On February 7, 2013, our partner Keith McMurdy, Esq., posted an excellent entry on the Employee Benefits Blog of Fox Rothschild LLP that merits republishing for our readers as well. The post outlines some direct effects of the new HIPAA Omnibus Rule on employers and their health plans. 

Keith McMurdy writes as follows:

On January 25, the new (final?) rules about HIPAA Privacy under the HITECH Act were issued in the Federal Register.  While the effect of the new rules may not be to substantially change the way HIPAA privacy is viewed, there are a number of action items for employers as plan sponsors that have to be accomplished when these rules go into effect.

There are two pieces of good news.  The first is that the general purpose of compliance remains the same.  Plan sponsors have to ensure PHI is properly protected, refrain from impermissible disclosures and provide notices of security breaches.  The second is that the earliest possible deadline for compliance with the new rules is September 23, 2013, so there is some time to prepare.  But it is not a bad idea to start preparing now.  So let's consider the key changes.

1. Tougher Security Breach Notification Standard

Under the old rule, the standard for notification to participants of a security breach was only necessary if the release of information "posed a significant risk of financial, reputational or other harm" to a covered person.  Now, that standard is tightened to apply to ANY security breach unless the plan sponsor can prove "a low probability that the [PHI] has been compromised based on a risk assessment."  This should encourage plan sponsors to tighten their security breach protections because any release, even things like accidental e-mails, can potentially become reportable events.  So the first step in compliance would be to review security standards and document steps taken to avoid security breaches.

2. Tougher Standards for Business Associates Agreements

Because the new rule provides for penalties to a covered entity for breaches by business associates, the default position is that plan sponsors should be much more concerned about how compliant their business associates really are.  Where in the past, plan sponsors may have felt comfortable simply handing off certain protection functions to service providers, the new rule makes it pretty clear that plan sponsors have to actually know that their business associates are HIPAA compliant and diligently seek to confirm that compliance.

3.  New Privacy Notices for 2013 Open Enrollment

The new rule also requires that plan sponsors add or amend their privacy notices:

1. The notice must specifically state that the covered health plans are required to obtain plan participants' authorization to use or disclose psychotherapy notes, to use PHI for marketing purposes, to sell PHI, or to use or disclose PHI for any purpose not described in the notice as well as a statement explaining how plan participants may revoke an authorization.
2. The notices must state that the plans (other than a long-term care plan) are prohibited from using PHI that is genetic information for underwriting purposes
3. The notice must inform plan participants of their right to receive a notice when there is a breach of their unsecured PHI.

The new rules makes it clear that since this new language is a "material change," plan sponsors are required to distribute this revised notice, even if they had just recently sent the old notice. 

4. Genetic Information and the GINA Notice

The Genetic Information Non-Discrimination Act of 2008 (GINA) prohibits discrimination based on genetic information.  The HIPAA Privacy Rule now similarly prohibits HIPAA-covered plans from taking genetic information into consideration when offering incentives or discounts through a health risk assessment.  Because this modification of the Privacy Rule materially affects how a plan may use PHI, the HIPAA Privacy Rule requires that plan participants be informed in the plan's privacy notice of the prohibition on the use of PHI for underwriting purposes.  See the second item under Part 3, above.

So in the midst of our struggles to comply with PPACA, plan sponsors should not forget about HIPAA medical privacy concerns.  Start pulling together privacy notices, business associates agreements and plan documents for review and amendment.  Review your security practices to avoid even accidental breaches.  And be prepared to issue new notices as necessary for your next open enrollment.  For more detailed information about HIPAA and HITECH Compliance, please make sure to check out our HIPAA Blog as well.  More information means better compliance, which is always a good thing.

• Print
• Comments
• Trackbacks
• Share Link

In the wake of the post-Omnibus Rule (the “Rule”) frenzy, it is necessary to consider some collateral effects that the Rule may have brought about with respect to compliance with HIPAA/HITECH.  The Office of Civil Rights (“OCR”) summaries of closed investigations (the “Summaries”) posted on the U.S. Department of Health and Human Services (“HHS”) list (the “HHS List”) of breaches of unsecured PHI affecting 500 or more individuals (“List Breaches”) has been a source of meaningful guidance as discussed in previous posts on this blog.  For example, the summary (the “Tennessee Summary”) for a State of Tennessee Sponsored Group Health Plan breach (the “Tennessee Breach”) continues to provide an excellent road map of pre-Omnibus Rule actions for covered entities (“CEs”) or business associates (“BAs”)  that suffer List Breaches or PHI breaches of any size.  

While the Tennessee Breach itself dealt with mishandling of paper PHI and not electronic health records, the Tennessee Summary does give direction for early intervention by affected CEs or BAs before HHS knocks on their door.  However, while there was excellent compliance in the aftermath of the Tennessee Breach, advice from pre-Rule Summaries cannot be used without carefully taking into account the new requirements respecting PHI breaches under the Rule.  As will be further discussed below, the most important new requirement in this regard is the necessity for a CE, BA or subcontractor to analyze the level of risk of compromise of the affected PHI.

The Tennessee Summary

The Tennessee Breach occurred on October 6, 2011 and involved approximately 1,770 enrollees with respect to names, addresses, birth dates and social security numbers.  According to the Tennessee Summary, an equipment operator at the state’s postal facility set the machine to insert four (4) pages per envelope instead of one (1) page per envelope, which caused the PHI of four individuals to be sent to one address per envelope.

The Tennessee Summary states that the CE did the following (with some parenthetical observations from the blog author):

1.         Retrained the equipment operator (suggesting that suspension and/or termination are not the only actions in appropriate cases with respect to dealing with employees involved with a PHI breach where rehabilitation is possible).

2.         Submitted a breach report to HHS (resulting in the posting on the HHS List).

3.         Provided notice to affected individuals.

4.         Notified the media.

5.         Created a toll-free number for information regarding the incident.

6.         Posted notice on the CE’s website.

7.         Modified policies to remove the social security number on templates for future mailings (a good policy whether paper or electronic PHI is involved).

8.         Offered identity theft protection to the affected individuals (a common decision for CEs and BAs based on the type of information that may have been compromised).

9.         Following the OCR investigation, reviewed its policies and procedures to ensure adequate safeguards are in place (with this disclosure in the Tennessee Summary, there is a suggestion that OCR continued to exercise some oversight or received reports after the investigation was finished).

The Tennessee Breach in Retrospect after the Omnibus Rule

There was no discussion in the Tennessee Summary of any analysis by the CE of the probable “risk of harm” from the Tennessee Breach under the proposed rule standards that prevailed prior to the Rule.  However, it is clear that, in the post-Rule period, a risk analysis of the probability that the PHI “has been compromised” would be necessary for the CE; failure to do such an analysis may be a violation in itself.   Under the Rule, there is a presumption that a breach of PHI has taken place unless there is a low probability that the PHI has been compromised.  The four factor analysis that would have been required of the CE in the Tennessee Breach case had it happened after the effectiveness of the Rule encompasses the following (with parenthetical comments):

(i)         Identifying the nature and extent of the PHI involved, including types of identifiers and risk of re-identification (i.e., names, addresses, birth dates and social security numbers);

(ii)        Identifying the unauthorized person(s) who impermissibly used the PHI or to whom the disclosure was made (in the case of the Tennessee Breach, subscribers to the health plan who were not individuals that had an obligation of their own to comply with HIPAA/HITECH);

(iii)       Determining whether the PHI was actually acquired or viewed or, alternatively, if only the opportunity existed for the PHI to be acquired or viewed (in the case of the Tennessee Breach, there is a likelihood that numerous recipients of the PHI or others without the right to view such PHI did in fact view it); and

(iv)       The extent to which risk to the PHI was mitigated (items 3, 4, 5, 6 and 8 above appear to be potential mitigating factors).

As stated in an earlier postings here and here, no Summary has been posted by OCR for any List Breach that occurred later than October 6, 2011. Additionally, no Summary has been posted by OCR for any List Breach involving a BA that occurred later than February 1, 2011.  While the Summaries continue to provide highly useful information for CEs, BAs and subcontractors relative to confronting PHI breaches, large and small, they must be analyzed with appropriate care and attention paid to changes brought about by the Rule.  It may be that a concern of OCR about potential confusion which could be created by publishing pre-Rule Summaries has prevented OCR from making recent postings of Summaries on the HHS List.

• Print
• Comments
• Trackbacks
• Share Link

The recent release of the HIPAA/HITECH “mega rule” or “omnibus rule” has given bloggers and lawyers like us plenty of topics for analysis and debate, as well as some tools with which to prod covered entities, business associates and subcontractors to put HIPAA/HITECH-compliant Business Associate Agreements (“BAAs”) in place. It’s also a reminder to read BAAs that are already in place, and to make sure the provisions accurately describe how and why protected health information (“PHI”) is to be created, received, maintained, and/or transmitted. 

If you are an entity that participates in the Medicare Shared Savings Program as a Medicare Accountable Care Organization (“ACO”), your ability to access patient data from Medicare depends on your having signed the CMS Data Use Agreement (the “Data Use Agreement”). Just as covered entities, business associates, and subcontractors should read and fully understand their BAAs, Medicare ACOs should make sure they are aware of several Data Use Agreement provisions that are more stringent than provisions typically included in a BAA and that may come as a surprise. Here are ten provisions from the Data Use Agreement worth reviewing, whether you are a Medicare ACO or any other business associate or subcontractor, as these may very well resurface in some form in the “Super BAA” of the future:

1.         CMS (the covered entity) retains ownership rights in the patient data furnished to the ACO.

2.         The ACO may only use the patient data for the purposes enumerated in the Data Use Agreement.

3.         The ACO may not grant access to the patient data except as authorized by CMS.

4.         The ACO agrees that, within the ACO and its agents, access to patient data will be limited to the minimum amount of data and minimum number of individuals necessary to achieve the stated purposes.

5.         The ACO will only retain the patient data (and any derivative data) for one year or until 30 days after the purpose specified in the Data Use Agreement is completed, whichever is earlier, and the ACO must destroy the data and send written certification of the destruction to CMS within 30 days.

6.         The ACO must establish administrative, technical, and physical safeguards that meet or exceed standards established by the Office of Management and Budget and the National Institute of Standards and Technology.

7.         The ACO acknowledges that it is prohibited from using unsecured telecommunications, including the Internet, to transmit individually identifiable, bidder identifiable or deducible information derived from the patient files. 

8.         The ACO agrees not to disclose any information derived from the patient data, even if the information does not include direct identifiers, if the information can, by itself or in combination with other data, be used to deduce an individual’s identity.

9.         The ACO agrees to abide by CMS’s cell size suppression policy (which stipulates that no cell of 10 or less may be displayed).

And last, but certainly not least:

10.       The ACO agrees to report to CMS any breach of personally identifiable information from the CMS data file(s), loss of these data, or disclosure to an unauthorized person by telephone or email within one hour.

While the undertakings of a Medicare ACO and the terminology in the Data Use Agreement for protection of patient data may differ from those of covered entities, business associates and subcontractors and their BAAs under the HIPAA/HITECH regulations, they have many striking similarities and purposes. 

• Print
• Comments
• Trackbacks
• Share Link

This blog series has been following breaches of Protected Health Information (“PHI”) that have been reported on the U.S. Department of Health and Human Services (“HHS”) ever-lengthening parade list (the “HHS List”) of breaches of unsecured PHI affecting 500 or more individuals (the “List Breaches”). As of January 1, 2013 (and as of today), there were 525 postings of List Breaches.

A previous blog post reported that, on February 24, 2012, HHS listed the 400th List Breach. As the first postings on the HHS List occurred on March 4, 2010, an average of about 200 postings of List Breaches were recorded in each of its first two years. However, in the 10-plus months between February 24, 2012 and January 1, 2013, 125 additional List Breaches were posted, which on an annualized twelve month period basis would translate into 150 List Breaches. It is not yet clear whether the lower volume of List Breaches since February 2012 is attributable to increased caution and better practices in protecting PHI on the part of covered entities (“CEs”) and business associates (“BAs”), greater use of encryption and other practices to protect PHI, slower postings of List Breaches by HHS, other factors or a combination thereof.

Of the total of 525 List Breaches posted through January 1, 2013, there were approximately 274 (52.2%) events shat attributed the type of breach to involve “theft” of all kinds, including laptops, other portable electronic devices, desktop computers, network servers, paper records and others. If the 60 additional List Breaches listing the category of “loss” of all types is added to the 274 “theft” events, the total for the two categories swells to approximately 334 or 63.6% of the 525 posted List Breaches. Combining the two categories appears to make some sense since it is likely that a number of the List Breaches categorized as a “loss” event may have involved some theft aspects.

Even more revealing may be the fact that approximately 193 (36.8%) of the 525 List Breaches listed the cause or partial cause of the breach to be “theft” or “loss” respecting laptops or other portable electronic devices.  Theft or loss of laptops or other portable electronic devices thus constituted 51.6% of the 334 List Breaches that involved reported theft or loss. 

Over the last 10 months since the number of List Breaches passed 400, it appears that the relative percentage of List Breaches attributable to theft and loss is trending mildly upward. Of the 125 additional reported List Breaches, approximately 86 or 68.8% listed theft or loss as the source of the PHI breach. The number of such 125 List Breaches that reported theft or loss of laptops or other portable electronic devices was 37 or 29.6%, a lower percentage than the 36.8% for all 525 List Breaches.  The sample sizes are relatively small, so that further following of these numbers is warranted.

My partner, William Maruca, Esq., recently posted a blog entry highlighting the fact that the first breach settlement announcement by HHS in 2013 (the “2013 Settlement”) involved a $50,000 fine based on theft of a laptop containing 441 patients’ unencrypted data. It was the first fine by HHS for a PHI security breach that involved fewer than 500 individuals and, therefore, was below the threshold for a List Breach. 

While the parade of List Breaches continues to lengthen, the 2013 Settlement underscores the fact that there are many more PHI security breaches involving fewer than 500 individuals. The PHI security breaches that are not List Breaches are receiving increased scrutiny by HHS. As this blog series has emphasized in the past, it may become more a question of when a CE or BA will suffer a PHI security breach and how severe the breach will be, rather than if it will suffer a breach. All CEs and BAs must exercise vigilance and use recommended protection procedures to avoid all PHI security breaches, not just large List Breaches. The continuing proliferation of the use of portable electronic devices to receive, access and store PHI should be monitored, as it can be expected that this type of security breach will continue to expand.

• Print
• Comments
• Trackbacks
• Share Link

We have written several times in this blog series about the long-awaited (some would assert long overdue) HIPAA “Mega Rule.” What was highly anticipated for the summer of 2012 has become the winter of discontent and a new year for eager HIPAA professionals. Below are ten HIPAA resolutions worth making for 2013 for anyone who has contact with protected health information (PHI), even without the benefit of the Mega Rule.  

10.       I will ask for a copy of my employer’s HIPAA Policies and Procedures.

9.         I will read them.

8.         I will compare what they say with what I do with PHI and will identify and correct discrepancies.

7.         I will not snoop through PHI of others or access or use any PHI I do not need in order to do my job.

6.         If I get PHI from or send PHI to a third party (outside my employer) as part of my job, I will find out whether my employer has a Business Associate Agreement (“BAA”) in place with that third party (or has decided one is not needed).

5.         I will learn how to encrypt (as per National Institute of Standards and Technology) PHI before I save it or send it.

4.         I will check my laptop, smartphone, or other portable device for encryption capability and make sure it is activated. I will also check for any unencrypted PHI that may be lurking on my portable device(s). I will encrypt or remove such PHI (if consistent with the HIPAA Policies and Procedures of my employer and any BAAs).

3.         I will investigate the “chain of control” of PHI before I send it to make sure it will not end up outside the jurisdiction of the United States.

2.         I will educate myself as to whether and how PHI might be de-identified and will recommend that my employer consider a policy of de-identification in accordance with guidance published by the Office of Civil Rights of the Department of Health and Human Services.

1.         Even if I’ve accomplished resolution # 4, I will not leave my laptop, smartphone or other portable device containing PHI in plain sight inside my parked car, especially while at lunch.

If everyone were to make and follow these resolutions, we all will have a Happy HIPAA New Year.

• Print
• Comments
• Trackbacks
• Share Link

Elizabeth Litten and Michael Kline write:

We have posted several blogs, including those here and here, tracking the reported 2011 theft of computer tapes from the car of an employee of Science Applications International Corporation (“SAIC”) that contained the protected health information (“PHI”) affecting approximately 5 million military clinic and hospital patients (the “SAIC Breach”).  SAIC’s recent Motion to Dismiss (the “Motion”) the Consolidated Amended Complaint filed in federal court in Florida as a putative class action (the “SAIC Class Action”) highlights the gaps between an incident (like a theft) involving PHI, a determination that a breach of PHI has occurred, and the realization of harm resulting from the breach. SAIC’s Motion emphasizes this gap between the incident and the realization of harm, making it appear like a chasm so wide it practically swallows the breach into oblivion. 

