Collateral Effects of the Omnibus Rule: Exercise Caution in Using Past OCR Summaries on Large PHI Breaches as a Roadmap for Future Guidance

In the wake of the post-Omnibus Rule (the “Rule”) frenzy, it is necessary to consider some collateral effects that the Rule may have brought about with respect to compliance with HIPAA/HITECH.  The Office of Civil Rights (“OCR”) summaries of closed investigations (the “Summaries”) posted on the U.S. Department of Health and Human Services (“HHS”) list (the “HHS List”) of breaches of unsecured PHI affecting 500 or more individuals (“List Breaches”) have been a source of meaningful guidance, as discussed in previous posts on this blog.  For example, the summary (the “Tennessee Summary”) for a State of Tennessee Sponsored Group Health Plan breach (the “Tennessee Breach”) continues to provide an excellent road map of pre-Omnibus Rule actions for covered entities (“CEs”) or business associates (“BAs”) that suffer List Breaches or PHI breaches of any size.


While the Tennessee Breach itself dealt with mishandling of paper PHI and not electronic health records, the Tennessee Summary does give direction for early intervention by affected CEs or BAs before HHS knocks on their door.  However, while there was excellent compliance in the aftermath of the Tennessee Breach, advice from pre-Rule Summaries cannot be used without carefully taking into account the new requirements respecting PHI breaches under the Rule.  As will be further discussed below, the most important new requirement in this regard is the necessity for a CE, BA or subcontractor to analyze the level of risk of compromise of the affected PHI.


The Tennessee Summary


The Tennessee Breach occurred on October 6, 2011 and involved approximately 1,770 enrollees with respect to names, addresses, birth dates and social security numbers.  According to the Tennessee Summary, an equipment operator at the state’s postal facility set the machine to insert four (4) pages per envelope instead of one (1) page per envelope, which caused the PHI of four individuals to be sent to one address per envelope.


The Tennessee Summary states that the CE did the following (with some parenthetical observations from the blog author):


1. Retrained the equipment operator (suggesting that suspension and/or termination are not the only actions in appropriate cases with respect to dealing with employees involved with a PHI breach where rehabilitation is possible).

2. Submitted a breach report to HHS (resulting in the posting on the HHS List).

3. Provided notice to affected individuals.

4. Notified the media.

5. Created a toll-free number for information regarding the incident.

6. Posted notice on the CE’s website.

7. Modified policies to remove the social security number on templates for future mailings (a good policy whether paper or electronic PHI is involved).

8. Offered identity theft protection to the affected individuals (a common decision for CEs and BAs based on the type of information that may have been compromised).

9. Following the OCR investigation, reviewed its policies and procedures to ensure adequate safeguards are in place (with this disclosure in the Tennessee Summary, there is a suggestion that OCR continued to exercise some oversight or received reports after the investigation was finished).


The Tennessee Breach in Retrospect after the Omnibus Rule


There was no discussion in the Tennessee Summary of any analysis by the CE of the probable “risk of harm” from the Tennessee Breach under the proposed rule standards that prevailed prior to the Rule.  However, it is clear that, in the post-Rule period, a risk analysis of the probability that the PHI “has been compromised” would be necessary for the CE; failure to do such an analysis may be a violation in itself.  Under the Rule, there is a presumption that a breach of PHI has taken place unless there is a low probability that the PHI has been compromised.  The four-factor analysis that would have been required of the CE in the Tennessee Breach case, had it happened after the Rule’s effective date, encompasses the following (with parenthetical comments):


(i) Identifying the nature and extent of the PHI involved, including types of identifiers and risk of re-identification (i.e., names, addresses, birth dates and social security numbers);

(ii) Identifying the unauthorized person(s) who impermissibly used the PHI or to whom the disclosure was made (in the case of the Tennessee Breach, subscribers to the health plan who were not individuals that had an obligation of their own to comply with HIPAA/HITECH);

(iii) Determining whether the PHI was actually acquired or viewed or, alternatively, if only the opportunity existed for the PHI to be acquired or viewed (in the case of the Tennessee Breach, there is a likelihood that numerous recipients of the PHI or others without the right to view such PHI did in fact view it); and

(iv) The extent to which risk to the PHI was mitigated (items 3, 4, 5, 6 and 8 above appear to be potential mitigating factors).


As stated in earlier postings here and here, no Summary has been posted by OCR for any List Breach that occurred later than October 6, 2011. Additionally, no Summary has been posted by OCR for any List Breach involving a BA that occurred later than February 1, 2011.  While the Summaries continue to provide highly useful information for CEs, BAs and subcontractors relative to confronting PHI breaches, large and small, they must be analyzed with appropriate care and attention paid to changes brought about by the Rule.  It may be that a concern of OCR about potential confusion which could be created by publishing pre-Rule Summaries has prevented OCR from making recent postings of Summaries on the HHS List.


Urgent - Verify Your Business Associate and Subcontractor Agreements by This Friday 1/25/13 to Qualify for Extension

The September 23, 2013 deadline for updating Business Associate Agreements is extended for one year under the Omnibus Rule for covered entities who have compliant Business Associate Agreements in place by Friday, January 25, 2013. This also applies to agreements between Business Associates and their subcontractors.

Covered Entities and Business Associates (as well as Business Associates and their subcontractors) may continue to rely on those agreements for up to one year beyond the compliance date of the modifications, regardless of whether the contract meets the applicable contract requirements in the Omnibus Rule. This includes existing written agreements between business associates and subcontractors under which such subcontractors agree to the same restrictions and conditions that apply to the business associate. Such contracts are deemed to be compliant with the modifications to the Rules until either the covered entity or business associate has renewed or modified the contract following the compliance date of the modifications, or until September 23, 2014 (one year after the compliance date), whichever is sooner. "Evergreen" contracts which automatically renew also qualify for the extension.

Covered Entities (providers, health plans/insurers, and clearinghouses) should verify that they have current signed business associate agreements in place no later than this Friday in order to be grandfathered for an extra year.

Business Associates who have delegated functions to subcontractors involving PHI need to make sure they have signed written agreements in place that meet the standards of the existing rule under which the subcontractors agree to follow HIPAA.   This is where there may be more gaps, since many Business Associates may have been unaware of their obligations to assure compliance by their subcontractors.


Even grandfathered Business Associate Agreements and subcontractor agreements should be reviewed to see if the contracted party (business associate or subcontractor) is acting as an agent of the Covered Entity or Business Associate.  If it is, the date on which a breach is discovered (or should have been discovered) is imputed up the contractual chain and could mean that the Covered Entity is responsible for reporting breaches it knows nothing about.

If you need help determining whether you qualify for grandfathering, please contact your Fox Rothschild attorney immediately.

The Parade of Major Reported PHI Breaches Creeps Ahead to 525 - Theft Continues to Dominate the Numbers

This blog series has been following breaches of Protected Health Information (“PHI”) that have been reported on the U.S. Department of Health and Human Services (“HHS”) ever-lengthening parade list (the “HHS List”) of breaches of unsecured PHI affecting 500 or more individuals (the “List Breaches”). As of January 1, 2013 (and as of today), there were 525 postings of List Breaches.

