noncompliance against a covered entity. To date, HHS has entered into 21 resolution agreements and issued CMPs to one covered entity.

PHI Data Breaches just went from Bad Dream to Nightmare in West Virginia

Posted in Privacy & Security

Michael Coco writes:

The dreaded PHI data breach is every covered entity’s bad dream, but the West Virginia Supreme Court just turned that bad dream into a nightmare. The court decided a case, Tabata v. Charleston Area Medical Center, Inc., brought on behalf of thousands of patients requesting class certification to sue the medical center for breaching their privacy rights. The patients alleged that the medical center was responsible for placing their personal and medical information on an electronic database and website, which was accessible to the public. This database included names, contact details, Social Security Numbers, and dates of birth of 3,655 patients, along with certain basic respiratory care information. The breach was also an apparent HIPAA violation and was reported by the Center on the “Wall of Shame” website for reporting HIPAA data breaches involving more than 500 individuals. A business associate, Xforia Web Services, was also reported on the website as having been involved in the breach but is not listed among the parties in the West Virginia Supreme Court opinion.

The lower West Virginia court held that the patients lacked standing and could not be certified as a class because they had no actual, concrete damages as a result of their information being accessible on a website controlled by the medical center. None of the patients could prove their information was stolen or used for a nefarious purpose, and their claims were based on a general invasion of privacy action and emotional distress.

In reversing the lower court ruling, the West Virginia Supreme Court focused on the four usual requirements to certify a class – “numerosity”, commonality, typicality, and adequacy of representation – and did not require the class members to prove any actual, pecuniary damages. The West Virginia Supreme Court determined that a violation of the patients’ right to privacy alone was enough to create the requisite standing to bring an action, and the plaintiffs need not prove actual damages as a prerequisite to class certification.

This state ruling stands in contrast to the federal rule articulated in Federal Aviation Administration v. Cooper, in which the Supreme Court of the United States evaluated the standing issue under the doctrine of sovereign immunity and held that an individual needed to prove actual, pecuniary damages before he or she might prevail in a suit against the federal government for wrongful disclosure of health information under the Privacy Act.

Although limited to West Virginia, the Tabata ruling could persuade courts in other states to allow breach actions brought by affected individuals even where proof of damages is lacking. Normally, a covered entity might suffer fines, notification and remediation costs, and negative publicity for a breach, but HIPAA does not provide individuals a private cause of action.  As long as no PHI was actually stolen and used to injure a party, the ability of a patient to bring a private civil suit in state court is limited. The Tabata case opens the door to filings in state court by any patient who had his or her information impermissibly disclosed, regardless of any actual injury. In the event of a large breach, this could subject a covered entity to a large class action or thousands of suits brought by individual patients.

[Michael Coco handles a range of corporate matters, focusing his practice primarily in the area of health law. As a former ER staff nurse and chemist, Michael has in-depth insight into such topics as FDA approval of medical devices as well as hospital compliance with federal and state laws and regulations, including privacy and security of health information and professional standards.]

Risky (Health Care) Business: Disclosure of FTC Data Security Enforcement Potential to Investors and Other Third Parties

Posted in Privacy & Security

Readers of this blog know that we have been tracking the FTC’s recent data security enforcement activities with a particular focus on the FTC v. LabMD case.  As reported by Cause of Action, a nonprofit organization involved in the defense of LabMD, the LabMD trial was put on hold on May 30, 2014 until June 12, 2014 because the House Oversight Committee is investigating Tiversa Holding Co, the cybersecurity firm that found the patient data leading to the FTC’s investigation.  The unofficial transcript from the May 30th trial proceeding is available via the Cause of Action report.

While we don’t yet know how the LabMD case will end or whether the FTC will eventually decide to defer to the Department of Health and Human Services (“HHS”) and its detailed HIPAA requirements for data privacy and security, businesses involved with protected health information (PHI) might want to consider including a paragraph on the FTC’s data security enforcement activities in disclosure statements provided to investors or other third parties (such as those viewing website privacy statements).  A statement to be included in a private placement memorandum might provide as follows:

Section 5 of the Federal Trade Commission Act (“FTC Act”) prohibits unfair or deceptive acts or practices in or affecting commerce. The FTC has taken the position that unfair practices include those related to the use or protection of a consumer’s personal information, and has taken enforcement action against businesses based on its determination that the businesses had unfair practices relating to deficient data security measures.  The FTC has taken such enforcement action against businesses, such as [COMPANY], that must protect data in accordance with HIPAA, even where no HIPAA violation has been alleged and no HIPAA penalties have been imposed. Management of [COMPANY] has no reason to believe that [COMPANY] will not comply with Section 5 of the FTC Act; however, the failure to do so could result in the expenditure of significant sums incurred in responding to an administrative complaint and navigating the consent order process, and [COMPANY] could face the imposition of civil penalties, bans on certain activities, and requirements for corrective actions, including reporting, audit and compliance requirements for periods of up to twenty years.

Businesses subject to HIPAA may also want to consider including a statement related to applicable state privacy and security standards or requirements, specifying those that are more stringent than the HIPAA standards and requirements.

Will Unearthing the FTC’s Data Security Standards Help the Health Care Industry?

Posted in Privacy & Security

As a regulatory lawyer, I frequently find myself parsing words and phrases crafted by legislators and agencies that, all too often, are frustratingly vague or contradictory when applied to a particular real-world and perhaps unanticipated (at the time of drafting) scenario.  So when an agency crafting guidance for a regulated industry has advisors on hand who have first-hand knowledge and expertise about particular real-world occurrences, such as data security breaches, it would seem that agency would be in an ideal position to create relevant, clear, and sufficiently detailed guidance that the affected industry could use to prevent certain occurrences and achieve compliance with the agency’s requirements.

As described in prior posts on this blog, the Federal Trade Commission (FTC) has brought numerous enforcement actions against businesses based on its decision that the businesses’ data security practices were “deceptive” or “unfair” under Section 5 of the FTC Act.  When I last checked the FTC’s website, there were 54 cases listed under the “Privacy and Security” topic and “Data Security” subtopic, one of which is the LabMD case filed on August 29, 2013.  Blog readers may have “discerned” (as do smart businesses when reviewing these cases and trying to figure out what the FTC’s data security “standards” might be) that I am intrigued with the LabMD case.  My intrigue arises, in part, from the stark contrast between the FTC and the Department of Health and Human Services (HHS) and the way these agencies identify data security standards applicable to regulated entities.  Of course, HHS’s standards apply specifically to the subset of data that is protected health information (PHI) – precisely the type of data involved in the LabMD case – but that hasn’t stopped the FTC from insisting that its own “standards” also apply to covered entities and business associates regulated by HIPAA.

The latest development in the LabMD case is particularly intriguing.  On May 1, 2014, FTC Chief Administrative Law Judge D. Michael Chappell granted LabMD’s motion to compel deposition testimony as to “what data security standards, if any, have been published by the FTC or the Bureau [of Consumer Protection], upon which … [FTC] Counsel intends to rely at trial to demonstrate that … [LabMD’s] data security practices were not reasonable and appropriate.”  The FTC had fought to prevent this testimony, arguing that the “FTC’s ‘data security standards’ are not relevant to” the factual question of whether LabMD’s data security procedures were “unreasonable” in light of the FTC’s standards.

The FTC does publish a “Guide for Business” on “Protecting Personal Information” on its website.  This “Guide” is very basic (15 pages in total, with lots of pictures), and includes bullet points with tips such as “Don’t store sensitive consumer data on any computer with an Internet connection unless it’s essential for conducting your business.”  The “Guide” does not reference HIPAA, and does not come close to the breadth and depth of the HIPAA regulations (and other HHS published materials) in terms of setting forth the agency’s data security standards.

LabMD’s Answer and Defenses to the FTC’s Complaint was filed on September 17, 2013.  In that document, LabMD admits to having been contacted in May of 2008 by a third party, Tiversa, claiming that it had obtained an “insurance aging report” containing information about approximately 9,300 patients.  Tiversa, a privately-held company that provides “intelligence services to corporations, government agencies and individuals based on patented technologies” and can “locate exposed files … and assist in remediation and risk mitigation,” boasts an impressive advisory board.  According to Tiversa’s website, advisory board member Dr. Larry Ponemon “has extensive knowledge of regulatory frameworks for managing privacy and data security including … health care,” and “was appointed to the Advisory Committee for Online Access & Security” for the FTC.

Perhaps the FTC might consult with Dr. Ponemon in crafting data security standards applicable to the health care industry, since Tiversa apparently identified LabMD’s data security breach in the first place.  If (as published by the Ponemon Institute in its “Fourth Annual Benchmark Study on Patient Privacy and Data Security”) criminal attacks on health care systems have risen 100% since the Ponemon Institute’s first study conducted in 2010, the health care industry remains vulnerable despite efforts to comply with HIPAA and/or discern the FTC’s data privacy standards.  Bringing Dr. Ponemon’s real-world experience to bear in crafting clear and useful FTC data privacy standards (that hopefully complement, not contradict, already-applicable HIPAA standards) might actually help protect PHI from both criminal attack and discovery by “intelligence service” companies like Tiversa.

Unencrypted Laptops Prove Costly

Posted in Articles, HIPAA Enforcement, Privacy & Security

Is the PHI on all your mobile devices encrypted?  If not, here are another two million reasons to make encryption your top priority. The Office for Civil Rights (OCR) of the Department of Health and Human Services announced on April 22, 2014 that two entities had agreed to pay a combined total of nearly $2 million under resolution agreements following the theft of unencrypted laptops.

As previously noted in this blog, theft or loss of laptops or other portable electronic devices remains a predominant factor in HIPAA breaches, constituting 57.5% of the approximately 400 List Breaches that involved reported theft or loss as of August 2013.

In the first incident, Concentra Health Services agreed to pay $1,725,220 and to adopt a corrective action plan after an OCR investigation following a report of the theft of an unencrypted laptop from a physical therapy clinic.  According to the press release,

“OCR’s investigation revealed Concentra had previously recognized in multiple risk analyses that a lack of encryption on its laptops, desktop computers, medical equipment, tablets and other devices containing electronic protected health information (ePHI) was a critical risk.  While steps were taken to begin encryption, Concentra’s efforts were incomplete and inconsistent over time leaving patient PHI vulnerable throughout the organization. OCR’s investigation further found Concentra had insufficient security management processes in place to safeguard patient information.”

This isn’t Concentra’s first experience with laptop theft. The OCR list of Breaches Affecting 500 or More Individuals (also known as the “Wall of Shame”) includes two prior similar incidents, one in 2009 and another in 2011. (It is unclear whether this theft was related to the 2011 incident). Modern Healthcare reports that Concentra reported 16 additional breaches involving fewer than 500 individuals’ records.  So, although 434 out of 597 laptops had been encrypted according to HealthITSecurity.com, a batting average of .726 wasn’t good enough given their status as repeat offenders. Concentra’s resolution agreement, including the Corrective Action Plan, is available here and is worth reading.  Among other conditions, OCR requires that the company provide an update regarding its encryption status, including the percentage of all Concentra devices and equipment (laptops, desktops, medical equipment, tablets, and other storage devices) that are encrypted and an explanation for the percentage of devices and equipment that are not encrypted.

The company’s incomplete and inadequate implementation of compliance steps after known vulnerabilities had been identified may also have contributed to the severity of the penalty.  One of the worst things a covered entity or business associate can do is to engage in a half-hearted compliance effort that documents knowledge of uncorrected problems.

In the second case, Arkansas-based QCA Health Plan reported the theft of an unencrypted laptop containing records of 148 individuals. OCR noted that its investigation revealed that QCA failed to comply with multiple requirements of the HIPAA Privacy and Security Rules, beginning from the compliance date of the Security Rule in April 2005 and ending in June 2012. QCA agreed to pay $250,000 and to implement upgraded security procedures and employee training. QCA’s Resolution Agreement and Corrective Action Plan is here. This case marks only the second time OCR has imposed a payment on an entity for a breach involving fewer than 500 individuals’ PHI, following the Hospice of North Idaho settlement.

One lesson is clear from both incidents: if these laptops had been encrypted in accordance with the NIST standards referenced in HHS’s breach notification guidance (NIST Special Publication 800-111 for data at rest), the thefts would not have been reportable breaches and neither entity would likely have faced a settlement payment and additional government oversight.  Two caveats are worth keeping in mind.  First, encryption of ePHI is an “addressable” implementation specification under the Security Rule, which does not make it optional: an entity that decides not to encrypt a device must document why and implement an equivalent alternative safeguard, and Concentra’s own risk analyses show what happens when the gap is documented but never closed.  Second, the breach notification safe harbor for encrypted data applies only if the decryption key was not compromised along with the device, so a laptop whose passphrase travels with it is not “encrypted” in any sense that helps.  As enforcement continues to ramp up and target both Covered Entities and Business Associates, and as the use of mobile devices continues to increase, there is no excuse to delay full implementation of encryption.  Encryption isn’t a panacea, but it’s as close as you can get in the HIPAA compliance world.
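Concentra’s corrective action plan requires it to report the percentage of devices that are encrypted and to explain the rest, which means knowing, per device, whether the data volumes actually sit on an encrypted block layer rather than trusting an asset spreadsheet. The following script is an added example that is not part of the original post or of any OCR material: it parses the JSON that `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` emits on a Linux laptop, flags any mounted data volume that has no dm-crypt (LUKS) ancestor, and rolls the per-host findings up into the coverage figure a corrective action plan asks for. The two inventories embedded below are constructed sample output, not captures from any real system, and the hostnames are placeholders.

```python
"""Audit which mounted filesystems sit on an encrypted (dm-crypt) block device.

Added example (not from the original post). Input is the JSON tree produced by
`lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT`; the two inventories below are
constructed samples, not real captures.
"""

# Constructed sample: LUKS container under an LVM volume group holding / and /home.
ENCRYPTED_LAPTOP = {
    "blockdevices": [
        {"name": "nvme0n1", "type": "disk", "fstype": None, "mountpoint": None, "children": [
            {"name": "nvme0n1p1", "type": "part", "fstype": "vfat", "mountpoint": "/boot/efi"},
            {"name": "nvme0n1p2", "type": "part", "fstype": "ext4", "mountpoint": "/boot"},
            {"name": "nvme0n1p3", "type": "part", "fstype": "crypto_LUKS", "mountpoint": None, "children": [
                {"name": "cryptlvm", "type": "crypt", "fstype": "LVM2_member", "mountpoint": None, "children": [
                    {"name": "vg0-root", "type": "lvm", "fstype": "ext4", "mountpoint": "/"},
                    {"name": "vg0-home", "type": "lvm", "fstype": "ext4", "mountpoint": "/home"},
                ]},
            ]},
        ]},
    ]
}

# Constructed sample: plain partitions, nothing encrypted.
UNENCRYPTED_LAPTOP = {
    "blockdevices": [
        {"name": "sda", "type": "disk", "fstype": None, "mountpoint": None, "children": [
            {"name": "sda1", "type": "part", "fstype": "vfat", "mountpoint": "/boot/efi"},
            {"name": "sda2", "type": "part", "fstype": "ext4", "mountpoint": "/"},
            {"name": "sda3", "type": "part", "fstype": "ext4", "mountpoint": "/home"},
        ]},
    ]
}

# Volumes that are legitimately cleartext even on a fully encrypted host
# (the bootloader must be able to read them before any key is entered).
EXEMPT_MOUNTPOINTS = {"/boot", "/boot/efi"}


def _mountpoints_of(node):
    """Handle both the older 'mountpoint' field and the newer 'mountpoints' list."""
    if node.get("mountpoints"):
        return [mp for mp in node["mountpoints"] if mp]
    return [node["mountpoint"]] if node.get("mountpoint") else []


def encrypted_mountpoints(lsblk_json):
    """Map each mounted filesystem to True if any ancestor is a dm-crypt layer
    (lsblk type "crypt"), else False."""
    result = {}

    def walk(node, under_crypt):
        under_crypt = under_crypt or node.get("type") == "crypt"
        for mp in _mountpoints_of(node):
            result[mp] = under_crypt
        for child in node.get("children", []):
            walk(child, under_crypt)

    for device in lsblk_json.get("blockdevices", []):
        walk(device, False)
    return result


def unencrypted_data_volumes(lsblk_json):
    """Sorted list of mountpoints holding data in cleartext, boot volumes exempted."""
    return sorted(mp for mp, enc in encrypted_mountpoints(lsblk_json).items()
                  if not enc and mp not in EXEMPT_MOUNTPOINTS)


def fleet_report(hosts):
    """hosts: {hostname: lsblk_json}. Returns (percent of hosts fully encrypted,
    {hostname: [cleartext data mountpoints]} for the hosts that are not)."""
    findings = {h: unencrypted_data_volumes(j) for h, j in hosts.items()}
    compliant = sum(1 for vols in findings.values() if not vols)
    pct = round(100.0 * compliant / len(hosts), 1) if hosts else 0.0
    return pct, {h: vols for h, vols in findings.items() if vols}


if __name__ == "__main__":
    # Placeholder hostnames; in practice the JSON would come from each host.
    fleet = {"pt-clinic-01": ENCRYPTED_LAPTOP, "pt-clinic-02": UNENCRYPTED_LAPTOP}
    pct, offenders = fleet_report(fleet)
    print(f"{pct}% of hosts have all data volumes encrypted")
    for host, vols in offenders.items():
        print(f"  {host}: cleartext data on {', '.join(vols)}")
```

A “crypt” layer in the device tree proves only that dm-crypt is in the stack; it says nothing about whether the LUKS passphrase is strong, whether the key is sealed to hardware, or whether the machine was stolen while unlocked, so the script is an inventory check, not a substitute for the risk analysis the Security Rule requires. It also does not see filesystem-level encryption (for example fscrypt) or non-Linux mechanisms such as BitLocker or FileVault, which need their own checks.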

When the Long Arm of HIPAA Reaches into Mergers, Acquisitions and Asset Sales of Health Care Practices

Posted in HIPAA Business Associates

Michael J. Coco writes:

If you have ever bought or sold a business, or you have experience with the process, you are aware of the due diligence efforts and multiple agreements required to close the deal. Transactions involving the sale or purchase of health care related business, such as a medical practice, often take the form of asset purchases, set in motion by executing an asset purchase agreement (“APA”). The APA can be a voluminous document written by the purchaser to protect the purchaser. APAs have been known to cover every conceivable circumstance that may reflect negatively on the purchaser after the acquisition. APAs have been known to cover everything from the seller’s violation of a local ordinance to more serious violations, including violations of federal law. With a novelette of protective provisions, a well-written APA seems to cover everything. But like all legal documents, a typical APA needs to keep up with evolving law and, in the case of health care, the law evolves quickly.

Major and fairly recent changes in healthcare law include the clear requirement under applicable HIPAA provisions for covered entities to have business associate agreements in place and for business associates to have subcontractor agreements in place. Breach notification rules and penalties have also been created or refined under HIPAA. The typical APA requires the seller to represent that it has not violated any law, and often expands this representation to its employees. However, few APAs discuss potential HIPAA breaches by employees, or breaches by business associates. More importantly, there may be no specific representation that the seller has in place all of the appropriate business associate agreements.

Although a good due diligence review should evaluate business associate agreements, the purchaser should consider adding specific business associate agreement and breach representations, along with the corresponding indemnification provisions. Buyers should request copies of all business associate agreements currently in place, as well as any subcontractor agreements. In addition, the buyer should ask a seller to disclose any circumstance in which it discovered a potential breach, but determined the breach was not reportable based on an internal risk assessment conducted by the seller. Because the buyer is ordinarily acquiring the good will of the medical practice as an essential element, a past breach by the seller or the seller’s business associate could seriously reduce the value of the buyer’s investment. For this reason, buyers should consider adding specific breach and business associate representations to their APAs.

[Michael Coco handles a range of corporate matters, focusing his practice primarily in the area of health law. As a former ER staff nurse and chemist, Michael has in-depth insight into such topics as FDA approval of medical devices as well as hospital compliance with federal and state laws and regulations, including privacy and security of health information and professional standards.]

Wild West Data Breach Sheriff Wins a Round Back East

Posted in HIPAA Enforcement

LabMD is not the only company that has tried to buck the FTC’s assertion of authority over data security breaches. Wyndham Worldwide Corp. has spent the past year contesting the FTC’s authority to pursue enforcement actions based upon companies’ alleged “unfair” or “unreasonable” data security practices.  On Monday, April 7, 2014, the United States District Court for the District of New Jersey sided with the FTC and denied Wyndham’s motion to dismiss the FTC’s complaint.  The Court found that Section 5 of the FTC Act permits the FTC to regulate data security, and that the FTC is not required to issue formal rules about what companies must do to implement “reasonable” data security practices.  Notably, Wyndham’s data breach involved personal information that included names, addresses, email addresses, telephone numbers, payment card account numbers, expiration dates, and security codes, and did not involve HIPAA-covered Protected Health Information (PHI), so the court did not address the coexistence of data security authority under the FTC Act and HIPAA.

My Fox Rothschild LLP colleague, Todd Rodriguez, recently posted a blog describing the new HIPAA “Security Risk Assessment Tool” (SRA Tool) developed by the Department of Health and Human Services (HHS) as a collaboration between the Office for Civil Rights (OCR) and Office of the National Coordinator for Health Information Technology (ONC).  The tool, available for download, supplements the detailed Omnibus Rule standards with a practical, hands-on resource entities can use to evaluate the efficacy of their data security practices, and users are asked to provide feedback on the SRA Tool by submitting comments before June 2, 2014.

By contrast, the FTC expects companies to review its enforcement actions and figure out what not to do when it comes to data security practices.  As reported by Andrew Scurria in Law360 on March 26, 2014, FTC Chairwoman Ramirez appeared before a Senate Commerce Committee panel and responded to critiques that the FTC has not provided enough guidance to businesses regarding appropriate data security practices.  Ramirez referenced the consent decrees resulting from the cases the agency has brought and settled under the unfairness and deception prongs of Section 5 of the FTC Act, and said that companies can “discern” the FTC’s approach to data security enforcement from those.

The recent victory in the Wyndham case may be a sign that the “other” data security sheriff in town, the FTC, will ramp up its enforcement actions and catch more companies that have either been unable to “discern” the FTC’s expectations or unable to avoid hacking incidents or other security intrusions.  Unfortunately, because it does not appear that the FTC will issue any regulatory guidance in the near future about what companies can do to ensure that their data security practices are reasonable, companies must closely monitor the FTC’s actions, adjudications and other signals in an attempt to predict what the FTC views as data security best practices.

The Wild West of Data Breach Enforcement by the Feds

Posted in Uncategorized

Imagine you have completed your HIPAA risk assessment and implemented a robust privacy and security plan designed to meet each criterion of the Omnibus Rule.  You think that, should you suffer a data breach involving protected health information as defined under HIPAA (PHI), you can show the Secretary of the Department of Health and Human Services (HHS) and its Office for Civil Rights (OCR), as well as media reporters and others, that you exercised due diligence and should not be penalized. Your expenditure of time and money will help ensure your compliance with federal law.

Unfortunately, however, HHS is not the only sheriff in town when it comes to data breach enforcement.  The Federal Trade Commission (FTC) has been battling LabMD for the past few years in a case that gets more interesting as the filings and rulings mount (In the Matter of LabMD, Inc., Docket No. 9357 before the FTC).  LabMD’s CEO Michael Daugherty recently published a book on the dispute with a title analogizing the FTC to the devil, with the byline, “The Shocking Expose of the U.S. Government’s Surveillance and Overreach into Cybersecurity, Medicine, and Small Business.”  Daugherty issued a press release in late January attributing the shutdown of operations of LabMD primarily to the FTC’s actions.

Among many other reasons, this case is interesting because of the dual jurisdiction of the FTC and HHS/OCR over breaches that involve individual health information.

On one hand, the HIPAA regulations detail a specific, fact-oriented process for determining whether an impermissible disclosure of PHI constitutes a breach under the law.  The pre-Omnibus Rule breach analysis involved consideration of whether the impermissible disclosure posed a “significant risk of financial, reputational, or other harm” to the individual whose PHI was disclosed.  The post-Omnibus Rule breach analysis presumes that an impermissible disclosure is a breach, unless a risk assessment that includes consideration of at least four specific factors demonstrates there was a “low probability” that the individual’s PHI was compromised.

In stark contrast to HIPAA, the FTC can bring an enforcement action based upon its decision that an entity’s data security practices are “unfair”, but it has not promulgated regulations or issued specific guidance as to how or when a determination of “unfairness” is made.  Instead, the FTC routinely alleges that entities’ data security practices are “unfair” because they are not “reasonable” – two vague words that leave entities guessing about how to become FTC compliant.

In 2013, LabMD filed a motion to have the FTC’s enforcement action dismissed.  LabMD argued, in part, that the FTC does not have the authority to bring actions under the “unfairness” prong of Section 5 of the FTC Act.  LabMD further argued that there should only be one sheriff in town – not both HHS and the FTC.  Not surprisingly, in January 2014, the FTC denied the motion to dismiss, finding that HIPAA requirements are “largely consistent with the data security duties” of the FTC under the FTC Act.  The opinion speaks of “data security duties” and “requirements” of the FTC Act, but these “duties” and “requirements” are not spelled out (much less even mentioned) in the FTC Act.  As a result, how can anyone arrive at the determination that the standards are consistent?  Instead, entities that suffer a data security incident must comply with the detailed analysis under HIPAA, as well as the absence of any clear guidance under the FTC Act.

In a March 10th ruling, the judge ruled that he would permit LabMD to depose an FTC designee regarding consumers harmed by LabMD’s allegedly inadequate security practices.  However, the judge also ruled that LabMD could not “inquire into why, or how, the factual bases of the allegations … justify the conclusion that [LabMD] violated the FTC Act.”  So while the LabMD case may eventually provide some guidance as to the factual circumstances involved in an FTC determination that data security practices are “unfair” and have caused, or are likely to cause, consumer harm, the legal reasoning behind the FTC’s determinations is likely to remain a mystery.

HHS Enforces Against County Government in Washington State

Posted in HIPAA Enforcement, Security Breach Notification

Last week’s Resolution Agreement between the US Department of Health and Human Services, Office for Civil Rights (“HHS”) and a small county in Washington State marks the first time HHS has settled an action against a county government for noncompliance with the Privacy and Security Rules under HIPAA (the “HIPAA Rules”). The Resolution Order with Skagit County, Washington requires the county to pay $215,000 and institute a detailed Corrective Action Plan.

HHS’s action results from an incident in 2011 where the ePHI of 1,581 individuals was disclosed over a two-week period on a public web server maintained by the county. According to the HHS Press Release, the original breach report stated that the ePHI of only seven individuals was at issue, but HHS’s investigation revealed a far broader disclosure and also found that many of the accessible files contained sensitive information pertaining to testing and treatment of infectious diseases. HHS also found that the county failed to provide appropriate notifications after the breach. The investigation further revealed a period of noncompliance with the HIPAA Rules going back to 2005, including failures to implement and maintain Policies and Procedures and to train workforce members appropriately. The Resolution Agreement demonstrates HHS’s commitment to enforcement when it discovers a party has committed the twin sins of long-term noncompliance and inappropriate action after a breach. (Curiously, HHS has yet to include this breach on its list of breaches of unsecured protected health information affecting 500 or more individuals.)

The Resolution Agreement with Skagit County serves as a useful reminder that HHS will take action against parties of any size, whether public or private, and is especially inclined to do so when a party shows a history of noncompliance and reacts inappropriately to a breach. Two simple things can help Covered Entities (of any size) avoid these situations: an up-to-date set of HIPAA Policies and Procedures and a well-trained workforce. Covered Entities should confirm that their Policies and Procedures are current (the Omnibus Rule changed the HIPAA landscape last year and requires updates to existing Policies and Procedures) and that members of their workforce with access to PHI have received specific training related to the Policies and Procedures.