HIPAA, HITECH & HIT :: Fox Rothschild LLP

On February 7, 2013, our partner Keith McMurdy, Esq., posted an excellent entry on the Employee Benefits Blog of Fox Rothschild LLP that merits republishing for our readers as well. The post outlines some direct effects of the new HIPAA Omnibus Rule on employers and their health plans. 

Keith McMurdy writes as follows:

On January 25, the new (final?) rules about HIPAA Privacy under the HITECH Act were issued in the Federal Register.  While the effect of the new rules may not be to substantially change the way HIPAA privacy is viewed, there are a number of action items for employers as plan sponsors that have to be accomplished when these rules go into effect.

There are two pieces of good news.  The first is that the general purpose of compliance remains the same.  Plan sponsors have to ensure PHI is properly protected, refrain from impermissible disclosures and provide notices of security breaches.  The second is that the earliest possible deadline for compliance with the new rules is September 23, 2013, so there is some time to prepare.  But it is not a bad idea to start preparing now.  So let's consider the key changes.

1. Tougher Security Breach Notification Standard

Under the old rule, the standard for notification to participants of a security breach was only necessary if the release of information "posed a significant risk of financial, reputational or other harm" to a covered person.  Now, that standard is tightened to apply to ANY security breach unless the plan sponsor can prove "a low probability that the [PHI] has been compromised based on a risk assessment."  This should encourage plan sponsors to tighten their security breach protections because any release, even things like accidental e-mails, can potentially become reportable events.  So the first step in compliance would be to review security standards and document steps taken to avoid security breaches.

2. Tougher Standards for Business Associates Agreements

Because the new rule provides for penalties to a covered entity for breaches by business associates, the default position is that plan sponsors should be much more concerned about how compliant their business associates really are.  Where in the past, plan sponsors may have felt comfortable simply handing off certain protection functions to service providers, the new rule makes it pretty clear that plan sponsors have to actually know that their business associates are HIPAA compliant and diligently seek to confirm that compliance.

3.  New Privacy Notices for 2013 Open Enrollment

The new rule also requires that plan sponsors add or amend their privacy notices:

1. The notice must specifically state that the covered health plans are required to obtain plan participants' authorization to use or disclose psychotherapy notes, to use PHI for marketing purposes, to sell PHI, or to use or disclose PHI for any purpose not described in the notice as well as a statement explaining how plan participants may revoke an authorization.
2. The notices must state that the plans (other than a long-term care plan) are prohibited from using PHI that is genetic information for underwriting purposes
3. The notice must inform plan participants of their right to receive a notice when there is a breach of their unsecured PHI.

The new rules makes it clear that since this new language is a "material change," plan sponsors are required to distribute this revised notice, even if they had just recently sent the old notice. 

4. Genetic Information and the GINA Notice

The Genetic Information Non-Discrimination Act of 2008 (GINA) prohibits discrimination based on genetic information.  The HIPAA Privacy Rule now similarly prohibits HIPAA-covered plans from taking genetic information into consideration when offering incentives or discounts through a health risk assessment.  Because this modification of the Privacy Rule materially affects how a plan may use PHI, the HIPAA Privacy Rule requires that plan participants be informed in the plan's privacy notice of the prohibition on the use of PHI for underwriting purposes.  See the second item under Part 3, above.

So in the midst of our struggles to comply with PPACA, plan sponsors should not forget about HIPAA medical privacy concerns.  Start pulling together privacy notices, business associates agreements and plan documents for review and amendment.  Review your security practices to avoid even accidental breaches.  And be prepared to issue new notices as necessary for your next open enrollment.  For more detailed information about HIPAA and HITECH Compliance, please make sure to check out our HIPAA Blog as well.  More information means better compliance, which is always a good thing.

• Print
• Comments
• Trackbacks
• Share Link

In the wake of the post-Omnibus Rule (the “Rule”) frenzy, it is necessary to consider some collateral effects that the Rule may have brought about with respect to compliance with HIPAA/HITECH.  The Office of Civil Rights (“OCR”) summaries of closed investigations (the “Summaries”) posted on the U.S. Department of Health and Human Services (“HHS”) list (the “HHS List”) of breaches of unsecured PHI affecting 500 or more individuals (“List Breaches”) has been a source of meaningful guidance as discussed in previous posts on this blog.  For example, the summary (the “Tennessee Summary”) for a State of Tennessee Sponsored Group Health Plan breach (the “Tennessee Breach”) continues to provide an excellent road map of pre-Omnibus Rule actions for covered entities (“CEs”) or business associates (“BAs”)  that suffer List Breaches or PHI breaches of any size.  

While the Tennessee Breach itself dealt with mishandling of paper PHI and not electronic health records, the Tennessee Summary does give direction for early intervention by affected CEs or BAs before HHS knocks on their door.  However, while there was excellent compliance in the aftermath of the Tennessee Breach, advice from pre-Rule Summaries cannot be used without carefully taking into account the new requirements respecting PHI breaches under the Rule.  As will be further discussed below, the most important new requirement in this regard is the necessity for a CE, BA or subcontractor to analyze the level of risk of compromise of the affected PHI.

The Tennessee Summary

The Tennessee Breach occurred on October 6, 2011 and involved approximately 1,770 enrollees with respect to names, addresses, birth dates and social security numbers.  According to the Tennessee Summary, an equipment operator at the state’s postal facility set the machine to insert four (4) pages per envelope instead of one (1) page per envelope, which caused the PHI of four individuals to be sent to one address per envelope.

The Tennessee Summary states that the CE did the following (with some parenthetical observations from the blog author):

1.         Retrained the equipment operator (suggesting that suspension and/or termination are not the only actions in appropriate cases with respect to dealing with employees involved with a PHI breach where rehabilitation is possible).

2.         Submitted a breach report to HHS (resulting in the posting on the HHS List).

3.         Provided notice to affected individuals.

4.         Notified the media.

5.         Created a toll-free number for information regarding the incident.

6.         Posted notice on the CE’s website.

7.         Modified policies to remove the social security number on templates for future mailings (a good policy whether paper or electronic PHI is involved).

8.         Offered identity theft protection to the affected individuals (a common decision for CEs and BAs based on the type of information that may have been compromised).

9.         Following the OCR investigation, reviewed its policies and procedures to ensure adequate safeguards are in place (with this disclosure in the Tennessee Summary, there is a suggestion that OCR continued to exercise some oversight or received reports after the investigation was finished).

The Tennessee Breach in Retrospect after the Omnibus Rule

There was no discussion in the Tennessee Summary of any analysis by the CE of the probable “risk of harm” from the Tennessee Breach under the proposed rule standards that prevailed prior to the Rule.  However, it is clear that, in the post-Rule period, a risk analysis of the probability that the PHI “has been compromised” would be necessary for the CE; failure to do such an analysis may be a violation in itself.   Under the Rule, there is a presumption that a breach of PHI has taken place unless there is a low probability that the PHI has been compromised.  The four factor analysis that would have been required of the CE in the Tennessee Breach case had it happened after the effectiveness of the Rule encompasses the following (with parenthetical comments):

(i)         Identifying the nature and extent of the PHI involved, including types of identifiers and risk of re-identification (i.e., names, addresses, birth dates and social security numbers);

(ii)        Identifying the unauthorized person(s) who impermissibly used the PHI or to whom the disclosure was made (in the case of the Tennessee Breach, subscribers to the health plan who were not individuals that had an obligation of their own to comply with HIPAA/HITECH);

(iii)       Determining whether the PHI was actually acquired or viewed or, alternatively, if only the opportunity existed for the PHI to be acquired or viewed (in the case of the Tennessee Breach, there is a likelihood that numerous recipients of the PHI or others without the right to view such PHI did in fact view it); and

(iv)       The extent to which risk to the PHI was mitigated (items 3, 4, 5, 6 and 8 above appear to be potential mitigating factors).

As stated in an earlier postings here and here, no Summary has been posted by OCR for any List Breach that occurred later than October 6, 2011. Additionally, no Summary has been posted by OCR for any List Breach involving a BA that occurred later than February 1, 2011.  While the Summaries continue to provide highly useful information for CEs, BAs and subcontractors relative to confronting PHI breaches, large and small, they must be analyzed with appropriate care and attention paid to changes brought about by the Rule.  It may be that a concern of OCR about potential confusion which could be created by publishing pre-Rule Summaries has prevented OCR from making recent postings of Summaries on the HHS List.

• Print
• Comments
• Trackbacks
• Share Link

This blog series has been following breaches of Protected Health Information (“PHI”) that have been reported on the U.S. Department of Health and Human Services (“HHS”) ever-lengthening parade list (the “HHS List”) of breaches of unsecured PHI affecting 500 or more individuals (the “List Breaches”). As of January 1, 2013 (and as of today), there were 525 postings of List Breaches.

A previous blog post reported that, on February 24, 2012, HHS listed the 400th List Breach. As the first postings on the HHS List occurred on March 4, 2010, an average of about 200 postings of List Breaches were recorded in each of its first two years. However, in the 10-plus months between February 24, 2012 and January 1, 2013, 125 additional List Breaches were posted, which on an annualized twelve month period basis would translate into 150 List Breaches. It is not yet clear whether the lower volume of List Breaches since February 2012 is attributable to increased caution and better practices in protecting PHI on the part of covered entities (“CEs”) and business associates (“BAs”), greater use of encryption and other practices to protect PHI, slower postings of List Breaches by HHS, other factors or a combination thereof.

Of the total of 525 List Breaches posted through January 1, 2013, there were approximately 274 (52.2%) events shat attributed the type of breach to involve “theft” of all kinds, including laptops, other portable electronic devices, desktop computers, network servers, paper records and others. If the 60 additional List Breaches listing the category of “loss” of all types is added to the 274 “theft” events, the total for the two categories swells to approximately 334 or 63.6% of the 525 posted List Breaches. Combining the two categories appears to make some sense since it is likely that a number of the List Breaches categorized as a “loss” event may have involved some theft aspects.

Even more revealing may be the fact that approximately 193 (36.8%) of the 525 List Breaches listed the cause or partial cause of the breach to be “theft” or “loss” respecting laptops or other portable electronic devices.  Theft or loss of laptops or other portable electronic devices thus constituted 51.6% of the 334 List Breaches that involved reported theft or loss. 

Over the last 10 months since the number of List Breaches passed 400, it appears that the relative percentage of List Breaches attributable to theft and loss is trending mildly upward. Of the 125 additional reported List Breaches, approximately 86 or 68.8% listed theft or loss as the source of the PHI breach. The number of such 125 List Breaches that reported theft or loss of laptops or other portable electronic devices was 37 or 29.6%, a lower percentage than the 36.8% for all 525 List Breaches.  The sample sizes are relatively small, so that further following of these numbers is warranted.

My partner, William Maruca, Esq., recently posted a blog entry highlighting the fact that the first breach settlement announcement by HHS in 2013 (the “2013 Settlement”) involved a $50,000 fine based on theft of a laptop containing 441 patients’ unencrypted data. It was the first fine by HHS for a PHI security breach that involved fewer than 500 individuals and, therefore, was below the threshold for a List Breach. 

While the parade of List Breaches continues to lengthen, the 2013 Settlement underscores the fact that there are many more PHI security breaches involving fewer than 500 individuals. The PHI security breaches that are not List Breaches are receiving increased scrutiny by HHS. As this blog series has emphasized in the past, it may become more a question of when a CE or BA will suffer a PHI security breach and how severe the breach will be, rather than if it will suffer a breach. All CEs and BAs must exercise vigilance and use recommended protection procedures to avoid all PHI security breaches, not just large List Breaches. The continuing proliferation of the use of portable electronic devices to receive, access and store PHI should be monitored, as it can be expected that this type of security breach will continue to expand.

