OCR Announces First "Under 500" Breach Settlement

The first breach settlement announcement of the new year breaks new ground - a $50,000 fine based on theft of a laptop containing 441 patients' unencrypted data. It's the first settlement of a breach involving fewer than 500 individuals.  There was no indication that any PHI was improperly viewed or accessed.

In a press release issued January 2, 2013, OCR announced the negotiated resolution of a breach by the Hospice of North Idaho (HONI), which began when HONI reported the June 2010 laptop theft.  The investigation revealed that HONI had not conducted a risk analysis to safeguard ePHI and had not adopted policies or procedures to address mobile device security.

“This action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients’ health information,” said OCR Director Leon Rodriguez. “Encryption is an easy method for making lost information unusable, unreadable and undecipherable.”

The Resolution Agreement, which appears here, emphasized the hospice agency's failure to anticipate the risk of loss of unprotected data on mobile devices which were commonly used by its staff in field work: 

"In particular, HONI did not evaluate the likelihood and impact of potential risks to the confidentiality of electronic PHI maintained in and transmitted using portable devices, implement appropriate security measures to address such potential risks, document the chosen security measures and the rationale for adopting those measures, and maintain on an on-going basis reasonable and appropriate security measures."  

The emphasis on a small covered entity's lack of analysis and risk assessment is reminiscent of OCR's settlement with two-physician Phoenix Cardiac Surgery, P.C. announced in April 2012, another case widely considered to be a warning to similarly situated entities. Note that HONI disputes the allegations in its own press release.

OCR also required HONI to enter into a two-year corrective action plan, which requires HONI to investigate any information indicating that any workforce member may have failed to comply with its Privacy and Security policies and procedures, and report the details of any such failure including sanctions imposed and steps taken to prevent recurrence.                  

Some lessons can be taken away from the HONI settlement.

First, encryption of ePHI is critical! Given the prevalence of breaches associated with lost and stolen laptops, it is often forgotten that the loss of unreadable encrypted data is generally not a HIPAA breach.

Next, all organizations, but especially those like hospices, home health agencies and other entities with mobile workforces, must prioritize securing mobile devices. For starters, refer to OCR's guidance entitled Your Mobile Device and Health Information Privacy and Security, which is definitely worth reading. Some of the advice seems to be common sense (password protection, remote wiping or disabling, firewall and security software, avoiding file-sharing applications) but needs to be enforced organization-wide, particularly in today's "bring your own device" environment. OCR has even created a handy one-page Fact Sheet with useful mobile device security tips.

Loss and theft of mobile devices may be inevitable, but protection of the data those devices contain is not as challenging as many think, and effectively implementing such protection should be a priority for 2013. 

Business Associate Breach Leads to $2.5M Settlement by Accretive: But Who is the Covered Entity or Business Associate Here, and Do We Care?

Attorney General Lori Swanson of Minnesota (“AG”) issued a press release reporting that Accretive Health, Inc. (“Accretive”), the defendant in an action filed by the AG in U.S. District Court alleging violations of HIPAA, HITECH, the Minnesota Health Records Act, and the Minnesota consumer protection laws, signed a Settlement Agreement, Release and Order on July 30, 2012 (“Settlement Agreement”). The Settlement Agreement recites:

[R]ecognizing that unique circumstances exist in Minnesota in light of the Attorney General’s Agreement with Minnesota charitable hospitals … Accretive Health … has decided to wind down its remaining work for Minnesota Clients …


(other than its continuation of prior technology licensing agreements). The Settlement Agreement also requires Accretive  to pay the AG nearly $2.5 million within 15 days of the Settlement Agreement’s effective date. The funds may be distributed to patients at the discretion of the AG, used for settlement administration, and/or remitted to the State Treasury.


Previous posts to this blog have reported on the AG’s action against Accretive, and on the need for entities or individuals sharing Protected Health Information (“PHI”) to identify the roles, rights, and obligations of the parties. Michael Kline’s recent blog reported on a breach involving more than 500 individuals included on the list maintained by the U.S. Department of Health and Human Services (the “HHS List”), highlighting the summary provided by the Office of Civil Rights (“OCR”). Michael noted that the OCR summary implies that OCR expects a covered entity (“CE”) contracting with a business associate (“BA”) to verify that the BA is “not an independent” CE.


Identifying the roles of the parties and the context in which PHI is disclosed is critical because different information-sharing standards apply depending on these roles and circumstances. For example, a business associate agreement (“BAA”) is not required for disclosures made within a CE for treatment, payment, or health care operations, nor is a BAA required for PHI to be disclosed from one CE to another CE where the recipient CE is a health care provider and the PHI is being disclosed for treatment purposes.


However, if the recipient CE is a health care provider, but is receiving the PHI as a BA (generally defined as a person or entity that performs functions or activities on behalf of another person that is a CE, which involves the use or disclosure of PHI), a BAA is required and it must, among other things, “establish the permitted and required uses and disclosures” of the PHI (though failure to execute a BAA will not absolve the BA of its responsibilities and liabilities under HIPAA and HITECH). In addition, while most uses and disclosures of PHI must be limited to the “minimum necessary,” current regulations do not restrict disclosures to or requests by a CE that is a health care provider to the “minimum necessary” when the disclosure or request is for treatment of a patient. A CE can use or disclose PHI for “payment” activities, but must comply with the “minimum necessary” standard.  If the “payment” activity involves disclosure to a consumer reporting agency, the CE may only disclose specified information (name/address, date of birth, social security number, payment history, account number, and the name and address of the CE). 


The Accretive case was triggered by an alleged PHI breach (the all-too-frequent loss of a laptop containing sensitive information about 23,500 patients treated at two hospitals that had contracted with Accretive), but the AG’s allegations were most scathing where they painted a picture of insidious and inappropriate sharing and use of PHI between hospitals and Accretive.  The AG alleged that Accretive’s “Quality and Total Cost of Care” services used “data mining,” “consumer behavior modeling,” and “propensity to pay” algorithms.  Accretive allegedly “amasse[d] and ha[d] access to a high volume of sensitive and personal information,” which it used, among other things, to create “per patient risk score” calculations, yet the hospitals’ patient authorization forms allegedly failed to disclose the scope or breadth of the PHI that the hospitals would share with Accretive.


In addition to this questionable and seemingly surreptitious “behind the scenes” PHI-sharing, Accretive staff allegedly interfaced directly with patients seeking treatment at the hospitals, often appearing to be members of the hospital’s staff.  Jessica Silver-Greenberg, reporting on the Settlement Agreement in the New York Times, describes allegations of aggressive collection tactics taken by Accretive that involved requesting payment from patients seeking emergency care. 

Whether a clear delineation of the role of Accretive as a BA and/or restriction of PHI disclosed to Accretive to the “minimum necessary” would have prevented the AG’s action is unclear. However, the Accretive case provides a good example of how the blurring of the CE and BA roles can backfire on parties that fail to sufficiently analyze and define such roles, not only at the outset of a relationship but throughout its duration and evolution.


A Peek Behind the OCR Wall of Shame


Ever wonder about those HIPAA breaches that affect fewer than 500 individuals and don’t get posted on the government website known as the “Wall of Shame”? In a recent presentation to the Hospital Council of Western Pennsylvania, officials from the Office of Civil Rights (OCR) of the Department of Health and Human Services (HHS) provided detailed information on all breaches, including the agency’s enforcement and auditing activities.


The presentation revealed that the publicly-posted breaches represent only the tip of the iceberg, less than 1% of all reported breaches. During the period September 2009 through May 31, 2012, there were 435 reports involving a breach of 500 individuals or more, and over 57,000 reports of breaches involving under 500 individuals.


Of the breaches exceeding 500 individuals, the most common cause is theft and loss, representing 65% of large breaches (and about 70% of these incidents involved ePHI). (Chart 1)


The location of the compromised data was spread broadly over a variety of media, with a quarter of the breaches represented by paper records, another quarter by laptops, and 15% by portable devices such as phones, iPads and USB flash drives. Network servers represent 11%, perhaps due to tighter institutional control over firewalls and malware protection; and email is comparably secure at only 2%.


These statistics suggest that organizations should prioritize establishing and effectively implementing policies addressing the highest-risk media and breach circumstances, without ignoring the lower-frequency risks.


Keep in mind that breaches involving fewer than 500 individuals have been among the most prominent and high-impact cases, including the UCLA snooping case and the recent Phoenix Cardiac Surgery P.C. settlement.


The presentation also summarized OCR’s enforcement efforts over the past two calendar years. Of the 9,032 privacy complaints and compliance reviews opened in 2011 (up from 8,770 in 2010), 8,370 were closed: 2,595 after corrective action; 4,472 were resolved after intake and review, and in 1,303 cases the investigations found no violation.  Security complaints are less frequent – 203 closed in 2011, 158 after corrective action, 15 without determination of a violation, and 30 closed at the intake stage without investigation. 


The OCR representatives also described the agency’s pilot audit program, which will target up to 115 covered entities for audit before the end of 2012 as required by the HITECH Act. The first 20 audits involved 8 health plans, 10 providers and 2 clearinghouses (Business Associates will be audited later).


The OCR presentation was led by Verne Rinker, a 13-year veteran of HHS who was also one of the presenters in last year's comprehensive series entitled "HIPAA Training for State Attorneys General," which is publicly available and would be an excellent training resource for covered entities and business associates. 


In a welcome move toward transparency, OIG has been sharing more "inside" information than ever before. For instance, in this blog my partner Elizabeth Litten previously reported on the program OCR's Linda Sanches recently presented on OCR's audit efforts.  Further, the official OCR summaries of breaches posted on the Wall of Shame often contain valuable insights into the enforcement process and those actions and factors considered relevant by the regulators, as noted in my partner Michael Kline's recent post.


In another nod toward transparency, just this week, OCR also published its Audit Protocol, a comprehensive document that contains the requirements OCR's team will assess through its performance audits. The audit protocol is organized around modules, representing separate elements of privacy, security, and breach notification.


The audit protocol covers Privacy Rule requirements for

  • notices of privacy practices for PHI,
  • rights to request privacy protection for PHI,
  • access of individuals to PHI,
  • administrative requirements,
  • uses and disclosures of PHI,
  • amendment of PHI, and
  • accounting of disclosures.

The protocol also covers Security Rule requirements for administrative, physical, and technical safeguards, and requirements for the Breach Notification Rule.


The protocol is both a useful guide to compliance and a valuable tool for preparing for and surviving an OCR audit.

First Small Physician Practice Joins The Parade of HIPAA PHI Security Breaches

Do you think a two-physician cardiology group is too small for the feds to fine for alleged HIPAA violations? Phoenix Cardiac Surgery, P.C. (PCS) has learned otherwise the hard way, to the tune of $100,000. As this blog has noted, almost all enforcement to date has been against large insurers or major hospitals and not community hospitals or physician practice groups, and enforcement has largely picked the low-hanging fruit of failures to comply on a timely basis with notice requirements. The Resolution Agreement, announced by HHS in an April 17 press release, describes a very different participant in the Parade of HIPAA Breaches we have been following in this blog series. Among the unusual features of this settlement are:

  • The type of covered entity - a two-physician cardiology practice;
  • The alleged nature of the violation - not just a one-time negligent breach, but a systematic, multi-year failure to adopt and implement appropriate HIPAA safeguards; and
  • The size of the violation - as the breach has yet to appear on the OCR Wall of Shame, it may have involved fewer than 500 individuals.

Phoenix Cardiac Surgery first came to the attention of HHS’s Office of Civil Rights following a report that the physician practice was posting clinical and surgical appointments for its patients on an Internet-based calendar that was publicly accessible. That alone is not unique - other covered entities including SAIC and Stanford University Hospital have been embarrassed to discover their PHI had been inadvertently made available online to prying eyes. What OCR found upon further investigation was a startling indifference to health privacy concerns dating back to the earliest effective dates of HIPAA and continuing through 2009. 

OCR determined that Phoenix Cardiac Surgery had implemented few policies and procedures to comply with the HIPAA Privacy and Security Rules, and had limited safeguards in place to protect patients' electronic protected health information (ePHI). The Resolution Agreement indicates that PCS was unusually lax about HIPAA training, policies and procedures, safeguards, and accountability.  It is almost a textbook case of everything a covered entity can do wrong. OCR alleged that PCS:

  • did not provide and document training of each workforce member on required policies and procedures with respect to PHI as necessary and appropriate for each workforce member to carry out his/her function within the Covered Entity;
  • posted over 1,000 separate entries of ePHI on a publicly accessible, Internet-based calendar over a two-year period;
  • transmitted ePHI daily from an Internet-based email account to workforce members’ personal Internet-based email accounts;
  • failed to appoint a security official until 2009;
  • failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of the ePHI held by PCS;
  • failed to obtain satisfactory assurances in business associate agreements from the Internet-based calendar vendor and from the Internet-based public email provider that these entities would appropriately safeguard the ePHI received from PCS; and
  • permitted the entity providing the Internet-based calendar application to receive, store, and maintain ePHI on behalf of PCS without obtaining satisfactory assurances in a business associate agreement with the entity.

OCR imposed a $100,000 penalty and required PCS to adopt a Corrective Action Plan which appears as Appendix A to the Resolution Agreement. The plan requires PCS to

  • Develop, maintain and revise, as necessary, written policies and procedures that meet the requirements of the HIPAA Privacy and Security Rules, and submit them to OCR for review and approval within 60 days;
  • Make any changes required by OCR and implement the finalized policies and procedures within 30 days of approval;
  • Distribute the policies and procedures to all members of the workforce within 15 days of their joining PCS‘s workforce, and obtain certification from each member that they have read, understood and will abide by such policies and procedures;
  • Update its 2009 risk assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI when it is created, received, maintained, used or transmitted by the Covered Entity, including, but not limited to, when ePHI is a) posted to an Internet-based electronic calendaring system, b) transmitted over an Internet-based electronic communications system, c) accessed remotely, or d) transmitted to or from or stored on a portable device;
  • Develop and submit a risk management plan to OCR for approval;
  • Appoint a security official;
  • Produce satisfactory assurances that all business associates will comply with HIPAA;
  • Adopt technical safeguards for electronic information systems;
  • Implement technical security measures to guard against unauthorized access to ePHI transmitted over an electronic communications network, including a measure to encrypt or otherwise adequately safeguard ePHI;
  • Provide and document comprehensive privacy and security training to its workforce; and
  • Report all violations of the policies and procedures by any member of the workforce to OCR within 30 days.

OCR also reserves the right to impose additional civil monetary penalties in the event of a breach of the Corrective Action Plan that is not cured within 30 days.

In essence, the Corrective Action Plan requires PCS to do what it should have done all along to comply with HIPAA, but with the added intrusion and inconvenience of government oversight analogous to the Corporate Integrity Agreements frequently required in settlements of Medicare fraud and other federal false claims allegations. For Phoenix Cardiac Surgery, this is one march that provides no aerobic benefits.

If OCR is trying to send a message that no covered entity is too small to be penalized, they picked a particularly clear and egregious first case. However, that is no assurance that less pervasive compliance failures will continue to fly under the OCR radar.

The Hazards of Data Mining: Minnesota AG Sues Collection Agency for Breach, Improper Use of PHI

A Wall Street-based medical collection service has been sued by the Minnesota Attorney General after losing a laptop containing sensitive information about 23,500 patients treated by two hospitals which contracted with the company. More significantly, the AG’s complaint alleges that the company, Accretive Health, Inc., was mining, analyzing and using the data for purposes that were not disclosed to patients and which may adversely affect their access to care. The suit is being reported as the first HIPAA enforcement action by a state attorney general against a business associate.


Accretive Health’s parent company, Accretive, LLC, a private equity firm, has run into legal challenges in Minnesota before due to its vertical integration of the debt collection industry under which they took control of the nation’s largest debt collection enterprise, the largest national collection law firm, and the nation’s largest consumer debt collection arbitration company.  


The company’s laptop, which was stolen from a rental car, allegedly contained patient names, addresses, dates of birth, social security numbers, as well as risk factors developed by Accretive to sort patients by likelihood of inpatient admission, the presence of any of 22 costly health conditions, “frailty” and ability to pay.


According to Attorney General Lori Swanson’s press release:

“The debt collector found a way to essentially monetize portions of the revenue and health care delivery systems of some nonprofit hospitals for Wall Street investors, without the knowledge or consent of patients who have the right to know how their information is being used and to have it kept confidential.”


Accretive provided comprehensive revenue cycle services to its hospital clients, including patient intake and scheduling, billing and collections. In its contract with one of the hospitals, Fairview Health Services, Accretive offered what it called “Quality and Total Cost of Care” services, allegedly through using “data mining,” “consumer behavior modeling,” and “propensity to pay” algorithms. Under this model, Accretive was paid incentives for cost control and increased revenue.


The AG relied heavily on securities disclosure materials provided by Accretive to its investors, which described its business as including “development of risk scores on individual patients; automated care plans; case management; medical necessity reviews; pharmacy management; length of stay management; discharge planning; population based management; and analytics and reporting of utilization by patient, per patient profit and loss reports, and identification of patient ‘outliers.’” The AG characterizes Accretive’s business model using its own language, which boasted that the company provides risk scoring of patients; focuses on reducing avoidable hospital admissions; identifies the “sickest and most impactable patients” for “proactive management” and identifies “real-time interventions with significant revenue or cost impact.”


In addition to HIPAA violations, the suit alleges violation of state debt collection and consumer protection laws, and asks the court to order Accretive to fully disclose to patients the nature and purpose of the information gathered including to what extent data has been sent to the company’s “Shared Services Blended Shore Center of Excellence” in New Delhi, India. The suit also seeks injunctive relief and damages.


It may be tempting to see this lawsuit as an act of political grandstanding seeking to capitalize on current anti-Wall Street sentiments (and on the widespread resentment of outsourcing of American jobs).  Accretive’s troubled history with Minnesota regulators and its use of impenetrable, Orwellian and vaguely threatening euphemisms for its data analysis services (“impactable patients,” “proactive management,” “real-time interventions”) doesn’t help its case.


However, the case may also validate the maxim “bad cases make bad law.” The type of data allegedly gathered and analyzed by Accretive could potentially be used for nefarious purposes including shunting poorer, sicker patients into a second-class care system, but it could also be used to identify those patients for whom special attention could most effectively improve outcomes. In fact, this is the very type of analytical capability that many providers will need to develop to effectively participate in the emerging post-fee-for-service reimbursement environment typified by Medicare’s ACO Shared Savings Program.  The suit may signify a crackdown on shadowy organizations trafficking in secret health and financial scores for profit without the knowledge of the patients whose data is being bought and sold, but regulators should be cautious not to chill legitimate and transparent use of the multitude of electronic data currently available in ways that may advance cost-effective, high-quality care.

When Will They Learn? Snooping Nurse Fired, Patients Notified

A nurse has been fired by a Texas hospital after accessing information on patients for whom she had no clinical responsibility, according to the Mt. Pleasant, TX Daily Tribune. The hospital, Titus Regional Medical Center, reportedly discovered the unauthorized access in the course of an audit in November. The nurse admitted to looking at the records out of curiosity but insisted that no records had been further disclosed.

The hospital decided to notify 108 patients in a letter which warned them of a slight risk of identity theft. The hospital administrator indicated that the notices may not be required under HIPAA but were being sent out of an abundance of caution, and emphasized that there was no evidence any data was printed nor disclosed to any third parties. Although most records accessed did not contain social security numbers, affected patients were nevertheless advised to contact the three major credit bureaus, Equifax, Experian and TransUnion.


This incident is reminiscent of the 2011 UCLA breach, which resulted in a prison term for the snooping employee, and similar incidents involving other California hospitals. A common element in these breach incidents is that the health information was not sold, distributed or otherwise further disclosed by the snooping employees. However, after an investigation, federal health regulators determined that UCLA employees reviewed patients' electronic medical records "repeatedly and without a permissible reason." Ultimately, UCLA entered into a settlement agreement with federal health regulators, which among other things, socked UCLA with a fine of $865,000.


These cases illustrate the seriousness of HIPAA’s still poorly-defined “minimum necessary” standard which, at the least, requires workers at covered entities and business associates to have a valid reason beyond mere curiosity before they access PHI. The ease with which employees can call up any record in a health system’s database can present an overpowering temptation, and it is incumbent on employers to educate their workforce about the need to resist the urge to snoop.

Two Wrongs Don't Make a Right: How Not to Defend Against Fraud Allegations

If your hospital is being raked over the coals in the media for alleged fraudulent billing, it’s understandable to want to set the record straight. However, releasing patient information without consent is not the wisest approach. 

California’s Shasta Regional Medical Center and its parent company Prime Healthcare Services have come under fire for aggressive Medicare billing practices, arising out of the unusual frequency of claims for a rare third-world malnutrition condition known as kwashiorkor, which they reported at a rate over 70 times the state average. The story was reported by the Center for Investigative Reporting’s California Watch, which quoted a patient and her daughter who came forward upon learning that she had been assigned this diagnosis during a hospital stay. The patient signed a waiver allowing California Watch to review her hospital records, which indicated she was treated for kidney failure, but her doctors made no mention of kwashiorkor or malnutrition. The kwashiorkor diagnosis resulted in an estimated $6,755 increase in the hospital’s Medicare DRG payment.

Faced with embarrassing publicity, a lawsuit and potential federal and/or state regulatory action, Prime Healthcare went into damage control mode.  The Los Angeles Times reports that when the local newspaper, the Redding Record Searchlight, contacted Shasta Regional for comment prior to publishing California Watch’s allegations, the hospital’s CEO and Chief Medical Officer paid a visit to the paper’s editor with the patient’s chart, which they discussed with him in detail.  They also divulged information about her treatment to the LA Times reporter, who reports that the patient and her daughter never authorized these disclosures.            

The Times reports that the hospital CEO Randall Hempling defended his decision by stating: "As far as we're concerned, the patient gave that permission when she gave her records to California Watch and was quoted on the record. . . . That waived her privacy." 

As the Times accurately noted, a patient who discloses PHI to a media representative or any other recipient does not waive his or her rights to additional disclosures.  California Watch reports that the FBI is now looking into the unauthorized disclosure of the patient’s records along with the billing irregularities. 

Moral for covered entities: Resist the temptation to reveal patient information without proper authorization, even to defend your reputation in the face of disputed allegations. HIPAA protection is not like the attorney-client privilege which can easily be waived by a single disclosure -- patients still control their PHI and can choose to whom, and for what purpose, they disclose that information.

Where is your data safer - your own server or the cloud?

As physicians and other covered entities evaluate EHR systems, a recurring question is security from intrusion or other breach.  Counterintuitively, a recent blog post at www.softwareadvice.com suggests that the safest place for health data to reside may be "cloud-based" systems.

In the post, entitled HHS Data Tells the True Story of HIPAA Violations in the Cloud, analyst Michael Koploy reviewed the HHS "Wall of Shame" that lists breaches involving 500 or more individuals and broke them down according to causation. He noted that "physical theft and loss accounted for about 63% of the reported breaches. Unauthorized access / disclosure accounted for another 16%, while hacking was only 6%."  Only seven reported violations involved EHR systems, and none of them were off-site, cloud based databases.  The most common breaches involved loss or theft of portable devices or paper records.

It is possible that the emerging cloud-based EHR storage alternative represents too small a percentage of total health records to account for significant breaches to date. However, based on the incidents reported to HHS, there are many less secure places to store your data.


A First: Connecticut AG Settles With Health Net Over Breach For $250,000

In the first settlement of a HIPAA enforcement action brought by a state attorney general under the new authority granted by the HITECH Act, Connecticut Attorney General Richard Blumenthal announced that the state had entered into an agreement with Health Net for failing to secure patient health and financial information.  The AG had brought suit in January based on Health Net's loss of a hard drive containing over 500,000 individuals' records including clinical data, social security numbers, addresses, and other financial information. The company had concluded that the hard drive had been lost due to theft. Compounding the damage, the AG alleged that the company had delayed notifying the affected individuals for over six months.

The press release issued by the AG states:

Under this settlement, Health Net and its affiliates have agreed to:

  • A “Corrective Action Plan” in which Health Net is implementing several detailed measures to protect health information and other private data in compliance with HIPAA. This plan includes continued identity theft protection, improved systems controls, improved management and oversight structures, improved training and awareness for its employees, and improved incentives, monitoring, and reports.
  • A $250,000 payment to the state representing statutory damages. This payment is intended as a future deterrent to such conduct not only by Health Net, but by other insurers and health care entities that are entrusted with individuals’ private information.
  • An additional contingent payment to the state of $500,000, should it be established that the lost disk drive was accessed and personal information used illegally, impacting plan members.

The full settlement is here.

California Hospitals Fined for Employees' Unauthorized Access of Patient Records

The more famous the patient, the greater the temptation to peek at his or her medical records. This is why California enacted health privacy legislation in 2008. Among the latest providers to be fined by the state is Ronald Reagan UCLA Medical Center in Los Angeles, reportedly as a result of two employees’ unauthorized access to Michael Jackson’s medical records. The LA Times indicates that the employees who accessed the records have been fired.  State regulators would not confirm that the records were Jackson’s, but the Times cites sources close to Jackson’s case who said his legal team had previously been informed by UCLA officials that Jackson's medical files had been improperly accessed shortly after his death last year.

California’s state privacy laws, SB 541 and AB 211, which parallel HIPAA in many respects, established the California Office of Health Information Integrity, which is authorized to enforce health privacy rules and impose fines on violators.  Fines range from $25,000 to $250,000 per violation.

Well-known persons whose records have been improperly viewed in California include Farrah Fawcett, Britney Spears, “Octomom” Nadya Suleman, and Maria Shriver, wife of Governor Arnold Schwarzenegger.

In a related item, the Riverside, CA Press-Enterprise reports that Community Hospital of San Bernardino has been fined $325,000 as a result of unauthorized access to over 200 patient records by a radiology technologist in 2009. Other hospitals fined include Enloe Medical Center, Rideout Memorial Hospital and San Joaquin Community Hospital, according to the California Department of Public Health.

A UCLA hospital employee was sentenced earlier this year to the first reported prison term for unauthorized access to medical records.

Is PHI Lurking In Your Photocopier?

While attention has been focused on the security risks posed by laptops, smartphones, flash drives and more sophisticated electronic devices, humble office photocopiers have been quietly accumulating personal data on hard drives most of us didn't know were there.  A CBS News investigation reveals the ease with which identity thieves can obtain reams of data for the price of a used copier.

For the report, CBS's team purchased four used copiers for about $300 each from a New Jersey warehouse.   With the help of John Juntunen of  Digital Copier Security, which markets scrubbing software called "INFOSWEEP," each copier's hard drive was removed in 30 minutes, then scanned using free forensic software downloaded online.  Within 12 hours, the hard drives yielded highly sensitive documents including criminal investigations, financial and payroll records, real estate development documents, and 300 pages of individual medical records from Affinity Health Plan, including prescriptions, blood test results and diagnoses.

 

Modern digital copiers scan each page to an image file that is stored on an internal hard drive, and those files persist until something overwrites them.  Most businesses would not sell or dispose of used computers without taking steps to render any remaining data inaccessible (at least we hope so).  The same caution should be taken with copiers and multifunction printers: put them in the asset inventory with the other storage devices, apply the same media sanitization procedure before a lease return or disposal, and verify the result rather than taking the vendor's erase feature on faith.

CBS reports that all the major manufacturers offer security or encryption packages on their products. For example, Sharp's product, which automatically erases an image from the hard drive, costs $500. Aftermarket products like INFOSWEEP claim more thorough results.   Whatever you decide to do about your copier's stored data, doing nothing is not the solution.
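The difference between "deleting" a scan, running an erase feature that only clears files the copier still lists, and actually sanitizing the drive is easiest to see in code. The example below is added for this page and is not code from CBS, Digital Copier Security, or any copier vendor. It models a copier drive as a raw block image with an in-memory directory (the ToyCopierDisk class, the PHI_PATTERNS list and the sample PAGES are all constructed for the illustration), carves the raw bytes for PHI-like strings the way a free forensic tool would, and then overwrites the entire device and checks the read-back.

```python
import os
import re

BLOCK = 512

# Constructed sample "scanned pages": made-up text, not real records.
PAGES = {
    "scan_0001": (b"Patient: Jane Example\nDOB: 01/02/1960\nSSN: 123-45-6789\n"
                  b"Diagnosis: hypertension\nRx: lisinopril 10 mg daily\n"),
    "scan_0002": b"Payroll run 2010-03: employee 0042, gross 4210.00\n",
}

# Patterns the carve looks for. The CBS report found prescriptions, test
# results and diagnoses; these labels are an assumption for the example.
PHI_PATTERNS = {
    "ssn": re.compile(rb"\b\d{3}-\d{2}-\d{4}\b"),
    "diagnosis": re.compile(rb"Diagnosis:[^\n]*"),
    "rx": re.compile(rb"Rx:[^\n]*"),
}


class ToyCopierDisk:
    """Stand-in for a copier hard drive: a raw block image plus a directory
    table kept in memory. 'delete' only touches the directory, which is how
    most real file systems behave."""

    def __init__(self, nblocks=64):
        self.image = bytearray(nblocks * BLOCK)
        self.entries = {}   # name -> (offset, length)
        self.free_ptr = 0

    def store_scan(self, name, data):
        if self.free_ptr + len(data) > len(self.image):
            raise IOError("disk full")
        self.image[self.free_ptr:self.free_ptr + len(data)] = data
        self.entries[name] = (self.free_ptr, len(data))
        self.free_ptr += -(-len(data) // BLOCK) * BLOCK   # round up to a block

    def delete(self, name):
        # Ordinary delete: forget the entry, leave the data blocks as they are.
        del self.entries[name]

    def listing(self):
        return sorted(self.entries)


def carve(image):
    """Scan the raw image for PHI-like strings, ignoring file system metadata.
    This is what forensic tools do with a drive pulled from the chassis."""
    hits = {}
    for label, pat in PHI_PATTERNS.items():
        found = [m.group(0).decode("ascii", "replace") for m in pat.finditer(image)]
        if found:
            hits[label] = found
    return hits


def wipe_allocated_only(disk):
    """Models an erase feature that clears only files the directory still lists.
    Anything already deleted is never touched."""
    for off, length in disk.entries.values():
        disk.image[off:off + length] = bytes(length)
    disk.entries.clear()
    disk.free_ptr = 0


def sanitize(disk):
    """Overwrite every block of the device, allocated or not, then verify by
    reading the whole image back. Returns True only if the read-back is clean."""
    disk.image[:] = os.urandom(len(disk.image))   # pass 1: random data
    disk.image[:] = bytes(len(disk.image))        # pass 2: zeros, easy to verify
    disk.entries.clear()
    disk.free_ptr = 0
    return not any(disk.image) and carve(disk.image) == {}


def demo():
    """Returns (what a carve recovers after delete + allocated-only wipe,
    whether a full overwrite left the device clean)."""
    disk = ToyCopierDisk()
    for name, data in PAGES.items():
        disk.store_scan(name, data)
    disk.delete("scan_0001")          # operator 'deleted' the medical page
    wipe_allocated_only(disk)         # vendor-style erase of listed files only
    leftover = carve(disk.image)      # the deleted page is still on the platter
    clean = sanitize(disk)
    return leftover, clean


if __name__ == "__main__":
    leftover, clean = demo()
    print("recovered after 'delete' + allocated-only wipe:", leftover)
    print("clean after full-device overwrite:", clean)
```

On a real device the equivalent of `sanitize` is a verified overwrite of the whole medium (or a cryptographic erase where the drive supports it); the read-back verification is the step worth insisting on, because the delete and the allocated-only wipe above both report success while the medical page remains recoverable.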

Tennessee Blues' Data Breach Approaches 1 Million Affected Individuals

The scope of the October 2009 theft of Tennessee Blue Cross Blue Shield's hard drives, initially estimated to involve 500,000 individuals, has grown to nearly a million subscribers, according to an updated notice posted on the insurer's web site on April 6, 2010.

The company has classified the risk level into three tiers, with the most serious category, Tier 3, involving the disclosure of the individual's name, address, BlueCross member ID number, diagnosis, Social Security number and/or date of birth.   The 238,589 Tier 3 members have been offered free credit monitoring for one year, free identity monitoring through LifeLock Identity Alert™, and  Kroll ID TheftSmart program free for one year.  Subscribers in Tier 1 (447,549 members) and Tier 2, (312,284 members) whose data exposure was less comprehensive, are being offered a reduced package of remediation services.

The stolen hard drives contained audio and video training recordings, not text or database records.  The delay in identifying additional affected members appears to be a consequence of that format: each recording has to be reviewed individually to determine whose data it contains.  As of April 2, 2010, the total tally had reached 998,422, of which 550,873 had so far been notified of the breach and their rights.

The cost of investigating and remediating this high-profile breach should serve as a wake-up call to all covered entities and business associates.  If your data is not properly secured and encrypted, all it takes is the loss or theft of a few laptops, smart phones, thumb drives or other storage media to generate serious expense, not to mention PR damage.

OCR Releases List of Breaches Affecting 500 or More Individuals

As required by Section 13402(e)(4) of the HITECH Act, the Office for Civil Rights (OCR) of the Department of Health and Human Services has posted a list of PHI breaches affecting 500 or more individuals.  Fifty-three covered entities appear, including hospitals, physician practices, dental practices, insurers, and several state agencies.  The most common causes of the breaches reported are theft of, or unauthorized access to, a laptop, desktop computer or portable device, but other incidents reported involved lost or stolen paper records, phishing scams and hacking, backup tapes, and even postcards.

You can access the list here.  This is a list you don't want to be on.   
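The breakdown by cause that the Koploy post (above) performed on this list can be reproduced from the HHS portal's CSV export, and is worth re-running as the list grows. The script below is an added example written for this page, not code from HHS, Software Advice or the post's author. The column names are an assumption about the export's layout, the CAUSE_BUCKETS mapping is the coarse grouping the post used, and every row in SAMPLE_CSV is constructed for the illustration and describes no real covered entity.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample in the shape of the HHS breach-report CSV export.
# Column names are an assumption about the portal's export; the rows are
# made up for this example and do not describe real covered entities.
SAMPLE_CSV = """Name of Covered Entity,State,Covered Entity Type,Individuals Affected,Breach Submission Date,Type of Breach,Location of Breached Information
Example Hospital A,TN,Healthcare Provider,12000,01/15/2010,Theft,Laptop
Example Clinic B,CA,Healthcare Provider,800,02/01/2010,Unauthorized Access/Disclosure,Paper/Films
Example Plan C,CT,Health Plan,500000,03/10/2010,Theft,Other Portable Electronic Device
Example Dental D,NY,Healthcare Provider,650,03/20/2010,Loss,Paper/Films
Example Practice E,FL,Healthcare Provider,2500,04/02/2010,Hacking/IT Incident,Network Server
Example Hospital F,IL,Healthcare Provider,3100,04/11/2010,Theft,Desktop Computer
Example Agency G,WA,Health Plan,900,05/05/2010,Loss,Backup Tapes
Example Hospital H,TX,Healthcare Provider,1500,05/30/2010,Improper Disposal,Paper/Films
"""

# Coarse causation buckets, matching the grouping used in the analysis the
# page describes (physical theft/loss vs. unauthorized access vs. hacking).
CAUSE_BUCKETS = {
    "Theft": "physical theft/loss",
    "Loss": "physical theft/loss",
    "Unauthorized Access/Disclosure": "unauthorized access/disclosure",
    "Hacking/IT Incident": "hacking",
    "Improper Disposal": "improper disposal",
}


def summarize_breaches(csv_text):
    """Tally incidents, their share of the total, and individuals affected,
    per causation bucket, plus a count of where the data lived."""
    reader = csv.DictReader(io.StringIO(csv_text))
    counts = Counter()
    affected = defaultdict(int)
    locations = Counter()
    total = 0
    for row in reader:
        # The export can list several types separated by ", " (assumption);
        # bucket each incident on the first type listed.
        primary = row["Type of Breach"].split(",")[0].strip()
        bucket = CAUSE_BUCKETS.get(primary, "other")
        counts[bucket] += 1
        affected[bucket] += int(row["Individuals Affected"])
        locations[row["Location of Breached Information"].strip()] += 1
        total += 1
    percent = {b: round(100.0 * n / total, 1) for b, n in counts.items()}
    return {
        "total": total,
        "counts": dict(counts),
        "percent": percent,
        "individuals": dict(affected),
        "locations": dict(locations),
    }


if __name__ == "__main__":
    s = summarize_breaches(SAMPLE_CSV)
    print(f"{s['total']} incidents")
    for bucket, n in sorted(s["counts"].items(), key=lambda kv: -kv[1]):
        print(f"  {bucket:32s} {n:3d}  {s['percent'][bucket]:5.1f}%  "
              f"{s['individuals'][bucket]:>9,d} individuals")
    print("by location:", dict(s["locations"].most_common()) if hasattr(s["locations"], "most_common") else s["locations"])
```

Counting incidents and counting individuals give different pictures: in the constructed sample, one stolen portable device accounts for most of the individuals affected, which is the point the Health Net and Tennessee items above make in prose.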

Indictments in Florida Scheme to Sell Stolen Medical Records

Ambulance-chasing meets the age of electronic records.  The husband and wife team of Ruben E. Rodriguez and Maria Victoria Suarez  have been charged with conspiring with an ambulance company worker to steal personal identification information of individuals transported by Randle Eastern Ambulance Service, Inc., d/b/a American Medical Response (“AMR”) and sell the information to various South Florida personal injury attorneys and clinics. This is the second time the couple has been charged with theft and sale of patient records. In a plea bargain agreement he later renounced, Rodriguez admitted to paying a hospital technologist for information from records of accident victims that he then sold to personal injury lawyers for a percentage of damage awards and settlements.  See http://www.miamiherald.com/2010/03/07/1518101/coral-gables-couple-accused-again.html

According to the FBI press release, the couple faces a maximum of five (5) years’ imprisonment for both the conspiracy and fraud in connection with computers. They also face a mandatory consecutive term to any other potential sentence of two (2) years’ imprisonment on the aggravated identity theft offenses.

Tennessee Blues' Data Theft May Impact 500,000 Members

With the HITECH breach notification rules weeks away from taking effect, BlueCross BlueShield of Tennessee is scrambling to control the damage from the October 2009 theft of 57 hard drives containing sensitive patient information. In a notice posted on its website as of January 13, 2010, the company stated that hard drives containing audio and video files related to coordination of care and eligibility telephone calls from providers and members were stolen from a former call center, including video images from computer screens of customer service representatives and audio files of recorded phone conversations. The files contained members’ personal data and protected health information, including members’ names and BlueCross ID numbers, diagnostic information, dates of birth and Social Security numbers. This information was encoded but not encrypted; that is, it was stored in a format that is not immediately readable but that anyone with the right playback software can open, since no key is required. The company has no evidence that the data has been accessed or used by the thieves.

The company has chosen to voluntarily follow the HITECH notice rules that formally kick in as of February 22, 2010. They estimate that the breach may have affected up to a total of 500,000 members in all 50 states. So far, they have identified approximately 220,000 members whose data may have been compromised and are in the process of sending them notices by mail. They have identified 32 states with 500 or more members whose data may be at risk. The company notified the Secretary of HHS, the State of Tennessee and the attorney general’s office and media in each state with 500 or more affected members, and notified all three credit bureaus.

The company is also offering a one-year free credit-monitoring membership through Equifax to affected members, and three tiers of additional protective services based on the amount of information believed to have been compromised.

The company’s first challenge has been to identify affected members, and it has engaged Kroll, a national security consulting firm, to assist. Unlike patient information in text or database format, which could be easily reviewed to identify patients at risk (and “mined” for identity theft purposes), the hundreds of thousands of audio and video recordings must be reviewed manually.