HIPAA, HITECH & HIT :: Fox Rothschild LLP

In the wake of the post-Omnibus Rule (the “Rule”) frenzy, it is necessary to consider some collateral effects that the Rule may have brought about with respect to compliance with HIPAA/HITECH.  The Office of Civil Rights (“OCR”) summaries of closed investigations (the “Summaries”) posted on the U.S. Department of Health and Human Services (“HHS”) list (the “HHS List”) of breaches of unsecured PHI affecting 500 or more individuals (“List Breaches”) has been a source of meaningful guidance as discussed in previous posts on this blog.  For example, the summary (the “Tennessee Summary”) for a State of Tennessee Sponsored Group Health Plan breach (the “Tennessee Breach”) continues to provide an excellent road map of pre-Omnibus Rule actions for covered entities (“CEs”) or business associates (“BAs”)  that suffer List Breaches or PHI breaches of any size.  

While the Tennessee Breach itself dealt with mishandling of paper PHI and not electronic health records, the Tennessee Summary does give direction for early intervention by affected CEs or BAs before HHS knocks on their door.  However, while there was excellent compliance in the aftermath of the Tennessee Breach, advice from pre-Rule Summaries cannot be used without carefully taking into account the new requirements respecting PHI breaches under the Rule.  As will be further discussed below, the most important new requirement in this regard is the necessity for a CE, BA or subcontractor to analyze the level of risk of compromise of the affected PHI.

The Tennessee Summary

The Tennessee Breach occurred on October 6, 2011 and involved approximately 1,770 enrollees with respect to names, addresses, birth dates and social security numbers.  According to the Tennessee Summary, an equipment operator at the state’s postal facility set the machine to insert four (4) pages per envelope instead of one (1) page per envelope, which caused the PHI of four individuals to be sent to one address per envelope.

The Tennessee Summary states that the CE did the following (with some parenthetical observations from the blog author):

1.         Retrained the equipment operator (suggesting that suspension and/or termination are not the only actions in appropriate cases with respect to dealing with employees involved with a PHI breach where rehabilitation is possible).

2.         Submitted a breach report to HHS (resulting in the posting on the HHS List).

3.         Provided notice to affected individuals.

4.         Notified the media.

5.         Created a toll-free number for information regarding the incident.

6.         Posted notice on the CE’s website.

7.         Modified policies to remove the social security number on templates for future mailings (a good policy whether paper or electronic PHI is involved).

8.         Offered identity theft protection to the affected individuals (a common decision for CEs and BAs based on the type of information that may have been compromised).

9.         Following the OCR investigation, reviewed its policies and procedures to ensure adequate safeguards are in place (with this disclosure in the Tennessee Summary, there is a suggestion that OCR continued to exercise some oversight or received reports after the investigation was finished).

The Tennessee Breach in Retrospect after the Omnibus Rule

There was no discussion in the Tennessee Summary of any analysis by the CE of the probable “risk of harm” from the Tennessee Breach under the proposed rule standards that prevailed prior to the Rule.  However, it is clear that, in the post-Rule period, a risk analysis of the probability that the PHI “has been compromised” would be necessary for the CE; failure to do such an analysis may be a violation in itself.   Under the Rule, there is a presumption that a breach of PHI has taken place unless there is a low probability that the PHI has been compromised.  The four factor analysis that would have been required of the CE in the Tennessee Breach case had it happened after the effectiveness of the Rule encompasses the following (with parenthetical comments):

(i)         Identifying the nature and extent of the PHI involved, including types of identifiers and risk of re-identification (i.e., names, addresses, birth dates and social security numbers);

(ii)        Identifying the unauthorized person(s) who impermissibly used the PHI or to whom the disclosure was made (in the case of the Tennessee Breach, subscribers to the health plan who were not individuals that had an obligation of their own to comply with HIPAA/HITECH);

(iii)       Determining whether the PHI was actually acquired or viewed or, alternatively, if only the opportunity existed for the PHI to be acquired or viewed (in the case of the Tennessee Breach, there is a likelihood that numerous recipients of the PHI or others without the right to view such PHI did in fact view it); and

(iv)       The extent to which risk to the PHI was mitigated (items 3, 4, 5, 6 and 8 above appear to be potential mitigating factors).

As stated in an earlier postings here and here, no Summary has been posted by OCR for any List Breach that occurred later than October 6, 2011. Additionally, no Summary has been posted by OCR for any List Breach involving a BA that occurred later than February 1, 2011.  While the Summaries continue to provide highly useful information for CEs, BAs and subcontractors relative to confronting PHI breaches, large and small, they must be analyzed with appropriate care and attention paid to changes brought about by the Rule.  It may be that a concern of OCR about potential confusion which could be created by publishing pre-Rule Summaries has prevented OCR from making recent postings of Summaries on the HHS List.