• Print
• Comments
• Trackbacks
• Share Link

Much has been written about the circumstances surrounding the agreement of Massachusetts Eye and Ear Infirmary (“MEEI”) to pay the U.S. Department of Health and Human Services (“HHS”) the sum of $1.5 million to settle potential violations involving an alleged security breach (the “2010 Breach”) of Protected Health Information (“PHI”) under HIPAA. However, relatively little has been written that the 2010 Breach was the second of what may be three significant PHI breaches experienced by MEEI within the last three years. 

This blog series has been following breaches of PHI that have been reported on the HHS list (the “HHS List”) of breaches of unsecured PHI affecting 500 or more individuals (the “List Breaches”). Currently HHS has posted 502 List Breaches. The first List Breach posted for MEEI on the HHS List (the “2009 Breach”) was reported to have occurred by reason of a theft on November 10, 2009 that was said to have affected 1,076 individuals. 

The 2010 Breach was reported to have occurred on February 19, 2010, only slightly more than three months after the 2009 Breach. According to the HHS List, it affected 3,621 individuals. A statement from MEEI on its Web site reports that HHS review of the 2010 Breach was “triggered by the hospital’s proactive self-reporting of a doctor’s unencrypted laptop being stolen while he was traveling abroad in 2010.”  MEEI further stated that it “has no indication that any patients were harmed by this isolated incident.” Query: How “isolated” was the incident in view of the fact that the 2010 Breach occurred soon after the 2009 Breach?

Potential entries in the PHI Breach Parade did not end for MEEI, however, with the 2010 Breach. On April 16, 2012, during a time that MEEI was likely to have been heavily negotiating with HHS about the $1.5 million payment, MEEI posted the following statement on its Web site (the “2012 Statement”), about which relatively little was reported in the media:

On March 5, 2012, the Quincy, Massachusetts, Police Department informed [MEEI] that they were investigating a [MEEI] employee for inappropriately using the names, Social Security numbers and dates of birth of certain individuals, some of whom were believed to be MEEI patients. . . .

While [MEEI] is only aware of four individuals whose personal information was actually misused, as a precaution we are notifying, by mail,  approximately 3,600 patients whose Social Security numbers were available to the former employee in the course of performing her assigned duties.

The 2012 Statement went on to say that MEEI will “provide one year of free credit monitoring to potentially affected individuals to protect them against possible harm resulting from this incident.”  [Emphasis supplied.]

It is perplexing that nothing about the 2012 Breach has been posted on the HHS List to this point, although

(i)         the MEEI Web site reported the event more than six months ago,

(ii)        the number of “potentially” affected individuals far exceeded the 500 minimum threshold for placement on the HHS List, and

(iii)       the period during which MEEI was dealing with HHS after the 2010 Breach overlapped with the occurrence and aftermath of the 2012 Breach.

Queries: Did MEEI not report the 2012 Breach to the HHS List because it ultimately concluded that the 2012 Breach did not involve more than 500 individuals even though it does offer credit monitoring to more than 3,600 individuals? (As a potential third time marcher in the Breach Parade, MEEI was certainly aware of its reporting obligations to HHS.) In other words, did MEEI determine by a reasonable risk assessment that the potential access by the former employee to PHI of 3,600 individuals was not sufficient to require a report for the HHS List, absent more substantial proof that the PHI of 500 or more individuals was actually accessed and/or that 500 or more individuals were actually harmed by such access?

Alternatively, is it simply possible that HHS has been slow in reporting additional List Breaches on the HHS List, similar to a suggestion in an earlier post in this blog series that HHS may be slow in posting Summaries of cases that it has investigated and closed?

This blog series will continue to monitor developments in this area.

• Print
• Comments
• Trackbacks
• Share Link

This blog series has been following breaches of Protected Health Information (“PHI”) that have been reported on the U.S. Department of Health and Human Services (“HHS”) list (the “HHS List”) of breaches of unsecured PHI affecting 500 or more individuals (the “List Breaches”). Currently HHS has posted 498 List Breaches reported by covered entities (“CEs”), of which approximately 102 (20.5%) have been reported as also involving business associates (“BAs”).  

As stated in an earlier posting in this blog series, the HHS List includes valuable guidance for CEs and BAs in the form of “brief summaries of the breach cases that OCR [the federal Office of Civil Rights] has investigated and closed. . . .” To date, the HHS List has posted approximately 96 summaries (“Summaries”) respecting the 498 current postings for CE marchers in the Breach Parade (which include some multiple postings of List Breaches where a single alleged breach by a BA caused a number of CEs to have List Breaches). Of the 96 List Breaches for which Summaries have been posted by OCR, 19 (19.8%) were reported as involving BAs.  

Unfortunately, since May 10, 2012, it would appear that only one new Summary has been posted by OCR, which relates to List Breach number 337 reported by Indiana University School of Optometry as CE. According to the OCR Summary, that List Breach affected 757 individuals and resulted in accessibility over the Internet of patient names, birth dates, medical history, diagnoses and treatment plans for the period from August 8, 2011 through September 9, 2011.  

No Summary has been posted by OCR for any List Breach that occurred later than October 6, 2011, already a year ago. Additionally, no Summary has been posted by OCR for any List Breach involving a BA that occurred later than February 1, 2011, as discussed in an earlier posting in this blog series. 

Moreover, the substantial majority of Summaries posted by OCR relate to List Breaches affecting fewer than 10,000 persons. While this Summary history may be reflective of the population of List Breaches as discussed in an earlier post in this blog series, the largest number of affected individuals for which a Summary has been posted to date is 83,000. That List Breach, which occurred on November 12, 2009 and was number 21 on the HHS List, related to unauthorized access/disclosure of paper information and was reported by Universal American in New York as the CE with Democracy Data & Communications, LLC as an involved BA. In light of the existence of complex List Breaches that reportedly affect hundreds of thousands or even millions of individuals, Summaries respecting larger List Breaches may be helpful in providing new and different insights for CEs and BAs.

There is great value in the guidance provided by the posted Summaries for educating CEs and BAs as to what OCR may deem to be significant with respect to List Breaches. OCR Summaries may provide analysis not only of the List Breaches themselves but also subsequent actions taken by the affected CEs and BAs. However, because the paucity of recent postings of Summaries can dampen their overall educational benefit, OCR is encouraged to increase the frequency, number, currentness and diversity of the Summaries posted.  

• Print
• Comments
• Trackbacks
• Share Link

We have seen substantial delay in publication of the long-awaited HIPAA/HITECH Omnibus Final Rule, sometimes affectionately referred to as the “Mega Rule.” Health Data Management reported on June 6 of this year that Farzad Mostashari, national coordinator for health information technology, had said that the HIPAA Mega rule, which will include modifications to the privacy and security rule, breach notification and enforcement, “should’ be published by “the end of summer.” After previous disappointments and delays in regulations in other contexts from the U.S. Department of Health and Human Services, however, it may be noteworthy that Mr. Mostashari was said to have used the word “should,” and did not specify the summer of what year, e.g., 2012, 2013, 2014, etc.

Now there has been some scuttlebutt that the Mega Rule may not surface until after Election Day, November 6, 2012, perhaps because of concerns about potential political implications. Even as we wait, there is some justifiable trepidation as to the number of pages of regulations that will be published. The recently-issued CMS final requirements that hospitals and other providers must meet to receive funding under the second phase of the federal electronic health-record incentive program, which is a relatively narrow topic, constituted 672 pages.

What can we expect from HHS on the Mega Rule? Well, we can register our own speculations. Marla Durben Hirsch, Editor of Medical Practice Compliance Alert published by DecisionHealth, Inc., informed me of a clever contest that is being conducted on line by idexperts as to the Mega Rule. Any household can put in a single entry as to the month, day and year that the Mega Rule will be published in the Federal Register. In the event of a tie, the number of pages in the Mega Rule will serve as a first tie breaker. The prize for first place is a contribution of $2,500 in the name of the winner to the Wounded Warrior Project, a $200 Amazon gift card, a year’s subscription to RADAR published by idexperts and, of course, internet bragging rights.

So, with the approach of Labor Day and the waning days of summer, join the contest and make the Mega Rule wait more enjoyable!

• Print
• Comments
• Trackbacks
• Share Link

A recent posting by our partner Christina Stoneburner, Esq., on the Fox Rothschild Employment Discrimination blog discussed the need by employers to limit protected health information (“PHI”) that they provide with respect to medical examinations of employees and job applicants to the least amount of medical information necessary for evaluation.  Interestingly, the focus of her posting was not disclosure under HIPAA/HITECH, or even state statutes regulating the use of PHI; it dealt with allegations that employees and job applicants had been sent for unnecessary medical examinations in violation of the Americans with Disabilities Act and the Genetic Information Nondisclosure Act. 

Christina summarizes her posting with the following:

In short, the least amount of medical information necessary to evaluate an employee is what should be provided to examiners.  For example, if you have an employee being evaluated to see if he can perform the essential functions of his job after a shoulder injury, the examining doctor should not be given the medical records relating to his planter's wart being removed.

In her discussion, Christina noted our blog series respecting large breaches and a particular recent posting by Elizabeth Litten, Esq.  Christina also mentioned that the complaint on which her posting focused had alleged, "the employer often turned over Workers' Compensation records . . . , even where those records were not relevant to the examination.”

Workers’ compensation is an area where Christina’s posting comes full circle to our blog’s focus on HIPAA;  as HIPAA directly confronts such area by making it clear that only the “minimum necessary” disclosure of PHI is permitted by covered entities without patient authorization pursuant to 45 CFR 164.512(l):

A covered entity may disclose protected health information as authorized by and to the extent necessary to comply with laws relating to workers' compensation or other similar programs, established by law, that provide benefits for work-related injuries or illness without regard to fault.

The Office of Civil Rights of the U.S. Department of Health and Human Services (“HHS”) has published further advice on how the workers’ compensation Regulation works:

Covered entities are required reasonably to limit the amount of protected health information disclosed . . . to the minimum necessary to accomplish the worker’s compensation purpose. Under this requirement, protected health information may be shared for such purposes to the full extent authorized by State or other law. 

In summary, to avoid needless and costly violations, employers and other covered entities must be constantly aware of the need to comply with multiple regulatory schemes that may govern PHI, beyond those of HIPAA and State laws governing PHI;  there is not unlimited flexibility to disclose PHI even within the context of State-governed workers’ compensation matters. When the long-anticipated “mega-regulation” regarding HIPAA/HITECH is finally published by HHS, special attention must be given to potential changes that may further tighten the “minimum necessary" standards.

• Print
• Comments
• Trackbacks
• Share Link

A recent post in this blog series has discussed the valuable guidance for covered entities (“CEs”) and business associates (“BAs”) that can be contained in the U.S. Department of Health and Human Services list (the “HHS List”) of breaches of unsecured PHI affecting 500 or more individuals (“List Breaches”), especially within the “brief summaries of the breach cases that OCR [the federal Office of Civil Rights] has investigated and closed. . . .” (“Summaries”). 