A previous blog post reported that, on February 24, 2012, HHS listed the 400th List Breach. As the first postings on the HHS List occurred on March 4, 2010, an average of about 200 postings of List Breaches were recorded in each of its first two years. However, in the 10-plus months between February 24, 2012 and January 1, 2013, 125 additional List Breaches were posted, which on an annualized twelve-month basis would translate into 150 List Breaches. It is not yet clear whether the lower volume of List Breaches since February 2012 is attributable to increased caution and better practices in protecting PHI on the part of covered entities (“CEs”) and business associates (“BAs”), greater use of encryption and other practices to protect PHI, slower postings of List Breaches by HHS, other factors or a combination thereof.


Of the total of 525 List Breaches posted through January 1, 2013, there were approximately 274 (52.2%) events that attributed the type of breach to “theft” of all kinds, including laptops, other portable electronic devices, desktop computers, network servers, paper records and others. If the 60 additional List Breaches listing the category of “loss” of all types are added to the 274 “theft” events, the total for the two categories swells to approximately 334 or 63.6% of the 525 posted List Breaches. Combining the two categories appears to make some sense since it is likely that a number of the List Breaches categorized as a “loss” event may have involved some theft aspects.


Even more revealing may be the fact that approximately 193 (36.8%) of the 525 List Breaches listed the cause or partial cause of the breach to be “theft” or “loss” respecting laptops or other portable electronic devices.  Theft or loss of laptops or other portable electronic devices thus constituted 51.6% of the 334 List Breaches that involved reported theft or loss. 


Over the last 10 months since the number of List Breaches passed 400, it appears that the relative percentage of List Breaches attributable to theft and loss is trending mildly upward. Of the 125 additional reported List Breaches, approximately 86 or 68.8% listed theft or loss as the source of the PHI breach. The number of such 125 List Breaches that reported theft or loss of laptops or other portable electronic devices was 37 or 29.6%, a lower percentage than the 36.8% for all 525 List Breaches.  The sample sizes are relatively small, so that further following of these numbers is warranted.


My partner, William Maruca, Esq., recently posted a blog entry highlighting the fact that the first breach settlement announcement by HHS in 2013 (the “2013 Settlement”) involved a $50,000 fine based on theft of a laptop containing 441 patients’ unencrypted data. It was the first fine by HHS for a PHI security breach that involved fewer than 500 individuals and, therefore, was below the threshold for a List Breach. 


While the parade of List Breaches continues to lengthen, the 2013 Settlement underscores the fact that there are many more PHI security breaches involving fewer than 500 individuals. The PHI security breaches that are not List Breaches are receiving increased scrutiny by HHS. As this blog series has emphasized in the past, it may become more a question of when a CE or BA will suffer a PHI security breach and how severe the breach will be, rather than if it will suffer a breach. All CEs and BAs must exercise vigilance and use recommended protection procedures to avoid all PHI security breaches, not just large List Breaches. The continuing proliferation of the use of portable electronic devices to receive, access and store PHI should be monitored, as it can be expected that this type of security breach will continue to expand.

As the Parade of Major PHI Breaches Marches Ever Onward, Where Have All the OCR Summaries Gone?

This blog series has been following breaches of Protected Health Information (“PHI”) that have been reported on the U.S. Department of Health and Human Services (“HHS”) list (the “HHS List”) of breaches of unsecured PHI affecting 500 or more individuals (the “List Breaches”). Currently HHS has posted 498 List Breaches reported by covered entities (“CEs”), of which approximately 102 (20.5%) have been reported as also involving business associates (“BAs”).  

As stated in an earlier posting in this blog series, the HHS List includes valuable guidance for CEs and BAs in the form of “brief summaries of the breach cases that OCR [the federal Office of Civil Rights] has investigated and closed. . . .” To date, the HHS List has posted approximately 96 summaries (“Summaries”) respecting the 498 current postings for CE marchers in the Breach Parade (which include some multiple postings of List Breaches where a single alleged breach by a BA caused a number of CEs to have List Breaches). Of the 96 List Breaches for which Summaries have been posted by OCR, 19 (19.8%) were reported as involving BAs.  


Unfortunately, since May 10, 2012, it would appear that only one new Summary has been posted by OCR, which relates to List Breach number 337 reported by Indiana University School of Optometry as CE. According to the OCR Summary, that List Breach affected 757 individuals and resulted in accessibility over the Internet of patient names, birth dates, medical history, diagnoses and treatment plans for the period from August 8, 2011 through September 9, 2011.  


No Summary has been posted by OCR for any List Breach that occurred later than October 6, 2011, already a year ago. Additionally, no Summary has been posted by OCR for any List Breach involving a BA that occurred later than February 1, 2011, as discussed in an earlier posting in this blog series. 


Moreover, the substantial majority of Summaries posted by OCR relate to List Breaches affecting fewer than 10,000 persons. While this Summary history may be reflective of the population of List Breaches as discussed in an earlier post in this blog series, the largest number of affected individuals for which a Summary has been posted to date is 83,000. That List Breach, which occurred on November 12, 2009 and was number 21 on the HHS List, related to unauthorized access/disclosure of paper information and was reported by Universal American in New York as the CE with Democracy Data & Communications, LLC as an involved BA. In light of the existence of complex List Breaches that reportedly affect hundreds of thousands or even millions of individuals, Summaries respecting larger List Breaches may be helpful in providing new and different insights for CEs and BAs.


There is great value in the guidance provided by the posted Summaries for educating CEs and BAs as to what OCR may deem to be significant with respect to List Breaches. OCR Summaries may provide analysis not only of the List Breaches themselves but also subsequent actions taken by the affected CEs and BAs. However, because the paucity of recent postings of Summaries can dampen their overall educational benefit, OCR is encouraged to increase the frequency, number, currentness and diversity of the Summaries posted.  

Business Associate Breach Leads to $2.5M Settlement by Accretive: But Who is the Covered Entity or Business Associate Here, and Do We Care?

Attorney General Lori Swanson of Minnesota (“AG”) issued a press release reporting that Accretive Health, Inc. (“Accretive”), the defendant in an action filed by the AG in U.S. District Court alleging violations of HIPAA, HITECH, the Minnesota Health Records Act, and the Minnesota consumer protection laws, signed a Settlement Agreement, Release and Order on July 30, 2012 (“Settlement Agreement”). The Settlement Agreement recites:

[R]ecognizing that unique circumstances exist in Minnesota in light of the Attorney General’s Agreement with Minnesota charitable hospitals … Accretive Health … has decided to wind down its remaining work for Minnesota Clients …


(other than its continuation of prior technology licensing agreements). The Settlement Agreement also requires Accretive to pay the AG nearly $2.5 million within 15 days of the Settlement Agreement’s effective date. The funds may be distributed to patients at the discretion of the AG, used for settlement administration, and/or remitted to the State Treasury.