• Print
• Comments
• Trackbacks
• Share Link

We have written several times in this blog series about the long-awaited (some would assert long overdue) HIPAA “Mega Rule.” What was highly anticipated for the summer of 2012 has become the winter of discontent and a new year for eager HIPAA professionals. Below are ten HIPAA resolutions worth making for 2013 for anyone who has contact with protected health information (PHI), even without the benefit of the Mega Rule.  

10.       I will ask for a copy of my employer’s HIPAA Policies and Procedures.

9.         I will read them.

8.         I will compare what they say with what I do with PHI and will identify and correct discrepancies.

7.         I will not snoop through PHI of others or access or use any PHI I do not need in order to do my job.

6.         If I get PHI from or send PHI to a third party (outside my employer) as part of my job, I will find out whether my employer has a Business Associate Agreement (“BAA”) in place with that third party (or has decided one is not needed).

5.         I will learn how to encrypt (as per National Institute of Standards and Technology) PHI before I save it or send it.

4.         I will check my laptop, smartphone, or other portable device for encryption capability and make sure it is activated. I will also check for any unencrypted PHI that may be lurking on my portable device(s). I will encrypt or remove such PHI (if consistent with the HIPAA Policies and Procedures of my employer and any BAAs).

3.         I will investigate the “chain of control” of PHI before I send it to make sure it will not end up outside the jurisdiction of the United States.

2.         I will educate myself as to whether and how PHI might be de-identified and will recommend that my employer consider a policy of de-identification in accordance with guidance published by the Office of Civil Rights of the Department of Health and Human Services.

1.         Even if I’ve accomplished resolution # 4, I will not leave my laptop, smartphone or other portable device containing PHI in plain sight inside my parked car, especially while at lunch.

If everyone were to make and follow these resolutions, we all will have a Happy HIPAA New Year.

• Print
• Comments
• Trackbacks
• Share Link

A thoughtful reader commented on the recent blog post in this series that asked whether the 2012 Breach of Massachusetts Eye and Ear Infirmary (“MEEI”) should have by now been reflected in a third posting respecting MEEI on the HHS List. (Capitalized terms not otherwise defined herein shall have the meanings assigned to them in the earlier blog post.) 

The reader’s comments included the following:

I have been wondering—and this article [the blog post] continues to make me wonder—whether covered entities will be less likely to “err on the side of caution” in making breach reports, now that they see the potentially draconian consequences of making such a report. I think it’s pretty clear (and I think OCR [the Office of Civil Rights] has even said publicly) that large breach reports will trigger investigations and, as we have seen, investigations are likely to open to scrutiny all aspects of the covered entity’s HIPAA policies, practices and procedures. Seeing million dollar resolution agreements may give covered entities pause about blowing the whistle on themselves, particularly where there is room to argue whether the disclosure creates a significant risk of harm. . . .

The reader’s comments point out the importance of evaluating the risk of harm by any covered entity that experiences a PHI security breach, even if it appears not to rise to the level of a potential List Breach. I concur with the reader that more attention may be given by a covered entity in the future to make a risk analysis of the probable harm of a potential List Breach. One of the purposes will be to determine the number of involved individuals and whether the entity can reasonably conclude that a List Breach has not occurred, and, therefore, there may be no need for a List Breach report to HHS. 

The covered entity may so conclude even if it publicizes the PHI security breach, notifies “potentially affected individuals,” posts information about the breach on its Web site, engages in some “voluntary” remedial action for such potentially affected individuals, disciplines involved employees and makes improvements to its policies and procedures. Repeat marchers in the Breach Parade may be especially motivated to conclude that a List Breach has not occurred.

However, the stakes may be high for a covered entity to conclude that a List Breach has not occurred. The penalties that can flow from the potentially “draconian consequences of making such a report” to HHS can be greatly amplified if the conclusion not to report the security breach as a List Breach turns out to be erroneous. The failure to report a List Breach is a separate violation and can give rise to significant penalties. Moreover, the covered entity must consider that most states have adopted their own requirements to make timely reports to state regulators about a PHI security breach, often with different standards for reporting, and state Attorneys General can seek to enforce a failure to make a mandatory report under both state law and HIPAA.

To some observers, elements of the risk analysis of a covered entity for reporting a possible List Breach may be somewhat analogous to the considerations that exist for self-reporting by healthcare providers of potential false claims to the HHS Office of Inspector General under its voluntary disclosure program. The important difference is that voluntary disclosure is optional; reporting a PHI security breach that is a List Breach to HHS is mandatory, with potential materially adverse consequences for failure to comply.