SAIC, a giant publicly-held government contractor that provides information technology (“IT”) management and, ironically, cyber security services, was engaged to provide IT management services to TRICARE Management Activity, a component of TRICARE, the military health plan (“TRICARE”) for active duty service members working for the U.S. Department of Defense (“DoD”).  SAIC employees had been contracted to transport backup tapes containing TRICARE members’ PHI from one location to another.

According to the original statement published in late September of 2011 ( the “TRICARE/SAIC Statement”) the PHI “may include Social Security numbers, addresses and phone numbers, and some personal health data such as clinical notes, laboratory tests and prescriptions.” However, the TRICARE/SAIC Statement said that there was no financial data, such as credit card or bank account information, on the backup tapes. Note 17 to the audited financial statements (“Note 17”) contained in the SAIC Annual Report on Form 10-K for the fiscal year ended January 31, 2012, dated March 27, 2012 (the “2012 Form 10-K”), filed with the Securities and Exchange Commission (the “SEC”) includes the following:

There is no evidence that any of the data on the backup tapes has actually been accessed or viewed by an unauthorized person. In order for an unauthorized person to access or view the data on the backup tapes, it would require knowledge of and access to specific hardware and software and knowledge of the system and data structure.  The Company [SAIC] has notified potentially impacted persons by letter and is offering one year of credit monitoring services to those who request these services and in certain circumstances, one year of identity restoration services.

While the TRICARE/SAIC Statement contained similar language to that quoted above from Note 17, the earlier TRICARE/SAIC Statement also said, “The risk of harm to patients is judged to be low despite the data elements . . . .” Because Note 17 does not contain such “risk of harm” language, it would appear that (i) there may have been a change in the assessment of risk by SAIC six months after the SAIC Breach or (ii) SAIC did not want to state such a judgment in an SEC filing.

Note 17 also discloses that SAIC has reflected a $10 million loss provision in its financial statements relating to the  SAIC Class Action and various other putative class actions respecting the SAIC Breach filed between October 2011 and March 2012 (for a total of seven such actions filed in four different federal District Courts).  In Note 17 SAIC states that the $10 million loss provision represents the “low end” of SAIC’s estimated loss and is the amount of SAIC’s deductible under insurance covering judgments or settlements and defense costs of litigation respecting the SAIC Breach.  SAIC expresses the belief in Note 17 that any loss experienced in excess of the $10 million loss provision would not exceed the insurance coverage.  

Such insurance coverage would, however, likely not be available for any civil monetary penalties or counsel fees that may result from the current investigation of the SAIC Breach being conducted by the Office of Civil Rights of the Department of Health and Human Services (“HHS”) as described in Note 17.

Initially, SAIC did not deem it necessary to offer credit monitoring to the almost 5 million reportedly affected individuals. However, SAIC urged anyone suspecting they had been affected to contact the Federal Trade Commission’s identity theft website. Approximately 6 weeks later, the DoD issued a press release stating that TRICARE had “directed” SAIC to take a “proactive” response by covering a year of free credit monitoring and restoration services for any patients expressing “concern about their credit as a result of the data breach.”   The cost of such a proactive response easily can run into millions of dollars in the SAIC Breach. It is unclear the extent, if any, to which insurance coverage would be available to cover the cost of the proactive response mandated by the DoD, even if the credit monitoring, restoration services and other remedial activities of SAIC were to become part of a judgment or settlement in the putative class actions.

We have blogged about what constitutes an impermissible acquisition, access, use or disclosure of unsecured PHI that poses a “significant risk” of “financial, reputational, or other harm to the individual” amounting to a reportable HIPAA breach, and when that “significant risk” develops into harm that may create claims for damages by affected individuals. Our partner William Maruca, Esq., artfully borrows a phrase from former Defense Secretary Donald Rumsfeld in discussing a recent disappearance of unencrypted backup tapes reported by Women and Infants Hospital in Rhode Island. If one knows PHI has disappeared, but doubts it can be accessed or used (due to the specialized equipment and expertise required to access or use the PHI), there is a “known unknown” that complicates the analysis as to whether a breach has occurred. 

As we await publication of the “mega” HIPAA/HITECH regulations, continued tracking of the SAIC Breach and ensuing class action litigation (as well as SAIC’s SEC filings and other government filings and reports on the HHS list of large PHI security breaches) provides some insights as to how covered entities and business associates respond to incidents involving the loss or theft of, or possible access to, PHI.   If a covered entity or business associate concludes that the incident poses a “significant risk” of harm, but no harm actually materializes, perhaps (as the SAIC Motion repeatedly asserts) claims for damages are inappropriate. When the covered entity or business associate takes a “proactive” approach in responding to what it has determined to be a “significant risk” (such as by offering credit monitoring and restoration services), perhaps the risk becomes less significant. But once the incident (a/k/a, the ubiquitous laptop or computer tape theft from an employee’s car) has been deemed a breach, the chasm between incident and harm seems to open wide enough to encompass a mind-boggling number of privacy and security violation claims and issues.

• Print
• Comments
• Trackbacks
• Share Link

A thoughtful reader commented on the recent blog post in this series that asked whether the 2012 Breach of Massachusetts Eye and Ear Infirmary (“MEEI”) should have by now been reflected in a third posting respecting MEEI on the HHS List. (Capitalized terms not otherwise defined herein shall have the meanings assigned to them in the earlier blog post.) 

The reader’s comments included the following:

I have been wondering—and this article [the blog post] continues to make me wonder—whether covered entities will be less likely to “err on the side of caution” in making breach reports, now that they see the potentially draconian consequences of making such a report. I think it’s pretty clear (and I think OCR [the Office of Civil Rights] has even said publicly) that large breach reports will trigger investigations and, as we have seen, investigations are likely to open to scrutiny all aspects of the covered entity’s HIPAA policies, practices and procedures. Seeing million dollar resolution agreements may give covered entities pause about blowing the whistle on themselves, particularly where there is room to argue whether the disclosure creates a significant risk of harm. . . .

The reader’s comments point out the importance of evaluating the risk of harm by any covered entity that experiences a PHI security breach, even if it appears not to rise to the level of a potential List Breach. I concur with the reader that more attention may be given by a covered entity in the future to make a risk analysis of the probable harm of a potential List Breach. One of the purposes will be to determine the number of involved individuals and whether the entity can reasonably conclude that a List Breach has not occurred, and, therefore, there may be no need for a List Breach report to HHS. 

The covered entity may so conclude even if it publicizes the PHI security breach, notifies “potentially affected individuals,” posts information about the breach on its Web site, engages in some “voluntary” remedial action for such potentially affected individuals, disciplines involved employees and makes improvements to its policies and procedures. Repeat marchers in the Breach Parade may be especially motivated to conclude that a List Breach has not occurred.

However, the stakes may be high for a covered entity to conclude that a List Breach has not occurred. The penalties that can flow from the potentially “draconian consequences of making such a report” to HHS can be greatly amplified if the conclusion not to report the security breach as a List Breach turns out to be erroneous. The failure to report a List Breach is a separate violation and can give rise to significant penalties. Moreover, the covered entity must consider that most states have adopted their own requirements to make timely reports to state regulators about a PHI security breach, often with different standards for reporting, and state Attorneys General can seek to enforce a failure to make a mandatory report under both state law and HIPAA.

To some observers, elements of the risk analysis of a covered entity for reporting a possible List Breach may be somewhat analogous to the considerations that exist for self-reporting by healthcare providers of potential false claims to the HHS Office of Inspector General under its voluntary disclosure program. The important difference is that voluntary disclosure is optional; reporting a PHI security breach that is a List Breach to HHS is mandatory, with potential materially adverse consequences for failure to comply.

• Print
• Comments
• Trackbacks
• Share Link

Much has been written about the circumstances surrounding the agreement of Massachusetts Eye and Ear Infirmary (“MEEI”) to pay the U.S. Department of Health and Human Services (“HHS”) the sum of $1.5 million to settle potential violations involving an alleged security breach (the “2010 Breach”) of Protected Health Information (“PHI”) under HIPAA. However, relatively little has been written that the 2010 Breach was the second of what may be three significant PHI breaches experienced by MEEI within the last three years. 

This blog series has been following breaches of PHI that have been reported on the HHS list (the “HHS List”) of breaches of unsecured PHI affecting 500 or more individuals (the “List Breaches”). Currently HHS has posted 502 List Breaches. The first List Breach posted for MEEI on the HHS List (the “2009 Breach”) was reported to have occurred by reason of a theft on November 10, 2009 that was said to have affected 1,076 individuals. 

The 2010 Breach was reported to have occurred on February 19, 2010, only slightly more than three months after the 2009 Breach. According to the HHS List, it affected 3,621 individuals. A statement from MEEI on its Web site reports that HHS review of the 2010 Breach was “triggered by the hospital’s proactive self-reporting of a doctor’s unencrypted laptop being stolen while he was traveling abroad in 2010.”  MEEI further stated that it “has no indication that any patients were harmed by this isolated incident.” Query: How “isolated” was the incident in view of the fact that the 2010 Breach occurred soon after the 2009 Breach?

Potential entries in the PHI Breach Parade did not end for MEEI, however, with the 2010 Breach. On April 16, 2012, during a time that MEEI was likely to have been heavily negotiating with HHS about the $1.5 million payment, MEEI posted the following statement on its Web site (the “2012 Statement”), about which relatively little was reported in the media:

On March 5, 2012, the Quincy, Massachusetts, Police Department informed [MEEI] that they were investigating a [MEEI] employee for inappropriately using the names, Social Security numbers and dates of birth of certain individuals, some of whom were believed to be MEEI patients. . . .

While [MEEI] is only aware of four individuals whose personal information was actually misused, as a precaution we are notifying, by mail,  approximately 3,600 patients whose Social Security numbers were available to the former employee in the course of performing her assigned duties.

The 2012 Statement went on to say that MEEI will “provide one year of free credit monitoring to potentially affected individuals to protect them against possible harm resulting from this incident.”  [Emphasis supplied.]

It is perplexing that nothing about the 2012 Breach has been posted on the HHS List to this point, although

(i)         the MEEI Web site reported the event more than six months ago,

(ii)        the number of “potentially” affected individuals far exceeded the 500 minimum threshold for placement on the HHS List, and

(iii)       the period during which MEEI was dealing with HHS after the 2010 Breach overlapped with the occurrence and aftermath of the 2012 Breach.

Queries: Did MEEI not report the 2012 Breach to the HHS List because it ultimately concluded that the 2012 Breach did not involve more than 500 individuals even though it does offer credit monitoring to more than 3,600 individuals? (As a potential third time marcher in the Breach Parade, MEEI was certainly aware of its reporting obligations to HHS.) In other words, did MEEI determine by a reasonable risk assessment that the potential access by the former employee to PHI of 3,600 individuals was not sufficient to require a report for the HHS List, absent more substantial proof that the PHI of 500 or more individuals was actually accessed and/or that 500 or more individuals were actually harmed by such access?

Alternatively, is it simply possible that HHS has been slow in reporting additional List Breaches on the HHS List, similar to a suggestion in an earlier post in this blog series that HHS may be slow in posting Summaries of cases that it has investigated and closed?

This blog series will continue to monitor developments in this area.

• Print
• Comments
• Trackbacks
• Share Link

This blog series has been following breaches of Protected Health Information (“PHI”) that have been reported on the U.S. Department of Health and Human Services (“HHS”) list (the “HHS List”) of breaches of unsecured PHI affecting 500 or more individuals (the “List Breaches”). Currently HHS has posted 498 List Breaches reported by covered entities (“CEs”), of which approximately 102 (20.5%) have been reported as also involving business associates (“BAs”).  

As stated in an earlier posting in this blog series, the HHS List includes valuable guidance for CEs and BAs in the form of “brief summaries of the breach cases that OCR [the federal Office of Civil Rights] has investigated and closed. . . .” To date, the HHS List has posted approximately 96 summaries (“Summaries”) respecting the 498 current postings for CE marchers in the Breach Parade (which include some multiple postings of List Breaches where a single alleged breach by a BA caused a number of CEs to have List Breaches). Of the 96 List Breaches for which Summaries have been posted by OCR, 19 (19.8%) were reported as involving BAs.  

Unfortunately, since May 10, 2012, it would appear that only one new Summary has been posted by OCR, which relates to List Breach number 337 reported by Indiana University School of Optometry as CE. According to the OCR Summary, that List Breach affected 757 individuals and resulted in accessibility over the Internet of patient names, birth dates, medical history, diagnoses and treatment plans for the period from August 8, 2011 through September 9, 2011.  

No Summary has been posted by OCR for any List Breach that occurred later than October 6, 2011, already a year ago. Additionally, no Summary has been posted by OCR for any List Breach involving a BA that occurred later than February 1, 2011, as discussed in an earlier posting in this blog series. 

Moreover, the substantial majority of Summaries posted by OCR relate to List Breaches affecting fewer than 10,000 persons. While this Summary history may be reflective of the population of List Breaches as discussed in an earlier post in this blog series, the largest number of affected individuals for which a Summary has been posted to date is 83,000. That List Breach, which occurred on November 12, 2009 and was number 21 on the HHS List, related to unauthorized access/disclosure of paper information and was reported by Universal American in New York as the CE with Democracy Data & Communications, LLC as an involved BA. In light of the existence of complex List Breaches that reportedly affect hundreds of thousands or even millions of individuals, Summaries respecting larger List Breaches may be helpful in providing new and different insights for CEs and BAs.

There is great value in the guidance provided by the posted Summaries for educating CEs and BAs as to what OCR may deem to be significant with respect to List Breaches. OCR Summaries may provide analysis not only of the List Breaches themselves but also subsequent actions taken by the affected CEs and BAs. However, because the paucity of recent postings of Summaries can dampen their overall educational benefit, OCR is encouraged to increase the frequency, number, currentness and diversity of the Summaries posted.  

• Print
• Comments
• Trackbacks
• Share Link

A previous post to this blog by Patricia McManus pointed out that individuals whose protected health information (“PHI”) is stolen, lost, or otherwise inappropriately used, accessed, or left unsecured have no private right of action against the person or entity responsible for the breach under the HIPAA/HITECH laws. That may change for victims of identity theft who can show the theft was caused by a HIPAA breach, at least if the action is brought in the 11^th Circuit.

The 11^th Circuit District Court (Southern District of Florida) decision that came out  on September 5, 2012 involved stolen unencrypted laptops containing PHI of approximately 1.2 million AvMed (health plan) patients. The lower court had dismissed the originally-filed class action because plaintiffs sought "to predicate recovery upon a mere specter of injury: a heightened likelihood of identity theft."  The case was re-filed, naming as plaintiffs a subset of patients whose identities had been actually stolen since the laptop theft, alleging negligence by AvMed in protecting the sensitive information, breach of contract, unjust enrichment, breach of the implied covenant of good faith and fair dealing, and breach of fiduciary duty. 

The District Court's decision to deny AvMed's motion to dismiss plaintiffs' claim that AvMed's data breach caused plaintiffs' identity theft was based on its finding that plaintiffs "sufficiently alleged a nexus between the data theft and the identify theft and therefore meet the federal pleading standards...  ," even though the computers were stolen 10 and 14 months prior to the identity thefts of the two specific plaintiffs named in the action. The court pointed out that both individuals were very protective of their personal data and did not transmit sensitive data electronically or store it on computers. One plaintiff's sensitive information was used to open a Bank of America account and change her address with the US Post Office, while the other plaintiff's sensitive information was used to open an E*Trade Financial account. Neither had experienced identify theft before the theft of the AvMed laptops. 

The court also refused to dismiss the plaintiffs' unjust enrichment claim, which was based on the fact that AvMed received premiums that were payments, at least in part, to protect sensitive information with "data management and security measures that are mandated by industry standards." Plaintiffs alleged AvMed failed to implement or inadequately implemented these policies. 

If plaintiffs are ultimately successful in obtaining refunds of premiums and/or payments from AvMed for damages incurred as a result of the identity thefts, it could set an interesting precedent for future HIPAA breach victims, particularly if the court’s decision relies (as it seemed to rely in this decision) on the fact that the victims could show they were extremely careful not to store or transmit personal information via electronic means.  In this age of intensive use of computers and the Internet for financial transactions, such plaintiffs are probably highly unusual. An individual who makes frequent or even occasional on-line purchases or pays bills electronically and who becomes the victim of  a HIPAA breach might have difficulty demonstrating that a subsequent identity theft was the direct result of the breach. 

• Print
• Comments
• Trackbacks
• Share Link

A recent posting by our partner Christina Stoneburner, Esq., on the Fox Rothschild Employment Discrimination blog discussed the need by employers to limit protected health information (“PHI”) that they provide with respect to medical examinations of employees and job applicants to the least amount of medical information necessary for evaluation.  Interestingly, the focus of her posting was not disclosure under HIPAA/HITECH, or even state statutes regulating the use of PHI; it dealt with allegations that employees and job applicants had been sent for unnecessary medical examinations in violation of the Americans with Disabilities Act and the Genetic Information Nondisclosure Act. 

Christina summarizes her posting with the following:

In short, the least amount of medical information necessary to evaluate an employee is what should be provided to examiners.  For example, if you have an employee being evaluated to see if he can perform the essential functions of his job after a shoulder injury, the examining doctor should not be given the medical records relating to his planter's wart being removed.