Previous posts to this blog have reported on the AG’s action against Accretive, and on the need for entities or individuals sharing Protected Health Information (“PHI”) to identify the roles, rights, and obligations of the parties. Michael Kline’s recent blog reported on a breach involving more than 500 individuals included on the list maintained by the U.S. Department of Health and Human Services (the “HHS List”), highlighting the summary provided by the Office of Civil Rights (“OCR”). Michael noted that the OCR summary implies that OCR expects a covered entity (“CE”) contracting with a business associate (“BA”) to verify that the BA is “not an independent” CE.


Identifying the roles of the parties and the context in which PHI is disclosed is critical because different information-sharing standards apply depending on these roles and circumstances. For example, a business associate agreement (“BAA”) is not required for disclosures made within a CE for treatment, payment, or health care operations, nor is a BAA required for PHI to be disclosed from one CE to another CE where the recipient CE is a health care provider and the PHI is being disclosed for treatment purposes.


However, if the recipient CE is a health care provider, but is receiving the PHI as a BA (generally defined as a person or entity that performs functions or activities on behalf of another person that is a CE, which involves the use or disclosure of PHI), a BAA is required and it must, among other things, “establish the permitted and required uses and disclosures” of the PHI (though failure to execute a BAA will not absolve the BA of its responsibilities and liabilities under HIPAA and HITECH). In addition, while most uses and disclosures of PHI must be limited to the “minimum necessary,” current regulations do not restrict disclosures to or requests by a CE that is a health care provider to the “minimum necessary” when the disclosure or request is for treatment of a patient. A CE can use or disclose PHI for “payment” activities, but must comply with the “minimum necessary” standard.  If the “payment” activity involves disclosure to a consumer reporting agency, the CE may only disclose specified information (name/address, date of birth, social security number, payment history, account number, and the name and address of the CE). 


The Accretive case was triggered by an alleged PHI breach (the all-too-frequent loss of a laptop containing sensitive information about 23,500 patients treated at two hospitals that had contracted with Accretive), but the AG’s allegations were most scathing where they painted a picture of insidious and inappropriate sharing and use of PHI between hospitals and Accretive.  The AG alleged that Accretive’s “Quality and Total Cost of Care” services used “data mining,” “consumer behavior modeling,” and “propensity to pay” algorithms.  Accretive allegedly “amasse[d] and ha[d] access to a high volume of sensitive and personal information,” which it used, among other things, to create “per patient risk score” calculations, yet the hospitals’ patient authorization forms allegedly failed to disclose the scope or breadth of the PHI that the hospitals would share with Accretive.


In addition to this questionable and seemingly surreptitious “behind the scenes” PHI-sharing, Accretive staff allegedly interfaced directly with patients seeking treatment at the hospitals, often appearing to be members of the hospital’s staff.  Jessica Silver-Greenberg, reporting on the Settlement Agreement in the New York Times, describes allegations of aggressive collection tactics taken by Accretive that involved requesting payment from patients seeking emergency care. 

Whether a clear delineation of the role of Accretive as a BA and/or restriction of PHI disclosed to Accretive to the “minimum necessary” would have prevented the AG’s action is unclear. However, the Accretive case provides a good example of how the blurring of the CE and BA roles can backfire on parties that fail to sufficiently analyze and define such roles, not only at the outset of a relationship but throughout its duration and evolution.


Advice from OCR's Breach Parade Reviewing Stand: Verify Whether Your Business Associate is also an Independent Covered Entity

A recent post in this blog series has discussed the valuable guidance for covered entities (“CEs”) and business associates (“BAs”) that can be contained in the U.S. Department of Health and Human Services list (the “HHS List”) of breaches of unsecured PHI affecting 500 or more individuals (“List Breaches”), especially within the “brief summaries of the breach cases that OCR [the federal Office of Civil Rights] has investigated and closed. . . .” (“Summaries”). 

An example is List Breach number 265 (“LB 265”), which reported a theft of a laptop in Alaska from Trisha Elaine Cordova, a BA of Catholic Social Services (“CSS”), the related CE, on February 1, 2011. The laptop reportedly contained approximately 493 adoption home studies affecting 1,700 individuals.  LB 265 also happens to be the most recent List Breach involving a BA for which a Summary has been provided by OCR. (As an aside, LB 265 actually appears on line 266 of a chronological schedule of List Breaches because the first line was used by HHS for column headings.)


According to the LB 265 Summary: “The protected health information involved in the breach included names, addresses, phone numbers, dates of birth, driver’s license numbers, and health information; 20% of the files contained social security numbers.”

While the PHI involved covered a broad range, there was nothing unusual about the items. What makes the LB 265 Summary worthy of discussion is its final two sentences:


The covered entity did not have a business associate contract with the contractor at the time of the breach. OCR’s investigation resulted in the covered entity developing policies and procedures for obtaining business associate contracts when required by the Privacy Rule and verifying that the contractor involved was not an independent covered entity. 


The LB 265 Summary identified what OCR deems to be two related important elements of compliance with the HHS Privacy Rule when a CE contracts with another person with respect to PHI, the first of which is obvious and well-known but the second of which is more subtle and less recognized:


1. The requirement that a CE have a business associate agreement or contract (“BAA”) with the contractor; and

2. The need for the CE to verify in what capacity the contractor is serving with respect to the CE’s PHI, that is, whether the contractor is only a BA or is a CE as well as a BA (a “BA/CE”).


In its LB 265 Summary, OCR is pointing out its expectation that a contractor like Ms. Cordova may be a BA with respect to the PHI of CSS, but, depending upon her status and activities with respect to such PHI, she could also be a BA/CE. Furthermore, it is viewed by OCR to be the obligation of CSS as a CE (and presumably Ms. Cordova as a BA as well) to have policies and procedures in place to verify if Ms. Cordova was a BA/CE with respect to the PHI.


Ms. Cordova was apparently provided with PHI by CSS for the purpose of conducting adoption home studies for CSS respecting applicants seeking to adopt children through the auspices of CSS. It is conceivable that the CSS PHI in Ms. Cordova’s hands could have been reformulated and processed by her in her BA activities to such an extent that she could have been a BA/CE.  


The discussion by OCR in LB 265 of the need by a CE for a BAA under the HIPAA Privacy Rule in the same sentence as the verification activity is consistent with OCR’s sentence in its “OCR Privacy Brief” section on CEs as follows: “A covered entity can be the business associate of another covered entity.”  In requiring a CE to establish policies and procedures to verify whether a BA is also a BA/CE, OCR would appear to have extended CE obligations. However, because no further comment was made on the matter by OCR in LB 265, it would appear that Ms. Cordova was not deemed to be a BA/CE.


Separate and apart from OCR’s position on verification, unless a CE (and its contractor as well) has done sufficient analysis of the status of its BA and the character of the BA’s activities, how can the CE properly draft applicable provisions of its BAA? One form of BAA does not necessarily fit all BAs, as much as CEs would like to believe. For example, if a BA of a CE is also a BA/CE with respect to specific PHI, the BA/CE has primary reporting and/or documentation obligations to HHS in the event of a privacy breach, even to the extent of a separate report to HHS for a List Breach. If a BA/CE were to fail to notify HHS of a List Breach, the BA/CE may incur significant penalties and sanctions. 