• Print
• Comments
• Trackbacks
• Share Link

This blog series has been following breaches of Protected Health Information (“PHI”) that have been reported on the U.S. Department of Health and Human Services (“HHS”) list (the “HHS List”) of breaches of unsecured PHI affecting 500 or more individuals (the “List Breaches”). Currently HHS has posted 498 List Breaches reported by covered entities (“CEs”), of which approximately 102 (20.5%) have been reported as also involving business associates (“BAs”).  

As stated in an earlier posting in this blog series, the HHS List includes valuable guidance for CEs and BAs in the form of “brief summaries of the breach cases that OCR [the federal Office of Civil Rights] has investigated and closed. . . .” To date, the HHS List has posted approximately 96 summaries (“Summaries”) respecting the 498 current postings for CE marchers in the Breach Parade (which include some multiple postings of List Breaches where a single alleged breach by a BA caused a number of CEs to have List Breaches). Of the 96 List Breaches for which Summaries have been posted by OCR, 19 (19.8%) were reported as involving BAs.  

Unfortunately, since May 10, 2012, it would appear that only one new Summary has been posted by OCR, which relates to List Breach number 337 reported by Indiana University School of Optometry as CE. According to the OCR Summary, that List Breach affected 757 individuals and resulted in accessibility over the Internet of patient names, birth dates, medical history, diagnoses and treatment plans for the period from August 8, 2011 through September 9, 2011.  

No Summary has been posted by OCR for any List Breach that occurred later than October 6, 2011, already a year ago. Additionally, no Summary has been posted by OCR for any List Breach involving a BA that occurred later than February 1, 2011, as discussed in an earlier posting in this blog series. 

Moreover, the substantial majority of Summaries posted by OCR relate to List Breaches affecting fewer than 10,000 persons. While this Summary history may be reflective of the population of List Breaches as discussed in an earlier post in this blog series, the largest number of affected individuals for which a Summary has been posted to date is 83,000. That List Breach, which occurred on November 12, 2009 and was number 21 on the HHS List, related to unauthorized access/disclosure of paper information and was reported by Universal American in New York as the CE with Democracy Data & Communications, LLC as an involved BA. In light of the existence of complex List Breaches that reportedly affect hundreds of thousands or even millions of individuals, Summaries respecting larger List Breaches may be helpful in providing new and different insights for CEs and BAs.

There is great value in the guidance provided by the posted Summaries for educating CEs and BAs as to what OCR may deem to be significant with respect to List Breaches. OCR Summaries may provide analysis not only of the List Breaches themselves but also subsequent actions taken by the affected CEs and BAs. However, because the paucity of recent postings of Summaries can dampen their overall educational benefit, OCR is encouraged to increase the frequency, number, currentness and diversity of the Summaries posted.  

• Print
• Comments
• Trackbacks
• Share Link

A recent posting by our partner Christina Stoneburner, Esq., on the Fox Rothschild Employment Discrimination blog discussed the need by employers to limit protected health information (“PHI”) that they provide with respect to medical examinations of employees and job applicants to the least amount of medical information necessary for evaluation.  Interestingly, the focus of her posting was not disclosure under HIPAA/HITECH, or even state statutes regulating the use of PHI; it dealt with allegations that employees and job applicants had been sent for unnecessary medical examinations in violation of the Americans with Disabilities Act and the Genetic Information Nondisclosure Act. 

Christina summarizes her posting with the following:

In short, the least amount of medical information necessary to evaluate an employee is what should be provided to examiners.  For example, if you have an employee being evaluated to see if he can perform the essential functions of his job after a shoulder injury, the examining doctor should not be given the medical records relating to his planter's wart being removed.

In her discussion, Christina noted our blog series respecting large breaches and a particular recent posting by Elizabeth Litten, Esq.  Christina also mentioned that the complaint on which her posting focused had alleged, "the employer often turned over Workers' Compensation records . . . , even where those records were not relevant to the examination.”

Workers’ compensation is an area where Christina’s posting comes full circle to our blog’s focus on HIPAA;  as HIPAA directly confronts such area by making it clear that only the “minimum necessary” disclosure of PHI is permitted by covered entities without patient authorization pursuant to 45 CFR 164.512(l):

A covered entity may disclose protected health information as authorized by and to the extent necessary to comply with laws relating to workers' compensation or other similar programs, established by law, that provide benefits for work-related injuries or illness without regard to fault.

The Office of Civil Rights of the U.S. Department of Health and Human Services (“HHS”) has published further advice on how the workers’ compensation Regulation works:

Covered entities are required reasonably to limit the amount of protected health information disclosed . . . to the minimum necessary to accomplish the worker’s compensation purpose. Under this requirement, protected health information may be shared for such purposes to the full extent authorized by State or other law. 