In her discussion, Christina noted our blog series respecting large breaches and a particular recent posting by Elizabeth Litten, Esq.  Christina also mentioned that the complaint on which her posting focused had alleged, "the employer often turned over Workers' Compensation records . . . , even where those records were not relevant to the examination.”

Workers’ compensation is an area where Christina’s posting comes full circle to our blog’s focus on HIPAA;  as HIPAA directly confronts such area by making it clear that only the “minimum necessary” disclosure of PHI is permitted by covered entities without patient authorization pursuant to 45 CFR 164.512(l):

A covered entity may disclose protected health information as authorized by and to the extent necessary to comply with laws relating to workers' compensation or other similar programs, established by law, that provide benefits for work-related injuries or illness without regard to fault.

The Office of Civil Rights of the U.S. Department of Health and Human Services (“HHS”) has published further advice on how the workers’ compensation Regulation works:

Covered entities are required reasonably to limit the amount of protected health information disclosed . . . to the minimum necessary to accomplish the worker’s compensation purpose. Under this requirement, protected health information may be shared for such purposes to the full extent authorized by State or other law. 

In summary, to avoid needless and costly violations, employers and other covered entities must be constantly aware of the need to comply with multiple regulatory schemes that may govern PHI, beyond those of HIPAA and State laws governing PHI;  there is not unlimited flexibility to disclose PHI even within the context of State-governed workers’ compensation matters. When the long-anticipated “mega-regulation” regarding HIPAA/HITECH is finally published by HHS, special attention must be given to potential changes that may further tighten the “minimum necessary" standards.

• Print
• Comments
• Trackbacks
• Share Link

A recent post in this blog series has discussed the valuable guidance for covered entities (“CEs”) and business associates (“BAs”) that can be contained in the U.S. Department of Health and Human Services list (the “HHS List”) of breaches of unsecured PHI affecting 500 or more individuals (“List Breaches”), especially within the “brief summaries of the breach cases that OCR [the federal Office of Civil Rights] has investigated and closed. . . .” (“Summaries”). 

An example is List Breach number 265 (“LB 265”), which reported a theft of a laptop in Alaska from Trisha Elaine Cordova,  a BA of Catholic Social Services (“CSS”), the related CE, on February 1, 2011. The laptop reportedly contained approximately 493 adoption home studies affecting 1,700 individuals.  LB 265 also happens to be the most recent List Breach involving a BA for which a Summary has been provided by OCR. (As an aside, LB 265 actually appears on line 266 of a chronological schedule of List Breaches because the first line was used by HHS for column headings.)

According to the LB 265 Summary: “The protected health information involved in the breach included names, addresses, phone numbers, dates of birth, driver’s license numbers, and health information; 20% of the files contained social security numbers.”

While the PHI involved covered a broad range, there was nothing unusual about the items. What makes LB 265 Summary worthy of discussion is its final two sentences:

The covered entity did not have a business associate contract with the contractor at the time of the breach. OCR’s investigation resulted in the covered entity developing policies and procedures for obtaining business associate contracts when required by the Privacy Rule and verifying that the contractor involved was not an independent covered entity. 

The LB 265 Summary identified what OCR deems to be two related important elements of compliance with the HHS Privacy Rule when a CE contracts with another person with respect to PHI - the first of which is obvious and well-known but the second of which is more subtle and less recognized: 

1.   The requirement that a CE have a business associate agreement or contract (“BAA”) with the contractor and

2.   The need for the CE to verify in what capacity the contractor is serving with respect to the CE’s PHI, that is, whether the contractor is only a BA or is a CE as well as a BA (a “BA/CE”). 

In its LB 265 Summary, OCR is pointing out its expectation that a contractor like Ms. Cordova may be a BA with respect to the PHI of CSS, but, depending upon her status and activities with respect to such PHI, she could also be a BA/CE. Furthermore, it is viewed by OCR to be the obligation of CSS as a CE (and presumably Ms. Cordova as a BA as well) to have policies and procedures in place to verify if Ms. Cordova was a BA/CE with respect to the PHI.

Ms. Cordova was apparently provided with PHI by CSS for the purpose of conducting adoption home studies for CSS respecting applicants seeking to adopt children through the auspices of CSS. It is conceivable that the CSS PHI in Ms. Cordova’s hands could have been reformulated and processed by her in her BA activities to such an extent that she could have been a BA/CE.  

The discussion by OCR in LB 265 of the need by a CE for a BAA under the HIPAA Privacy Rule in the same sentence as the verification activity is consistent with OCR’s sentence in its “OCR Privacy Brief” section on CEs as follows: “A covered entity can be the business associate of another covered entity.”  In requiring a CE to establish policies and procedures to verify whether a BA is also a BA/CE, OCR would appear to have extended CE obligations. However, because no further comment was made on the matter by OCR in LB 265, it would appear that Ms. Cordova was not deemed to be a BA/CE.

Separate and apart from OCR’s position on verification, unless a CE (and its contractor as well) has done sufficient analysis of the status of its BA and the character of the BA’s activities, how can the CE properly draft applicable provisions of its BAA? One form of BAA does not necessarily fit all BAs, as much as CEs would like to believe. For example, if a BA of a CE is also a BA/CE with respect to specific PHI, the BA/CE has primary reporting and/or documentation obligations to HHS in the event of a privacy breach, even to the extent of a separate report to HHS for a List Breach. If a BA/CE were to fail to notify HHS of a List Breach, the BA/CE may incur significant penalties and sanctions. 

The BAA should take cognizance of whether the BA is deemed by the parties to be a BA/CE and in such case, discuss procedures and methods to confront, among other things, a List Breach, other breaches and the parties' relative investigation, documentation and reporting responsibilities under HIPAA/HITECH, and even data breach insurance. Without proper coordination, in the event of a List Breach or other breach, there can be (i) unnecessary and costly duplication of investigation efforts and evaluation of risk of harm, (ii) inappropriately inconsistent reporting of the event to affected individuals, HHS and state agencies, (iii) inconsistent statements to the media, etc. 

In summary, the OCR deems it a requirement for a CE to verify the status of its BA and the character of the BA’s activities with respect to the CE’s PHI; in turn such CE and BA and their respective counsel should use the verification process to develop provisions in the BAA. 

• Print
• Comments
• Trackbacks
• Share Link

As part of our healthcare practice, we frequently field questions from individuals from the general public about alleged violations of the HIPAA law that have affected them.  Many people have been in the unfortunate situation where they believe that their protected health information (PHI) has been compromised inappropriately, and they want to know what they can do about it.  Such individuals are often surprised and deeply disappointed to learn that the HIPAA law does not provide a "private right of action" in the event of unlawful  access, use or disclosure of PHI.  That means that under HIPAA, an individual cannot file a private lawsuit  to recover damages against a party that  allegedly improperly accessed, used or disclosed their PHI.  

Such improper disclosures, however, may violate other state or federal laws or common law rights of privacy, so that  individuals may wish to reach out to an attorney who is licensed in their state of residence to determine whether they have any specific claims, rights or remedies related to the improper access, use or disclosure.   The statute of limitations on such claims may be very short-lived, so those who wish to pursue such potential claims should do so without undue delay. 

Under HIPAA, if you feel that your PHI has been accessed, used or disclosed inappropriately, you may contact the Office of Civil Rights within the U.S. Department of Health and Human Services (HHS) to file a complaint (go to the OCR website to acquire a form that you may fill out online to file a complaint).  Additionally, each state's Attorney General is authorized to bring lawsuits under HIPAA on behalf of individuals whose medical records have been improperly disclosed, and to share any proceeds of such suits with the affected individuals.   

While it may be viewed as unfair by victims of inappropriate access, use or disclosure of PHI that they cannot sue under HIPAA themselves, they should act promptly to seek assistance of HHS or their state's Attorney General to assert what rights they do have under HIPAA.

• Print
• Comments
• Trackbacks
• Share Link

As reported in the Houston Chronicle on June 28, 2012, an unencrypted laptop computer containing data on more than 30,000 patients of the University of Texas MD Anderson Cancer Center (“MD Anderson”) was stolen from a faculty member’s home on April 30, 2012. The stolen laptop scenario has become all too familiar (this blog series has reported on the high proportion of breaches resulting from the theft or loss of laptops or other portable devices), and even the high number of patients affected pales in comparison with the roughly 5 million patients affected in the SAIC breach. 

What caught my attention was the fact that MD Anderson posted notice of the breach on its website on June 28^th, exactly 59 days after the theft took place. Pursuant to the interim final breach notification regulations, a covered entity must provide notice to affected individuals “without unreasonable delay and in no case later than 60 calendar days after discovery of the breach.”   Although an exception exists for prompt notification where a law enforcement official tells the covered entity (or business associate) that notification would impede the criminal investigation or cause damage to national security, the time required for performance of a criminal investigation is, presumably, less than 60 days. MD Anderson’s website notice gives every indication that it acted promptly and investigated thoroughly:

MD Anderson was alerted to the theft on May 1 and immediately began a thorough investigation to determine what information was contained on the laptop. After a detailed review with outside forensics experts, we have confirmed that the laptop may have contained some of our patients’ personal information, including patients’ names, medical record numbers, treatment and/or research information, and in some instances Social Security numbers.

Would patients have been better off knowing their data might have been illegally accessed prior to day 59 following the breach, or does the benefit of a thorough investigation outweigh the risk that earlier notification would have benefited patients? 

Navigant Consulting released an “Information Security and Data Breach Report” in April of this year that found that the average number of days between discovery of a breach involving medical records and disclosure was 63 days in the third quarter of 2011, compared with 65 days in the fourth quarter of 2011, an increase of 3%, despite the requirement that applicable HIPAA law requires patients to be notified “without unreasonable delay” and no later than 60 days following the breach. When analyzed in terms of the entity reporting the breach, “[h]ealthcare entities registered an 84% increase between discovery and disclosure from 51 days in Q3 to 94 days in Q4.” 

From this perspective, it seems MD Anderson did pretty well. Had the faculty member delayed his or her original notification to MD Anderson regarding the theft, however, MD Anderson might have been hard-pressed to meet the 60 day deadline. Covered entities such as MD Anderson (and business associates who provide protected health information to subcontractors) should be reminded that prompt communication and investigation is essential to meeting the “without unreasonable delay and in no case later than 60 calendar days” notification requirement, and must balance the need to get the facts straight with the need to alert affected individuals, and, where applicable, the Department of Health and Human Services and state agencies, as quickly as possible. 

• Print
• Comments
• Trackbacks
• Share Link

This blog series has been following breaches of Protected Health Information (“PHI”) that have been reported on the U.S. Department of Health and Human Services (“HHS”) list (the “HHS List”) of breaches of unsecured PHI affecting 500 or more individuals (the “List Breaches”). As reported in a recent posting, the HHS List includes guidance that covered entities (“CEs”) and business associates (“BAs”) can use in the event of a PHI security breach in the form of brief summaries (“Summaries”) of the breach cases that the federal Office of Civil Rights (“OCR”) has investigated and closed. 

On June 26, 2012, HHS and OCR reported in a press release (the “Press Release”) that Alaska Department of Health and Social Services, the state Medicaid agency (“Alaska Medicaid”), had agreed to pay HHS $1.7 million with respect to a resolution of possible violations of HIPAA, which included the compromising of PHI of 501 affected individuals by means of a theft that occurred on October 12, 2009 of an “Other Portable Electronic Device” (the “2009 Breach”).  Alaska Medicaid has also agreed, among other things, to take corrective action to properly safeguard the PHI of Medicaid beneficiaries. An official statement by Alaska Medicaid Commissioner Bill Streur relating to the resolution with HHS of the 2009 Breach is posted on the Alaska Medicaid Web site.

While the Alaska Medicaid resolution has not yet been reported in a Summary on the HHS List, visiting the HHS List reveals that the 2009 Breach was originally posted by HHS in the very first batch of List Breaches on February 22, 2010. What is also interesting is that Alaska Medicaid had a later separate List Breach, reportedly involving the compromising of PHI of approximately 2,000 affected individuals by means of a theft on September 7, 2010 of an “Other Portable Electronic Device” (the “2010 Breach”). The 2010 Breach was reported as involving Alaskan AIDS Assistance Association as a BA.

However, it is difficult to identify readily that the 2009 Breach and the 2010 Breach involved the same CE, Alaska Medicaid. The 2009 Breach is alphabetically indexed under “Alaska Department of Health and Social Services,” while the 2010 Breach is indexed under “State of Alaska, Department of Health and Social Services.” It would be helpful for HHS to endeavor to use CE and BA names consistently to assist in analysis by those visiting the HHS List.

The Press Release of HHS regarding the 2009 Breach quotes OCR Director Leon Rodriguez: “This is OCR’s first HIPAA enforcement action against a state agency and we expect organizations to comply with their obligations under these rules regardless of whether they are private or public entities.”

It commendable that OCR enforces compliance with HIPAA against private and public entities with the same vigor. Query, however, to what extent is it wise for HHS to exact a $1.7 million payment from Alaska Medicaid? Alaska Medicaid oversees a program to provide medical care to the indigent in Alaska, a program that is funded by the taxpayers of Alaska and the U.S. In almost all states, Medicaid programs are financially embattled and under severe economic and political stress. The large payment by Alaska Medicaid to HHS is an enforced shifting by a state agency of “other people’s money” to HHS that may have to be replaced by increased taxes or reductions in future benefits for Alaskan indigents.

This blog series will continue to review various of the OCR Summaries and resolutions to give guidance to CEs and BAs.  We will also monitor future developments with respect to the 2010 Breach.

• Print
• Comments
• Trackbacks
• Share Link

This blog series has been following breaches of Protected Health Information (“PHI”) that have been reported on the U.S. Department of Health and Human Services (“HHS”) list (the “HHS List”) of breaches of unsecured PHI affecting 500 or more individuals (the “List Breaches”). Currently HHS has posted 435 List Breaches affecting marchers in the ever-lengthening parade, although the number of marchers has remained unchanged for several weeks.

The most recent posting on this blog series by my partner Elizabeth Litten, Esq., discussed a recent presentation by Linda Sanches, Office of Civil Rights ("OCR") Senior Advisor and the lead on HIPAA Compliance Audits, on the progress of the 2012 HIPAA Privacy and Security Audit Program.  As pointed out in the earlier posting, the presentation by Ms. Sanches included some general tips that covered entities (“CEs”) and business associates ("BAs") can use to reduce the likelihood of HIPAA violations, one of which is PHI security breaches.

The HHS List includes additional focused guidance from OCR that CEs and BAs can use in efforts to avoid, or in the event of, a PHI security breach (even if it does not rise to the level of a List Breach) in the form of  brief summaries of the breach cases that OCR has investigated and closed. To date, the HHS List has posted approximately 93 summaries (“Summaries”) out of the 435 postings respecting marchers in the Breach Parade (which include some multiple postings of List Breaches where an alleged breach by one BA caused a number of CEs to have List Breaches). Of the 93 List Breaches for which Summaries have been prepared by OCR, 18 (approximately 20%) were reported as involving BAs.  

These Summaries can provide valuable clues for CEs and BAs on how to deal with a HIPAA security breach. One example is contained in a Summary respecting a List Breach reported on January 29, 2010 by Thrivent Financial for Lutherans (“Thrivent”) in Wisconsin. The List Breach, which did not report an involved BA, related to a theft of laptops that contained the PHI of approximately 9,400 individuals. (The original report by Thrivent had stated that approximately 9,500 individuals had been affected.) The OCR Summary included the following statement:

The protected health information involved in the breach included name, address, date of birth, social security number, prescription drugs, medical condition, age, weight, etc. Thrivent provided OCR with additional controls to remedy causes of security breach at various stages of implementation. The actions taken by the CE prior to OCR’s formal investigation brought the CE into compliance.

OCR clearly viewed it as noteworthy and commendable that Thrivent had voluntarily taken necessary steps for compliance before OCR conducted its investigation. That should be an alert for those who suffer HIPAA breaches that all appropriate and reasonable remedial measures should be undertaken promptly to demonstrate and document compliance before OCR comes knocking on the door of the CE. This blog series will continue to review various of the OCR Summaries as to guidance that they may contain respecting PHI security breaches.

• Print
• Comments
• Trackbacks
• Share Link

This blog series has been following the ever-growing parade of large security breaches of Protected Health Information (“PHI”). Within the last week, The Boston Globe reported that venerable Boston Children’s Hospital (the “Hospital”), the primary pediatric teaching hospital of Harvard Medical School, has notified the public media and affected individuals of a large PHI security breach (the “Breach”). The Globe article by Chelsea Conaboy reported that the Breach occurred when an employee of the Hospital, while at a conference in Buenos Aires, Argentina, “lost a laptop containing a file with information about 2,159 patients, including names, birth dates, diagnoses, and treatment information.” The laptop, which was reported by the Hospital as having been password protected but not encrypted, did not include financial data or Social Security numbers.

The Breach is one of the first reported instances of the loss or theft outside of the United States of a laptop that contained unsecured PHI. Nonetheless, it is uncertain as to whether the PHI stored on the computer has been or will be inappropriately accessed and used.