The BAA should take cognizance of whether the BA is deemed by the parties to be a BA/CE and in such case, discuss procedures and methods to confront, among other things, a List Breach, other breaches and the parties' relative investigation, documentation and reporting responsibilities under HIPAA/HITECH, and even data breach insurance. Without proper coordination, in the event of a List Breach or other breach, there can be (i) unnecessary and costly duplication of investigation efforts and evaluation of risk of harm, (ii) inappropriately inconsistent reporting of the event to affected individuals, HHS and state agencies, (iii) inconsistent statements to the media, etc. 


In summary, the OCR deems it a requirement for a CE to verify the status of its BA and the character of the BA’s activities with respect to the CE’s PHI; in turn such CE and BA and their respective counsel should use the verification process to develop provisions in the BAA. 

MD Anderson Posts Notice of Breach on Day 59

As reported in the Houston Chronicle on June 28, 2012, an unencrypted laptop computer containing data on more than 30,000 patients of the University of Texas MD Anderson Cancer Center (“MD Anderson”) was stolen from a faculty member’s home on April 30, 2012. The stolen laptop scenario has become all too familiar (this blog series has reported on the high proportion of breaches resulting from the theft or loss of laptops or other portable devices), and even the high number of patients affected pales in comparison with the roughly 5 million patients affected in the SAIC breach.

What caught my attention was the fact that MD Anderson posted notice of the breach on its website on June 28th, exactly 59 days after the theft took place. Pursuant to the interim final breach notification regulations, a covered entity must provide notice to affected individuals “without unreasonable delay and in no case later than 60 calendar days after discovery of the breach.”   Although an exception exists for prompt notification where a law enforcement official tells the covered entity (or business associate) that notification would impede the criminal investigation or cause damage to national security, the time required for performance of a criminal investigation is, presumably, less than 60 days. MD Anderson’s website notice gives every indication that it acted promptly and investigated thoroughly:


MD Anderson was alerted to the theft on May 1 and immediately began a thorough investigation to determine what information was contained on the laptop. After a detailed review with outside forensics experts, we have confirmed that the laptop may have contained some of our patients’ personal information, including patients’ names, medical record numbers, treatment and/or research information, and in some instances Social Security numbers.


Would patients have been better off knowing their data might have been illegally accessed prior to day 59 following the breach, or does the benefit of a thorough investigation outweigh the risk that earlier notification would have benefited patients? 


Navigant Consulting released an “Information Security and Data Breach Report” in April of this year that found that the average number of days between discovery of a breach involving medical records and disclosure was 63 days in the third quarter of 2011, compared with 65 days in the fourth quarter of 2011, an increase of 3%, despite the requirement under applicable HIPAA law that patients be notified “without unreasonable delay” and no later than 60 days following the breach. When analyzed in terms of the entity reporting the breach, “[h]ealthcare entities registered an 84% increase between discovery and disclosure from 51 days in Q3 to 94 days in Q4.”


From this perspective, it seems MD Anderson did pretty well. Had the faculty member delayed his or her original notification to MD Anderson regarding the theft, however, MD Anderson might have been hard-pressed to meet the 60 day deadline. Covered entities such as MD Anderson (and business associates who provide protected health information to subcontractors) should be reminded that prompt communication and investigation is essential to meeting the “without unreasonable delay and in no case later than 60 calendar days” notification requirement, and must balance the need to get the facts straight with the need to alert affected individuals, and, where applicable, the Department of Health and Human Services and state agencies, as quickly as possible. 

The Breach Parade: OCR's Reviewing Stand Lashes Out and Takes $1.7 million from Alaska Medicaid - Who is Really Being Penalized?

This blog series has been following breaches of Protected Health Information (“PHI”) that have been reported on the U.S. Department of Health and Human Services (“HHS”) list (the “HHS List”) of breaches of unsecured PHI affecting 500 or more individuals (the “List Breaches”). As reported in a recent posting, the HHS List includes guidance that covered entities (“CEs”) and business associates (“BAs”) can use in the event of a PHI security breach in the form of brief summaries (“Summaries”) of the breach cases that the federal Office of Civil Rights (“OCR”) has investigated and closed. 

On June 26, 2012, HHS and OCR reported in a press release (the “Press Release”) that Alaska Department of Health and Social Services, the state Medicaid agency (“Alaska Medicaid”), had agreed to pay HHS $1.7 million with respect to a resolution of possible violations of HIPAA, which included the compromising of PHI of 501 affected individuals by means of a theft that occurred on October 12, 2009 of an “Other Portable Electronic Device” (the “2009 Breach”).  Alaska Medicaid has also agreed, among other things, to take corrective action to properly safeguard the PHI of Medicaid beneficiaries. An official statement by Alaska Medicaid Commissioner Bill Streur relating to the resolution with HHS of the 2009 Breach is posted on the Alaska Medicaid Web site.

 

While the Alaska Medicaid resolution has not yet been reported in a Summary on the HHS List, visiting the HHS List reveals that the 2009 Breach was originally posted by HHS in the very first batch of List Breaches on February 22, 2010. What is also interesting is that Alaska Medicaid had a later separate List Breach, reportedly involving the compromising of PHI of approximately 2,000 affected individuals by means of a theft on September 7, 2010 of an “Other Portable Electronic Device” (the “2010 Breach”). The 2010 Breach was reported as involving Alaskan AIDS Assistance Association as a BA.

 

However, it is difficult to identify readily that the 2009 Breach and the 2010 Breach involved the same CE, Alaska Medicaid. The 2009 Breach is alphabetically indexed under “Alaska Department of Health and Social Services,” while the 2010 Breach is indexed under “State of Alaska, Department of Health and Social Services.” It would be helpful for HHS to endeavor to use CE and BA names consistently to assist in analysis by those visiting the HHS List.

 

The Press Release of HHS regarding the 2009 Breach quotes OCR Director Leon Rodriguez: “This is OCR’s first HIPAA enforcement action against a state agency and we expect organizations to comply with their obligations under these rules regardless of whether they are private or public entities.”

 

It is commendable that OCR enforces compliance with HIPAA against private and public entities with the same vigor. Query, however, whether it is wise for HHS to exact a $1.7 million payment from Alaska Medicaid. Alaska Medicaid oversees a program to provide medical care to the indigent in Alaska, a program that is funded by the taxpayers of Alaska and the U.S. In almost all states, Medicaid programs are financially embattled and under severe economic and political stress. The large payment by Alaska Medicaid to HHS is an enforced shifting by a state agency of “other people’s money” to HHS that may have to be replaced by increased taxes or reductions in future benefits for Alaskan indigents.

 

This blog series will continue to review various OCR Summaries and resolutions to give guidance to CEs and BAs. We will also monitor future developments with respect to the 2010 Breach.

The Parade of Major PHI Breaches Marches Onward - What Lessons Can Be Learned from Comments by OCR's Reviewing Stand?