An example is List Breach number 265 (“LB 265”), which reported a theft of a laptop in Alaska from Trisha Elaine Cordova,  a BA of Catholic Social Services (“CSS”), the related CE, on February 1, 2011. The laptop reportedly contained approximately 493 adoption home studies affecting 1,700 individuals.  LB 265 also happens to be the most recent List Breach involving a BA for which a Summary has been provided by OCR. (As an aside, LB 265 actually appears on line 266 of a chronological schedule of List Breaches because the first line was used by HHS for column headings.)

According to the LB 265 Summary: “The protected health information involved in the breach included names, addresses, phone numbers, dates of birth, driver’s license numbers, and health information; 20% of the files contained social security numbers.”

While the PHI involved covered a broad range, there was nothing unusual about the items. What makes LB 265 Summary worthy of discussion is its final two sentences:

The covered entity did not have a business associate contract with the contractor at the time of the breach. OCR’s investigation resulted in the covered entity developing policies and procedures for obtaining business associate contracts when required by the Privacy Rule and verifying that the contractor involved was not an independent covered entity. 

The LB 265 Summary identified what OCR deems to be two related important elements of compliance with the HHS Privacy Rule when a CE contracts with another person with respect to PHI - the first of which is obvious and well-known but the second of which is more subtle and less recognized: 

1.   The requirement that a CE have a business associate agreement or contract (“BAA”) with the contractor and

2.   The need for the CE to verify in what capacity the contractor is serving with respect to the CE’s PHI, that is, whether the contractor is only a BA or is a CE as well as a BA (a “BA/CE”). 

In its LB 265 Summary, OCR is pointing out its expectation that a contractor like Ms. Cordova may be a BA with respect to the PHI of CSS, but, depending upon her status and activities with respect to such PHI, she could also be a BA/CE. Furthermore, it is viewed by OCR to be the obligation of CSS as a CE (and presumably Ms. Cordova as a BA as well) to have policies and procedures in place to verify if Ms. Cordova was a BA/CE with respect to the PHI.

Ms. Cordova was apparently provided with PHI by CSS for the purpose of conducting adoption home studies for CSS respecting applicants seeking to adopt children through the auspices of CSS. It is conceivable that the CSS PHI in Ms. Cordova’s hands could have been reformulated and processed by her in her BA activities to such an extent that she could have been a BA/CE.  

The discussion by OCR in LB 265 of the need by a CE for a BAA under the HIPAA Privacy Rule in the same sentence as the verification activity is consistent with OCR’s sentence in its “OCR Privacy Brief” section on CEs as follows: “A covered entity can be the business associate of another covered entity.”  In requiring a CE to establish policies and procedures to verify whether a BA is also a BA/CE, OCR would appear to have extended CE obligations. However, because no further comment was made on the matter by OCR in LB 265, it would appear that Ms. Cordova was not deemed to be a BA/CE.

Separate and apart from OCR’s position on verification, unless a CE (and its contractor as well) has done sufficient analysis of the status of its BA and the character of the BA’s activities, how can the CE properly draft applicable provisions of its BAA? One form of BAA does not necessarily fit all BAs, as much as CEs would like to believe. For example, if a BA of a CE is also a BA/CE with respect to specific PHI, the BA/CE has primary reporting and/or documentation obligations to HHS in the event of a privacy breach, even to the extent of a separate report to HHS for a List Breach. If a BA/CE were to fail to notify HHS of a List Breach, the BA/CE may incur significant penalties and sanctions. 

The BAA should take cognizance of whether the BA is deemed by the parties to be a BA/CE and in such case, discuss procedures and methods to confront, among other things, a List Breach, other breaches and the parties' relative investigation, documentation and reporting responsibilities under HIPAA/HITECH, and even data breach insurance. Without proper coordination, in the event of a List Breach or other breach, there can be (i) unnecessary and costly duplication of investigation efforts and evaluation of risk of harm, (ii) inappropriately inconsistent reporting of the event to affected individuals, HHS and state agencies, (iii) inconsistent statements to the media, etc. 

In summary, the OCR deems it a requirement for a CE to verify the status of its BA and the character of the BA’s activities with respect to the CE’s PHI; in turn such CE and BA and their respective counsel should use the verification process to develop provisions in the BAA. 

• Print
• Comments
• Trackbacks
• Share Link

As part of our healthcare practice, we frequently field questions from individuals from the general public about alleged violations of the HIPAA law that have affected them.  Many people have been in the unfortunate situation where they believe that their protected health information (PHI) has been compromised inappropriately, and they want to know what they can do about it.  Such individuals are often surprised and deeply disappointed to learn that the HIPAA law does not provide a "private right of action" in the event of unlawful  access, use or disclosure of PHI.  That means that under HIPAA, an individual cannot file a private lawsuit  to recover damages against a party that  allegedly improperly accessed, used or disclosed their PHI.  

Such improper disclosures, however, may violate other state or federal laws or common law rights of privacy, so that  individuals may wish to reach out to an attorney who is licensed in their state of residence to determine whether they have any specific claims, rights or remedies related to the improper access, use or disclosure.   The statute of limitations on such claims may be very short-lived, so those who wish to pursue such potential claims should do so without undue delay. 

Under HIPAA, if you feel that your PHI has been accessed, used or disclosed inappropriately, you may contact the Office of Civil Rights within the U.S. Department of Health and Human Services (HHS) to file a complaint (go to the OCR website to acquire a form that you may fill out online to file a complaint).  Additionally, each state's Attorney General is authorized to bring lawsuits under HIPAA on behalf of individuals whose medical records have been improperly disclosed, and to share any proceeds of such suits with the affected individuals.   

While it may be viewed as unfair by victims of inappropriate access, use or disclosure of PHI that they cannot sue under HIPAA themselves, they should act promptly to seek assistance of HHS or their state's Attorney General to assert what rights they do have under HIPAA.

• Print
• Comments
• Trackbacks
• Share Link

As reported in the Houston Chronicle on June 28, 2012, an unencrypted laptop computer containing data on more than 30,000 patients of the University of Texas MD Anderson Cancer Center (“MD Anderson”) was stolen from a faculty member’s home on April 30, 2012. The stolen laptop scenario has become all too familiar (this blog series has reported on the high proportion of breaches resulting from the theft or loss of laptops or other portable devices), and even the high number of patients affected pales in comparison with the roughly 5 million patients affected in the SAIC breach. 

What caught my attention was the fact that MD Anderson posted notice of the breach on its website on June 28^th, exactly 59 days after the theft took place. Pursuant to the interim final breach notification regulations, a covered entity must provide notice to affected individuals “without unreasonable delay and in no case later than 60 calendar days after discovery of the breach.”   Although an exception exists for prompt notification where a law enforcement official tells the covered entity (or business associate) that notification would impede the criminal investigation or cause damage to national security, the time required for performance of a criminal investigation is, presumably, less than 60 days. MD Anderson’s website notice gives every indication that it acted promptly and investigated thoroughly:

MD Anderson was alerted to the theft on May 1 and immediately began a thorough investigation to determine what information was contained on the laptop. After a detailed review with outside forensics experts, we have confirmed that the laptop may have contained some of our patients’ personal information, including patients’ names, medical record numbers, treatment and/or research information, and in some instances Social Security numbers.

Would patients have been better off knowing their data might have been illegally accessed prior to day 59 following the breach, or does the benefit of a thorough investigation outweigh the risk that earlier notification would have benefited patients? 

Navigant Consulting released an “Information Security and Data Breach Report” in April of this year that found that the average number of days between discovery of a breach involving medical records and disclosure was 63 days in the third quarter of 2011, compared with 65 days in the fourth quarter of 2011, an increase of 3%, despite the requirement that applicable HIPAA law requires patients to be notified “without unreasonable delay” and no later than 60 days following the breach. When analyzed in terms of the entity reporting the breach, “[h]ealthcare entities registered an 84% increase between discovery and disclosure from 51 days in Q3 to 94 days in Q4.” 

From this perspective, it seems MD Anderson did pretty well. Had the faculty member delayed his or her original notification to MD Anderson regarding the theft, however, MD Anderson might have been hard-pressed to meet the 60 day deadline. Covered entities such as MD Anderson (and business associates who provide protected health information to subcontractors) should be reminded that prompt communication and investigation is essential to meeting the “without unreasonable delay and in no case later than 60 calendar days” notification requirement, and must balance the need to get the facts straight with the need to alert affected individuals, and, where applicable, the Department of Health and Human Services and state agencies, as quickly as possible. 

• Print
• Comments
• Trackbacks
• Share Link

This blog series has been following breaches of Protected Health Information (“PHI”) that have been reported on the U.S. Department of Health and Human Services (“HHS”) list (the “HHS List”) of breaches of unsecured PHI affecting 500 or more individuals (the “List Breaches”). As reported in a recent posting, the HHS List includes guidance that covered entities (“CEs”) and business associates (“BAs”) can use in the event of a PHI security breach in the form of brief summaries (“Summaries”) of the breach cases that the federal Office of Civil Rights (“OCR”) has investigated and closed. 

On June 26, 2012, HHS and OCR reported in a press release (the “Press Release”) that Alaska Department of Health and Social Services, the state Medicaid agency (“Alaska Medicaid”), had agreed to pay HHS $1.7 million with respect to a resolution of possible violations of HIPAA, which included the compromising of PHI of 501 affected individuals by means of a theft that occurred on October 12, 2009 of an “Other Portable Electronic Device” (the “2009 Breach”).  Alaska Medicaid has also agreed, among other things, to take corrective action to properly safeguard the PHI of Medicaid beneficiaries. An official statement by Alaska Medicaid Commissioner Bill Streur relating to the resolution with HHS of the 2009 Breach is posted on the Alaska Medicaid Web site.

While the Alaska Medicaid resolution has not yet been reported in a Summary on the HHS List, visiting the HHS List reveals that the 2009 Breach was originally posted by HHS in the very first batch of List Breaches on February 22, 2010. What is also interesting is that Alaska Medicaid had a later separate List Breach, reportedly involving the compromising of PHI of approximately 2,000 affected individuals by means of a theft on September 7, 2010 of an “Other Portable Electronic Device” (the “2010 Breach”). The 2010 Breach was reported as involving Alaskan AIDS Assistance Association as a BA.

However, it is difficult to identify readily that the 2009 Breach and the 2010 Breach involved the same CE, Alaska Medicaid. The 2009 Breach is alphabetically indexed under “Alaska Department of Health and Social Services,” while the 2010 Breach is indexed under “State of Alaska, Department of Health and Social Services.” It would be helpful for HHS to endeavor to use CE and BA names consistently to assist in analysis by those visiting the HHS List.

The Press Release of HHS regarding the 2009 Breach quotes OCR Director Leon Rodriguez: “This is OCR’s first HIPAA enforcement action against a state agency and we expect organizations to comply with their obligations under these rules regardless of whether they are private or public entities.”

It commendable that OCR enforces compliance with HIPAA against private and public entities with the same vigor. Query, however, to what extent is it wise for HHS to exact a $1.7 million payment from Alaska Medicaid? Alaska Medicaid oversees a program to provide medical care to the indigent in Alaska, a program that is funded by the taxpayers of Alaska and the U.S. In almost all states, Medicaid programs are financially embattled and under severe economic and political stress. The large payment by Alaska Medicaid to HHS is an enforced shifting by a state agency of “other people’s money” to HHS that may have to be replaced by increased taxes or reductions in future benefits for Alaskan indigents.

This blog series will continue to review various of the OCR Summaries and resolutions to give guidance to CEs and BAs.  We will also monitor future developments with respect to the 2010 Breach.