The Breach has not yet been reported on the U.S. Department of Health and Human Services list (the “HHS List”) of reported breaches of unsecured PHI affecting 500 or more individuals. Nor does a visit to the Hospital's Web site and its on-line “Newsroom” and Press Releases for 2012 reveal any reference to the Breach.  

The Hospital does have a Code of Conduct on its Web site that contains a short reference to “Patient Privacy and Confidentiality.” However, an endeavor to open the links under that heading to referenced “Patient Health Information Policies” and “Information Security Policies” only results in “Oops! There was an error finding that page” and instructions to try again. Moreover, the Code of Conduct has a bottom line on each page that recites a publication date of 12/06, well before the enactment of the federal HITECH Act.

A number of conclusions can be drawn from the information currently available regarding this unfortunate Breach. If the Hospital takes “this incident and the protection of protected health and personal information extremely seriously,” as the Hospital’s chief information officer was quoted in the Globe article, the Hospital should, at a minimum, as many other covered entities that have suffered PHI security breaches have done, prominently place its press release respecting the Breach on its Web site.

The Hospital should also appropriately update its Code of Conduct respecting patient privacy and confidentiality and rectify the “dead” links that would provide meaningful information on such subjects to those who seek it.

Finally, the Hospital and other covered entities should consider adopting clear policies governing the protection and transporting outside of the United States of laptops and other electronic devices that contain PHI.

• Print
• Comments
• Trackbacks
• Share Link

Postings on this blog series have been following the continuing parade of security and privacy breaches of Protected Health Information (“PHI”) that have been reported on the U.S. Department of Health and Human Services list (the “HHS List”) of breaches of unsecured PHI affecting 500 or more individuals. On March 30, 2012, a large data security breach (the “Utah Breach”) that has not yet been posted on the HHS List was experienced by the Utah Department of Technology Services (“DTS”) on a computer server (the “DTS Server”) that stores Medicaid and Children’s Health Insurance Program (“CHIP”) claims data.  

DTS detected the Utah Breach on Monday, April 2, 2012 after the putative thieves began removing data from the DTS Server. Upon detection, DTS stated that it immediately shut down the DTS Server, has identified where the breakdown in security occurred and has implemented new processes to ensure this type of breach will not happen again.

DTS and the Utah Department of Health (“UDOH”) have established a separate Web page to provide “Latest Information” respecting the Utah Breach (the “Update Page”). The Update Page has turned out to be a useful reporting mechanism for what has become a continuously rising count of individuals affected by the Utah Breach. Currently the Update Page reports that “approximately 280,000 victims had their Social Security numbers stolen and approximately 500,000 other victims had less-sensitive personal information stolen.” Therefore, the total current number of identified affected individuals of the Utah Breach appears to be approximately 780,000. However, the various numbers of victims reflected on the Update Page are somewhat confusing, possibly due at least in part to the addition on a serial basis of newly discovered victims.

Information on the DTS Server included claims payment and eligibility inquiries regarding potential Medicaid and CHIP claimants. According to UDOH:

This could include sensitive, personal health information from individuals and health care providers such as Social Security numbers, names, dates of birth, addresses, diagnosis codes, national provider identification numbers, provider taxpayer identification numbers, and billing codes.

Interestingly, UDOH and DTS have made a clear distinction as to the assistance and support that they will provide to identified victims of the Utah Breach. Victims who had their Social Security numbers (“SSNs”) stolen will be offered one year of free credit monitoring services. Those victims of the Utah Breach who did not have SSNs stolen will not be offered free credit monitoring services, even though they have had other information compromised that has been characterized by UDOH as “less-sensitive.” Moreover, those who had SSNs stolen will receive priority in being alerted as to the Utah Breach over those victims who did not have stolen SSNs.

The Utah Breach is not the first large PHI breach experienced by UDOH.  The HHS List reports that on March 1, 2010, UDOH had an "Unauthorized Access/Disclosure" affecting 1,298 individuals respecting "Computer, Paper."  The HHS List also reflects that Utah Department of Workforce Services was involved as a Business Associate in the 2010 UDOH PHI breach.

It is possible that the current offering by UDOH of free credit monitoring services only to those Utah Breach victims who had stolen SSNs may be reevaluated or changed in the future. This blog series has previously reported the abrupt about-face by SAIC to offer credit monitoring services to the millions of victims of its large 2011 PHI breach after pressure by the Department of Defense to do so.

We will continue to monitor developments with regard to the Utah Breach.

• Print
• Comments
• Trackbacks
• Share Link

This blog series has been following breaches of Protected Health Information (“PHI”) that have been reported on the U.S. Department of Health and Human Services (“HHS”) list (the “HHS List”) of breaches of unsecured PHI affecting 500 or more individuals (the “List Breaches”). A recent posting in this blog series reported that, on February 24, 2012, HHS recorded number 400 in the ever-lengthening parade of List Breaches.

Such posting also noted that more than half (223) of the 400 List Breaches attributed the breach to “Theft.” Of the 223 thefts reported, 93 of them were characterized as theft of a laptop. Therefore, it is not surprising that the 400^th List Breach affecting Triumph, LLC (“Triumph”) was reported to be a theft on December 13, 2011 of a laptop affecting 2,000 individuals (the “Triumph Breach”) respecting several of its North Carolina behavioral and psychiatric facilities.

While the facts of the Triumph Breach were not remarkable in themselves, the event is worthy of review as being a typical List Breach involving a theft of a laptop that contained PHI of several thousand individuals. A closer look at the Triumph Breach reveals that it was an event as to which Triumph appears to have been a victim with little ability to avoid the loss. 

To its credit, Triumph has placed a HIPAA Breach Notification (the “Notification”) on its Web site with a prominent notice on its Home page in red with a link to the Notification and the following advice: “Please click here to read the public notice which may affect consumers receiving services from our Winston-Salem, Mocksville and King facilities.” As this blog series has pointed out in previous postings, many covered entities do not detail List Breaches on their Web sites.

The Notification states that the Triumph Breach occurred on December 13, 2011 when three men entered the 2nd floor lobby. While two of them were distracting the receptionist, the third entered a hallway and stole a laptop computer from an office. Because the Notification says that the laptop was password protected, one can reasonably conclude that there was no encryption. The information on the computer was reported in the Notification to have included names, dates of birth, medical record numbers, insurance/Medicaid numbers, billing codes  and authorization status for services, but not social security numbers, diagnostic codes or specific financial information.

Although the HHS List states that 2,000 individuals were affected by the Triumph Breach, no reference to the number of affected individuals was contained in the Notification. Additionally, while the Notification included contact information for questions about the Triumph Breach, no reference was made in the Notification as to the offering by Triumph of credit monitoring or other security services to affected individuals as has been done for many other List Breaches. Perhaps the explanation for the latter omission is the following statement by Triumph in the Notification:

We believe the motive for the theft was for the computer not for the information stored on the computer. In light of this theft, we are examining our policies, procedures and protocols to safeguard against any future incidents. 

Nonetheless, it is unclear whether the PHI stored on the computer will be inappropriately accessed and used.  Triumph was clearly an unfortunate victim of a theft of PHI as many other providers have been. Nonetheless, the Triumph Breach is a reminder that it does not matter how a List Breach is caused. It will be costly for the covered entity in every case on many levels, and the ultimate extent of the adverse impact cannot be known with certainty.

• Print
• Comments
• Trackbacks
• Share Link

This blog series has been following breaches of Protected Health Information (“PHI”) that have been reported on the U.S. Department of Health and Human Services (“HHS”) list (the “HHS List”) of breaches of unsecured PHI affecting 500 or more individuals (the “List Breaches”). On February 24, 2012, HHS posted number 400 in the ever-lengthening parade of List Breaches.

The first postings on the HHS List occurred on March 4, 2010.  Therefore, it took almost exactly two years to reach the 400 level, which means that an average of 200 postings of List Breaches have been occurring each year.

A closer look at the 400 List Breaches reveals that there are an appreciable number of repeat entrants into the parade. This blog series has reported on a number of them, such as Henry Ford Health System with 3 List Breaches and University of Rochester Medical Center with 2 List Breaches. (In some cases assumptions had to be made as to repeat entrants because the names of some covered entities on the HHS List were similar but not identical to others or appeared to be different divisions of the same covered entity.) 

Based on the assumptions and the review, there were 28 covered entities with 2 List Breaches, 16 covered entities with three List Breaches and 1 covered entity with four List Breaches (counting multiple divisions as one covered entity). Therefore, there were 337 separate covered entities that reported the total of 400 List Breaches.

Of the total of 400 List Breaches, 223 of them attributed the cause or partial cause of the breach to be “Theft.” As a matter of fact the 400^th List Breach was reported by Triumph, LLC as a theft on December 13, 2011 of a laptop affecting 2,000 individuals at several of its North Carolina behavioral and psychiatric facilities.

While the Parade of List Breaches continues to grow, there are many more PHI data breaches involving fewer than 500 individuals that are occurring as well. As this blog series has emphasized in the past, it is more a question of when a covered entity will suffer a PHI data breach and how severe the breach will be, rather than if it will suffer a breach.

• Print
• Comments
• Trackbacks
• Share Link

In a recent posting on this blog series, my partner William Maruca mentioned the multiple reported “snooping” intrusions from 2005 to 2009 by employees at UCLA Health System (“UCLA”) into medical records of celebrities “without a permissible reason.” Such snooping would constitute violations of the requirements under HIPAA/HITECH statutes and regulations.  Ultimately, UCLA entered into a settlement agreement (the “Settlement Agreement”) with federal health regulators with respect to such incursions, which among other things, socked UCLA with a fine of $865,000. 

Shortly after the Settlement Agreement was reported in July 2011, a new and different security breach was posted for UCLA (the “2011 Breach”) on the U.S. Department of Health and Human Services (“HHS”) Web site that lists breaches of unsecured PHI affecting 500 or more individuals (the “HHS List”).  (Presumably the snooping intrusions were not on the HHS List because they affected fewer than 500 individuals.) The 2011 Breach was reported on the HHS List as a theft of an “Other Portable Electronic Device” on September 7, 2011, that affected the protected health information (“PHI”) of 2,761 individuals.  UCLA has developed a mixed record of disclosure with respect to this most recent security breach.

UCLA is to be commended for having posted and maintained on its Web site (the “UCLA Web Site”) information on the 2011 Breach, as it has done with respect to the Settlement Agreement. This can be contrasted to a number of other covered entities previously identified in this blog series, such as Eisenhower Medical Center, that have not seen fit to post such security breaches on their Web sites. As a matter of fact, the posting on the UCLA Web Site about the 2011 Breach goes beyond the usual minimum level of disclosure to have a user-friendly, plain-language series of questions and answers to assist the site visitor. 

The UCLA Web Site reported 

The documents containing information did not include Social Security numbers or any financial information. They did include first and last names and may have included birth dates, medical record numbers, addresses and medical record information. . . . UCLA has engaged Kroll, a global leader in data security, to provide assistance to individuals affected by this incident.

Even though UCLA has retained a consultant to provide advice to potential victims of the 2011 Breach, to this point no credit monitoring has been offered, while other covered entities have done so in similar circumstances because some of the information that was included in theft could heighten identity theft risks.

There is also a perplexing discrepancy between the 2,761 individuals reported on the HHS List as having been affected in the 2011 Breach, as compared to 16,288 individual reported on the UCLA Web Site. The HHS Web site provides the following instructions regarding amendments to the number of affected individuals in a large PHI security breach:

If, at the time of submission of the form, it is unclear how many individuals are affected by a breach, please provide an estimate of the number of individuals affected.  As this information becomes available, an additional breach report may be submitted as an addendum to the initial report.

While there can only be speculation as to the source of the discrepancy, best disclosure practices would appear to dictate that UCLA provide information to HHS to permit the HHS List to be corrected from the current number to the materially higher number of 16,288 individuals. If UCLA has reported the higher figure to HHS, which did not correct it on the HHS List, then there is a flaw in the HHS List posting process that does not update amended information received from covered entities.

More recently, an additional factor has surfaced to detract from the quality of UCLA disclosures respecting the 2011 Breach. Derek Hawkins of Law360 discusses the filing by a UCLA patient of a putative class action against UCLA in December 2011 relating to the 2011 Breach. The Hawkins posting criticizes UCLA for not commenting at all on the lawsuit.

Thus UCLA has been inconsistent in its post-2011 Breach disclosures. Prompt, decisive and compliant action by covered entities affected by PHI security breaches, including transparency and accurate and consistent disclosure, is necessary to maximize damage control, rehabilitate relations with clients and the public and reduce the likelihood of litigation and penalties for PHI security breaches. 

• Print
• Comments
• Trackbacks
• Share Link

The Order of Judge Richard Smoak in a recent Federal District Court case (Opis Management, LLC, et. al. v. Dudek, No. 4:11-cv-400/RS-WCS (N.D. Fla., Tallahassee Division)) (the “Opis Order”) reminds us of the attention that must be paid to the interaction and potential conflicts or dual applicability of state law with HIPAA compliance. While the Opis Order dealt with a relatively narrow issue that did not involve a data security breach, as will be hereinafter discussed, its focus highlights the broader concern about conflicts or dual law coverage involving  HIPAA and state law.

The Opis Order itself dealt with the concern of plaintiffs that compliance with a Florida law would violate federal law under HIPAA, and compliance with federal law under HIPAA would violate state law.As a result, plaintiffs argued that the Florida law was invalid. More specifically they argued that

Florida law requires nursing homes to “furnish to the spouse, guardian, surrogate, proxy, or attorney in fact . . . of a former resident . . . a copy of that resident’s records which are in the possession of the facility.” Further, the law provides that “copies of such records shall not be considered part of the deceased resident’s estate and may be made available prior to the administration of an estate, upon request, to the spouse, guardian, surrogate, proxy, or attorney in fact.” FLA. STAT. § 400.145 . . . Plaintiffs claim that their non-compliance is excusable because Section 400.145 is preempted by the Health Insurance Portability and Accountability Act of 1996 (“HIPPA”). They seek a declaratory judgment that Section 400.145 is invalid and injunctive relief prohibiting its enforcement. [For whatever reason, the Opus Order uses the definition “HIPPA” rather than the much more widely-used acronym “HIPAA.” Except in quotations taken directly from the OPIS Order, this posting will use the more prevalent “HIPAA.”] 

Under HIPAA, a more stringent state law preempts HIPAA as to a particular matter. HIPAA defines more stringent as meaning “with respect to a use or disclosure, the [state] law prohibits or restricts a use or disclosure in circumstances under which such use or disclosure otherwise would be permitted.” In granting plaintiff’s declaratory judgment petition, the Court found that, rather than being more stringent than HIPAA, Florida provision Section 400.145 actually afforded less protection of protected health information (“PHI”) than HIPAA.  The Opis Order concluded as follows:

Section 400.145 is preempted because it is contrary to HIPPA. It affords a patient far less protection than the heightened privacy requirements imposed by the federal requirement and is, therefore, not more stringent than HIPPA. For this reason, Section 400.145 “stands as an obstacle to the accomplishment and execution of the full purposes and objectives of [HIPPA].” 45 C.F.R. § 160.202.

The Opis Order serves as a case in point of the need to analyze state law whenever considering compliance issues involving HIPAA. However, the Opis Order is only one example of potential conflicts, overlapping or inconsistencies that can exist between HIPAA and state law relative to the same or similar subject matter. A proper analysis requires a comparison of HIPAA and state law definitions of terms, scope of applicability and procedural requirements. Moreover, it must be remembered that, to the extent a HIPAA item is not “contrary to” a state law provision, both HIPAA and state law provisions must be followed. For example, some areas where differences between HIPAA and state law may surface in connection with notification of security breaches include the following:

• To what persons does the law apply? - HIPAA applies to covered entities and business associates/state law may apply to different persons, e.g., all businesses and/or public entities.

• What type of information is covered? – HIPAA applies to PHI, a very broad range of information/state law may apply to more limited information primarily associated with potential identity theft, such as credit card numbers, social security numbers and dates of birth.

•  In what medium is the information contained? -  HIPAA covers PHI in electronic, paper and oral format/state law may only cover one or two of these formats.

• What constitutes a security breach? – HIPAA and state law may diverge greatly.

• In what cases, who, how and when must regulatory authorities be notified of a data security breach? – HIPAA and state law may have provisions that differ greatly and may conflict with each other, overlap or have dual applicability, while not conflicting.

In summary, while HIPAA requires careful compliance in the event of a security breach, state law provisions must also be considered and analyzed as well.

Happy New Year and thank you to each of our readers.

• Print
• Comments
• Trackbacks
• Share Link

The widely publicized pre-Christmas breach of confidential data held by Stratfor Global Intelligence Service (“Stratfor”), a company specializing in data security, reminded me that very little (if any) electronic information is truly secure. If Stratfor’s data can be hacked into, and the health information of nearly 5 million military health plan (TRICARE) members maintained by multi-billion dollar Department of Defense contractor Science Applications International Corporation (SAIC) (the subject of a five-part series of blog postings) can be accessed, can we trust that any electronically transmitted or stored information is really safe?  