This blog series has been following breaches of Protected Health Information (“PHI”) that have been reported on the U.S. Department of Health and Human Services (“HHS”) list (the “HHS List”) of breaches of unsecured PHI affecting 500 or more individuals (the “List Breaches”). Currently HHS has posted 435 List Breaches affecting marchers in the ever-lengthening parade, although the number of marchers has remained unchanged for several weeks.

The most recent posting on this blog series by my partner Elizabeth Litten, Esq., discussed a recent presentation by Linda Sanches, Office of Civil Rights ("OCR") Senior Advisor and the lead on HIPAA Compliance Audits, on the progress of the 2012 HIPAA Privacy and Security Audit Program.  As pointed out in the earlier posting, the presentation by Ms. Sanches included some general tips that covered entities (“CEs”) and business associates ("BAs") can use to reduce the likelihood of HIPAA violations, one of which is PHI security breaches.

 

The HHS List includes additional focused guidance from OCR that CEs and BAs can use in efforts to avoid, or in the event of, a PHI security breach (even if it does not rise to the level of a List Breach) in the form of brief summaries of the breach cases that OCR has investigated and closed. To date, the HHS List has posted approximately 93 summaries (“Summaries”) out of the 435 postings respecting marchers in the Breach Parade (which include some multiple postings of List Breaches where an alleged breach by one BA caused a number of CEs to have List Breaches). Of the 93 List Breaches for which Summaries have been prepared by OCR, 18 (approximately 20%) were reported as involving BAs.

 

These Summaries can provide valuable clues for CEs and BAs on how to deal with a HIPAA security breach. One example is contained in a Summary respecting a List Breach reported on January 29, 2010 by Thrivent Financial for Lutherans (“Thrivent”) in Wisconsin. The List Breach, which did not report an involved BA, related to a theft of laptops that contained the PHI of approximately 9,400 individuals. (The original report by Thrivent had stated that approximately 9,500 individuals had been affected.) The OCR Summary included the following statement:

 

The protected health information involved in the breach included name, address, date of birth, social security number, prescription drugs, medical condition, age, weight, etc. Thrivent provided OCR with additional controls to remedy causes of security breach at various stages of implementation. The actions taken by the CE prior to OCR’s formal investigation brought the CE into compliance.

 

OCR clearly viewed it as noteworthy and commendable that Thrivent had voluntarily taken necessary steps for compliance before OCR conducted its investigation. That should be an alert for those who suffer HIPAA breaches that all appropriate and reasonable remedial measures should be undertaken promptly to demonstrate and document compliance before OCR comes knocking on the door of the CE. This blog series will continue to review various OCR Summaries as to guidance that they may contain respecting PHI security breaches.

Government HIPAA Enforcement Tools - Will These "Red Light Cameras" Deter Marchers From Joining the Breach Parade?

At the risk of killing (or at least maiming) the “Breach Parade” metaphor we have used in this blog series by over-stretching it, I wanted to write about two tools being used by the federal Office of Civil Rights (“OCR”) and individual State Attorneys General (“SAGs”) to deter and catch HIPAA privacy and security breaches that remind me of the red light cameras designed to deter and catch traffic violations.

If a Covered Entity (“CE”) or Business Associate (“BA”) has already experienced a breach of Protected Health Information (“PHI”), it has probably already taken (or has been required by regulators to take) steps to prevent future breaches. However, all CEs and BAs should be aware of the tools available to the federal and state governments to check HIPAA compliance, investigate potential breaches, and bring enforcement actions for a variety of HIPAA violations, including, but not limited to, PHI breaches. 

 

Linda Sanches, OCR Senior Advisor and the lead on HIPAA Compliance Audits, recently presented on the progress of an OCR tool, the 2012 HIPAA Privacy and Security Audit Program (the “Audit Program”) being conducted for OCR by KPMG, Inc.  One stated objective of the Audit Program is to “[e]ncourage renewed attention to compliance activities.” The Audit Program is being conducted utilizing Generally Accepted Government Auditing Standards (aka “Yellow Book Standards”).

 

While OCR states that the Audit Program is not meant to be “punitive,” it also notes that the Audit Program currently being conducted will “feed into decisions” related to future audits. OCR lists “Non-Compliance Risks” as including loss of contracts, criminal and civil investigation, federal penalties and state fines, public harm and reputational risk, legal costs, and costs of notification.  

 

In particular, three of the tips listed on the last slide of Ms. Sanches’ presentation for avoiding the consequences of joining the marchers in the Breach Parade struck me as particularly noteworthy for their obviousness and simplicity:

 

1)  Determine your various lines of business that are affected by HIPAA.

2)  Map/Flow PHI movement within your organization, as well as flows to/from third parties.

3)  Find all of your PHI.

Yes, if you are a CE or BA and don’t know where your PHI resides or travels, you may have already joined the Breach Parade without even realizing it.

 

As another enforcement tool, OCR has published guidance for SAGs looking to investigate HIPAA violations and drum up revenue for the states and individuals affected by the violations. CEs and BAs can view this guidance and see how states can investigate and prosecute potential HIPAA violations, as well as how OCR and SAGs can estimate the daunting potential penalties that may be imposed:

 

SAG Penalty Estimate

Amount of penalty = [number of violations] X [up to $100] per violation; and

A SAG may obtain damages as high as $100 per violation and up to $25,000 for violations of the same requirement in a calendar year.

OCR Penalty Estimate

OCR may collect civil money penalties of up to $50,000 per violation, depending on the level of culpability; and

The calendar year OCR maximum is $1.5 million, for a single CE, for violation of identical provisions.

 

One example of HIPAA violations worthy of SAG prosecution, which did not involve a PHI security breach, involves a pharmacy’s

 

disclosure of the PHI of 1,500 customers to a business associate, which the pharmacy paid to make a treatment communication on its behalf. The pharmacy did not limit the PHI it disclosed to the minimum necessary, and did not include the required information about this practice in its notice of privacy practices that the pharmacy distributed to all 1,500 customers.

 

The unfortunate pharmacy in this example is described as having otherwise compliant HIPAA policies and procedures, but is subject to a state penalty of $50,000 and an OCR penalty of up to $3 million.

 

The astronomical penalties that are potentially assessable by OCR and SAGs for HIPAA violations should act as a red light or at least a bright amber light of caution to those who may already be approaching or on the road to HIPAA violations. All CEs and BAs should heed the OCR warnings and guidelines before they become new unwilling marchers in the Breach Parade.

A New Year's Resolution: Review and Analyze Potentially Applicable State Laws Whenever Examining HIPAA Compliance Issues

The Order of Judge Richard Smoak in a recent Federal District Court case (Opis Management, LLC, et al. v. Dudek, No. 4:11-cv-400/RS-WCS (N.D. Fla., Tallahassee Division)) (the “Opis Order”) reminds us of the attention that must be paid to the interaction and potential conflicts or dual applicability of state law with HIPAA compliance. While the Opis Order dealt with a relatively narrow issue that did not involve a data security breach, as will be hereinafter discussed, its focus highlights the broader concern about conflicts or dual law coverage involving HIPAA and state law.