• Print
• Comments
• Trackbacks
• Share Link

This blog series has been following breaches of Protected Health Information (“PHI”) that have been reported on the U.S. Department of Health and Human Services (“HHS”) list (the “HHS List”) of breaches of unsecured PHI affecting 500 or more individuals (the “List Breaches”). Currently HHS has posted 435 List Breaches affecting marchers in the ever-lengthening parade, although the number of marchers has remained unchanged for several weeks.

The most recent posting on this blog series by my partner Elizabeth Litten, Esq., discussed a recent presentation by Linda Sanches, Office of Civil Rights ("OCR") Senior Advisor and the lead on HIPAA Compliance Audits, on the progress of the 2012 HIPAA Privacy and Security Audit Program.  As pointed out in the earlier posting, the presentation by Ms. Sanches included some general tips that covered entities (“CEs”) and business associates ("BAs") can use to reduce the likelihood of HIPAA violations, one of which is PHI security breaches.

The HHS List includes additional focused guidance from OCR that CEs and BAs can use in efforts to avoid, or in the event of, a PHI security breach (even if it does not rise to the level of a List Breach) in the form of  brief summaries of the breach cases that OCR has investigated and closed. To date, the HHS List has posted approximately 93 summaries (“Summaries”) out of the 435 postings respecting marchers in the Breach Parade (which include some multiple postings of List Breaches where an alleged breach by one BA caused a number of CEs to have List Breaches). Of the 93 List Breaches for which Summaries have been prepared by OCR, 18 (approximately 20%) were reported as involving BAs.  

These Summaries can provide valuable clues for CEs and BAs on how to deal with a HIPAA security breach. One example is contained in a Summary respecting a List Breach reported on January 29, 2010 by Thrivent Financial for Lutherans (“Thrivent”) in Wisconsin. The List Breach, which did not report an involved BA, related to a theft of laptops that contained the PHI of approximately 9,400 individuals. (The original report by Thrivent had stated that approximately 9,500 individuals had been affected.) The OCR Summary included the following statement:

The protected health information involved in the breach included name, address, date of birth, social security number, prescription drugs, medical condition, age, weight, etc. Thrivent provided OCR with additional controls to remedy causes of security breach at various stages of implementation. The actions taken by the CE prior to OCR’s formal investigation brought the CE into compliance.

OCR clearly viewed it as noteworthy and commendable that Thrivent had voluntarily taken necessary steps for compliance before OCR conducted its investigation. That should be an alert for those who suffer HIPAA breaches that all appropriate and reasonable remedial measures should be undertaken promptly to demonstrate and document compliance before OCR comes knocking on the door of the CE. This blog series will continue to review various of the OCR Summaries as to guidance that they may contain respecting PHI security breaches.

• Print
• Comments
• Trackbacks
• Share Link

This blog series has been following the ever-growing parade of large security breaches of Protected Health Information (“PHI”). Within the last week, The Boston Globe reported that venerable Boston Children’s Hospital (the “Hospital”), the primary pediatric teaching hospital of Harvard Medical School, has notified the public media and affected individuals of a large PHI security breach (the “Breach”). The Globe article by Chelsea Conaboy reported that the Breach occurred when an employee of the Hospital, while at a conference in Buenos Aires, Argentina, “lost a laptop containing a file with information about 2,159 patients, including names, birth dates, diagnoses, and treatment information.” The laptop, which was reported by the Hospital as having been password protected but not encrypted, did not include financial data or Social Security numbers.

The Breach is one of the first reported instances of the loss or theft outside of the United States of a laptop that contained unsecured PHI. Nonetheless, it is uncertain as to whether the PHI stored on the computer has been or will be inappropriately accessed and used.

The Breach has not yet been reported on the U.S. Department of Health and Human Services list (the “HHS List”) of reported breaches of unsecured PHI affecting 500 or more individuals. Nor does a visit to the Hospital's Web site and its on-line “Newsroom” and Press Releases for 2012 reveal any reference to the Breach.  

The Hospital does have a Code of Conduct on its Web site that contains a short reference to “Patient Privacy and Confidentiality.” However, an endeavor to open the links under that heading to referenced “Patient Health Information Policies” and “Information Security Policies” only results in “Oops! There was an error finding that page” and instructions to try again. Moreover, the Code of Conduct has a bottom line on each page that recites a publication date of 12/06, well before the enactment of the federal HITECH Act.

A number of conclusions can be drawn from the information currently available regarding this unfortunate Breach. If the Hospital takes “this incident and the protection of protected health and personal information extremely seriously,” as the Hospital’s chief information officer was quoted in the Globe article, the Hospital should, at a minimum, as many other covered entities that have suffered PHI security breaches have done, prominently place its press release respecting the Breach on its Web site.

The Hospital should also appropriately update its Code of Conduct respecting patient privacy and confidentiality and rectify the “dead” links that would provide meaningful information on such subjects to those who seek it.

Finally, the Hospital and other covered entities should consider adopting clear policies governing the protection and transporting outside of the United States of laptops and other electronic devices that contain PHI.

• Print
• Comments
• Trackbacks
• Share Link

Postings on this blog series have been following the continuing parade of security and privacy breaches of Protected Health Information (“PHI”) that have been reported on the U.S. Department of Health and Human Services list (the “HHS List”) of breaches of unsecured PHI affecting 500 or more individuals. On March 30, 2012, a large data security breach (the “Utah Breach”) that has not yet been posted on the HHS List was experienced by the Utah Department of Technology Services (“DTS”) on a computer server (the “DTS Server”) that stores Medicaid and Children’s Health Insurance Program (“CHIP”) claims data.  

DTS detected the Utah Breach on Monday, April 2, 2012 after the putative thieves began removing data from the DTS Server. Upon detection, DTS stated that it immediately shut down the DTS Server, has identified where the breakdown in security occurred and has implemented new processes to ensure this type of breach will not happen again.

DTS and the Utah Department of Health (“UDOH”) have established a separate Web page to provide “Latest Information” respecting the Utah Breach (the “Update Page”). The Update Page has turned out to be a useful reporting mechanism for what has become a continuously rising count of individuals affected by the Utah Breach. Currently the Update Page reports that “approximately 280,000 victims had their Social Security numbers stolen and approximately 500,000 other victims had less-sensitive personal information stolen.” Therefore, the total current number of identified affected individuals of the Utah Breach appears to be approximately 780,000. However, the various numbers of victims reflected on the Update Page are somewhat confusing, possibly due at least in part to the addition on a serial basis of newly discovered victims.

Information on the DTS Server included claims payment and eligibility inquiries regarding potential Medicaid and CHIP claimants. According to UDOH:

This could include sensitive, personal health information from individuals and health care providers such as Social Security numbers, names, dates of birth, addresses, diagnosis codes, national provider identification numbers, provider taxpayer identification numbers, and billing codes.

Interestingly, UDOH and DTS have made a clear distinction as to the assistance and support that they will provide to identified victims of the Utah Breach. Victims who had their Social Security numbers (“SSNs”) stolen will be offered one year of free credit monitoring services. Those victims of the Utah Breach who did not have SSNs stolen will not be offered free credit monitoring services, even though they have had other information compromised that has been characterized by UDOH as “less-sensitive.” Moreover, those who had SSNs stolen will receive priority in being alerted as to the Utah Breach over those victims who did not have stolen SSNs.

The Utah Breach is not the first large PHI breach experienced by UDOH.  The HHS List reports that on March 1, 2010, UDOH had an "Unauthorized Access/Disclosure" affecting 1,298 individuals respecting "Computer, Paper."  The HHS List also reflects that Utah Department of Workforce Services was involved as a Business Associate in the 2010 UDOH PHI breach.

It is possible that the current offering by UDOH of free credit monitoring services only to those Utah Breach victims who had stolen SSNs may be reevaluated or changed in the future. This blog series has previously reported the abrupt about-face by SAIC to offer credit monitoring services to the millions of victims of its large 2011 PHI breach after pressure by the Department of Defense to do so.

We will continue to monitor developments with regard to the Utah Breach.

• Print
• Comments
• Trackbacks
• Share Link

This blog series has been following breaches of Protected Health Information (“PHI”) that have been reported on the U.S. Department of Health and Human Services (“HHS”) list (the “HHS List”) of breaches of unsecured PHI affecting 500 or more individuals (the “List Breaches”). A recent posting in this blog series reported that, on February 24, 2012, HHS recorded number 400 in the ever-lengthening parade of List Breaches.

Such posting also noted that more than half (223) of the 400 List Breaches attributed the breach to “Theft.” Of the 223 thefts reported, 93 of them were characterized as theft of a laptop. Therefore, it is not surprising that the 400^th List Breach affecting Triumph, LLC (“Triumph”) was reported to be a theft on December 13, 2011 of a laptop affecting 2,000 individuals (the “Triumph Breach”) respecting several of its North Carolina behavioral and psychiatric facilities.

While the facts of the Triumph Breach were not remarkable in themselves, the event is worthy of review as being a typical List Breach involving a theft of a laptop that contained PHI of several thousand individuals. A closer look at the Triumph Breach reveals that it was an event as to which Triumph appears to have been a victim with little ability to avoid the loss. 

To its credit, Triumph has placed a HIPAA Breach Notification (the “Notification”) on its Web site with a prominent notice on its Home page in red with a link to the Notification and the following advice: “Please click here to read the public notice which may affect consumers receiving services from our Winston-Salem, Mocksville and King facilities.” As this blog series has pointed out in previous postings, many covered entities do not detail List Breaches on their Web sites.

The Notification states that the Triumph Breach occurred on December 13, 2011 when three men entered the 2nd floor lobby. While two of them were distracting the receptionist, the third entered a hallway and stole a laptop computer from an office. Because the Notification says that the laptop was password protected, one can reasonably conclude that there was no encryption. The information on the computer was reported in the Notification to have included names, dates of birth, medical record numbers, insurance/Medicaid numbers, billing codes  and authorization status for services, but not social security numbers, diagnostic codes or specific financial information.

Although the HHS List states that 2,000 individuals were affected by the Triumph Breach, no reference to the number of affected individuals was contained in the Notification. Additionally, while the Notification included contact information for questions about the Triumph Breach, no reference was made in the Notification as to the offering by Triumph of credit monitoring or other security services to affected individuals as has been done for many other List Breaches. Perhaps the explanation for the latter omission is the following statement by Triumph in the Notification:

We believe the motive for the theft was for the computer not for the information stored on the computer. In light of this theft, we are examining our policies, procedures and protocols to safeguard against any future incidents. 

Nonetheless, it is unclear whether the PHI stored on the computer will be inappropriately accessed and used.  Triumph was clearly an unfortunate victim of a theft of PHI as many other providers have been. Nonetheless, the Triumph Breach is a reminder that it does not matter how a List Breach is caused. It will be costly for the covered entity in every case on many levels, and the ultimate extent of the adverse impact cannot be known with certainty.

• Print
• Comments
• Trackbacks
• Share Link

This blog series has been following breaches of Protected Health Information (“PHI”) that have been reported on the U.S. Department of Health and Human Services (“HHS”) list (the “HHS List”) of breaches of unsecured PHI affecting 500 or more individuals (the “List Breaches”). On February 24, 2012, HHS posted number 400 in the ever-lengthening parade of List Breaches.

The first postings on the HHS List occurred on March 4, 2010.  Therefore, it took almost exactly two years to reach the 400 level, which means that an average of 200 postings of List Breaches have been occurring each year.