I had the pleasure of having lunch with my friend Al yesterday, an IT guru who has worked in hospitals for years. Al understands and appreciates the need for privacy and security of information, and has the technological expertise to know where and how data can be hacked into or leaked out. Perhaps not surprisingly, Al does not do his banking on-line, and tries to avoid making on-line credit card purchases. 

Al and I discussed the proliferation of the use of iPhones and other mobile technology by physicians and staff in hospitals and other settings, a topic recently discussed in a newsletter published by the American Medical Association. Quick access to a patient’s electronic health record (EHR) is convenient and may even be life-saving in some circumstances, but use of these mobile devices creates additional portals for access to personal information that should be protected and secured. Encryption technology and, perhaps most significantly, use of this technology, barely keeps pace with the exponential rate at which we are creating and/or transmitting data electronically.  

On the other hand, trying to reverse the exponential growth of electronic communications and transactions would be futile and probably counter-productive. The horse is out of the gate, and expecting it to stop mid-stride and retreat back with a false-start call is irrational. The horse will race ahead just as surely as my daughter will text and check her Facebook page, my son will recharge his iPad, and I will turn around and head back to my office if I forget my iPhone. We want and need technology, but seem to forget or fail to fully understand the vast, unprotected and ever-expanding universe into which we send information when we use this technology. 

If we expect breaches or, at least, question our assumptions that personal information will be protected, perhaps we will get better at discerning how and when we disclose our personal information. An in-person conversation or transaction (for example, when Al goes to his bank in person or when a physician speaks directly to another physician about a patient’s care) is less likely to be accessed and used inappropriately than an electronic one. We can better assess the risks and benefits of communicating information electronically when we appreciate the security frailties inherent in electronic communication and storage. 

Perhaps Congress should take the lead in enacting laws that will help protect against data breaches that could compromise “critical infrastructure systems” (as proposed in the “PRECISE Act” introduced by Rep. Daniel E. Lungren (R-CA)), but more comprehensive, potentially expensive, and/or use-impeding cybersecurity laws might have the effect of tripping the racehorse mid-lap rather than controlling its pace or keeping it safely on course.

• Print
• Comments
• Trackbacks
• Share Link

Five members of Congress (two Republicans and three Democrats) representing districts from far-flung states (Colorado, Florida, Massachusetts, New Jersey and Texas) are co-signers of a bipartisan letter dated December 2, 2011 (the “December 2 Letter”), addressed to the Director of the TRICARE Management Authority. The December 2 Letter was written to express the Congress members’ “deep concerns about a major breach of personally identifiable and protected health information” by TRICARE contractor Science Applications International Corporation (SAIC).” 

Michael Kline and I have previously blogged about the SAIC PHI breach in four previous postings on this blog series, the most recent posting of which was on November 9, 2011, shortly after TRICARE did an about-face and announced that it was directing SAIC to offer the 4.9 million affected individuals credit monitoring services and assistance.

The December 2 Letter requests “timely and thorough responses” by no later than February 2, 2012 to seventeen startlingly direct and often blame-loaded questions. The questions make it very clear that the authors believe SAIC (and/or TRICARE) should have done more to prevent the SAIC breach and should be doing more to protect affected individuals. Question 9 notes that SAIC offered to provide “victims” (note the word choice) credit monitoring services for a year, but goes on to point out that “such services are useless in protecting against medical identity theft and fraudulent health insurance claims.” It then asks whether victims will also be provided with “newly available medical identity theft monitoring,” and, if not, to explain why such monitoring would not be provided.

The December 2 Letter closes with a brief and scathing chronology of recent SAIC misconduct, after noting that “SAIC has received more than $20 billion in federal contracts over the previous three fiscal years,” and asks: “Why does [TRICARE] continue to contract with SAIC for its data handling and IT needs despite these major performance problems?”

The members of Congress who authored the December 2 Letter hail from both sides of the aisle and from various parts of the country, but a common link seems to be a strong interest in information privacy and security. For example, Edward Markey (D-Mass) and Joe Barton (R-Texas) co-chair the Bi-Partisan Privacy Caucus and recently focused on Facebook privacy issues.    Cliff Stearns (R-Florida) introduced an online privacy bill last spring. Diana DeGette (D-Colorado) has commented publicly on the importance of online privacy. 

While Rob Andrews (D-New Jersey) has no apparent recent history with respect to information privacy and security, he was the sponsor in 2003 of a bill, which was not ultimately enacted, designed to afford students and parents with private civil remedies for the violation of their privacy rights under the General Education Provisions Act. Moreover, in his continuing role as a member of the House Committee on Armed Services and its Subcommittee on Oversight and Investigation, he has a deep interest and abiding concern regarding large scale threats to the privacy and security of protected health information of millions of service individuals and their families.

• Print
• Comments
• Trackbacks
• Share Link

This blog series has been following breaches of Protected Health Information (“PHI”) that have been reported on the list (the “HHS List”) posted by the U.S. Department of Health and Human Services (“HHS”) that reports breaches of unsecured PHI affecting 500 or more individuals (the “List Breaches”). Four months ago a blog posting in this series did some analysis as to the extent to which such List Breaches are being reported by covered entities (“CEs”) as attributable to events involving business associates (“BAs”). 

A December 2, 2011 article in MedPage Today by Cole Petrochko reported on a survey conducted by the Ponemon Institute (the “Survey”) that was conducted based on "interviews with senior-level staff at 72 healthcare organizations regarding data loss and theft experiences at their facilities. Sites included parent holding companies of healthcare organizations, parts of a healthcare network, and individual hospitals or clinics."

This interesting Survey acknowledged that it had a number of limiting factors, including self-reporting from only 14% of the organizations, mostly larger-sized groups, that were contacted by the Ponemon Institute to participate in the interview process. It is therefore likely that data derived from the HHS List is more reliable in light of the adverse consequences and penalties that can be incurred by a CE from inaccurately reporting in writing to HHS. Nonetheless, according to the Survey, "two out of five respondents (41%) blamed data breaches on employee negligence -- not following data-handling procedures, sloppy mistakes, and using unsecure electronic devices -- and 49% reported lost or stolen devices. Third-party errors were responsible for 46% of breaches."  [Emphasis supplied.]

It is not clear that the incidents involving “third-party errors” in the Survey are coincident with events that would have been reportable as involving BAs had they been on the HHS List. Moreover, the Survey covered institutional healthcare providers only and not other types of CEs such as insurers, government agencies and individual physicians and physician practice groups. However, the Survey results as to third party errors mirror to some extent the proportion of reported BA involvement with respect to the largest of the List Breaches on the HHS List as of December 2, 2011. 

As of that date, only 83 of the total of 372 List Breaches (22.3%) reportedly involved BAs of the reporting CEs.

This overall amount is far lower than the 46% of breaches that was attributable to third-party errors in the Survey. However, further analysis of the HHS List as of December 2, 2011 reveals the following information that more closely parallels the Survey at higher numbers of involved individuals:

•   3 of the 6 List Breaches (50%) that affected 1,000,000 or more individuals reportedly involved BAs of the reporting CEs.

•   13 of the 29 List Breaches (44.8%) that affected between 30,000 and 999,999 individuals reportedly involved BAs of the reporting CEs.

•   14 of the 47 List Breaches (29.8%) that affected between 10,000 and 29,999 individuals reportedly involved BAs of the reporting CEs.

•   53 of the 290 List Breaches (18.3%) that affected between 500 and 9,999 individuals reportedly involved BAs of the reporting CEs.

While the foregoing review is only a snapshot of the HHS List as of a given date, the review would indicate that, as the size of a List Breach increases, it is more likely that involvement of a BA will be reported. However, the overwhelming proportion of List Breaches (77.7%) on the HHS List that affected fewer than 10,000 individuals have reported no involvement of a BA. 

More data will be required before the impact of BA involvement in smaller and larger List Breaches becomes clearer.  However, there are indications that the larger the List Breach that is reported by a CE, the greater the likelihood that it will involve an alleged BA.

• Print
• Comments
• Trackbacks
• Share Link

By: Elizabeth Litten and Michael Kline

[Capitalized terms not otherwise defined in this Part 4 shall have the meanings assigned to them in Part 3 or earlier Parts.]

As reported in Part 3 of this blog series, Tricare and SAIC did not initially offer credit monitoring services to patients affected by the 2011 Breach made public on September 29, 2011, due to what was then judged to be the low “risk of harm” to those affected.  The Public Statement specifically answered the question “Will credit monitoring and restoration services be provided to protect affected individuals against possible identity theft?” as follows:

No.  The risk of harm to patients is judged to be low despite the data elements involved. Retrieving the data on the tapes would require knowledge of and access to specific hardware and software and knowledge of the system and data structure. To date, we have no conclusive evidence that indicates beneficiaries are at risk of identify theft, but all are encouraged to monitor their credit and place a free fraud alert of their credit for a period of 90 days using the Federal Trade Commission (FTC) web site.  

Now, less than 6 weeks later, Tricare has directed SAIC to provide one year of credit monitoring and restoration services to patients “who express concern about their credit” as a result of the 2011 Breach.  In a press release issued by the DoD on November 4, 2011, entitled "Proactive Response to Recent Data Breach Announced" (the “DoD Press Release”), Tricare Management Activity's deputy director explains,

These additional proactive security measures exceed the industry standard to protect against the risk of identity theft.  We take very seriously our responsibility to offer patients peace of mind that their credit and quality of life will be unaffected by this breach.  

It is unclear that the new security measure exceeds the “industry standard,” as evidenced by numerous past postings respecting PHI security breaches in this blog series. In some cases as long as two years of credit monitoring was offered to affected individuals. However, given the assurances in the Public Statement to the “approximately 4.9 million patients treated at military hospitals and clinics during the past 20 years” that the risk of harm was low and there was no conclusive evidence that patients were at risk of identity theft, one can speculate as to whether Tricare’s abrupt about-face relates to new evidence, a revised judgment as to the risk of harm to affected patients and/or simply an abundance of caution as to its own exposure to risk. 

Then again, Tricare's new position could have less to do with new concerns related to patient identity theft risk, and more to do with a “proactive response” or even a preemptive strike by Tricare and DoD to combat certain of the allegations in the putative class action lawsuit filed against them  in the U.S. District Court for the District of Columbia on October 11, 2011 (Gaffney v. Tricare Management Activity, et. al., Case No. 1:2011cv01800) (the “Class Action Complaint”).  Each of Virginia Gaffney and Adrienne Taylor, two of the plaintiffs named in the Class Action Complaint, has alleged that she had “incurred an economic loss as a result of having to purchase a credit monitoring service to alert her to potential misappropriation of her identity.” 

By offering the credit monitoring services to all of the 4.9 million affected individuals, Tricare and DoD may be endeavoring to render moot or at least mitigate the risk from those allegations in the Class Action Complaint. [Note: The recent posting of the 2011 Breach in the HHS List, which did not provide any information beyond that reflected in the Public Statement, earlier reported “5,117,799” as the approximate number of individuals affected, but the current number reported is “4,901,432.”]

The Class Action Complaint seeks judgment against Tricare and DoD for damages in an amount of $1,000 for each affected individual.  Perhaps Tricare and DoD did the quick math and realized that the cost of credit monitoring and restoration for a subset (those “expressing concern”) of the roughly 4.9 million affected patients would be far less than the almost $5 billion aggregate damages award sought in the Class Action Complaint.  Tricare may have reversed its stance as a result of this “risk of harm” analysis, and not because of new information or a revised evaluation related to a heightened risk of harm to affected individuals.

• Print
• Comments
• Trackbacks
• Share Link

By Michael Kline and Elizabeth Litten

[Capitalized terms not otherwise defined in this Part 3 shall have the meanings assigned to them in Parts 1 and 2.]

The Public Statement reports that SAIC and Tricare are cooperating in the notification process but that no credit monitoring or restoration services will be provided in light of the “low risk of harm.” This was in contrast to the decision of Nemours in the Nemours Report to provide such services.

Since the release by SAIC of the Public Statement, Law 360 has reported that

(i)   According to Tricare, SAIC was “on the hook for the cost of notifying nearly 5 million program beneficiaries that computer tapes containing their personal data had been stolen”;

(ii)  A putative class action lawsuit was filed against Tricare and DoD (but not SAIC) respecting the 2011 Breach; and

(iii) Another putative class action lawsuit was filed against SAIC (but not Tricare and DoD) respecting the 2011 Breach. 

Further review of SAIC and its incidents regarding PHI reveals that the 2011 Breach was not the first such event for SAIC. However, it appears to the first such breach since the adoption of the Breach Notification Rule in August of 2009.

On July 21, 2007 The Washington Post reported that SAIC had acknowledged the previous day that “some of its employees sent unencrypted data -- such as medical appointments, treatments and diagnoses -- across the Internet” that related to 867,000 U.S. service members and their families. The Post article continues:

So far, there is no evidence that personal data have been compromised, but ‘the possibility cannot be ruled out,’ SAIC said in a press release. The firm has fixed the security breach, the release said.

Embedded later in the Post article is the following: 

The [2007] disclosure comes less than two years after a break-in at SAIC's headquarters that put Social Security numbers and other personal information about tens of thousands of employees at risk. Among those affected were former SAIC executive David A. Kay, who was the chief U.N. weapons inspector in Iraq, and a former director who was a top CIA official.

It is not clear whether the earlier 2005 breach reported in the Post involved PHI or other personal information.

On January 20, 2009, SPAMfighter reported that SAIC had informed the Attorney General of New Hampshire of a data breach that had occurred involving malware. The SPAMfighter report continues that SAIC wrote a letter to many affected users to inform them about the potential compromise of personal information.  (A portion of such personal information would have been deemed PHI had it been part of health-related material.)

The SPAMfighter report also discloses the following:

Furthermore, the current [2009] breach at SAIC is not the only one. There was one other last year (2008), when keylogging software managed to bypass SAIC's malware detection system. That breach had exposed mainly business account information.

As of the date of this blog post, the “News Releases” section on the SAIC Web site has no reference to the 2011 Breach. Nor does the “SEC Filings” section under “Investor Relations” on the SAIC Web site indicate any recent SEC filing that discloses the 2011 Breach. 

Coincidentally, the SEC issued a release on October 13, 2011 containing guidelines for public companies regarding disclosure obligations relating to cybersecurity risks and cyber incidents. In the context of SAIC, an $11 billion company, while the actual costs of notification and remediation of the 2011 Breach may run into millions of dollars, the 2011 Breach may not be deemed a “material” reportable event for SEC purposes by its management.

It is likely that much more will be heard in the future about the mammoth 2011 Breach and its aftermath that may give covered entities and their business associates valuable information and guidance to consider in identifying and confronting a future large PHI security breach. The 2011 Breach has not even yet appeared on the HHS List. The regulatory barriers preventing private actions under HIPAA/HITECH may be tested by the putative class action lawsuits. It will also be interesting to see whether the cooperation of SAIC with Tricare and DoD may wither in the face of the pressures of the lawsuits and potential controversy regarding the decision of SAIC not to provide credit monitoring and identity theft protection to affected individuals.

• Print
• Comments
• Trackbacks
• Share Link

By Elizabeth Litten and Michael Kline

[Capitalized terms not otherwise defined in this Part 2 shall have the meanings assigned to them in Part 1.]

In an October 3, 2011 Securities and Exchange Commission (“SEC”) filing posted on its Web site, SAIC described itself as

a FORTUNE 500^® scientific, engineering, and technology applications company that uses its deep domain knowledge to solve problems of vital importance to the nation and the world, in national security, energy and the environment, critical infrastructure, and health. The company’s approximately 41,000 employees serve customers in the U.S. Department of Defense, the intelligence community, the U.S. Department of Homeland Security, other U.S. Government civil agencies and selected commercial markets. Headquartered in McLean, Va., SAIC had annual revenues of approximately $11 billion for its fiscal year ended January 31, 2011.

The SAIC PHI breach, which potentially affected nearly 5 million individuals, was reported despite the fact that the PHI was contained on backup tapes used by the military health system, and despite, as explained in the Public Statement: 

The risk of harm to patients is judged to be low despite the data elements involved since retrieving the data on the tapes would require knowledge of and access to specific hardware and software and knowledge of the system and data structure…  [Q and A] Q. Can just anyone access this data? A. No. Retrieving the data on the tapes requires knowledge of and access to specific hardware and software and knowledge of the system and data structure.

The Public Statement goes on to say the following in another answer:

After careful deliberation, we have decided that we will notify all affected beneficiaries. We did not come to this decision lightly. We used a standard matrix to determine the level of risk that is associated with the loss of these tapes. Reading the tapes takes special machinery. Moreover, it takes a highly skilled individual to interpret the data on the tapes. Since we do not believe the tapes were taken with malicious intent, we believe the risk to beneficiaries is low. Nevertheless, the tapes are missing and given the totality of the circumstances, we determined that individual notification was required in accordance with DoD guidance. [Emphasis supplied.]