The Opis Order itself dealt with the concern of plaintiffs that compliance with a Florida law would violate federal law under HIPAA, and compliance with federal law under HIPAA would violate state law. As a result, plaintiffs argued that the Florida law was invalid. More specifically, they argued that

 

Florida law requires nursing homes to “furnish to the spouse, guardian, surrogate, proxy, or attorney in fact . . . of a former resident . . . a copy of that resident’s records which are in the possession of the facility.” Further, the law provides that “copies of such records shall not be considered part of the deceased resident’s estate and may be made available prior to the administration of an estate, upon request, to the spouse, guardian, surrogate, proxy, or attorney in fact.” FLA. STAT. § 400.145 . . . Plaintiffs claim that their non-compliance is excusable because Section 400.145 is preempted by the Health Insurance Portability and Accountability Act of 1996 (“HIPPA”). They seek a declaratory judgment that Section 400.145 is invalid and injunctive relief prohibiting its enforcement. [For whatever reason, the Opis Order uses the definition “HIPPA” rather than the much more widely-used acronym “HIPAA.” Except in quotations taken directly from the Opis Order, this posting will use the more prevalent “HIPAA.”]

 

Under HIPAA, a more stringent state law preempts HIPAA as to a particular matter. HIPAA defines more stringent as meaning “with respect to a use or disclosure, the [state] law prohibits or restricts a use or disclosure in circumstances under which such use or disclosure otherwise would be permitted.” In granting plaintiffs’ declaratory judgment petition, the Court found that, rather than being more stringent than HIPAA, Florida provision Section 400.145 actually afforded less protection of protected health information (“PHI”) than HIPAA. The Opis Order concluded as follows:

 

Section 400.145 is preempted because it is contrary to HIPPA. It affords a patient far less protection than the heightened privacy requirements imposed by the federal requirement and is, therefore, not more stringent than HIPPA. For this reason, Section 400.145 “stands as an obstacle to the accomplishment and execution of the full purposes and objectives of [HIPPA].” 45 C.F.R. § 160.202.

 

The Opis Order serves as a case in point of the need to analyze state law whenever considering compliance issues involving HIPAA. However, the Opis Order is only one example of the potential conflicts, overlaps or inconsistencies that can exist between HIPAA and state law relative to the same or similar subject matter. A proper analysis requires a comparison of HIPAA and state law definitions of terms, scope of applicability and procedural requirements. Moreover, it must be remembered that, to the extent a HIPAA item is not “contrary to” a state law provision, both the HIPAA and the state law provisions must be followed. For example, some areas where differences between HIPAA and state law may surface in connection with notification of security breaches include the following:

 

• To what persons does the law apply? – HIPAA applies to covered entities and business associates; state law may apply to different persons, e.g., all businesses and/or public entities.

• What type of information is covered? – HIPAA applies to PHI, a very broad range of information; state law may apply to more limited information primarily associated with potential identity theft, such as credit card numbers, social security numbers and dates of birth.

• In what medium is the information contained? – HIPAA covers PHI in electronic, paper and oral format; state law may only cover one or two of these formats.

• What constitutes a security breach? – HIPAA and state law may diverge greatly.

• In what cases, who, how and when must regulatory authorities be notified of a data security breach? – HIPAA and state law may have provisions that differ greatly and may conflict with each other, overlap or have dual applicability, while not conflicting.

 

In summary, while HIPAA requires careful compliance in the event of a security breach, state law provisions must also be considered and analyzed.

 

Happy New Year and thank you to each of our readers.

The Silent Brigade in the Parade of Major Reported PHI Breaches of Security and Privacy: Business Associates - An Update

This blog series has been following breaches of Protected Health Information (“PHI”) that have been reported on the list (the “HHS List”) posted by the U.S. Department of Health and Human Services (“HHS”) that reports breaches of unsecured PHI affecting 500 or more individuals (the “List Breaches”). Four months ago a blog posting in this series did some analysis as to the extent to which such List Breaches are being reported by covered entities (“CEs”) as attributable to events involving business associates (“BAs”). 

A December 2, 2011 article in MedPage Today by Cole Petrochko reported on a survey conducted by the Ponemon Institute (the “Survey”) that was conducted based on "interviews with senior-level staff at 72 healthcare organizations regarding data loss and theft experiences at their facilities. Sites included parent holding companies of healthcare organizations, parts of a healthcare network, and individual hospitals or clinics."

 

This interesting Survey acknowledged that it had a number of limiting factors, including self-reporting from only 14% of the organizations, mostly larger-sized groups, that were contacted by the Ponemon Institute to participate in the interview process. It is therefore likely that data derived from the HHS List is more reliable in light of the adverse consequences and penalties that can be incurred by a CE from inaccurately reporting in writing to HHS. Nonetheless, according to the Survey, "two out of five respondents (41%) blamed data breaches on employee negligence -- not following data-handling procedures, sloppy mistakes, and using unsecure electronic devices -- and 49% reported lost or stolen devices. Third-party errors were responsible for 46% of breaches."  [Emphasis supplied.]

 

It is not clear that the incidents involving “third-party errors” in the Survey are coincident with events that would have been reportable as involving BAs had they been on the HHS List. Moreover, the Survey covered institutional healthcare providers only and not other types of CEs such as insurers, government agencies and individual physicians and physician practice groups. However, the Survey results as to third party errors mirror to some extent the proportion of reported BA involvement with respect to the largest of the List Breaches on the HHS List as of December 2, 2011. 

 

As of that date, only 83 of the total of 372 List Breaches (22.3%) reportedly involved BAs of the reporting CEs.

 

This overall amount is far lower than the 46% of breaches that was attributable to third-party errors in the Survey. However, further analysis of the HHS List as of December 2, 2011 reveals the following information that more closely parallels the Survey at higher numbers of involved individuals:

 

•   3 of the 6 List Breaches (50%) that affected 1,000,000 or more individuals reportedly involved BAs of the reporting CEs.

•   13 of the 29 List Breaches (44.8%) that affected between 30,000 and 999,999 individuals reportedly involved BAs of the reporting CEs.

•   14 of the 47 List Breaches (29.8%) that affected between 10,000 and 29,999 individuals reportedly involved BAs of the reporting CEs.

•   53 of the 290 List Breaches (18.3%) that affected between 500 and 9,999 individuals reportedly involved BAs of the reporting CEs.

 

While the foregoing review is only a snapshot of the HHS List as of a given date, the review would indicate that, as the size of a List Breach increases, it is more likely that involvement of a BA will be reported. However, the overwhelming proportion of List Breaches (77.7%) on the HHS List that affected fewer than 10,000 individuals reported no involvement of a BA.

 

More data will be required before the impact of BA involvement in smaller and larger List Breaches becomes clearer.  However, there are indications that the larger the List Breach that is reported by a CE, the greater the likelihood that it will involve an alleged BA.

