The New York City skyline, including the Empire State Building

“New York Gov. Andrew Cuomo recently signed legislation that will effectively prohibit ambulance and first response service providers from disclosing or selling patient data to third parties for marketing purposes.

The bill was signed into law on October 7. The new law bans the sale of patient data, or individually identifying information to third parties, outside of sales to health providers, the patient’s insurer, and other parties with appropriate legal authority.

Under the law, all information that can be used to identify a patient is protected from sales for marketing purposes, such as advertising, detailing, marketing, promotion, or any activity used to influence sales.”

Details from HealthIT Security.

This post also appears on Fox Rothschild’s Privacy Compliance & Data Security blog.

Artificial Intelligence (“AI”) refers to algorithm tools that simulate human intelligence, mimic human actions, and can incorporate self-learning software. The benefits of AI tech can reduce spending, provide alternative treatment ideas, and improve patient experience, diagnosis, and outcome.

Consider virtual health assistants who deliver medication alerts and patient education, AI used to detect abnormalities in x-rays and MRIs, and AI that gives simultaneous feedback to patients and their physicians from elements captured on patient smartphones and wearable devices.  But with the advent of unchecked AI comes concerns related to health information  privacy and unconscious bias.

Privacy Concerns in AI Health Tech

AI advances could negatively impact health data privacy. The level of impact depends, to some extent, on how we define health data. “Health data” generally refers to information concerning the physical or mental health status of an individual and the delivery of or payment for health services to the individual. It incorporates data exchanged through traditional health technologies used by health care providers and health plans, as well as data exchanged through newer technologies, like wearable devices and virtual assistants.

Regulations do not yet fully address privacy concerns in AI health tech. HIPAA, for example, legislation that was originally enacted in 1996, requires covered entities and business associates to implement standards to ensure the privacy and security for protected health information. Those standards, however, may not apply to tech companies that use ever-evolving third party apps or algorithms to access the data. Experts express concerns with companies collaborating to re-identify data formerly considered de-identified.[1] Consider data brokers who mine personal health data with AI tech who then sell their acquired health data to third parties like marketers, employers, and insurers. While a tech company’s relationship with a health insurance company falls under HIPAA’s scope, it is less clear what privacy laws would apply to tech companies that limit clientele to entities that are not otherwise directly or indirectly subject to HIPAA, such as life or disability insurers, which may be the case for marketers and employers.

Bias Concerns in AI Health Tech

AI health tech must be developed and trained responsibly. AI learns by identifying patterns in data collected over many years. If the data collected reflects historical biases against vulnerable populations, the data projected will only exasperate those biases. Biases creep into data sets through various ways. Consider whether input data has incomplete data sets for “at-risk” populations (groups with a historically higher risk for certain health conditions or illnesses). Consider the potential for under-diagnosis of health conditions within certain populations. Correcting for these biases in the development of the data set and in training processes will help to avoid the creation of biased results in AI health tech.

Companies should consider safeguards when employing their AI health tech. Employee training is paramount. While AI promises a host of benefits, those involved in its creation and use must be aware of the potential for bias. Companies should also consider data integrity and built in biases. Consider the information AI tech relies on and consider rechecking the data reviewed by AI.  Lastly, diversifying those engaged in creating, testing, and using the health care tech could also decrease bias.

[1]              https://www.ncvhs.hhs.gov/wp-content/uploads/2013/12/2017-Ltr-Privacy-DeIdentification-Feb-23-Final-w-sig.pdf

Last May, around the time many schools let out for the summer, the Office for Civil Rights (“OCR”) published guidance entitled “Direct Liability of Business Associates” (the “Guidance”), which focuses, not surprisingly, on OCR’s ability to take enforcement action directly against HIPAA business associates. I meant to write about this guidance before Memorial Day, but since the back-to-school season is a good time to get things (including business associate agreements or “BAAs”) in order, this timing feels right.

The Guidance caught my attention not because it lists ten HIPAA failures or violations for which business associates are directly liable, but it calls out one specific HIPAA violation that will fall on the shoulders of the contracted covered entity:

… OCR lacks the authority to enhance the “reasonable, cost-based fee” limitation in 45 C.F.R. § 164.524(c)(4) against business associates … .

In other words, the OCR explains that, if a covered entity engages a business associate to fulfill an individual’s request for access to protected health information, it is the covered entity’s responsibility to ensure that the business associate complies with HIPAA’s “reasonable, cost-based fee” limitation (and any more stringent state law requirement).

We’ve posted on the topic of individual access rights under HIPAA (see here and here), and have also posted on the topic of what amounts can be charged, both under HIPAA and under state law (see here and here). What the Guidance compels me to point out, though, is that covered entities often include a provision in BAAs that requires the business associate to respond to an individual’s access request by either notifying the covered entity of the request or by providing the requested electronic or paper copy directly. The provision may require the business associate to comply with the HIPAA regulatory requirements regarding the timing of the response, either in terms of notifying the covered entity within a specified time period or by responding directly to the individual.