A closer look at the 400 List Breaches reveals that there are an appreciable number of repeat entrants into the parade. This blog series has reported on a number of them, such as Henry Ford Health System with 3 List Breaches and University of Rochester Medical Center with 2 List Breaches. (In some cases assumptions had to be made as to repeat entrants because the names of some covered entities on the HHS List were similar but not identical to others or appeared to be different divisions of the same covered entity.) 

Based on the assumptions and the review, there were 28 covered entities with 2 List Breaches, 16 covered entities with three List Breaches and 1 covered entity with four List Breaches (counting multiple divisions as one covered entity). Therefore, there were 337 separate covered entities that reported the total of 400 List Breaches.

Of the total of 400 List Breaches, 223 of them attributed the cause or partial cause of the breach to be “Theft.” As a matter of fact the 400^th List Breach was reported by Triumph, LLC as a theft on December 13, 2011 of a laptop affecting 2,000 individuals at several of its North Carolina behavioral and psychiatric facilities.

While the Parade of List Breaches continues to grow, there are many more PHI data breaches involving fewer than 500 individuals that are occurring as well. As this blog series has emphasized in the past, it is more a question of when a covered entity will suffer a PHI data breach and how severe the breach will be, rather than if it will suffer a breach.

• Print
• Comments
• Trackbacks
• Share Link

This blog series has been following breaches of Protected Health Information (“PHI”) that have been reported on the list (the “HHS List”) posted by the U.S. Department of Health and Human Services (“HHS”) that reports breaches of unsecured PHI affecting 500 or more individuals (the “List Breaches”). Four months ago a blog posting in this series did some analysis as to the extent to which such List Breaches are being reported by covered entities (“CEs”) as attributable to events involving business associates (“BAs”). 

A December 2, 2011 article in MedPage Today by Cole Petrochko reported on a survey conducted by the Ponemon Institute (the “Survey”) that was conducted based on "interviews with senior-level staff at 72 healthcare organizations regarding data loss and theft experiences at their facilities. Sites included parent holding companies of healthcare organizations, parts of a healthcare network, and individual hospitals or clinics."

This interesting Survey acknowledged that it had a number of limiting factors, including self-reporting from only 14% of the organizations, mostly larger-sized groups, that were contacted by the Ponemon Institute to participate in the interview process. It is therefore likely that data derived from the HHS List is more reliable in light of the adverse consequences and penalties that can be incurred by a CE from inaccurately reporting in writing to HHS. Nonetheless, according to the Survey, "two out of five respondents (41%) blamed data breaches on employee negligence -- not following data-handling procedures, sloppy mistakes, and using unsecure electronic devices -- and 49% reported lost or stolen devices. Third-party errors were responsible for 46% of breaches."  [Emphasis supplied.]

It is not clear that the incidents involving “third-party errors” in the Survey are coincident with events that would have been reportable as involving BAs had they been on the HHS List. Moreover, the Survey covered institutional healthcare providers only and not other types of CEs such as insurers, government agencies and individual physicians and physician practice groups. However, the Survey results as to third party errors mirror to some extent the proportion of reported BA involvement with respect to the largest of the List Breaches on the HHS List as of December 2, 2011. 

As of that date, only 83 of the total of 372 List Breaches (22.3%) reportedly involved BAs of the reporting CEs.

This overall amount is far lower than the 46% of breaches that was attributable to third-party errors in the Survey. However, further analysis of the HHS List as of December 2, 2011 reveals the following information that more closely parallels the Survey at higher numbers of involved individuals:

•   3 of the 6 List Breaches (50%) that affected 1,000,000 or more individuals reportedly involved BAs of the reporting CEs.

•   13 of the 29 List Breaches (44.8%) that affected between 30,000 and 999,999 individuals reportedly involved BAs of the reporting CEs.

•   14 of the 47 List Breaches (29.8%) that affected between 10,000 and 29,999 individuals reportedly involved BAs of the reporting CEs.

•   53 of the 290 List Breaches (18.3%) that affected between 500 and 9,999 individuals reportedly involved BAs of the reporting CEs.

While the foregoing review is only a snapshot of the HHS List as of a given date, the review would indicate that, as the size of a List Breach increases, it is more likely that involvement of a BA will be reported. However, the overwhelming proportion of List Breaches (77.7%) on the HHS List that affected fewer than 10,000 individuals have reported no involvement of a BA. 

More data will be required before the impact of BA involvement in smaller and larger List Breaches becomes clearer.  However, there are indications that the larger the List Breach that is reported by a CE, the greater the likelihood that it will involve an alleged BA.

• Print
• Comments
• Trackbacks
• Share Link

 By Elizabeth Litten and Michael Kline

What was the highlight of the Macy’s® Thanksgiving Day parade when we were kids? The Snoopy® float (shown below) was probably right up there, along with the Sesame Street® and Disney® floats. Spectators of the Protected Health Information (“PHI”) Breach Parade (and of the “silent brigade” of Business Associate breaches, discussed in this blog series on August 1, 2011) will be awed by the sight of the recent, somewhat bizarre, Business Associate (“BA”) breach involving Stanford Hospital’s emergency room data, as reported in the New York Times by Kevin Sack on September 8, 2011. The PHI of 20,000 emergency room patients seen in the Palo Alto, CA hospital reportedly somehow made its way from the hospital’s BA, Multi-Specialty Collection Services, to a public website used by students. The publicly-posted information included names and diagnoses for patients who visited the emergency room during a 6 month period in 2009.

This PHI breach stands out for a couple of unusual aspects. First, the data was allegedly made publicly accessible in September of 2010 as a spreadsheet attached to a document on the Web site “Student of Fortune,” a site describing itself as “Your source for easy online homework help!” As reported in the Sack article: “Gary Migdol, a spokesman for Stanford Hospital and Clinics, said that the spreadsheet first appeared on the site on Sept. 9, 2010, as an attachment to a question about how to convert the data into a bar graph."  The PHI breach was purportedly discovered on August 22, 2011 by a Stanford Hospital patient and reported to the hospital. The fact that nearly a year had lapsed from the time of the breach to its reported discovery suggests that the PHI was

(i)   not recognized as “real” by viewers,

(ii)  not thought by viewers to be worth noting or reporting, and/or

(iii) not actually viewed by anyone during the year it was accessible to students seeking bar graph tutorial. 

Nonetheless, the volume of patients affected, the sensitivity of the PHI data (more on that in a minute), the apparent lack of sufficient care by the BA, and the surprising nonchalance of whoever posted the PHI to be sifted and sorted by “Students of Fortune” accessing a publicly available Web site combine to make an attention-grabbing PHI breach event (the Snoopy float). 

Also reported on a New York Times blog site by Nick Bilton on September 8, 2011, Senator Richard Blumenthal (D-CT) introduced a bill, the Personal Data Protection and Breach Accountability Act of 2011, that, if passed, would impose strict storage and protection requirements for companies that store online data for more than 10,000 people. (Senator Blumenthal was previously highlighted in several postings in this blog series for his groundbreaking activities as Attorney General of Connecticut in investigations and enforcement actions against entities involved in PHI security breaches.)

While “Student of Fortune” was certainly not “storing” the emergency room PHI, the bill would likely affect BAs such as Multi-Specialty Collection Services. To the extent the Blumenthal bill imposes new or additional privacy and security provisions, Covered Entities and BAs handling large amounts of PHI would be subject to these provisions in addition to existing HIPAA/HITECH and state law requirements.

Back to the Snoopy float – the Stanford Hospital PHI breach (and the manner in which it was reported in the Sack article) stands out for a number of ironies. A large amounts of sensitive PHI was accessible to the public, but obscurely so (only to Students of Fortune using a particular learning tool and astute enough to recognize, or care about, the sensitivity of the information). If the Stanford Hospital patient had not noticed and reported the PHI breach, would the breach have ever been noticed? Would any patient have been harmed? (If a tree falls in the forest when no one is present, does it make a sound?) 

Even more ironic is the fact that one affected patient may actually have been harmed as a result of the breach reporting, rather than from the breach itself. The Sack article quotes (by name) a patient’s mother who “intercepted” the breach notice mailed from Stanford Hospital to her 21-year-old son (leaving the reader to wonder why Mom is opening her adult son’s mail and whether she was authorized to access his PHI). Mom is quoted as stating (i) that her son received psychiatric treatment at Stanford in 2009 and (ii) “My son, I can tell you [Kevin Sack], is fragile and confused enough that this would have sent him over the edge."  One can only hope that the disclosure of his "fragile" state in a national newspaper will not have a similar effect.  Perhaps, in this post-Facebook and Twitter age, we could all use reminders about what kind of information is private and sensitive, when we should report breaches of it, and with whom we should share it.  The Snoopy float is a good reminder.    

A final irony is that Michael Mucha, the Stanford Hospital Chief Information Security Officer at the time of the Stanford PHI breach, has written extensively and has been widely-quoted regarding information security. He has been quoted as saying, “The biggest thing we [Stanford Hospital] focus on with all of this is control of the data.” Unfortunately the Snoopy float PHI breach belies the level of control of the data that can be exercised by Stanford and other Covered Entities, even with safeguards in place.

This story will undoubtedly have further developments. It will be especially interesting to see what statement, if any, Stanford provides to the U.S. Department of Health and Human Services (“HHS”) about its PHI breach for posting on the HHS list of reported large breaches of unsecured PHI affecting 500 or more individuals.

[Capitalized items that have ® after their names may be registered trademarks of other entities as to which no claim is made.]

From Heather Cross, About.com Guide 

 The Snoopy Balloon floats along Central Park West in the 2000 Thanksgiving Day Parade.

• Print
• Comments
• Trackbacks
• Share Link

Postings on this blog series have been following the continuing flow of large security and privacy breaches of Protected Health Information (“PHI”) that has been reported on the U.S. Department of Health and Human Services (“HHS”) Web site. A recent posting highlighted an area that has received relatively little media attention respecting the HHS list (the “HHS List”) of reported large breaches of unsecured PHI affecting 500 or more individuals (“Large Breaches”) - the extent to which such Large Breaches are stated to be attributable to events involving business associates (“BAs”) of the reporting covered entities (“CEs”). Some Large Breaches involving BAs will be reviewed in this and future postings.

The HHS List reveals that Ohio Health Plans (“OHP”), the public health care program overseen by the Ohio Department of Jobs and Family Services, reported as a CE that a Large Breach on June 3, 2011 involving 78,042 individuals had resulted from the theft of a laptop (the “OHP Breach”). The HHS List states that “Area Agency on Aging, Ohio District 5” was a “Business Associate Involved.” Unlike some other disclosures respecting Large Breaches reported on the HHS List, no further information is available on the HHS List for the OHP Breach.

A June 20, 2011 report of the OHP Breach in CrawfordCountyNow.com (the “Internet Report”) indicates that the correct corporate name of the affected BA is Ohio District 5 Area Agency on Aging, Inc. (the “Agency”). The Internet Report states:

A laptop computer assigned to a PASSPORT case manager with the Ohio District 5 (Mansfield) Area Agency on Aging, Inc. containing consumer’s personal health information was stolen from a vehicle on June 3. The computer contained personal health information of up to 43,000 consumers and the personal contact information of up to 35,000 related clients’ personal representatives.

The Internet Report quotes an apology from the CEO of the Agency, Duana Patton, and describes steps that the Agency was taking to mitigate the loss to affected individuals, including access to credit protection services and an 800 number to answer questions. Nowhere in the Internet Report is there any reference to OHP or the fact that the Agency was in possession of the PHI as a BA of a CE.