Stanford Hospital Emergency Room Data Breach: the Snoopy® Float Materializes in the Parade of PHI Breaches

 By Elizabeth Litten and Michael Kline

 

What was the highlight of the Macy’s® Thanksgiving Day parade when we were kids? The Snoopy® float (shown below) was probably right up there, along with the Sesame Street® and Disney® floats. Spectators of the Protected Health Information (“PHI”) Breach Parade (and of the “silent brigade” of Business Associate breaches, discussed in this blog series on August 1, 2011) will be awed by the sight of the recent, somewhat bizarre, Business Associate (“BA”) breach involving Stanford Hospital’s emergency room data, as reported in the New York Times by Kevin Sack on September 8, 2011. The PHI of 20,000 emergency room patients seen in the Palo Alto, CA hospital reportedly somehow made its way from the hospital’s BA, Multi-Specialty Collection Services, to a public website used by students. The publicly-posted information included names and diagnoses for patients who visited the emergency room during a 6 month period in 2009.

 

This PHI breach stands out for a couple of unusual aspects. First, the data was allegedly made publicly accessible in September of 2010 as a spreadsheet attached to a document on the Web site “Student of Fortune,” a site describing itself as “Your source for easy online homework help!” As reported in the Sack article: “Gary Migdol, a spokesman for Stanford Hospital and Clinics, said that the spreadsheet first appeared on the site on Sept. 9, 2010, as an attachment to a question about how to convert the data into a bar graph." The PHI breach was purportedly discovered on August 22, 2011 by a Stanford Hospital patient and reported to the hospital. The fact that nearly a year had elapsed from the time of the breach to its reported discovery suggests that the PHI was

 

(i)   not recognized as “real” by viewers,

(ii)  not thought by viewers to be worth noting or reporting, and/or

(iii) not actually viewed by anyone during the year it was accessible to students seeking bar graph tutorial. 

 

Nonetheless, the volume of patients affected, the sensitivity of the PHI data (more on that in a minute), the apparent lack of sufficient care by the BA, and the surprising nonchalance of whoever posted the PHI to be sifted and sorted by “Students of Fortune” accessing a publicly available Web site combine to make an attention-grabbing PHI breach event (the Snoopy float). 

 

As also reported on a New York Times blog site by Nick Bilton on September 8, 2011, Senator Richard Blumenthal (D-CT) introduced a bill, the Personal Data Protection and Breach Accountability Act of 2011, that, if passed, would impose strict storage and protection requirements for companies that store online data for more than 10,000 people. (Senator Blumenthal was previously highlighted in several postings in this blog series for his groundbreaking activities as Attorney General of Connecticut in investigations and enforcement actions against entities involved in PHI security breaches.)

 

While “Student of Fortune” was certainly not “storing” the emergency room PHI, the bill would likely affect BAs such as Multi-Specialty Collection Services. To the extent the Blumenthal bill imposes new or additional privacy and security provisions, Covered Entities and BAs handling large amounts of PHI would be subject to these provisions in addition to existing HIPAA/HITECH and state law requirements.

 

Back to the Snoopy float – the Stanford Hospital PHI breach (and the manner in which it was reported in the Sack article) stands out for a number of ironies. A large amount of sensitive PHI was accessible to the public, but obscurely so (only to Students of Fortune using a particular learning tool and astute enough to recognize, or care about, the sensitivity of the information). If the Stanford Hospital patient had not noticed and reported the PHI breach, would the breach have ever been noticed? Would any patient have been harmed? (If a tree falls in the forest when no one is present, does it make a sound?)

 

Even more ironic is the fact that one affected patient may actually have been harmed as a result of the breach reporting, rather than from the breach itself. The Sack article quotes (by name) a patient’s mother who “intercepted” the breach notice mailed from Stanford Hospital to her 21-year-old son (leaving the reader to wonder why Mom is opening her adult son’s mail and whether she was authorized to access his PHI). Mom is quoted as stating (i) that her son received psychiatric treatment at Stanford in 2009 and (ii) “My son, I can tell you [Kevin Sack], is fragile and confused enough that this would have sent him over the edge."  One can only hope that the disclosure of his "fragile" state in a national newspaper will not have a similar effect.  Perhaps, in this post-Facebook and Twitter age, we could all use reminders about what kind of information is private and sensitive, when we should report breaches of it, and with whom we should share it.  The Snoopy float is a good reminder.    

 

A final irony is that Michael Mucha, the Stanford Hospital Chief Information Security Officer at the time of the Stanford PHI breach, has written extensively and has been widely quoted regarding information security. He has been quoted as saying, “The biggest thing we [Stanford Hospital] focus on with all of this is control of the data.” Unfortunately the Snoopy float PHI breach belies the level of control of the data that can be exercised by Stanford and other Covered Entities, even with safeguards in place.

 

This story will undoubtedly have further developments. It will be especially interesting to see what statement, if any, Stanford provides to the U.S. Department of Health and Human Services (“HHS”) about its PHI breach for posting on the HHS list of reported large breaches of unsecured PHI affecting 500 or more individuals.

 

[Capitalized items that have ® after their names may be registered trademarks of other entities as to which no claim is made.]

 

[Image: The Snoopy Balloon floats along Central Park West in the 2000 Thanksgiving Day Parade. Source: About.com Guide.]

Ohio District 5 Area Agency on Aging, Inc.: a Business Associate Marcher in the Parade of Major PHI Security and Privacy Breaches

Postings on this blog series have been following the continuing flow of large security and privacy breaches of Protected Health Information (“PHI”) that has been reported on the U.S. Department of Health and Human Services (“HHS”) Web site. A recent posting highlighted an area that has received relatively little media attention respecting the HHS list (the “HHS List”) of reported large breaches of unsecured PHI affecting 500 or more individuals (“Large Breaches”) - the extent to which such Large Breaches are stated to be attributable to events involving business associates (“BAs”) of the reporting covered entities (“CEs”). Some Large Breaches involving BAs will be reviewed in this and future postings.

The HHS List reveals that Ohio Health Plans (“OHP”), the public health care program overseen by the Ohio Department of Jobs and Family Services, reported as a CE that a Large Breach on June 3, 2011 involving 78,042 individuals had resulted from the theft of a laptop (the “OHP Breach”). The HHS List states that “Area Agency on Aging, Ohio District 5” was a “Business Associate Involved.” Unlike some other disclosures respecting Large Breaches reported on the HHS List, no further information is available on the HHS List for the OHP Breach.

 

A June 20, 2011 report of the OHP Breach in CrawfordCountyNow.com (the “Internet Report”) indicates that the correct corporate name of the affected BA is Ohio District 5 Area Agency on Aging, Inc. (the “Agency”). The Internet Report states:

 

A laptop computer assigned to a PASSPORT case manager with the Ohio District 5 (Mansfield) Area Agency on Aging, Inc. containing consumer’s personal health information was stolen from a vehicle on June 3. The computer contained personal health information of up to 43,000 consumers and the personal contact information of up to 35,000 related clients’ personal representatives.

 

The Internet Report quotes an apology from the CEO of the Agency, Duana Patton, and describes steps that the Agency was taking to mitigate the loss to affected individuals, including access to credit protection services and an 800 number to answer questions. Nowhere in the Internet Report is there any reference to OHP or the fact that the Agency was in possession of the PHI as a BA of a CE.