The lynchpin of SAIC’s final decision to notify all of the potentially affected individuals appeared to be the DoD guidance. In SAIC’s position as an $11 billion contractor that is heavily dependent on DoD and other U.S. government contracts as described above, it would appear that SAIC may not have had many practical alternatives but to notify beneficiaries.

SAIC conducted “careful deliberation” before reaching its result and indicated that the risk of breach was “low.” Had the DoD guidance not been a factor and had SAIC concluded that the case was one where an unlocked file or unencrypted data was discovered to exist, but it appeared that no one had opened such file or viewed such data, would SAIC’s conclusion have been the same? Would SAIC have come to the same conclusion as Nemours and decided to report? 

What is clear is that the breach notice determination should involve a careful risk and impact analysis, as SAIC asserts that it performed. Even the most deafening sound created by a tree crashing in the forest is unlikely to affect the ears of the airplane passengers flying overhead. Piping that sound into the airplane, though, is very likely to disgruntle (or even unduly panic) the passengers. 

[To be continued in Part 3]

• Print
• Comments
• Trackbacks
• Share Link

By Elizabeth Litten and Michael Kline

A recent public statement (the “Public Statement”) was published regarding a breach (the “2011 Breach”) of protected health information (“PHI”) of nearly 5 million military clinic and hospital patients that involved Science Applications International Corporation (SAI-NYSE) (“SAIC”). The 2011 Breach occurred in SAIC’s apparent role as a business associate and/or subcontractor for Tricare Management Activity, a component of Tricare, the military health plan (collectively, “Tricare”) for active duty service members of the U.S. Department of Defense (“DoD”). 

According to the Public Statement the PHI “may include Social Security numbers, addresses and phone numbers, and some personal health data such as clinical notes, laboratory tests and prescriptions.” However, the Public Statement says that there is no financial data, such as credit card or bank account information, on the backup tapes.

The 2011 Breach is the largest single PHI security breach reported to date. The 2011 Breach highlights the decision-making process that covered entities and business associates should employ with respect to notifying the Department of Health and Human Services (“HHS”), other regulators and potentially affected individuals of a PHI breach.

The published “interim final rule” governing “Breach Notification for Unsecured Protected Health Information” (the “Breach Notification Rule”)  defines “breach” as “the acquisition, access, use or disclosure of protected health information [“PHI”] in a manner not permitted under subpart E of this part which compromises the security or privacy of the protected health information.” It further explains that “compromises the security or privacy of the protected health information means poses a significant risk of financial, reputational, or other harm to the individual.”  The Breach Notification Rule also defines the term “access” for purposes of the interim final rule as “the ability or the means necessary to read, write, modify, or communicate data/information or otherwise use any system resource.”

These definitions, reviewed in the context of several recent PHI breaches (including those “marchers in the parade” previously discussed on this blog), raise an important issue: at what point does “access” matter?   When is the mere “ability” to read PHI, without evidence that the PHI was actually read or was likely to have been read, enough to trigger the notice requirement under the Breach Notification Rule? Will covered entities provide notice out of an abundance of caution to report every unlocked or unencrypted data file, possibly flooding the HHS website that lists large PHI breaches (the “HHS List”) with potential breaches that have minimal or no likelihood of access and unduly alarming notified individuals? Could such reporting have the unintended effect of diluting the impact of reports involving actual theft and snooping?  

In this regard, an event reported on the Nemours Web site on October 7, 2011 (the “Nemours Report”), about a PHI security breach involving approximately 1.9 million individuals at a Nemours facility in Wilmington, DE is relevant. The Nemours Report stated that three unencrypted computer backup tapes containing patient billing and employee payroll were missing. The tapes reportedly were stored in a locked cabinet following a computer systems conversion completed in 2004. The tapes and locked cabinet were reported missing on September 8, 2011 and are believed to have been removed on or about August 10, 2011 during a facility remodeling project. 

Significantly, the Nemours Report stated the following:

There is no indication that the tapes were stolen or that any of the information on them has been accessed or misused. Independent security experts retained by Nemours determined that highly specialized equipment and specific technical knowledge would be necessary to access the information stored on these backup tapes. There are no medical records on the tapes.

The Nemours Report reveals that, in spite of the low likelihood of access, it not only disclosed the breach but was offering free credit monitoring, identify theft protection, and call center support to affected individuals. 

If the analysis as to whether access “poses a significant risk of … harm” takes into account the likelihood that PHI was actually accessed, rather than simply whether a theoretical “ability or means” to read, write, modify, or communicate PHI existed at some point in time, perhaps the “possible breach” floodgates will not burst open unnecessarily.  

[To be continued in Part 2]

• Print
• Comments
• Trackbacks
• Share Link

 By Elizabeth Litten and Michael Kline

What was the highlight of the Macy’s® Thanksgiving Day parade when we were kids? The Snoopy® float (shown below) was probably right up there, along with the Sesame Street® and Disney® floats. Spectators of the Protected Health Information (“PHI”) Breach Parade (and of the “silent brigade” of Business Associate breaches, discussed in this blog series on August 1, 2011) will be awed by the sight of the recent, somewhat bizarre, Business Associate (“BA”) breach involving Stanford Hospital’s emergency room data, as reported in the New York Times by Kevin Sack on September 8, 2011. The PHI of 20,000 emergency room patients seen in the Palo Alto, CA hospital reportedly somehow made its way from the hospital’s BA, Multi-Specialty Collection Services, to a public website used by students. The publicly-posted information included names and diagnoses for patients who visited the emergency room during a 6 month period in 2009.

This PHI breach stands out for a couple of unusual aspects. First, the data was allegedly made publicly accessible in September of 2010 as a spreadsheet attached to a document on the Web site “Student of Fortune,” a site describing itself as “Your source for easy online homework help!” As reported in the Sack article: “Gary Migdol, a spokesman for Stanford Hospital and Clinics, said that the spreadsheet first appeared on the site on Sept. 9, 2010, as an attachment to a question about how to convert the data into a bar graph."  The PHI breach was purportedly discovered on August 22, 2011 by a Stanford Hospital patient and reported to the hospital. The fact that nearly a year had lapsed from the time of the breach to its reported discovery suggests that the PHI was

(i)   not recognized as “real” by viewers,

(ii)  not thought by viewers to be worth noting or reporting, and/or

(iii) not actually viewed by anyone during the year it was accessible to students seeking bar graph tutorial. 

Nonetheless, the volume of patients affected, the sensitivity of the PHI data (more on that in a minute), the apparent lack of sufficient care by the BA, and the surprising nonchalance of whoever posted the PHI to be sifted and sorted by “Students of Fortune” accessing a publicly available Web site combine to make an attention-grabbing PHI breach event (the Snoopy float). 

Also reported on a New York Times blog site by Nick Bilton on September 8, 2011, Senator Richard Blumenthal (D-CT) introduced a bill, the Personal Data Protection and Breach Accountability Act of 2011, that, if passed, would impose strict storage and protection requirements for companies that store online data for more than 10,000 people. (Senator Blumenthal was previously highlighted in several postings in this blog series for his groundbreaking activities as Attorney General of Connecticut in investigations and enforcement actions against entities involved in PHI security breaches.)

While “Student of Fortune” was certainly not “storing” the emergency room PHI, the bill would likely affect BAs such as Multi-Specialty Collection Services. To the extent the Blumenthal bill imposes new or additional privacy and security provisions, Covered Entities and BAs handling large amounts of PHI would be subject to these provisions in addition to existing HIPAA/HITECH and state law requirements.

Back to the Snoopy float – the Stanford Hospital PHI breach (and the manner in which it was reported in the Sack article) stands out for a number of ironies. A large amounts of sensitive PHI was accessible to the public, but obscurely so (only to Students of Fortune using a particular learning tool and astute enough to recognize, or care about, the sensitivity of the information). If the Stanford Hospital patient had not noticed and reported the PHI breach, would the breach have ever been noticed? Would any patient have been harmed? (If a tree falls in the forest when no one is present, does it make a sound?) 

Even more ironic is the fact that one affected patient may actually have been harmed as a result of the breach reporting, rather than from the breach itself. The Sack article quotes (by name) a patient’s mother who “intercepted” the breach notice mailed from Stanford Hospital to her 21-year-old son (leaving the reader to wonder why Mom is opening her adult son’s mail and whether she was authorized to access his PHI). Mom is quoted as stating (i) that her son received psychiatric treatment at Stanford in 2009 and (ii) “My son, I can tell you [Kevin Sack], is fragile and confused enough that this would have sent him over the edge."  One can only hope that the disclosure of his "fragile" state in a national newspaper will not have a similar effect.  Perhaps, in this post-Facebook and Twitter age, we could all use reminders about what kind of information is private and sensitive, when we should report breaches of it, and with whom we should share it.  The Snoopy float is a good reminder.    

A final irony is that Michael Mucha, the Stanford Hospital Chief Information Security Officer at the time of the Stanford PHI breach, has written extensively and has been widely-quoted regarding information security. He has been quoted as saying, “The biggest thing we [Stanford Hospital] focus on with all of this is control of the data.” Unfortunately the Snoopy float PHI breach belies the level of control of the data that can be exercised by Stanford and other Covered Entities, even with safeguards in place.

This story will undoubtedly have further developments. It will be especially interesting to see what statement, if any, Stanford provides to the U.S. Department of Health and Human Services (“HHS”) about its PHI breach for posting on the HHS list of reported large breaches of unsecured PHI affecting 500 or more individuals.

[Capitalized items that have ® after their names may be registered trademarks of other entities as to which no claim is made.]

From Heather Cross, About.com Guide 

 The Snoopy Balloon floats along Central Park West in the 2000 Thanksgiving Day Parade.

• Print
• Comments
• Trackbacks
• Share Link

Postings on this blog series have been following the continuing flow of large security and privacy breaches of Protected Health Information (“PHI”) that has been reported on the U.S. Department of Health and Human Services (“HHS”) Web site. A recent posting highlighted an area that has received relatively little media attention respecting the HHS list (the “HHS List”) of reported large breaches of unsecured PHI affecting 500 or more individuals (“Large Breaches”) - the extent to which such Large Breaches are stated to be attributable to events involving business associates (“BAs”) of the reporting covered entities (“CEs”). Some Large Breaches involving BAs will be reviewed in this and future postings.

The HHS List reveals that Ohio Health Plans (“OHP”), the public health care program overseen by the Ohio Department of Jobs and Family Services, reported as a CE that a Large Breach on June 3, 2011 involving 78,042 individuals had resulted from the theft of a laptop (the “OHP Breach”). The HHS List states that “Area Agency on Aging, Ohio District 5” was a “Business Associate Involved.” Unlike some other disclosures respecting Large Breaches reported on the HHS List, no further information is available on the HHS List for the OHP Breach.

A June 20, 2011 report of the OHP Breach in CrawfordCountyNow.com (the “Internet Report”) indicates that the correct corporate name of the affected BA is Ohio District 5 Area Agency on Aging, Inc. (the “Agency”). The Internet Report states:

A laptop computer assigned to a PASSPORT case manager with the Ohio District 5 (Mansfield) Area Agency on Aging, Inc. containing consumer’s personal health information was stolen from a vehicle on June 3. The computer contained personal health information of up to 43,000 consumers and the personal contact information of up to 35,000 related clients’ personal representatives.

The Internet Report quotes an apology from the CEO of the Agency, Duana Patton, and describes steps that the Agency was taking to mitigate the loss to affected individuals, including access to credit protection services and an 800 number to answer questions. Nowhere in the Internet Report is there any reference to OHP or the fact that the Agency was in possession of the PHI as a BA of a CE.

A visit to the Internet Web site of each of OHP and the Agency reveals no information respecting the OHP Breach. There is no reference to the OHP Breach in the links on the Home page of the OHP Web site or the links accessible through the  “News & Events” link, including the “What’s New” and “News Releases” links. 

The Agency Web site describes the Agency as

a private non-profit Agency, designated by the State of Ohio to be a Planning and Service Area (PSA) as mandated in the Older Americans Act, as enacted by the Federal Government in 1965. The Agency administers Title III, State Block Grant, Medicaid and other grant funds.

Again there is no reference to the OHP Breach on the Agency Web site, either in the “News and Events” links, the “Privacy Information” link or elsewhere, or the efforts of the Agency to mitigate adverse consequences to affected individuals that may result from the OHP Breach.

It appears that OHP, as the CE with respect to the OHP Breach and the entity required to report the OHP Breach to the HHS for placement on the HHS List, left it to the Agency as the apparently responsible BA to confront the aftermath. Moreover, OHP and the Agency appear to have consciously limited disclosures regarding the status of OHP as the CE to avoid adverse publicity for OHP, perhaps because it is part of the Ohio state sponsored health programs. 

Other Large Breaches involving BAs that have been reported on the HHS List will be reviewed in future postings on this blog.

• Print
• Comments
• Trackbacks
• Share Link

This blog series has been following the continuing flow of large security and privacy breaches of Protected Health Information (“PHI”) that has been reported on the U.S. Department of Health and Human Services (“HHS”) Web site. As required by HITECH, the HHS Web site posts a list (the “HHS List”) of reported large breaches of unsecured PHI affecting 500 or more individuals (“Large Breaches”). One area that has received relatively little attention from postings on the HHS List is the extent to which such Large Breaches are reported to be attributable to events involving business associates (“BAs”) of covered entities (“CEs”). 

The HITECH Act provides at Section 13402 (42 U.S.C. Section 17932) that, following a Large Breach of unsecured PHI, a CE must provide notification of the breach to affected individuals, the Secretary of HHS, and, in certain circumstances, to the media.  The HITECH Act imposed on a BA many of the obligations that only a CE previously had under the original HIPAA, unless the BA had specifically assumed such obligations contractually in an agreement with a CE. 

However, while Section 17932(b) of  HITECH requires a BA to notify the associated CE that a PHI breach has occurred, under HITECH, such a BA has no obligation or even authority for mandatory or voluntary reporting of a Large Breach directly to HHS. That is solely the obligation of the CE under HITECH Section 17932(e)(3).  Nonetheless, the form of "Notice to the Secretary of HHS of Breach of Unsecured Protected Health Information" to be filed by a CE calls for a disclosure by the CE of information about any breach that occurred at or by a BA.

The effect is that a BA has no effective voice, which has been authorized by HITECH or the interim HHS rules, to allow such BA to make a statement to HHS that could be posted on the HHS List to correct, amend, modify, supplement or even deny a CE report on the HHS List regarding such BA.

Of the 292 PHI breaches listed on the HHS List as of July 31, 2011, the following information has been reported regarding BAs:

•   Approximately 53 of the Large Breaches or 18% allegedly involved BAs of the reporting CEs.

•   Approximately 12 of the Large Breaches of reported Large Breaches allegedly involving BAs contained a narrative as to the Large Breach event.

•   Approximately 8 of the narratives stated that the CE had enforced its agreement with the allegedly involved BA and/or modified or terminated its relationship with such BA.

It is clear that a Large Breach can generate substantial costs, embarrassment and loss of reputation to a CE and an involved BA.  It is in the interest of both parties that prompt, accurate and complete notification of a Large Breach be made to the public and HHS.  Cooperative efforts that optimally should exist between the CE and an involved BA in remediating a Large Breach should also include drafting a mutually acceptable narrative, if such a narrative is to be included in the report to HHS. However, it may not be possible to have agreement on remediation itself or the description that will be reported by the CE to HHS and posted on the HHS List.  HHS should consider giving a BA an opportunity to report its own responsive version of a Large Breach event in a case where a CE attributes involvement to such BA.

• Print
• Comments
• Trackbacks
• Share Link

As reported previously on this blog series, the requirements under HIPAA/HITECH and state statutes and regulations for public disclosure of security breaches of Protected Health Information (“PHI”) have been bringing to light new breaches of PHI security and direct intervention by attorneys general with respect to such breaches. 

An earlier posting on November 2, 2010 in this blog series (the “2010 Posting”) reported that, on October 29, 2010, the Indiana Attorney General's office announced in a press release (the “2010 Press Release”) that it had filed a lawsuit against Indianapolis-based WellPoint, Inc. (“WellPoint”), claiming that “the health insurance provider did not notify their customers or the Attorney General's office in a timely manner following a data breach earlier this year affecting more than 32,000 Hoosiers.”

As reported by Ben Keller on DataGuidance.com from London, Indiana Attorney General Greg Zoeller announced on July 5, 2011, that WellPoint agreed to pay $100,000 after the company failed to notify customers and the state Attorney General "without unreasonable delay" of a data breach that occurred between October 2009 and March 2010. In response to a request by Mr. Keller to comment for the article, I was quoted as follows:

By settling with WellPoint Inc., the Attorney General of Indiana joins the Attorneys General of Connecticut and Vermont in recovering a substantial sum for the state. . . . [U]nlike Connecticut and Vermont, the Attorney General of Indiana however proceeded solely under a state law enacted by Indiana in 2009. With this variety of successes, it is likely that more Attorneys General will become aggressive in this area in the future.

This posting will endeavor to make some additional observations about the Indiana case. As reported in the 2010 Posting, the Connecticut case proceeded under the federal HIPAA/HITECH statute, while Mr. Zoeller proceeded only under an Indiana state law. Subsequent to the 2010 Posting, this blog series reported on a settlement in Vermont in January 2011 that was brought under both federal and state law in one lawsuit that invoked HIPAA/HITECH, as well as the Vermont Security Breach Notice and Consumer Fraud Acts. 