However, a provision stating simply that the business associate must “comply with 45 C.F.R. § 164.524 [the regulation governing individuals’ access rights]” may not be enough to ensure that the business associate limits the amount charged as per the regulation, which potentially creates unexpected exposure for noncompliance for the covered entity. Thus, in light of the Guidance, covered entities should review their BAAs and consider whether updates are required to such provisions. If they don’t they may end up dealing with an OCR enforcement action that could have been prevented with a few well-placed BAA words.

GDPR Lock EU

The Dutch Data Protection Authority has levied a fine of 460,000 euros on Haga Hospital for insufficient security following an investigation revealing that dozens of hospital staff had unnecessarily checked the medical records of a well-known Dutch person.

In addition, if the hospital has not improved security before October 2, 2019, it must pay 100,000 euros every two weeks, up to a maximum of 300,000 euros.

According to DutchNews.nl, the authority’s chairman Aleid Wolfsen said: “The relationship between a healthcare provider and a patient should be completely confidential. Also within the walls of a hospital. It doesn’t matter who you are.”

Key takeaways:
  • Have adequate logs in place: The hospital must regularly check who consults which file.
  • Good security requires authentication that involves at least two factors.

Details from the Dutch Data Protection Authority.

The California Consumer Privacy Act (CCPA) will take effect on January 1, 2020 and regulates most entities that collect personal information of California residents.  CCPA was patterned after the European Union’s General Data Protection Regulation (GDPR) which went online on May 28, 2018 and has been called “GDPR-Lite.”  In May, Fox Rothschild partner Odia Kagan described when CCPA applies in an Alert that listed the categories of entities who are affected: generally,  for-profit businesses who do business in California, collect California consumers’ personal information and determine the purposes and means of processing that information, and have at least $25 million in annual gross revenues, buy, sell, share and/or receive the personal information of at least 50,000 California consumers, households or devices, per year, or derive at least 50 percent of their annual revenue from selling California consumers’ personal information, as wells as entities that control or are controlled by such businesses and share common branding.  Each of those terms has a technical definition that should be carefully reviewed.   But isn’t there a HIPAA exception?

Yes, CCPA contains a carve-out for HIPAA covered entities, but it is not as broad as you may have heard.  In a recent alert entitled  Where HIPAA Stops, CCPA Begins – Why Covered Entities and Business Associates Cannot Ignore the New California Data Privacy Law, Fox Rothshchild partners Odia Kagen and Elizabeth Litten explain when information that appears to be exempt PHI may fall under the new CCPA:

Personal information created, received, maintained or transmitted by companies subject to HIPAA is likely subject to CCPA if it falls into one of the following five categories:

  1. It is not created or collected as part of the payment, treatment or health care operations trifecta
  2. It was never PHI (or is excluded from the definition of PHI) under HIPAA
  3. It was once PHI, but has been de-identified under HIPAA
  4. It is not PHI, but is derived from PHI
  5. It is PHI that is used for research purposes in accordance with HIPAA

The bottom line is that what you think is PHI and exempt from CCPA may not be covered by the carve-out after all. For details, see the Alert.

GDPR Lock EU

“The right to be forgotten does not apply in principle to medical records. However, as a patient, you may ask your health care provider to remove data from your medical record,” according to the Dutch Data Protection Authority, Autoriteit Persoonsgegevens (AG), which has issued a guidance on GDPR and medical records.

Key takeaways:

  • For medical data that are not covered by the Medical Treatment Agreement Act, such as nursing care and in-home care, personal data should not be kept longer than necessary.
  • The personal data that you have actively and consciously provided is covered by the right to data portability. This also applies to the data that you have provided indirectly through the use of a service or device. For example, the data that your pacemaker or blood pressure monitor generates.
  • The right to data portability does not apply to the conclusions, diagnoses, suspicions or treatment plans that your health care provider establishes on the basis of the information you provide.
  • As a health care provider, you must in any case use two-factor authentication. Such as logging in with DigiD in combination with SMS.

Read the full guidance.

“TMI” usually means “too much information”, but it was used aptly by the Office for Civil Rights (OCR) as an acronym for a covered entity that exposed protected health information (PHI) of more than 300,000 patients through an insecurely configured server. According to the April 5, 2019 Resolution Agreement, the covered entity, Touchstone Medical Imaging, Inc. (TMI), not only used an insecure file transfer protocol (FTP) that allowed visibility to patient information via google searches, but it seemingly dragged its HIPAA compliance feet upon learning of the PHI exposure.

TMI was notified of its insecure FTP on May 9, 2014 and apparently implemented technical safeguards to limit access rights to the FTP server that maintained PHI to approved persons and software programs, but TMI failed to provide notice to individuals and the media of the breach until October 3, 2014, 147 days after discovery of the breach. Adding insult to injury, TMI failed to enter into a business associate agreement with its IT vendor until June 2, 2016, and (as of the date of the Resolution Agreement) “continues” to engage another business associate “without the protections of a business associate agreement in place.”