 

A visit to the Internet Web site of each of OHP and the Agency reveals no information respecting the OHP Breach. There is no reference to the OHP Breach in the links on the Home page of the OHP Web site or the links accessible through the “News & Events” link, including the “What’s New” and “News Releases” links.

 

The Agency Web site describes the Agency as

 

a private non-profit Agency, designated by the State of Ohio to be a Planning and Service Area (PSA) as mandated in the Older Americans Act, as enacted by the Federal Government in 1965. The Agency administers Title III, State Block Grant, Medicaid and other grant funds.

 

Again there is no reference to the OHP Breach on the Agency Web site, either in the “News and Events” links, the “Privacy Information” link or elsewhere, or the efforts of the Agency to mitigate adverse consequences to affected individuals that may result from the OHP Breach.

 

It appears that OHP, as the CE with respect to the OHP Breach and the entity required to report the OHP Breach to the HHS for placement on the HHS List, left it to the Agency as the apparently responsible BA to confront the aftermath. Moreover, OHP and the Agency appear to have consciously limited disclosures regarding the status of OHP as the CE to avoid adverse publicity for OHP, perhaps because it is part of the Ohio state sponsored health programs. 

 

Other Large Breaches involving BAs that have been reported on the HHS List will be reviewed in future postings on this blog.

The Silent Brigade in the Parade of Major Reported PHI Breaches of Security and Privacy: Business Associates

This blog series has been following the continuing flow of large security and privacy breaches of Protected Health Information (“PHI”) that has been reported on the U.S. Department of Health and Human Services (“HHS”) Web site. As required by HITECH, the HHS Web site posts a list (the “HHS List”) of reported large breaches of unsecured PHI affecting 500 or more individuals (“Large Breaches”). One area that has received relatively little attention from postings on the HHS List is the extent to which such Large Breaches are reported to be attributable to events involving business associates (“BAs”) of covered entities (“CEs”). 

The HITECH Act provides at Section 13402 (42 U.S.C. Section 17932) that, following a Large Breach of unsecured PHI, a CE must provide notification of the breach to affected individuals, the Secretary of HHS, and, in certain circumstances, to the media.  The HITECH Act imposed on a BA many of the obligations that only a CE previously had under the original HIPAA, unless the BA had specifically assumed such obligations contractually in an agreement with a CE. 

 

However, while Section 17932(b) of HITECH requires a BA to notify the associated CE that a PHI breach has occurred, under HITECH, such a BA has no obligation or even authority for mandatory or voluntary reporting of a Large Breach directly to HHS. That is solely the obligation of the CE under HITECH Section 17932(e)(3). Nonetheless, the form of "Notice to the Secretary of HHS of Breach of Unsecured Protected Health Information" to be filed by a CE calls for a disclosure by the CE of information about any breach that occurred at or by a BA.

 

The effect is that neither HITECH nor the interim HHS rules give a BA any authorized voice by which it can make a statement to HHS, for posting on the HHS List, that corrects, amends, modifies, supplements or even denies a CE report on the HHS List regarding such BA.

 

Of the 292 PHI breaches listed on the HHS List as of July 31, 2011, the following information has been reported regarding BAs:

•   Approximately 53 of the Large Breaches or 18% allegedly involved BAs of the reporting CEs.

•   Approximately 12 of the reported Large Breaches allegedly involving BAs contained a narrative as to the Large Breach event.

•   Approximately 8 of the narratives stated that the CE had enforced its agreement with the allegedly involved BA and/or modified or terminated its relationship with such BA.

 

It is clear that a Large Breach can generate substantial costs, embarrassment and loss of reputation to a CE and an involved BA.  It is in the interest of both parties that prompt, accurate and complete notification of a Large Breach be made to the public and HHS.  Cooperative efforts that optimally should exist between the CE and an involved BA in remediating a Large Breach should also include drafting a mutually acceptable narrative, if such a narrative is to be included in the report to HHS. However, it may not be possible to have agreement on remediation itself or the description that will be reported by the CE to HHS and posted on the HHS List.  HHS should consider giving a BA an opportunity to report its own responsive version of a Large Breach event in a case where a CE attributes involvement to such BA.

"PHI Warnings" in Communications -- A Potential Source of Unintended Security Breach?

By Elizabeth Litten and Michael Kline

Many Covered Entities (CE) and Business Associates (BA) (and now, Subcontractors (SC) as well) are using a variety of approaches to limit exposure to liability and the potentially dire consequences associated with security breaches of Protected Health Information (“PHI”).  Recently, we have noticed “PHI Warnings” in email and facsimile transmissions, by which a CE, BA, or SC warns unintended recipients not to transmit or re-send PHI to third parties.  Such PHI Warnings are being routinely used by hospitals, providers, health insurers, law firms and others that create, receive, maintain, or transmit PHI.  Such PHI Warnings should be used and worded with caution, however.

For example, instructions such as the following sample may be found at the bottom of a CE’s email transmission:

Email Confidentiality Notice:  The information contained in this transmission is privileged and confidential and/or protected health information (PHI) and may be subject to protection under the law, including the Health Insurance Portability and Accountability Act of 1996, as amended (HIPAA).  This transmission is intended for the sole use of the individual or entity to whom it is addressed.  If you are not the intended recipient, you are notified that any use, dissemination, distribution, printing or copying of this transmission is strictly prohibited and may subject you to criminal or civil penalties.  If you have received this transmission in error, please contact the sender immediately by replying to this email and deleting this email and any attachments from any computer.

Unfortunately, if an unintended (or unprepared) recipient of such PHI reads this message and follows the sender’s instruction by “replying” to the email, such recipient could be unintentionally perpetuating or re-publishing the breach.  Particularly in a case where the original email was sent to a number of recipients, a “reply” could easily become a “reply to all” and have the effect of re-sending (and announcing) PHI to new unintended third parties. Such a result could make it much more difficult for the original sender to ascertain the total scope of the security breach in its subsequent remediation and compliance efforts.

Moreover, such PHI Warnings should only be used in the context of overall HIPAA/HITECH policies and procedures of the sender.  For example, if the unintended recipient were a BA or SC of the sender, the attempt to comply with the sender’s instructions could actually conflict with, and result in a breach of, the parties’ Business Associate Agreement (“BAA”).

The following sample avoids the problem described above by providing an alternative method of notifying the original sender but perhaps may still be “too little, too late,” as a serious PHI security breach may have already occurred:

This email and its attachments may contain privileged and confidential information and/or protected health information (PHI) intended solely for the use of ______________ and the recipient(s) named above.  If you are not the recipient, or the employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any review, dissemination, distribution, printing or copying of this email message and/or any attachments is strictly prohibited.  If you have received this transmission in error, please notify the sender immediately at 800-xxx-xxxx and permanently delete this email and any attachments.

Finally, if PHI is sent to a recipient prior to the parties’ execution of a compliant BAA and implementation of policies and procedures to protect PHI properly, a PHI Warning is unlikely to mitigate the liability of the sender (or recipient) for a security breach under HIPAA/HITECH.