In summary, there have now been three reported settlements by Attorneys General for PHI security breaches:

(i) one that proceeded solely under the federal HIPAA/HITECH statute (Connecticut);

(ii) another that proceeded under both the federal HIPAA/HITECH statute and state law (Vermont); and

(iii) a third one that proceeded solely under state law (Indiana).

The 2010 Posting raised the question as to why Mr. Zoeller had proceeded only under the Indiana state law and not under HIPAA/HITECH as well. The press release issued by his office on July 5, 2011, about the WellPoint settlement sheds some light on the matter:

In 2009, Zoeller advocated for passing a new state law the Legislature enacted that session that now requires companies, in the event of a security breach, to notify consumers and the Attorney General's Office without unreasonable delay. Companies who detect an internal breach should make a written disclosure to the Attorney General's Identity Theft Unit.

It is clear that Mr. Zoeller wanted to achieve a successful result under the state statute for which he had personally urged passage. However, while the 2010 Posting reported that Mr. Zoeller was seeking $300,000 in civil penalties from WellPoint, he settled for $100,000 in penalties, plus, among other sanctions, the requirements that WellPoint provide up to two years of credit monitoring and identity-theft protection services to Indiana consumers affected by the breach and that WellPoint reimburse any WellPoint consumer up to $50,000 for any losses that result from identity theft due to the breach.

As stated earlier, it can be expected that other attorneys general around the country will follow suit in investigating PHI security breaches and seeking civil monetary payments and other sanctions under HIPAA/HITECH and/or state law. Such actions can generate significant revenues for the state, act as a deterrent to others and generate positive media coverage for successful attorneys general. 

Prompt, decisive and compliant action will be required of insurers and providers to maximize damage control, rehabilitate relations with clients and the public and reduce the likelihood of litigation and penalties for PHI security breaches. 

• Print
• Comments
• Trackbacks
• Share Link

Several recent PHI-related news items, including two that were commented upon by Michael Kline in this blog series in his posts dated June 27, 2011 (regarding Google Health’s announced shut down) and July 3, 2011 (regarding the Spartanburg (S.C.) Regional Health System PHI security breach), and one that was described by Bill Maruca in a post dated June 22, 2011 (regarding the safety of “cloud-based” data storage systems), share a common feature – they underscore our need to trust the keepers of our PHI. We need to trust that, whether PHI is in the cloud or on a server, in a thumb drive or on a hard drive, only those who have a right and a need to access it can and will do so. 

A recent petition (“Petition”), filed as a putative class action in federal court in St. Louis, Missouri against The Siteman Cancer Center at Barnes Jewish Center (“Siteman”) and the Washington University (St. Louis) School of Medicine provides an example of insult adding to injury when the trust in our PHI-keeper is broken. Mistakes may happen, but trust is really breached when the mistakes that involve PHI are not admitted and addressed immediately.

The Petition alleges that, sometime over the weekend of December 4, 2010, “an unencrypted laptop computer,” which contained the PHI of “hundreds of cancer patients,” was stolen from Siteman’s Gynecological Treatment Center.  While the exact number of individuals affected is not identified in the Petition, there has been no posting of the breach in the list maintained on the U.S. Department of Health and Human Services Web site respecting  breaches of unsecured PHI affecting 500 or more individuals (the “HHS List”). This suggests that fewer than 500 individuals were affected. 

According to the Petition, Siteman did provide notice to affected individuals – but, based on allegations in the Petition, the notice was too little and too late. The Petition contends that Siteman knew about the stolen laptop immediately after the December 4, 2010 weekend, but did not notify affected individuals until it sent out a letter dated January 28, 2011.   Adding apparent insult to this delayed notice of injury, the Petition asserts that Siteman also “downplayed the seriousness of the security breach” and failed to include complete information about (and thus “misrepresented”) the type of information that was stolen. 

In blogging about the Spartanburg breach, Michael writes, “[i]t is perplexing that a hospital would choose to withhold disclosure of the extent of its PHI security breach, as it risks a second round of significant media coverage when the posting on the HHS List takes place one to three months later.”   I find it similarly perplexing that a hospital, such as Siteman, might choose to withhold disclosure of the extent of an especially sensitive PHI security breach, particularly when the disclosure is being made directly to the potentially affected individuals. Failure to disclose promptly and accurately the nature and extent of a breach not only erodes patient trust, but also increases the likelihood of a “second round” of patient harm and ensuing litigation.

• Print
• Comments
• Trackbacks
• Share Link

This blog series has been following the continuing flow of large security breaches of Protected Health Information (“PHI”) and how affected providers and insurers have been responding to their discovery. Immediately before the July 4th weekend, there was a posting on the U.S. Department of Health and Human Services Web site, which lists breaches of unsecured PHI affecting 500 or more individuals (the “HHS List”), of a PHI security breach affecting 400,000 individuals that was reported by Spartanburg Regional Healthcare System (the “System”).

The HHS posting respecting the System reports that a PHI breach (the “System Breach”) occurred on March 28, 2011 from the “Theft” of a “Desktop Computer.” As a result the System appears to have suffered the fourth largest PHI security breach reported on the HHS Web site during 2011, surpassed only by the following, each of which has been discussed earlier in this blog series:

(i) the Health Net breach that involved 1,900,000 persons;  

(ii) the New York City Health and Hospitals Corporation’s North Bronx Healthcare Network breach with a reported 1,700,000 persons affected; and

(iii) the Eisenhower Medical Center breach with a reported 514,330 persons affected.

The history of reporting of the System Breach by the System has been somewhat puzzling. Although the Web site of the System had previously published for some period of time a prominent link on its home page to the letter that was sent by the System to the affected individuals (the “System Letter”), the link appears now to have been deleted from the System’s home page. After a search, there appears to be no other reference to the System Breach on the System’s Web site, including the news archive that is linked from the home page.   

The System Letter asserted that the computer was stolen from the car of an employee who was “authorized to have possession of the computer.” The computer reportedly contained a password-protected file with Social Security numbers as well as names, addresses, dates of birth and medical billing codes. The System Letter also reported that the System will make available to affected individuals enhanced identity theft consultation and restoration and one year of free credit monitoring, although the System “had no evidence that any information has been misused.”

For some reason, the System originally made no disclosure of the large number of persons affected. This is not the first time that a provider that suffered a significant PHI security breach did not report the number of affected persons. See, for example, the postings in this blog series respecting Henry Ford Health System. It is perplexing that a hospital would choose to withhold disclosure of the extent of its PHI security breach, as it risks a second round of significant media attention when the posting on the HHS List takes place one to three months later. It would appear that providers and insurers should understand that one major media encounter for a single PHI security breach event is more than enough publicity.

• Print
• Comments
• Trackbacks
• Share Link

On June 24, 2011 Steve Lohr reported in The New York Times that Google is ending its three year initiative into the world of online storing by consumers of personal health records.  Google Health had promoted this as a significant application of its “cloud computing” platform. 

A visit to the Google Health Web site reveals the following statement:

An Important Update about Google Health

Google Health will be discontinued as a service.

The product will continue service through January 1, 2012.
After this date, you will no longer be able to view, enter or edit data stored in Google Health. You will be able to download the data you stored in Google Health, in a number of useful formats, through January 1, 2013.

The Lohr article quotes a blog posting of Aaron Brown, senior product manager for Google Health, to which the Google Health Web site also directs readers. Mr. Brown states that the goal of Google was to “translate our successful consumer-centered approach from other domains to health care and have a real impact on the day-to-day health experiences of millions of our users.”  However, Mr. Brown admitted in his blog post, “Google Health is not having the broad impact we had hoped it would.”

Mr. Lohr points out, “Google is by no means the only company to abandon the field of consumer health records. Revolution Health, for example, retired its personal health record service last year, citing few users.”  He also quoted others who attributed the lack of users to a variety of causes, including heavy and continuous demands on the time of consumers to maintain current, accurate and complete online health records, loss of consumer appetite to other more appealing computer applications, the complexity of the health field, and greater success of online health records when providers or insurers are partnering in the process.

A significant reason for the lack of attraction to Google Health that was not mentioned in the Times article may be the reasonable uneasiness that consumers have about privacy and security of their personal health information (“PHI”). In April 2010, a posting was entered on our blog series entitled, “Does the Reported Massive Theft of Password Information at Google Undermine Confidence in the Privacy and Security of Google Health.” That posting addressed PHI privacy and security problems experienced by Google Health at that time. Specifically, according to a Times article by John Markoff, Google Health suffered a breach of the password system  that controlled access by millions of users worldwide to almost all of the company's Web services, including email and business applications. 

Thus the conclusion of our April 2010 posting may have been another significant reason for the termination of the Google Health experiment in online personal health records:

If the reported security breach at Google is as broad and comprehensive as reported, a subscriber to Google Health is not as in control of his or her PHI as the Google [Health Privacy] Policy may lead one to believe. . . . The potential damage to subscribers is catastrophic and perhaps should be the subject of investigation for potential regulation. 

• Print
• Comments
• Trackbacks
• Share Link

This blog series has been following the continuing flow of large security breaches of Protected Health Information (“PHI”) and how affected providers and insurers have been responding to their discovery. A recent posting of a major PHI security breach was made regarding Eisenhower Medical Center (the “Center”) on the U.S. Department of Health and Human Services (“HHS”) Web site that lists breaches of unsecured PHI affecting 500 or more individuals.  The Center, which is located on Bob Hope Drive in Rancho Mirage, near Palm Springs, California, houses, among other areas, the famous Annenberg Center for Health Sciences at Eisenhower, the Barbara Sinatra Children’s Center at Eisenhower and the Betty Ford Center on the Eisenhower campus. 

The HHS posting respecting the Center reports that a PHI breach affecting 514,330 persons (the “Center Breach”) occurred on March 11, 2011 from the “Theft” of a "Desktop Computer." As a result the Center appears to have suffered the third largest PHI security breach reported on the HHS Web site during 2011 to date, trailing only

(i) the Health Net breach earlier reported in this series that involved 1,900,000 persons and

(ii) the New York City Health and Hospitals Corporation’s North Bronx Healthcare Network breach with a reported 1,700,000 persons potentially affected.

The Center Breach was reported as item 38 on page 16 of the U.S. Department of Homeland Security (“DHS”) “Daily Open Source Infrastructure Report for 1 April 2011.”  The DHS report quoted Center officials and the Center’s Director of Marketing and Public Relations as saying,

The computer was password protected, but not encrypted. The information in the   . . . file included patient names, ages, dates of birth, the last four digits of the Social Security number, and the hospital’s medical record number. . .

The theft occurred late in the day March 11, but the hospital was not aware the computer had been stolen until March 14. On March 17, officials learned the backup patient file was on the stolen computer . . .  [T]he theft was reported to the Riverside County Sheriff’s Department March 18. The file was a backup file that was not displayed on the computer’s desktop.

In spite of the more than 500,000 individuals reported as having been affected by the Center Breach, the information made available to date by the Center has been sparse.  A visit to the home page of the Center’s own Web site does not reveal any mention of the Center Breach.  Similarly a search of the 1,446 items dating back to 2004 in the Center’s News Archives on its Web Site (the “News Archives”) has no reference to the Center Breach.

The only article in the News Archives relative to privacy, which appeared to be from early 2009, reported the rolling out by the Center of a privacy code system to augment guidelines for the use and disclosure under the privacy standards for PHI (excluding information available in the hospital directory) to a patient’s family, significant other and friends. That article also stated, “All Eisenhower employees are required to complete a mandatory privacy NetLearning training module in April.” 

(NOTE - The conclusion that the year of the privacy article in the News Archives was 2009 was only determinable from a review of surrounding news items. The News Archives are deficient because they have no reference as to the dates of postings, unless they are indicated in the bodies of the articles themselves.)

It is perplexing that a hospital of the stature of  Eisenhower Medical Center has been relatively silent about the Center Breach that has affected so many individuals.  Nor has the Center disclosed what, if any, proactive remedial actions it will be taking to avoid a similar occurrence in the future.  However, it is clear that more will be heard about this event, as CaliforniaHealthline.org has reported, "The not-for-profit medical center is sending notification letters to affected patients, and the California Department of Health will investigate the incident."

• Print
• Comments
• Trackbacks
• Share Link

By: Elizabeth Litten and Michael Kline

This blog series has been following the continuing flow of large security breaches of Protected Health Information (“PHI”) and how affected providers and insurers have been responding to their discovery. As reported in a recent posting, prior to yesterday, the New York City Health and Hospitals Corporation’s North Bronx Healthcare Network was perhaps the largest marcher in the parade of large PHI security breaches with a reported 1,700,000 persons potentially affected.  As of March 14, 2011, it appears Health Net is grappling with a breach that could involve as many as 1,900,000 persons, which would give it the distinction of having the largest and potentially loudest marching band in the Security Breach Parade.

This breach was described in a press release (issued by the California Department of Managed Care (“DMHC”):

The company [Health Net] announced today that nine of its server drives containing personal information for 1.9 million current and past enrollees nationwide are missing, including records for more than 622,000 enrollees in Health Net products regulated by the DMHC, more than 223,000 enrolled in California Department of Insurance products, and a number enrolled in Medicare. Health Net is conducting an investigation into the drives discovered missing from its Rancho Cordova data center.  

Health Net issued a press release that does not mention the number of persons affected, and implies that its vendor, IBM, may have responsibility for the breach:

This investigation follows notification by IBM, Health Net’s vendor responsible for managing Health Net’s IT infrastructure, that it could not locate several server drives. After a forensic analysis, Health Net has determined that personal information of some former and current Health Net members, employees and health care providers is on the drives, and may include names, addresses, health information, Social Security numbers and/or financial information. While the investigation continues, Health Net has made the decision out of an abundance of caution to notify the individuals whose information is on the drives. To help protect the personal information of affected individuals, Health Net is offering them two years of free credit monitoring services, including fraud resolution and, if necessary, restoration of credit files, as well as identity theft insurance. These services will be provided through the Debix Identity Protection Network.

Health Net’s press release then (tautologically, since the press release is accessible under the “Newsroom” link at the bottom of Health Net’s home page) directs readers to Health Net’s website for more information. I was unable to find additional information about the breach or Health Net’s investigation on the website. It’s good to know that, “out of an abundance of caution” (and at what must be quite an abundance of expense), Health Net will be notifying the 1.9 million affected persons and offering them two years of free credit monitoring services. Perhaps the next large entity entrusted with PHI will exercise an “abundance of caution” by encrypting the information contained on its server drives to avoid having to march in the ever-growing Security Breach Parade. 

Health Net, however, is no stranger to the Security Breach Parade. As reported previously on this blog series, Health Net and its affiliates have made payments to the states of Connecticut and Vermont in actions brought by the respective attorneys general of those states for HIPAA/HITECH violations. It does not end there. Today the Attorney General of the State of Washington published a release that Health Net had informed the Washington Attorney General’s Office on Monday that “approximately 39,877 Washington residents” may be affected by a data breach. This developing situation warrants continued monitoring.

• Print
• Comments
• Trackbacks
• Share Link

The requirements under the HIPAA/HITECH statutes and regulations for public disclosure of breaches of Protected Health Information (“PHI”) have brought to light an increasing volume of breaches of PHI involving highly respected and sophisticated providers and insurers. On November 21, 2010, a posting on this blog discussed a PHI security breach (the “September 2010 Breach”) involving Henry Ford Health System in Michigan (“Henry Ford” or the “health system”) that was discovered by the health system on September 24, 2010. A follow-up posting in this series on November 24, 2010 reported that 3,700 individuals had been affected in the September 2010 Breach.

On February 25, 2011, Robin Erb, Medical Writer at the Detroit Free Press, wrote an article entitled, “Lost Device Compromises Medical Information of 2,777 Patients” relative to another security lapse in less than a year within Henry Ford (the “January 2011 Breach”). According to Ms. Erb, an employee of the health system lost a flash drive with information on 2,777 patients on January 31, 2011.

As Ms. Erb reported,

Hospital officials said it's unclear how the flash drive was lost. The device is not encrypted, as required to protect individual patients' information, officials said.

The information involved patients tested for urinary tract infections between July and October 2010 and included names, medical record numbers, test information and results.

While the first blog posting in this series about the November 2010 Breach gave a link to the Henry Ford posting of on its Web site about the security breach, that posting and link have apparently been already taken down by the health system. However, more than 500 other earlier stories dating back as far as March of 2005 remain on the Henry Ford News list. A visit today to the News list on the health system’s Web site also reveals that Henry Ford has made no posting to date about the January 2011 Breach.

HIPAA/HITECH provides that the time frame for insurers and providers to give notice to affected individuals and the U.S. Department of Health and Human Services (“HHS”) of a PHI security breach involving 500 or more individuals is “without unreasonable delay and in no case later than 60 days from discovery of a breach.” The maximum time, therefore, for Henry Ford to notify the HHS about the January 2011 Breach is 60 days after the discovery date of January 31,2011 or April 1, 2011. Soon after notification by the health system to the HHS, the HHS Web site that lists breaches of unsecured PHI affecting 500 or more individuals would add the January 2011 Breach. 