A visit to the Internet Web site of each of OHP and the Agency reveals no information respecting the OHP Breach. There is no reference to the OHP Breach in the links on the Home page of the OHP Web site or the links accessible through the  “News & Events” link, including the “What’s New” and “News Releases” links. 

The Agency Web site describes the Agency as

a private non-profit Agency, designated by the State of Ohio to be a Planning and Service Area (PSA) as mandated in the Older Americans Act, as enacted by the Federal Government in 1965. The Agency administers Title III, State Block Grant, Medicaid and other grant funds.

Again there is no reference to the OHP Breach on the Agency Web site, either in the “News and Events” links, the “Privacy Information” link or elsewhere, or the efforts of the Agency to mitigate adverse consequences to affected individuals that may result from the OHP Breach.

It appears that OHP, as the CE with respect to the OHP Breach and the entity required to report the OHP Breach to the HHS for placement on the HHS List, left it to the Agency as the apparently responsible BA to confront the aftermath. Moreover, OHP and the Agency appear to have consciously limited disclosures regarding the status of OHP as the CE to avoid adverse publicity for OHP, perhaps because it is part of the Ohio state sponsored health programs. 

Other Large Breaches involving BAs that have been reported on the HHS List will be reviewed in future postings on this blog.

• Print
• Comments
• Trackbacks
• Share Link

This blog series has been following the continuing flow of large security and privacy breaches of Protected Health Information (“PHI”) that has been reported on the U.S. Department of Health and Human Services (“HHS”) Web site. As required by HITECH, the HHS Web site posts a list (the “HHS List”) of reported large breaches of unsecured PHI affecting 500 or more individuals (“Large Breaches”). One area that has received relatively little attention from postings on the HHS List is the extent to which such Large Breaches are reported to be attributable to events involving business associates (“BAs”) of covered entities (“CEs”). 

The HITECH Act provides at Section 13402 (42 U.S.C. Section 17932) that, following a Large Breach of unsecured PHI, a CE must provide notification of the breach to affected individuals, the Secretary of HHS, and, in certain circumstances, to the media.  The HITECH Act imposed on a BA many of the obligations that only a CE previously had under the original HIPAA, unless the BA had specifically assumed such obligations contractually in an agreement with a CE. 

However, while Section 17932(b) of  HITECH requires a BA to notify the associated CE that a PHI breach has occurred, under HITECH, such a BA has no obligation or even authority for mandatory or voluntary reporting of a Large Breach directly to HHS. That is solely the obligation of the CE under HITECH Section 17932(e)(3).  Nonetheless, the form of "Notice to the Secretary of HHS of Breach of Unsecured Protected Health Information" to be filed by a CE calls for a disclosure by the CE of information about any breach that occurred at or by a BA.

The effect is that a BA has no effective voice, which has been authorized by HITECH or the interim HHS rules, to allow such BA to make a statement to HHS that could be posted on the HHS List to correct, amend, modify, supplement or even deny a CE report on the HHS List regarding such BA.

Of the 292 PHI breaches listed on the HHS List as of July 31, 2011, the following information has been reported regarding BAs:

•   Approximately 53 of the Large Breaches or 18% allegedly involved BAs of the reporting CEs.

•   Approximately 12 of the Large Breaches of reported Large Breaches allegedly involving BAs contained a narrative as to the Large Breach event.

•   Approximately 8 of the narratives stated that the CE had enforced its agreement with the allegedly involved BA and/or modified or terminated its relationship with such BA.

It is clear that a Large Breach can generate substantial costs, embarrassment and loss of reputation to a CE and an involved BA.  It is in the interest of both parties that prompt, accurate and complete notification of a Large Breach be made to the public and HHS.  Cooperative efforts that optimally should exist between the CE and an involved BA in remediating a Large Breach should also include drafting a mutually acceptable narrative, if such a narrative is to be included in the report to HHS. However, it may not be possible to have agreement on remediation itself or the description that will be reported by the CE to HHS and posted on the HHS List.  HHS should consider giving a BA an opportunity to report its own responsive version of a Large Breach event in a case where a CE attributes involvement to such BA.

• Print
• Comments
• Trackbacks
• Share Link

Several recent PHI-related news items, including two that were commented upon by Michael Kline in this blog series in his posts dated June 27, 2011 (regarding Google Health’s announced shut down) and July 3, 2011 (regarding the Spartanburg (S.C.) Regional Health System PHI security breach), and one that was described by Bill Maruca in a post dated June 22, 2011 (regarding the safety of “cloud-based” data storage systems), share a common feature – they underscore our need to trust the keepers of our PHI. We need to trust that, whether PHI is in the cloud or on a server, in a thumb drive or on a hard drive, only those who have a right and a need to access it can and will do so. 

A recent petition (“Petition”), filed as a putative class action in federal court in St. Louis, Missouri against The Siteman Cancer Center at Barnes Jewish Center (“Siteman”) and the Washington University (St. Louis) School of Medicine provides an example of insult adding to injury when the trust in our PHI-keeper is broken. Mistakes may happen, but trust is really breached when the mistakes that involve PHI are not admitted and addressed immediately.

The Petition alleges that, sometime over the weekend of December 4, 2010, “an unencrypted laptop computer,” which contained the PHI of “hundreds of cancer patients,” was stolen from Siteman’s Gynecological Treatment Center.  While the exact number of individuals affected is not identified in the Petition, there has been no posting of the breach in the list maintained on the U.S. Department of Health and Human Services Web site respecting  breaches of unsecured PHI affecting 500 or more individuals (the “HHS List”). This suggests that fewer than 500 individuals were affected. 

According to the Petition, Siteman did provide notice to affected individuals – but, based on allegations in the Petition, the notice was too little and too late. The Petition contends that Siteman knew about the stolen laptop immediately after the December 4, 2010 weekend, but did not notify affected individuals until it sent out a letter dated January 28, 2011.   Adding apparent insult to this delayed notice of injury, the Petition asserts that Siteman also “downplayed the seriousness of the security breach” and failed to include complete information about (and thus “misrepresented”) the type of information that was stolen. 

In blogging about the Spartanburg breach, Michael writes, “[i]t is perplexing that a hospital would choose to withhold disclosure of the extent of its PHI security breach, as it risks a second round of significant media coverage when the posting on the HHS List takes place one to three months later.”   I find it similarly perplexing that a hospital, such as Siteman, might choose to withhold disclosure of the extent of an especially sensitive PHI security breach, particularly when the disclosure is being made directly to the potentially affected individuals. Failure to disclose promptly and accurately the nature and extent of a breach not only erodes patient trust, but also increases the likelihood of a “second round” of patient harm and ensuing litigation.

• Print
• Comments
• Trackbacks
• Share Link

This blog series has been following the continuing flow of large security breaches of Protected Health Information (“PHI”) and how affected providers and insurers have been responding to their discovery. Immediately before the July 4th weekend, there was a posting on the U.S. Department of Health and Human Services Web site, which lists breaches of unsecured PHI affecting 500 or more individuals (the “HHS List”), of a PHI security breach affecting 400,000 individuals that was reported by Spartanburg Regional Healthcare System (the “System”).

The HHS posting respecting the System reports that a PHI breach (the “System Breach”) occurred on March 28, 2011 from the “Theft” of a “Desktop Computer.” As a result the System appears to have suffered the fourth largest PHI security breach reported on the HHS Web site during 2011, surpassed only by the following, each of which has been discussed earlier in this blog series:

(i) the Health Net breach that involved 1,900,000 persons;  

(ii) the New York City Health and Hospitals Corporation’s North Bronx Healthcare Network breach with a reported 1,700,000 persons affected; and

(iii) the Eisenhower Medical Center breach with a reported 514,330 persons affected.

The history of reporting of the System Breach by the System has been somewhat puzzling. Although the Web site of the System had previously published for some period of time a prominent link on its home page to the letter that was sent by the System to the affected individuals (the “System Letter”), the link appears now to have been deleted from the System’s home page. After a search, there appears to be no other reference to the System Breach on the System’s Web site, including the news archive that is linked from the home page.   

The System Letter asserted that the computer was stolen from the car of an employee who was “authorized to have possession of the computer.” The computer reportedly contained a password-protected file with Social Security numbers as well as names, addresses, dates of birth and medical billing codes. The System Letter also reported that the System will make available to affected individuals enhanced identity theft consultation and restoration and one year of free credit monitoring, although the System “had no evidence that any information has been misused.”

For some reason, the System originally made no disclosure of the large number of persons affected. This is not the first time that a provider that suffered a significant PHI security breach did not report the number of affected persons. See, for example, the postings in this blog series respecting Henry Ford Health System. It is perplexing that a hospital would choose to withhold disclosure of the extent of its PHI security breach, as it risks a second round of significant media attention when the posting on the HHS List takes place one to three months later. It would appear that providers and insurers should understand that one major media encounter for a single PHI security breach event is more than enough publicity.

• Print
• Comments
• Trackbacks
• Share Link

This blog series has been following the continuing flow of large security breaches of Protected Health Information (“PHI”) and how affected providers and insurers have been responding to their discovery. A recent posting of a major PHI security breach was made regarding Eisenhower Medical Center (the “Center”) on the U.S. Department of Health and Human Services (“HHS”) Web site that lists breaches of unsecured PHI affecting 500 or more individuals.  The Center, which is located on Bob Hope Drive in Rancho Mirage, near Palm Springs, California, houses, among other areas, the famous Annenberg Center for Health Sciences at Eisenhower, the Barbara Sinatra Children’s Center at Eisenhower and the Betty Ford Center on the Eisenhower campus. 

The HHS posting respecting the Center reports that a PHI breach affecting 514,330 persons (the “Center Breach”) occurred on March 11, 2011 from the “Theft” of a "Desktop Computer." As a result the Center appears to have suffered the third largest PHI security breach reported on the HHS Web site during 2011 to date, trailing only

(i) the Health Net breach earlier reported in this series that involved 1,900,000 persons and

(ii) the New York City Health and Hospitals Corporation’s North Bronx Healthcare Network breach with a reported 1,700,000 persons potentially affected.

The Center Breach was reported as item 38 on page 16 of the U.S. Department of Homeland Security (“DHS”) “Daily Open Source Infrastructure Report for 1 April 2011.”  The DHS report quoted Center officials and the Center’s Director of Marketing and Public Relations as saying,

The computer was password protected, but not encrypted. The information in the   . . . file included patient names, ages, dates of birth, the last four digits of the Social Security number, and the hospital’s medical record number. . .

The theft occurred late in the day March 11, but the hospital was not aware the computer had been stolen until March 14. On March 17, officials learned the backup patient file was on the stolen computer . . .  [T]he theft was reported to the Riverside County Sheriff’s Department March 18. The file was a backup file that was not displayed on the computer’s desktop.

In spite of the more than 500,000 individuals reported as having been affected by the Center Breach, the information made available to date by the Center has been sparse.  A visit to the home page of the Center’s own Web site does not reveal any mention of the Center Breach.  Similarly a search of the 1,446 items dating back to 2004 in the Center’s News Archives on its Web Site (the “News Archives”) has no reference to the Center Breach.

The only article in the News Archives relative to privacy, which appeared to be from early 2009, reported the rolling out by the Center of a privacy code system to augment guidelines for the use and disclosure under the privacy standards for PHI (excluding information available in the hospital directory) to a patient’s family, significant other and friends. That article also stated, “All Eisenhower employees are required to complete a mandatory privacy NetLearning training module in April.” 