In summary, to avoid needless and costly violations, employers and other covered entities must be constantly aware of the need to comply with multiple regulatory schemes that may govern PHI, beyond those of HIPAA and State laws governing PHI;  there is not unlimited flexibility to disclose PHI even within the context of State-governed workers’ compensation matters. When the long-anticipated “mega-regulation” regarding HIPAA/HITECH is finally published by HHS, special attention must be given to potential changes that may further tighten the “minimum necessary" standards.

• Print
• Comments
• Trackbacks
• Share Link

Attorney General Lori Swanson of Minnesota (“AG”) issued a press release reporting that Accretive Health, Inc. (“Accretive”), the defendant in an action filed by the AG in U.S. District Court alleging violations of HIPAA, HITECH, the Minnesota Health Records Act, and the Minnesota consumer protection laws, signed a Settlement Agreement, Release and Order on July 30, 2012 (“Settlement Agreement”). The Settlement Agreement recites:

[R]ecognizing that unique circumstances exist in Minnesota in light of the Attorney General’s Agreement with Minnesota charitable hospitals … Accretive Health … has decided to wind down its remaining work for Minnesota Clients …

(other than its continuation of prior technology licensing agreements). The Settlement Agreement also requires Accretive  to pay the AG nearly $2.5 million within 15 days of the Settlement Agreement’s effective date. The funds may be distributed to patients at the discretion of the AG, used for settlement administration, and/or remitted to the State Treasury.

Previous posts to this blog have reported on the AG’s action against Accretive, and on the need for entities or individuals sharing Protected Health Information (‘PHI”) to identify the roles, rights, and obligations of the parties. Michael Kline’s recent blog reported on a breach involving more than 500 individuals included on the list maintained by the U.S. Department of Health and Human Services (the “HHS List”), highlighting the summary provided by the Office of Civil Rights (“OCR”). Michael noted that the OCR summary implies that OCR expects a covered entity (“CE”) contracting with a business associate (“BA”) to verify that the BA is “not an independent” CE.  

Identifying the roles of the parties and the context in which PHI is disclosed is critical because different information-sharing standards apply depending on these roles and circumstances. For example, a business associate agreement (“BAA”) is not required for disclosures made within a CE for treatment, payment, or health care operations, nor is a BAA required for PHI to be disclosed from one CE to another CE where the recipient CE is a health care provider and the PHI is being disclosed for treatment purposes.

However, if the recipient CE is a health care provider, but is receiving the PHI as a BA (generally defined as a person or entity that performs functions or activities on behalf of another person that is a CE, which involves the use or disclosure of PHI), a BAA is required and it must, among other things, “establish the permitted and required uses and disclosures” of the PHI (though failure to execute a BAA will not absolve the BA of its responsibilities and liabilities under HIPAA and HITECH). In addition, while most uses and disclosures of PHI must be limited to the “minimum necessary,” current regulations do not restrict disclosures to or requests by a CE that is a health care provider to the “minimum necessary” when the disclosure or request is for treatment of a patient. A CE can use or disclose PHI for “payment” activities, but must comply with the “minimum necessary” standard.  If the “payment” activity involves disclosure to a consumer reporting agency, the CE may only disclose specified information (name/address, date of birth, social security number, payment history, account number, and the name and address of the CE). 

The Accretive case was triggered by an alleged PHI breach (the all-too-frequent loss of a laptop containing sensitive information about 23,500 patients treated at two hospitals that had contracted with Accretive), but the AG’s allegations were most scathing where they painted a picture of insidious and inappropriate sharing and use of PHI between hospitals and Accretive.  The AG alleged that Accretive’s “Quality and Total Cost of Care” services used “data mining,” “consumer behavior modeling,” and “propensity to pay” algorithms.  Accretive allegedly “amasse[d] and ha[d] access to a high volume of sensitive and personal information,” which it used, among other things, to create “per patient risk score” calculations, yet the hospitals’ patient authorization forms allegedly failed to disclose the scope or breadth of the PHI that the hospitals would share with Accretive.

In addition to this questionable and seemingly surreptitious “behind the scenes” PHI-sharing, Accretive staff allegedly interfaced directly with patients seeking treatment at the hospitals, often appearing to be members of the hospital’s staff.  Jessica Silver-Greenberg, reporting on the Settlement Agreement in the New York Times, describes allegations of aggressive collection tactics taken by Accretive that involved requesting payment from patients seeking emergency care. 

Whether a clear delineation of the role of Accretive as a BA and/or restriction of PHI disclosed to Accretive to the “minimum necessary” would have prevented the AG’s action is unclear. However, the Accretive case provides a good example of how the blurring of the CE and BA roles can backfire on parties that fail to sufficiently analyze and define such roles, not only at the outset of a relationship but throughout its duration and evolution.