It is interesting that, while Ms. Erb’s article was published almost three weeks ago, nothing has apparently been published by Henry Ford about the January 2011 Breach on its Web site. Nor has the January 2011 Breach yet appeared on the HHS Web site. This matter warrants further monitoring.

• Print
• Comments
• Trackbacks
• Share Link

As reported previously on this blog series, the requirements under the HIPAA/HITECH statutes and regulations for public disclosure of security breaches of Protected Health Information (“PHI”) have been bringing direct intervention by attorneys general with respect to enforcement actions regarding such breaches. Last week for the first time, the Office for Civil Rights (“OCR”) of the U.S. Department of Health and Human Services (“HHS”) exacted heavy financial obligations from (i) Cignet Health and its affiliates (“Cignet”) on February 22, 2011, with a $4.3 million civil monetary penalty assessment  (“CMP”) for violations of the HIPAA Privacy Rule and (ii) the General Hospital Corporation and Massachusetts General Physicians Organization Inc. (collectively, “Mass General” ) on February 24, 2011, for a settlement that includes a payment to the U.S. government of $1,000,000 by Mass General for potential violations of HIPAA.

This is the first time that the OCR has publicized its activities in enforcement actions involving heavy monetary payments. Until now, as reported previously on this blog series, the publicized enforcement activity for monetary recoveries from covered entities under HIPAA/HITECH has been by attorneys general in Connecticut, Indiana and Vermont.

The cases of Cignet and Mass General are efforts by the OCR to demonstrate its seriousness in taking action against violations or alleged violations of HIPAA/HITECH.  In the OCR press release relating to Cignet (the “Cignet Press Release”), Kathleen Sibelius, Secretary Of HHS stated the following:

Ensuring that Americans’ health information privacy is protected is vital to our health care system and a priority of this Administration. The U.S. Department of Health and Human Services is serious about enforcing individual rights guaranteed by the HIPAA Privacy Rule.

In the OCR press release relating to Mass General (the “Mass General Press Release”), OCR Director Georgina Verdugo was quoted as follows: “We hope the health care industry will take a close look at this agreement and recognize that OCR is serious about HIPAA enforcement. It is a covered entity’s responsibility to protect its patients’ health information.”

The close proximity of the two OCR actions and press releases is noteworthy. According to the Cignet Press Release, the Cignet case involved 41 patients, while, according to the Mass General Press Release, the Mass General case involved 192 patients. Each of these numbers is far fewer than the threshold of 500 affected individuals for listing on the HHS website (the “HHS List”). Some of the 241 incidents reported on the current HHS List involved hundreds of thousands, or even more than one million, affected individuals. It is clear that OCR felt it necessary to make examples of Cignet and Mass General.

The two cases are very different in that the Cignet Health payment involves a CMP imposed by OCR for violations that the OCR found Cignet to have committed, including, according to the Cignet Press Release, the fact that “. . . Cignet failed to cooperate with OCR’s investigations on a continuing daily basis from March 17, 2009, to April 7, 2010, and that the failure to cooperate was due to Cignet’s willful neglect to comply with the Privacy Rule.” Therefore, the heavy CMP on Cignet would appear to based in major part on OCR’s view that Cignet flouted the authority of OCR to investigate alleged HIPAA Privacy violations. 

On the other hand, according to the Mass General Press Release, Mass General settled for a $1,000,000 payment and other compliance actions for “potential violations of the HIPAA Privacy Rule.” It is clear that Mass General, while having an incident that affected almost five times as many individuals as that of Cignet, exhibited a spirit of cooperation with OCR and, therefore, settled for less than one-fourth of the CMP imposed on Cignet and was not found by OCR to have committed a violation.

The juxtaposition of the two cases by OCR shows that cooperation may achieve significant benefits for alleged HIPAA violators, while those who fail to cooperate can be severely punished. The importance of these two cases warrants further discussion in future blog entries.

• Print
• Comments
• Trackbacks
• Share Link

This blog series has been following the continuing flow of large security breaches of Protected Health Information (“PHI”) and how affected providers and insurers have been responding to their discovery. The New York City Health and Hospitals Corporation’s North Bronx Healthcare Network (“HHC”) has recently become perhaps the largest marcher in the parade of PHI security breaches with a reported 1,700,000 persons affected. 

The U.S. Department of Health and Human Services website, which provides a list (the “HHS List”) required by HIPAA/HITECH of large reported breaches of unsecured PHI incidents affecting 500 or more individuals, reveals that HHC had a PHI security breach on December 23, 2010 (the “Breach”). Of the 242 records currently reported on the HHS List, the Breach is by far the largest with 1,700,000 affected individuals. The Breach apparently resulted from a “Theft” of “Electronic Medical Record, Other.” 

Unlike some other participants in the parade of PHI security breaches that have been reported in this blog series, it is refreshing to see that HHC has tried to be forthright in its communication on the HHC Website. The information regarding the occurrence may be found in a number of ways, including a search for "PHI security breach" directly from the HHC Home Page or by clicking on "Publications and Reports" from the HHC Home Page and then clicking on "Press Releases" where the relevant Press Release dated February 11, 2011, is the only listing to date for 2011 (the “Press Release”).

The HHC breach can become a financially costly one for HHC, as it potentially affected information covering twenty years relative to (i) personal information such as social security numbers, names, addresses, and other information that may be used to identify individuals; (ii) personal information and patients' medical histories; and (iii) personal information and employees' health information. The Press Release states the following: “The loss of this data occurred through the negligence of a contracted firm [identified in the Press Release as GRM Information Management Services ("GRM")] that specializes in the secure transport and storage of sensitive data. There is no evidence to indicate that the information has been inappropriately accessed or misused.”  The Press Release also reported that HHC is making available free credit monitoring and fraud resolution services for one year to those affected individuals who request it.

The Press Release states that the information was stolen when "the GRM van was left unattended and unlocked while the driver made other pickups.  GRM reported the incident to the police and dismissed the driver of the vehicle.  To date, the files have not been recovered."  Therefore, it can be reasonably inferred from the Press Release that at least a portion of the financial burden for HHC from the Breach will be shared by GRM.  GRM may even have some type of liability insurance coverage that will pay for some of the expenses flowing from the Breach. 

In this regard, my partner Elizabeth Litten, Esq., had previously discussed in a blog entry in this series the need for healthcare providers and business associates to investigate the possibility of obtaining insurance covering potential losses arising out of large PHI security breaches. The case of HHC may encourage greater attention to this area.

The prominent posting of the Breach on the HHC website demonstrates that HHC has made a commitment to act responsibly and do more than what is (again borrowing a phrase from HITECH in a totally different context) “the minimum necessary” for communicating a large PHI security breach. This should accelerate the rehabilitation of confidence and relations with patients, employees and HHC’s larger constituency.

• Print
• Comments
• Trackbacks
• Share Link

This blog has been following the continuing flow of security breaches of Protected Health Information ("PHI") and how affected providers and insurers have been responding to their discovery. The University of Tennessee Medical Center ("UTMC" or the "hospital") based in Knoxville has apparently joined in the march.

On November 29, 2010, Angela Starke wrote an article entitled "Patients uneasy about possible security breach at UT Medical Center" that was posted on volunteertv.com. In the article, Ms. Starke reported that UTMC had announced that 8,000 patients' medical and identity information may have been compromised. As part of her article, Ms. Starke reproduced in full the letter attributed to the Privacy Officer of UTMC that was sent to affected patients by the hospital (the "Letter"). The following was stated in the UTMC Letter: "Please note we have no reason to believe that any of your personal information has actually been accessed or inappropriately used. However, out of an abundance of caution, we want to make you aware of the incident."

What is interesting about the UTMC event is that the hospital apparently has not seen the incident as sufficiently newsworthy to publish the UTMC Letter on its website in the news section or elsewhere. In contrast, a recent post on this blog discussed a PHI security breach issue at Henry Ford Health System in Michigan ("HFHS"). That post raised questions as to the thoroughness of the report that HFHS had placed on its website relative to the incident.

Nonetheless, HFHS did at least disclose the matter on its website. UTMC has chosen not to do so. The article by Ms. Starke would indicate that patients who received notices from UTMC about the PHI incident considered it to be somewhat more of a concern than the hospital did, as evidenced by UTMC’s failure to make a disclosure on its website.

A visit today to the U.S. Department of Health and Human Service ("HHS") website which lists reported breaches of unsecured PHI incidents affecting 500 or more individuals reveals that the UTMC matter is now posted. Even that posting, however, is defective. The list reflects the "Date of Breach" of the UTMC event of "Improper Disposal of Paper Records" as "2009-09-23." Obviously the year should be "2010" not the "2009" date listed. It is unclear whether the hospital reported the wrong year to HHS or that HHS incorrectly transcribed it.

As this blog has reported earlier, the public disclosures required by HIPAA/HITECH for breaches respecting PHI make providers and insurers vulnerable to embarrassment, criticism and diminished reputation that may actually overshadow the significant legal costs and statutory consequences of the breach itself.

To this end, providers and insurers must continue to heighten their efforts to avoid PHI security breaches as a primary objective. If they do occur, prompt, decisive and proactive action is required to maximize damage control and rehabilitate relations with clients and the public. Such action should include posting of the unfortunate event on the entity’s website.

• Print
• Comments
• Trackbacks
• Share Link

This blog has been following how requirements under the HIPAA/HITECH statutes and regulations for public disclosure of security breaches of Protected Health Information (“PHI”) have brought to light a continuing flow of breaches of PHI involving highly respected and sophisticated providers and insurers. 

On November 21, 2010, a posting on this blog discussed a PHI security breach involving Henry Ford Health System (“Henry Ford” or the “health system”).

The blog posting observed that the disclosure by Henry Ford on its Web site did not divulge the number of patients affected by the security breach. As discussed in the posting, the required time frame for the health system to notify the U.S. Department of Health and Human Services (“HHS”) is the same as that for notifying affected patients; therefore, the HHS Web site that lists breaches of unsecured PHI affecting 500 or more individuals would soon reveal the number of affected patients. Indeed, a visit today to the HHS Web site reveals that the Henry Ford security breach is now listed and that the breach affected 3,700 patients. 

It is somewhat perplexing as to why the health system would have chosen not to have reported the number of affected patients on its own Web site. While every PHI security breach is costly and makes providers and insurers potentially vulnerable to embarrassment, criticism and diminished reputation, proactive transparency assists in rehabilitating relations with clients and the public.

• Print
• Comments
• Trackbacks
• Share Link

This blog has been following how requirements under the HIPAA/HITECH statutes and regulations for public disclosure of security breaches of Protected Health Information (“PHI”) have brought to light a continuing flow of breaches of PHI involving highly respected and sophisticated providers and insurers. 

The giant Henry Ford Health System (“Henry Ford” or the “health system”) in Michigan has joined the march. On November 19, 1010, Henry Ford posted on its Web site a “Required Substitute Notice” (the “Notice”) under HIPAA/HITECH. The Notice discloses that the health system has notified and apologized to “affected patients” that their information related to prostate services received between 1997 and 2008 was affected by a breach of unsecured PHI.  Henry Ford reported that it learned on September 24, 2010, that  “an employee's laptop computer storing the information was stolen from an unlocked urology medical office.” 

While no Social Security numbers, health insurance identification numbers or medical records were apparently stored on the stolen laptop, other elements of PHI were present on the laptop. To provide support for those affected by the PHI breach, as has been done by other providers and insurers, Henry Ford has responsibly offered a free year of identity monitoring, protection and remediation service to the potential victims. 

There are a number of interesting aspects of the Notice itself. The Notice states that “[u]nder federal law, health care organizations are required to notify patients within 60 days of a breach of unsecured health information.” As stated in an earlier posting on this blog, the time frame for providers and insurers to give notice to affected individuals and the U.S. Department of Health and Human Services (“HHS”) of a PHI security breach involving 500 or more individuals is “without unreasonable delay and in no case later than 60 days from discovery of a breach.”

If the PHI breach was discovered by Henry Ford on September 24, 2010, the sixtieth day would be November 23, 2010. Therefore, that part of the notification requirement was clearly satisfied. It is a factual matter, however, as to whether, under the circumstances, the notification by the health system on or about the 53^rd day met the other standard that notice was provided “without unreasonable delay.”

Another aspect of the Notice was that it did not disclose the number of affected patients. A visit today to the HHS Web site that lists breaches of unsecured PHI affecting 500 or more individuals reveals that the Henry Ford security breach is not yet posted.  Since the required time frame for the health system to notify the HHS is the same as that for notifying affected patients, the HHS Web site should soon post such information.

Perhaps one of the most concerning aspects of the security breach is the report by Henry Ford that “[w]hile the laptop was password protected, the patient information stored on the computer could potentially be viewed on the computer.” Chief Privacy Officer of Henry Ford, Meredith Phillips, was quoted as saying that, to prevent future patient information breaches, “employees will be re-educated in the steps necessary to protect patient information stored on computers.” She also stated that  “the process will be improved for how employees obtain a laptop computer for work purposes.”

Henry Ford is taking reasonable measures to forestall another similar incident. Clearly, however, current technological security protection practices, such as passwords, even if followed as in the Henry Ford case, are not sufficient to avoid a security breach. Unfortunately, re-education of employees and adding new limitations on issuance of laptops will not protect providers or insurers against negligence, rogue employees who may download PHI on their own computers,

outright thieves within or without the organization, computer hacking and a host of other threats. 

As this blog has reported earlier, the public disclosures required by HIPAA/HITECH for breaches respecting PHI make providers and insurers vulnerable to embarrassment, criticism and diminished reputation that may actually overshadow the significant legal costs and statutory consequences of the breach itself. 

To this end, providers and insurers must continue to heighten their efforts to avoid PHI security breaches as a primary objective. If they do occur, prompt, decisive and proactive action is required to maximize damage control and rehabilitate relations with clients and the public.

• Print
• Comments
• Trackbacks
• Share Link

Note: The title and substance of this blog entry has been substantially amended in response to a helpful comment by an anonymous fellow blogger. I am grateful that others are reading our blog posts and have sufficient interest in the topic to comment. To assist readers, the highly appreciated comment is set forth in full as follows:

I read your blog post, "MISSING FROM THE PARADE OF LARGE PHI SECURITY BREACHES - REASONABLY PROMPT POSTING BY THE SECRETARY OF HHS ON THE HHS WEBSITE," and wanted to let you know:

You've been looking at the wrong url. The HHS breach list has been updated frequently since June, but they moved the breach report url to here in July.

HHS never put a forward, redirect, or notice on the old url, and I've seen a number of sites, like yours, misled by the unannounced move and I've tried to let fellow bloggers know.

When you go to the new page, note that there are also csv and xml formats. Those files may, in some cases, be a bit more current than the list you see when you go to the web site.

Hope this helps.

The Breach Notification Rule in the Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH”), relating to public disclosure of security breaches of Protected Health Information (“PHI”), has continuously been bringing to light new breaches of PHI involving highly respected and sophisticated healthcare providers and insurers (generally, “covered entities”). 

The HITECH Act requires covered entities to notify, among others,  Kathleen Sibelius, Secretary (the “Secretary”), of the U.S. Department of Health and Human Services (“HHS”), respecting a PHI breach involving 500 or more individuals. The notification to the Secretary is to be made “without unreasonable delay and in no case later than 60 calendar days after the discovery of the breach of PHI. . . .” 

What is supposed to happen, however, when the Secretary receives the report of a PHI breach involving 500 or more individuals? The Website “HIPAA Survival Guide” quotes Section 13402(e)(4) of HITECH as follows:

(4) Posting on HHS Public Website.—The Secretary shall make available to the public on the Internet website of the Department of Health and Human Services a list that identifies each covered entity involved in a breach . . . in which the unsecured protected health information of more than 500 individuals is acquired or disclosed.

Unfortunately, the original URL address (the “Old URL”) for the HHS list relative to breach notification (the "List") was changed by HHS with no apparent notice in July 2010 and has not been updated since that time. From late June 2010 until the original posting of this blog entry, I was visiting the Old URL on at least a weekly basis on the assumption that HHS had simply not been updating the List on a timely basis. 

A fellow blogger advised me that HHS changed the Old URL to a new URL (the “New URL”) but never put a forward, redirect or notice on the Old URL as to the change. It would seem reasonable and relatively easy for the Secretary at a minimum to do one or more of the following to assist those who may mistakenly visit the obsolete Old URL:

(1) keep the Old URL, while prominently placing on the old URL information about the change to the New URL;

(2) close the Old URL and automatically redirect visitors to the New URL; and/or

(3) issue a press release or notice about the change from the Old URL to the New URL and post it prominently on the general HHS Website.

It is not too late for the Secretary to correct any further misunderstandings by appropriate action. If HHS is serious about encouranging compliance by covered entities, HHS should lead by example and act reasonably with respect to its own statutorily-mandated HITECH responsibilities.

• Print
• Comments
• Trackbacks
• Share Link