(NOTE - The conclusion that the year of the privacy article in the News Archives was 2009 was only determinable from a review of surrounding news items. The News Archives are deficient because they have no reference as to the dates of postings, unless they are indicated in the bodies of the articles themselves.)

It is perplexing that a hospital of the stature of  Eisenhower Medical Center has been relatively silent about the Center Breach that has affected so many individuals.  Nor has the Center disclosed what, if any, proactive remedial actions it will be taking to avoid a similar occurrence in the future.  However, it is clear that more will be heard about this event, as CaliforniaHealthline.org has reported, "The not-for-profit medical center is sending notification letters to affected patients, and the California Department of Health will investigate the incident."

• Print
• Comments
• Trackbacks
• Share Link

By: Elizabeth Litten and Michael Kline

This blog series has been following the continuing flow of large security breaches of Protected Health Information (“PHI”) and how affected providers and insurers have been responding to their discovery. As reported in a recent posting, prior to yesterday, the New York City Health and Hospitals Corporation’s North Bronx Healthcare Network was perhaps the largest marcher in the parade of large PHI security breaches with a reported 1,700,000 persons potentially affected.  As of March 14, 2011, it appears Health Net is grappling with a breach that could involve as many as 1,900,000 persons, which would give it the distinction of having the largest and potentially loudest marching band in the Security Breach Parade.

This breach was described in a press release (issued by the California Department of Managed Care (“DMHC”):

The company [Health Net] announced today that nine of its server drives containing personal information for 1.9 million current and past enrollees nationwide are missing, including records for more than 622,000 enrollees in Health Net products regulated by the DMHC, more than 223,000 enrolled in California Department of Insurance products, and a number enrolled in Medicare. Health Net is conducting an investigation into the drives discovered missing from its Rancho Cordova data center.  

Health Net issued a press release that does not mention the number of persons affected, and implies that its vendor, IBM, may have responsibility for the breach:

This investigation follows notification by IBM, Health Net’s vendor responsible for managing Health Net’s IT infrastructure, that it could not locate several server drives. After a forensic analysis, Health Net has determined that personal information of some former and current Health Net members, employees and health care providers is on the drives, and may include names, addresses, health information, Social Security numbers and/or financial information. While the investigation continues, Health Net has made the decision out of an abundance of caution to notify the individuals whose information is on the drives. To help protect the personal information of affected individuals, Health Net is offering them two years of free credit monitoring services, including fraud resolution and, if necessary, restoration of credit files, as well as identity theft insurance. These services will be provided through the Debix Identity Protection Network.

Health Net’s press release then (tautologically, since the press release is accessible under the “Newsroom” link at the bottom of Health Net’s home page) directs readers to Health Net’s website for more information. I was unable to find additional information about the breach or Health Net’s investigation on the website. It’s good to know that, “out of an abundance of caution” (and at what must be quite an abundance of expense), Health Net will be notifying the 1.9 million affected persons and offering them two years of free credit monitoring services. Perhaps the next large entity entrusted with PHI will exercise an “abundance of caution” by encrypting the information contained on its server drives to avoid having to march in the ever-growing Security Breach Parade. 

Health Net, however, is no stranger to the Security Breach Parade. As reported previously on this blog series, Health Net and its affiliates have made payments to the states of Connecticut and Vermont in actions brought by the respective attorneys general of those states for HIPAA/HITECH violations. It does not end there. Today the Attorney General of the State of Washington published a release that Health Net had informed the Washington Attorney General’s Office on Monday that “approximately 39,877 Washington residents” may be affected by a data breach. This developing situation warrants continued monitoring.

• Print
• Comments
• Trackbacks
• Share Link

The requirements under the HIPAA/HITECH statutes and regulations for public disclosure of breaches of Protected Health Information (“PHI”) have brought to light an increasing volume of breaches of PHI involving highly respected and sophisticated providers and insurers. On November 21, 2010, a posting on this blog discussed a PHI security breach (the “September 2010 Breach”) involving Henry Ford Health System in Michigan (“Henry Ford” or the “health system”) that was discovered by the health system on September 24, 2010. A follow-up posting in this series on November 24, 2010 reported that 3,700 individuals had been affected in the September 2010 Breach.

On February 25, 2011, Robin Erb, Medical Writer at the Detroit Free Press, wrote an article entitled, “Lost Device Compromises Medical Information of 2,777 Patients” relative to another security lapse in less than a year within Henry Ford (the “January 2011 Breach”). According to Ms. Erb, an employee of the health system lost a flash drive with information on 2,777 patients on January 31, 2011.

As Ms. Erb reported,

Hospital officials said it's unclear how the flash drive was lost. The device is not encrypted, as required to protect individual patients' information, officials said.

The information involved patients tested for urinary tract infections between July and October 2010 and included names, medical record numbers, test information and results.

While the first blog posting in this series about the November 2010 Breach gave a link to the Henry Ford posting of on its Web site about the security breach, that posting and link have apparently been already taken down by the health system. However, more than 500 other earlier stories dating back as far as March of 2005 remain on the Henry Ford News list. A visit today to the News list on the health system’s Web site also reveals that Henry Ford has made no posting to date about the January 2011 Breach.

HIPAA/HITECH provides that the time frame for insurers and providers to give notice to affected individuals and the U.S. Department of Health and Human Services (“HHS”) of a PHI security breach involving 500 or more individuals is “without unreasonable delay and in no case later than 60 days from discovery of a breach.” The maximum time, therefore, for Henry Ford to notify the HHS about the January 2011 Breach is 60 days after the discovery date of January 31,2011 or April 1, 2011. Soon after notification by the health system to the HHS, the HHS Web site that lists breaches of unsecured PHI affecting 500 or more individuals would add the January 2011 Breach. 

It is interesting that, while Ms. Erb’s article was published almost three weeks ago, nothing has apparently been published by Henry Ford about the January 2011 Breach on its Web site. Nor has the January 2011 Breach yet appeared on the HHS Web site. This matter warrants further monitoring.

• Print
• Comments
• Trackbacks
• Share Link

This blog series has been following the continuing flow of large security breaches of Protected Health Information (“PHI”) and how affected providers and insurers have been responding to their discovery. The New York City Health and Hospitals Corporation’s North Bronx Healthcare Network (“HHC”) has recently become perhaps the largest marcher in the parade of PHI security breaches with a reported 1,700,000 persons affected. 

The U.S. Department of Health and Human Services website, which provides a list (the “HHS List”) required by HIPAA/HITECH of large reported breaches of unsecured PHI incidents affecting 500 or more individuals, reveals that HHC had a PHI security breach on December 23, 2010 (the “Breach”). Of the 242 records currently reported on the HHS List, the Breach is by far the largest with 1,700,000 affected individuals. The Breach apparently resulted from a “Theft” of “Electronic Medical Record, Other.” 

Unlike some other participants in the parade of PHI security breaches that have been reported in this blog series, it is refreshing to see that HHC has tried to be forthright in its communication on the HHC Website. The information regarding the occurrence may be found in a number of ways, including a search for "PHI security breach" directly from the HHC Home Page or by clicking on "Publications and Reports" from the HHC Home Page and then clicking on "Press Releases" where the relevant Press Release dated February 11, 2011, is the only listing to date for 2011 (the “Press Release”).

The HHC breach can become a financially costly one for HHC, as it potentially affected information covering twenty years relative to (i) personal information such as social security numbers, names, addresses, and other information that may be used to identify individuals; (ii) personal information and patients' medical histories; and (iii) personal information and employees' health information. The Press Release states the following: “The loss of this data occurred through the negligence of a contracted firm [identified in the Press Release as GRM Information Management Services ("GRM")] that specializes in the secure transport and storage of sensitive data. There is no evidence to indicate that the information has been inappropriately accessed or misused.”  The Press Release also reported that HHC is making available free credit monitoring and fraud resolution services for one year to those affected individuals who request it.

The Press Release states that the information was stolen when "the GRM van was left unattended and unlocked while the driver made other pickups.  GRM reported the incident to the police and dismissed the driver of the vehicle.  To date, the files have not been recovered."  Therefore, it can be reasonably inferred from the Press Release that at least a portion of the financial burden for HHC from the Breach will be shared by GRM.  GRM may even have some type of liability insurance coverage that will pay for some of the expenses flowing from the Breach. 

In this regard, my partner Elizabeth Litten, Esq., had previously discussed in a blog entry in this series the need for healthcare providers and business associates to investigate the possibility of obtaining insurance covering potential losses arising out of large PHI security breaches. The case of HHC may encourage greater attention to this area.

The prominent posting of the Breach on the HHC website demonstrates that HHC has made a commitment to act responsibly and do more than what is (again borrowing a phrase from HITECH in a totally different context) “the minimum necessary” for communicating a large PHI security breach. This should accelerate the rehabilitation of confidence and relations with patients, employees and HHC’s larger constituency.

• Print
• Comments
• Trackbacks
• Share Link

This blog series  has been following the continuing flow of large security breaches of Protected Health Information (“PHI”) and how affected providers and insurers have been responding to their discovery. The University of Rochester Medical Center (“URMC” or the “Medical Center”) joined in the parade of large PHI security breaches two times in 2010. 

The U.S. Department of Health and Human Services website, which provides a list (the “HHS List”) required by HIPAA/HITECH of large reported breaches of unsecured PHI incidents affecting 500 or more individuals, reveals that URMC had two large security breaches during 2010 (the “2010 Breaches”). The first 2010 Breach posted for URMC on the HHS List on May 28, 2010, related to 2,628 individuals from an “Unauthorized Access of Paper Records” that occurred on April 19, 2010. The second 2010 Breach posted for URMC on the HHS List on September 21, 2010 related to 857 individuals from a “Lost Portable Electronic Device” that occurred on August 2, 2010. 

There are several interesting aspects about the URMC events. First, like the incident at University of Tennessee Medical Center discussed earlier in this blog series, URMC apparently has determined that it is not necessary or appropriate to publish the 2010 Breaches in the URMC Newsroom or elsewhere on the URMC website.  A review of the list of 345 stories presently posted in the 2010 News Archives on the URMC website revealed no reference to either of the 2010 Breaches.  

It is somewhat disappointing that URMC has chosen not to communicate with its Internet community on the 2010 Breaches, as numerous other institutions with large PHI security breaches have chosen to do. It is even more puzzling in light of the fact that Peter Chesterton, MBA, the long-time Chief Privacy Officer and Chief HIPAA Security Official for URMC, has been a recognized leader and lecturer in the area of PHI security and privacy. He is also currently listed as a member of the University of Rochester Data Security Taskforce in the Office of the Provost (the “Provost Taskforce”). 

Mr. Chesterton lectured at the 4^th Academic Medical Center Privacy and Security Conference on June 11, 2007 on the topic “Protecting PHI Shared with Private Physician Practices” and at the 5^th Academic Medical Center Privacy and Security Conference on March 2, 2009 on the topic “AMC Privacy and Security: New Challenges, NewSolutions – Best Practices for Compliance.”

As a matter of fact Slide 23 on “Recent Developments” in Mr. Chesterton’s 2009 presentation referred to a “recent security incident.” Presumably his reference was to a January 11, 2009 data security breach, which was reported by www.identitytheft.info  as having occurred at the University of Rochester (the “2009 Breach”), that involved 450 individuals from a “Hacked Database.”