• Print
• Comments
• Trackbacks
• Share Link

A recent post in this blog series has discussed the valuable guidance for covered entities (“CEs”) and business associates (“BAs”) that can be contained in the U.S. Department of Health and Human Services list (the “HHS List”) of breaches of unsecured PHI affecting 500 or more individuals (“List Breaches”), especially within the “brief summaries of the breach cases that OCR [the federal Office of Civil Rights] has investigated and closed. . . .” (“Summaries”). 

An example is List Breach number 265 (“LB 265”), which reported a theft of a laptop in Alaska from Trisha Elaine Cordova,  a BA of Catholic Social Services (“CSS”), the related CE, on February 1, 2011. The laptop reportedly contained approximately 493 adoption home studies affecting 1,700 individuals.  LB 265 also happens to be the most recent List Breach involving a BA for which a Summary has been provided by OCR. (As an aside, LB 265 actually appears on line 266 of a chronological schedule of List Breaches because the first line was used by HHS for column headings.)

According to the LB 265 Summary: “The protected health information involved in the breach included names, addresses, phone numbers, dates of birth, driver’s license numbers, and health information; 20% of the files contained social security numbers.”

While the PHI involved covered a broad range, there was nothing unusual about the items. What makes LB 265 Summary worthy of discussion is its final two sentences:

The covered entity did not have a business associate contract with the contractor at the time of the breach. OCR’s investigation resulted in the covered entity developing policies and procedures for obtaining business associate contracts when required by the Privacy Rule and verifying that the contractor involved was not an independent covered entity. 

The LB 265 Summary identified what OCR deems to be two related important elements of compliance with the HHS Privacy Rule when a CE contracts with another person with respect to PHI - the first of which is obvious and well-known but the second of which is more subtle and less recognized: 

1.   The requirement that a CE have a business associate agreement or contract (“BAA”) with the contractor and

2.   The need for the CE to verify in what capacity the contractor is serving with respect to the CE’s PHI, that is, whether the contractor is only a BA or is a CE as well as a BA (a “BA/CE”). 

In its LB 265 Summary, OCR is pointing out its expectation that a contractor like Ms. Cordova may be a BA with respect to the PHI of CSS, but, depending upon her status and activities with respect to such PHI, she could also be a BA/CE. Furthermore, it is viewed by OCR to be the obligation of CSS as a CE (and presumably Ms. Cordova as a BA as well) to have policies and procedures in place to verify if Ms. Cordova was a BA/CE with respect to the PHI.

Ms. Cordova was apparently provided with PHI by CSS for the purpose of conducting adoption home studies for CSS respecting applicants seeking to adopt children through the auspices of CSS. It is conceivable that the CSS PHI in Ms. Cordova’s hands could have been reformulated and processed by her in her BA activities to such an extent that she could have been a BA/CE.  

The discussion by OCR in LB 265 of the need by a CE for a BAA under the HIPAA Privacy Rule in the same sentence as the verification activity is consistent with OCR’s sentence in its “OCR Privacy Brief” section on CEs as follows: “A covered entity can be the business associate of another covered entity.”  In requiring a CE to establish policies and procedures to verify whether a BA is also a BA/CE, OCR would appear to have extended CE obligations. However, because no further comment was made on the matter by OCR in LB 265, it would appear that Ms. Cordova was not deemed to be a BA/CE.

Separate and apart from OCR’s position on verification, unless a CE (and its contractor as well) has done sufficient analysis of the status of its BA and the character of the BA’s activities, how can the CE properly draft applicable provisions of its BAA? One form of BAA does not necessarily fit all BAs, as much as CEs would like to believe. For example, if a BA of a CE is also a BA/CE with respect to specific PHI, the BA/CE has primary reporting and/or documentation obligations to HHS in the event of a privacy breach, even to the extent of a separate report to HHS for a List Breach. If a BA/CE were to fail to notify HHS of a List Breach, the BA/CE may incur significant penalties and sanctions. 

The BAA should take cognizance of whether the BA is deemed by the parties to be a BA/CE and in such case, discuss procedures and methods to confront, among other things, a List Breach, other breaches and the parties' relative investigation, documentation and reporting responsibilities under HIPAA/HITECH, and even data breach insurance. Without proper coordination, in the event of a List Breach or other breach, there can be (i) unnecessary and costly duplication of investigation efforts and evaluation of risk of harm, (ii) inappropriately inconsistent reporting of the event to affected individuals, HHS and state agencies, (iii) inconsistent statements to the media, etc. 

In summary, the OCR deems it a requirement for a CE to verify the status of its BA and the character of the BA’s activities with respect to the CE’s PHI; in turn such CE and BA and their respective counsel should use the verification process to develop provisions in the BAA. 