It is not clear that the 2009 Breach involved PHI which is covered by HIPAA/HITECH or whether it related to the University of Rochester or URMC. In any event the 2009 Breach preceded the establishment of the HHS List and would not have been reportable on the HHS List had it been PHI because fewer than 500 individuals were affected. If the 2009 Breach related to the University of Rochester and not to the Medical Center, Mr. Chesterton’s knowledge of the 2009 Breach could have come from his membership on the Provost Taskforce.

Clearly Mr. Chesterton is not responsible for the publication policy of the URMC website or its news postings. However, I believe that the multiple occurrences of PHI security breaches in 2010 at URMC and is a serious matter. The posting of the 2010 Breaches (and the 2009 Breach if it related to the Medical Center) on the URMC website would have demonstrated that URMC has a commitment to act responsibly and do more than what is (to borrow a phrase from HITECH in a different context) “the minimum necessary” for communicating a large PHI security breach. This would accelerate the rehabilitation of confidence and relations with patients and the Medical Center’s larger constituency.

• Print
• Comments
• Trackbacks
• Share Link

My colleague, Michael Kline, has been regularly reporting on this blog about the parade of Protected Health Information (PHI) privacy and security breaches that are occurring at large, sophisticated hospital systems, such as the Henry Ford Health System in Michigan, and health insurance carriers, such as Wellpoint, Inc. in Indiana.  A recent breach at the Puerto Rico Department of Health involved an estimated 400,000 individuals.  Breaches involving more than 500 individuals, including those referenced in this paragraph, must be reported to the Secretary of Health and Human Services (HHS) and can be accessed at the HHS Web site. 

If state agencies, insurance carriers, and large health care systems are vulnerable to the devastating aftermath of large breaches, how can a smaller covered entity, such as a free-standing specialty hospital or a physician practice group, or a business associate or subcontractor whose business does not revolve around or even frequently involve PHI, effectively limit its vulnerability to the heavy costs of a PHI security breach?

Whether HIPAA/HITECH privacy and security issues are in the forefront of an entity's compliance mindset or are a periodically worrisome background buzz, an entity should investigate measures to protect itself against privacy and security breaches and the ensuing economic costs associated with investigation of the potential breach, notice to affected individuals and, potentially, HHS, damage to reputation, remediation and protection actions, and, possibly, penalties, fines, and other damages asserted by the government or third parties.

I was intrigued to learn recently of a type of relatively new insurance coverage called "Privacy & Computer Security Protection." This coverage may be a good option for those among us who worry that even airtight, well-implemented policies and procedures may not be enough. Whether a breach results from human error (a typical cause for breach) or from organized or individual cyber crime such as hacking and stolen laptops (a less typical, but increasing risk), insurance companies such as Chartis, Beazley, and Hiscox are willing to underwrite certain computer security risks and cover specified losses that may be incurred by an insured from a PHI security breach.

According to my friends at Marsh USA Inc. (an insurance broker and an original creator of "cyber" policy forms), subject to the results of an underwriting pre-assessment of risks specifically associated with an entity that is applying for insurance coverage against losses from a PHI security breach, such an entity may pay as little as about $20,000 for $1 million in coverage. Insurance protection might cover claims arising from actual or alleged breaches of duty, neglect, or other acts, errors, or omissions that result in disclosure of PHI or other confidential information; vicarious liability for privacy breaches of an entity's vendor/subcontractor; costs associated with defense of regulatory actions; costs associated with compliance with PHI breach notification requirements, costs associated with public relations/crisis management professionals, etc.

The extent of financial risk involved in the HIPAA/HITECH security breach context is daunting. The cost of just setting up and operating a toll-free line for PHI security breaches involving 3,000 individuals is estimated by the federal Office of Civil Rights to be upwards of $8 million (table on page 42764).

I plan to review and report back in future blog postings on the current coverage options specifically designed to protect against the costs of HIPAA/HITECH security breaches, gaps that may exist in the currently available coverage and other related matters.

• Print
• Comments
• Trackbacks
• Share Link

This blog has been following how requirements under the HIPAA/HITECH statutes and regulations for public disclosure of security breaches of Protected Health Information (“PHI”) have brought to light a continuing flow of breaches of PHI involving highly respected and sophisticated providers and insurers. 

On November 21, 2010, a posting on this blog discussed a PHI security breach involving Henry Ford Health System (“Henry Ford” or the “health system”).

The blog posting observed that the disclosure by Henry Ford on its Web site did not divulge the number of patients affected by the security breach. As discussed in the posting, the required time frame for the health system to notify the U.S. Department of Health and Human Services (“HHS”) is the same as that for notifying affected patients; therefore, the HHS Web site that lists breaches of unsecured PHI affecting 500 or more individuals would soon reveal the number of affected patients. Indeed, a visit today to the HHS Web site reveals that the Henry Ford security breach is now listed and that the breach affected 3,700 patients. 

It is somewhat perplexing as to why the health system would have chosen not to have reported the number of affected patients on its own Web site. While every PHI security breach is costly and makes providers and insurers potentially vulnerable to embarrassment, criticism and diminished reputation, proactive transparency assists in rehabilitating relations with clients and the public.

• Print
• Comments
• Trackbacks
• Share Link

This blog has been following how requirements under the HIPAA/HITECH statutes and regulations for public disclosure of security breaches of Protected Health Information (“PHI”) have brought to light a continuing flow of breaches of PHI involving highly respected and sophisticated providers and insurers. 

The giant Henry Ford Health System (“Henry Ford” or the “health system”) in Michigan has joined the march. On November 19, 1010, Henry Ford posted on its Web site a “Required Substitute Notice” (the “Notice”) under HIPAA/HITECH. The Notice discloses that the health system has notified and apologized to “affected patients” that their information related to prostate services received between 1997 and 2008 was affected by a breach of unsecured PHI.  Henry Ford reported that it learned on September 24, 2010, that  “an employee's laptop computer storing the information was stolen from an unlocked urology medical office.” 

While no Social Security numbers, health insurance identification numbers or medical records were apparently stored on the stolen laptop, other elements of PHI were present on the laptop. To provide support for those affected by the PHI breach, as has been done by other providers and insurers, Henry Ford has responsibly offered a free year of identity monitoring, protection and remediation service to the potential victims. 

There are a number of interesting aspects of the Notice itself. The Notice states that “[u]nder federal law, health care organizations are required to notify patients within 60 days of a breach of unsecured health information.” As stated in an earlier posting on this blog, the time frame for providers and insurers to give notice to affected individuals and the U.S. Department of Health and Human Services (“HHS”) of a PHI security breach involving 500 or more individuals is “without unreasonable delay and in no case later than 60 days from discovery of a breach.”

If the PHI breach was discovered by Henry Ford on September 24, 2010, the sixtieth day would be November 23, 2010. Therefore, that part of the notification requirement was clearly satisfied. It is a factual matter, however, as to whether, under the circumstances, the notification by the health system on or about the 53^rd day met the other standard that notice was provided “without unreasonable delay.”

Another aspect of the Notice was that it did not disclose the number of affected patients. A visit today to the HHS Web site that lists breaches of unsecured PHI affecting 500 or more individuals reveals that the Henry Ford security breach is not yet posted.  Since the required time frame for the health system to notify the HHS is the same as that for notifying affected patients, the HHS Web site should soon post such information.

Perhaps one of the most concerning aspects of the security breach is the report by Henry Ford that “[w]hile the laptop was password protected, the patient information stored on the computer could potentially be viewed on the computer.” Chief Privacy Officer of Henry Ford, Meredith Phillips, was quoted as saying that, to prevent future patient information breaches, “employees will be re-educated in the steps necessary to protect patient information stored on computers.” She also stated that  “the process will be improved for how employees obtain a laptop computer for work purposes.”

Henry Ford is taking reasonable measures to forestall another similar incident. Clearly, however, current technological security protection practices, such as passwords, even if followed as in the Henry Ford case, are not sufficient to avoid a security breach. Unfortunately, re-education of employees and adding new limitations on issuance of laptops will not protect providers or insurers against negligence, rogue employees who may download PHI on their own computers,

outright thieves within or without the organization, computer hacking and a host of other threats. 

As this blog has reported earlier, the public disclosures required by HIPAA/HITECH for breaches respecting PHI make providers and insurers vulnerable to embarrassment, criticism and diminished reputation that may actually overshadow the significant legal costs and statutory consequences of the breach itself. 

To this end, providers and insurers must continue to heighten their efforts to avoid PHI security breaches as a primary objective. If they do occur, prompt, decisive and proactive action is required to maximize damage control and rehabilitate relations with clients and the public.

• Print
• Comments
• Trackbacks
• Share Link

Note: The title and substance of this blog entry has been substantially amended in response to a helpful comment by an anonymous fellow blogger. I am grateful that others are reading our blog posts and have sufficient interest in the topic to comment. To assist readers, the highly appreciated comment is set forth in full as follows:

I read your blog post, "MISSING FROM THE PARADE OF LARGE PHI SECURITY BREACHES - REASONABLY PROMPT POSTING BY THE SECRETARY OF HHS ON THE HHS WEBSITE," and wanted to let you know:

You've been looking at the wrong url. The HHS breach list has been updated frequently since June, but they moved the breach report url to here in July.

HHS never put a forward, redirect, or notice on the old url, and I've seen a number of sites, like yours, misled by the unannounced move and I've tried to let fellow bloggers know.

When you go to the new page, note that there are also csv and xml formats. Those files may, in some cases, be a bit more current than the list you see when you go to the web site.

Hope this helps.

The Breach Notification Rule in the Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH”), relating to public disclosure of security breaches of Protected Health Information (“PHI”), has continuously been bringing to light new breaches of PHI involving highly respected and sophisticated healthcare providers and insurers (generally, “covered entities”). 

The HITECH Act requires covered entities to notify, among others,  Kathleen Sibelius, Secretary (the “Secretary”), of the U.S. Department of Health and Human Services (“HHS”), respecting a PHI breach involving 500 or more individuals. The notification to the Secretary is to be made “without unreasonable delay and in no case later than 60 calendar days after the discovery of the breach of PHI. . . .” 

What is supposed to happen, however, when the Secretary receives the report of a PHI breach involving 500 or more individuals? The Website “HIPAA Survival Guide” quotes Section 13402(e)(4) of HITECH as follows:

(4) Posting on HHS Public Website.—The Secretary shall make available to the public on the Internet website of the Department of Health and Human Services a list that identifies each covered entity involved in a breach . . . in which the unsecured protected health information of more than 500 individuals is acquired or disclosed.

Unfortunately, the original URL address (the “Old URL”) for the HHS list relative to breach notification (the "List") was changed by HHS with no apparent notice in July 2010 and has not been updated since that time. From late June 2010 until the original posting of this blog entry, I was visiting the Old URL on at least a weekly basis on the assumption that HHS had simply not been updating the List on a timely basis. 

A fellow blogger advised me that HHS changed the Old URL to a new URL (the “New URL”) but never put a forward, redirect or notice on the Old URL as to the change. It would seem reasonable and relatively easy for the Secretary at a minimum to do one or more of the following to assist those who may mistakenly visit the obsolete Old URL:

(1) keep the Old URL, while prominently placing on the old URL information about the change to the New URL;

(2) close the Old URL and automatically redirect visitors to the New URL; and/or

(3) issue a press release or notice about the change from the Old URL to the New URL and post it prominently on the general HHS Website.

It is not too late for the Secretary to correct any further misunderstandings by appropriate action. If HHS is serious about encouranging compliance by covered entities, HHS should lead by example and act reasonably with respect to its own statutorily-mandated HITECH responsibilities.

• Print
• Comments
• Trackbacks
• Share Link