• Print
• Comments
• Trackbacks
• Share Link

As part of our healthcare practice, we frequently field questions from individuals from the general public about alleged violations of the HIPAA law that have affected them.  Many people have been in the unfortunate situation where they believe that their protected health information (PHI) has been compromised inappropriately, and they want to know what they can do about it.  Such individuals are often surprised and deeply disappointed to learn that the HIPAA law does not provide a "private right of action" in the event of unlawful  access, use or disclosure of PHI.  That means that under HIPAA, an individual cannot file a private lawsuit  to recover damages against a party that  allegedly improperly accessed, used or disclosed their PHI.  

Such improper disclosures, however, may violate other state or federal laws or common law rights of privacy, so that  individuals may wish to reach out to an attorney who is licensed in their state of residence to determine whether they have any specific claims, rights or remedies related to the improper access, use or disclosure.   The statute of limitations on such claims may be very short-lived, so those who wish to pursue such potential claims should do so without undue delay. 

Under HIPAA, if you feel that your PHI has been accessed, used or disclosed inappropriately, you may contact the Office of Civil Rights within the U.S. Department of Health and Human Services (HHS) to file a complaint (go to the OCR website to acquire a form that you may fill out online to file a complaint).  Additionally, each state's Attorney General is authorized to bring lawsuits under HIPAA on behalf of individuals whose medical records have been improperly disclosed, and to share any proceeds of such suits with the affected individuals.   

While it may be viewed as unfair by victims of inappropriate access, use or disclosure of PHI that they cannot sue under HIPAA themselves, they should act promptly to seek assistance of HHS or their state's Attorney General to assert what rights they do have under HIPAA.

• Print
• Comments
• Trackbacks
• Share Link

As reported in the Houston Chronicle on June 28, 2012, an unencrypted laptop computer containing data on more than 30,000 patients of the University of Texas MD Anderson Cancer Center (“MD Anderson”) was stolen from a faculty member’s home on April 30, 2012. The stolen laptop scenario has become all too familiar (this blog series has reported on the high proportion of breaches resulting from the theft or loss of laptops or other portable devices), and even the high number of patients affected pales in comparison with the roughly 5 million patients affected in the SAIC breach. 

What caught my attention was the fact that MD Anderson posted notice of the breach on its website on June 28^th, exactly 59 days after the theft took place. Pursuant to the interim final breach notification regulations, a covered entity must provide notice to affected individuals “without unreasonable delay and in no case later than 60 calendar days after discovery of the breach.”   Although an exception exists for prompt notification where a law enforcement official tells the covered entity (or business associate) that notification would impede the criminal investigation or cause damage to national security, the time required for performance of a criminal investigation is, presumably, less than 60 days. MD Anderson’s website notice gives every indication that it acted promptly and investigated thoroughly:

MD Anderson was alerted to the theft on May 1 and immediately began a thorough investigation to determine what information was contained on the laptop. After a detailed review with outside forensics experts, we have confirmed that the laptop may have contained some of our patients’ personal information, including patients’ names, medical record numbers, treatment and/or research information, and in some instances Social Security numbers.

Would patients have been better off knowing their data might have been illegally accessed prior to day 59 following the breach, or does the benefit of a thorough investigation outweigh the risk that earlier notification would have benefited patients? 

Navigant Consulting released an “Information Security and Data Breach Report” in April of this year that found that the average number of days between discovery of a breach involving medical records and disclosure was 63 days in the third quarter of 2011, compared with 65 days in the fourth quarter of 2011, an increase of 3%, despite the requirement that applicable HIPAA law requires patients to be notified “without unreasonable delay” and no later than 60 days following the breach. When analyzed in terms of the entity reporting the breach, “[h]ealthcare entities registered an 84% increase between discovery and disclosure from 51 days in Q3 to 94 days in Q4.” 

From this perspective, it seems MD Anderson did pretty well. Had the faculty member delayed his or her original notification to MD Anderson regarding the theft, however, MD Anderson might have been hard-pressed to meet the 60 day deadline. Covered entities such as MD Anderson (and business associates who provide protected health information to subcontractors) should be reminded that prompt communication and investigation is essential to meeting the “without unreasonable delay and in no case later than 60 calendar days” notification requirement, and must balance the need to get the facts straight with the need to alert affected individuals, and, where applicable, the Department of Health and Human Services and state agencies, as quickly as possible. 

• Print
• Comments
• Trackbacks
• Share Link

This blog series has been following breaches of Protected Health Information (“PHI”) that have been reported on the U.S. Department of Health and Human Services (“HHS”) list (the “HHS List”) of breaches of unsecured PHI affecting 500 or more individuals (the “List Breaches”). As reported in a recent posting, the HHS List includes guidance that covered entities (“CEs”) and business associates (“BAs”) can use in the event of a PHI security breach in the form of brief summaries (“Summaries”) of the breach cases that the federal Office of Civil Rights (“OCR”) has investigated and closed. 

On June 26, 2012, HHS and OCR reported in a press release (the “Press Release”) that Alaska Department of Health and Social Services, the state Medicaid agency (“Alaska Medicaid”), had agreed to pay HHS $1.7 million with respect to a resolution of possible violations of HIPAA, which included the compromising of PHI of 501 affected individuals by means of a theft that occurred on October 12, 2009 of an “Other Portable Electronic Device” (the “2009 Breach”).  Alaska Medicaid has also agreed, among other things, to take corrective action to properly safeguard the PHI of Medicaid beneficiaries. An official statement by Alaska Medicaid Commissioner Bill Streur relating to the resolution with HHS of the 2009 Breach is posted on the Alaska Medicaid Web site.

While the Alaska Medicaid resolution has not yet been reported in a Summary on the HHS List, visiting the HHS List reveals that the 2009 Breach was originally posted by HHS in the very first batch of List Breaches on February 22, 2010. What is also interesting is that Alaska Medicaid had a later separate List Breach, reportedly involving the compromising of PHI of approximately 2,000 affected individuals by means of a theft on September 7, 2010 of an “Other Portable Electronic Device” (the “2010 Breach”). The 2010 Breach was reported as involving Alaskan AIDS Assistance Association as a BA.

However, it is difficult to identify readily that the 2009 Breach and the 2010 Breach involved the same CE, Alaska Medicaid. The 2009 Breach is alphabetically indexed under “Alaska Department of Health and Social Services,” while the 2010 Breach is indexed under “State of Alaska, Department of Health and Social Services.” It would be helpful for HHS to endeavor to use CE and BA names consistently to assist in analysis by those visiting the HHS List.

The Press Release of HHS regarding the 2009 Breach quotes OCR Director Leon Rodriguez: “This is OCR’s first HIPAA enforcement action against a state agency and we expect organizations to comply with their obligations under these rules regardless of whether they are private or public entities.”

It commendable that OCR enforces compliance with HIPAA against private and public entities with the same vigor. Query, however, to what extent is it wise for HHS to exact a $1.7 million payment from Alaska Medicaid? Alaska Medicaid oversees a program to provide medical care to the indigent in Alaska, a program that is funded by the taxpayers of Alaska and the U.S. In almost all states, Medicaid programs are financially embattled and under severe economic and political stress. The large payment by Alaska Medicaid to HHS is an enforced shifting by a state agency of “other people’s money” to HHS that may have to be replaced by increased taxes or reductions in future benefits for Alaskan indigents.

This blog series will continue to review various of the OCR Summaries and resolutions to give guidance to CEs and BAs.  We will also monitor future developments with respect to the 2010 Breach.

• Print
• Comments
• Trackbacks
• Share Link

This blog series has been following breaches of Protected Health Information (“PHI”) that have been reported on the U.S. Department of Health and Human Services (“HHS”) list (the “HHS List”) of breaches of unsecured PHI affecting 500 or more individuals (the “List Breaches”). Currently HHS has posted 435 List Breaches affecting marchers in the ever-lengthening parade, although the number of marchers has remained unchanged for several weeks.

The most recent posting on this blog series by my partner Elizabeth Litten, Esq., discussed a recent presentation by Linda Sanches, Office of Civil Rights ("OCR") Senior Advisor and the lead on HIPAA Compliance Audits, on the progress of the 2012 HIPAA Privacy and Security Audit Program.  As pointed out in the earlier posting, the presentation by Ms. Sanches included some general tips that covered entities (“CEs”) and business associates ("BAs") can use to reduce the likelihood of HIPAA violations, one of which is PHI security breaches.

The HHS List includes additional focused guidance from OCR that CEs and BAs can use in efforts to avoid, or in the event of, a PHI security breach (even if it does not rise to the level of a List Breach) in the form of  brief summaries of the breach cases that OCR has investigated and closed. To date, the HHS List has posted approximately 93 summaries (“Summaries”) out of the 435 postings respecting marchers in the Breach Parade (which include some multiple postings of List Breaches where an alleged breach by one BA caused a number of CEs to have List Breaches). Of the 93 List Breaches for which Summaries have been prepared by OCR, 18 (approximately 20%) were reported as involving BAs.  

These Summaries can provide valuable clues for CEs and BAs on how to deal with a HIPAA security breach. One example is contained in a Summary respecting a List Breach reported on January 29, 2010 by Thrivent Financial for Lutherans (“Thrivent”) in Wisconsin. The List Breach, which did not report an involved BA, related to a theft of laptops that contained the PHI of approximately 9,400 individuals. (The original report by Thrivent had stated that approximately 9,500 individuals had been affected.) The OCR Summary included the following statement:

The protected health information involved in the breach included name, address, date of birth, social security number, prescription drugs, medical condition, age, weight, etc. Thrivent provided OCR with additional controls to remedy causes of security breach at various stages of implementation. The actions taken by the CE prior to OCR’s formal investigation brought the CE into compliance.

OCR clearly viewed it as noteworthy and commendable that Thrivent had voluntarily taken necessary steps for compliance before OCR conducted its investigation. That should be an alert for those who suffer HIPAA breaches that all appropriate and reasonable remedial measures should be undertaken promptly to demonstrate and document compliance before OCR comes knocking on the door of the CE. This blog series will continue to review various of the OCR Summaries as to guidance that they may contain respecting PHI security breaches.

• Print
• Comments
• Trackbacks
• Share Link

At the risk of killing (or at least maiming) the “Breach Parade” metaphor we have used in this blog series by over-stretching it, I wanted to write about two tools being used by the federal Office of Civil Rights (“OCR”) and  individual State Attorneys General (“SAGs”) to deter and catch HIPAA privacy and security breaches that remind me of the red light cameras designed to deter and catch traffic violations. 

If a Covered Entity (“CE”) or Business Associate (“BA”) has already experienced a breach of Protected Health Information (“PHI”), it has probably already taken (or has been required by regulators to take) steps to prevent future breaches. However, all CEs and BAs should be aware of the tools available to the federal and state governments to check HIPAA compliance, investigate potential breaches, and bring enforcement actions for a variety of HIPAA violations, including, but not limited to, PHI breaches. 

Linda Sanches, OCR Senior Advisor and the lead on HIPAA Compliance Audits, recently presented on the progress of an OCR tool, the 2012 HIPAA Privacy and Security Audit Program (the “Audit Program”) being conducted for OCR by KPMG, Inc.  One stated objective of the Audit Program is to “[e]ncourage renewed attention to compliance activities.” The Audit Program is being conducted utilizing Generally Accepted Government Auditing Standards (aka “Yellow Book Standards”).

While OCR states that the Audit Program is not meant to be “punitive,” it also notes that the Audit Program currently being conducted will “feed into decisions” related to future audits. OCR lists “Non-Compliance Risks” as including loss of contracts, criminal and civil investigation, federal penalties and state fines, public harm and reputational risk, legal costs, and costs of notification.  

In particular, three of the tips to avoid the consequences of joining the marchers in the Breach Parade that were listed on the last slide of Ms. Sanches’ presentation, struck me as particularly noteworthy for their obviousness and simplicity:

1)  Determine your various lines of business that are affected by HIPAA.

2)  Map/Flow PHI movement within your organization, as well as flows to/from third parties.

3)  Find all of your PHI.

Yes, if you are a CE or BA and don’t know where your PHI resides or travels, you may have already joined the Breach Parade without even realizing it. 

As another enforcement tool, OCR has published guidance for SAGs looking to investigate HIPAA violations and drum up revenue for the states and individuals affected by the violations. CEs and BAs can view this guidance and see how states can investigate and prosecute potential HIPAA violations, as well as how OCR and SAGs can estimate the daunting potential penalties that may be imposed:

SAG Penalty Estimate

Amount of penalty = [number of violations] X [up to $100] per violation; and

A SAG may obtain damages as high as $100 per violation and up to $25,000 for violations of the same requirement in a calendar year.

OCR Penalty Estimate

OCR may collect civil money penalties of up to $50,000 per violation, depending on the level of culpability; and

Attorneys 13

The calendar year OCR maximum is $1.5 million, for a single CE, for violation of identical provisions.

One example of HIPAA violations, which did not involve a PHI security breach, worthy of SAG prosecution involves a pharmacy’s

disclosure of the PHI of 1,500 customers to a business associate, which the pharmacy paid to make a treatment communication on its behalf. The pharmacy did not limit the PHI it disclosed to the minimum necessary, and did not include the required information about this practice in its notice of privacy practices that the pharmacy distributed to all 1,500 customers.

The unfortunate pharmacy in this example is described as having otherwise compliant HIPAA policies and procedures, but is subject to a state penalty of $50,000 and an OCR penalty of up to $3 million.

The astronomical penalties that are potentially assessable by OCR and SAGs for HIPAA violations should act as a red light or at least a bright amber light of caution to those who may already be approaching or on the road to HIPAA violations. All CEs and BAs should heed the OCR warnings and guidelines before they become new unwilling marchers in the Breach Parade.

• Print
• Comments
• Trackbacks
• Share Link