It is not clear from the Resolution Agreement exactly how the insecurity of the FTP was initially discovered or by whom. The Resolution Agreement states that TMI conducted a HIPAA security risk assessment on April 3, 2014, but the Press Release states that TMI was notified by the FBI and OCR in May of 2014. The Press Release also says that TMI “initially claimed that no patient PHI was exposed,” and that OCR found that TMI did not thoroughly investigate the incident until several months after notice of the breach by both the FBI and OCR.

A more immediate and robust breach response may very well have saved this covered entity millions, let alone negative publicity. The PHI exposure was significant (especially when combined with the delayed and seemingly insufficient security risk assessment), but the combination of TMI (as in too much information) and not enough in terms of response activity is the perfect recipe for a HIPAA settlement.

Illustration of stethoscope and mobile phone, symbolizing telemedicine

A study shows that “92 percent of 36 mental health apps shared data with at least one third party — mostly services that help with marketing, advertising, or data analytics.”

“About half of those apps did not disclose that third-party data sharing, for a few different reasons: nine apps didn’t have a privacy policy at all; five apps did but didn’t say the data would be shared this way; and three apps actively said that this kind of data sharing wouldn’t happen.”

While some of this information is not immediately identifying, that could soon change.

“We live in an age where, with enough breadcrumbs, it’s possible to reidentify people” says John Torous, director of digital psychiatry at Beth Israel Deaconess Medical Center. “Advertisers could use this to compromise someone’s privacy … For example, if an advertiser discovers someone is trying to quit smoking … would they be interested in electronic cigarettes … Or other similar products, like alcohol?” says Steven Chan, a physician at Veterans Affairs Palo Alto Health Care System.

Details from The Verge.

A two-physician practice in Battle Creek, Michigan is reportedly the first health care provider to cease operations as a result of a ransomware attack.  The Minneapolis Star Tribune reports that Brookside ENT experienced a malware attack that deleted and overwrote every medical record, bill and appointment in the practice’s system, including backups, and created encrypted duplicates.  The attacker then attempted to extort $6,500 from the group, to be wired to an anonymous account, in order to decrypt the files.

Facing the expense and uncertainty of recovering from this attack, the two physicians, Dr. William Scalf, 64, and Dr. John Bizon, 66 (who also serves as a Republican Michigan state senator), decided to close their practice and accelerate their planned retirement by a year.  Unfortunately, with all their records wiped clean, they did not even have a list of patients and their contact information to allow them to communicate the closure of the practice.  Instead, Dr. Scalf said, “… what I did was just sort of sat in the office and saw whoever showed up. For the next couple of weeks.”  Patients were given referrals to other otolaryngologists in the area, but their records, including test results, remained unavailable.

The doctors had decided against paying the ransom because there was no way to ensure they would get a valid code to unlock the files in return, and no way to prevent being extorted again in the future. The Star-Tribune cited Brian Stevenson, president of Roseville cyber security firm FocusPoint Technologies, who reported that only about one-third of ransomware victims who pay the ransoms end up getting their data back. Symantec reports a little better average, with 47% of those who pay receiving a valid unlock code.

The group consulted an IT expert who verified that the attack did not grant the hackers access to any protected health information, so no HIPAA breach needed to be reported.   Note that the HHS Office of Civil Rights Fact Sheet on Ransomware and HIPAA states:

When electronic protected health information (ePHI) is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information), and thus is a “disclosure” not permitted under the HIPAA Privacy Rule. Unless the covered entity or business associate can demonstrate that there is a “…low probability that the PHI has been compromised,” based on the factors set forth in the Breach Notification Rule, a breach of PHI is presumed to have occurred. The entity must then comply with the applicable breach notification provisions, including notification to affected individuals without unreasonable delay, to the Secretary of HHS, and to the media (for breaches affecting over 500 individuals) in accordance with HIPAA breach notification requirements. See 45 C.F.R. 164.400-414.

In some states physicians can be sanctioned by their medical boards and/or held civilly liable for “patient abandonment,” which is defined in Pennsylvania as “when a physician withdraws his services after a physician-patient relationship has been established, by failing to give notice to the patient of the physician’s intention to withdraw in sufficient time to allow the patient to obtain necessary medical care.”  It is unclear what responsibilities a physician would have in a situation where due to a malicious attack they no longer have access to records that would allow them to provide notice to patients.

One lesson from this catastrophe is to take steps to properly insulate your backup system from external infection. Use multiple backups including a cloud-based system for redundancy. If practical, keep any local backup servers disconnected from the Internet.  The Office of Civil Rights of the Department of Health and Human Services reminds covered entities that “Implementing a data backup plan is a Security Rule requirement for HIPAA covered entities and business associates as part of maintaining an overall contingency plan. Additional activities that must be included as part of an entity’s contingency plan include: disaster recovery planning, emergency operations planning, analyzing the criticality of applications and data to ensure all necessary applications and data are accounted for, and periodic testing of contingency plans to ensure organizational readiness to execute such plans and provide confidence they will be effective. See 45 C.F.R. 164.308(a)(7).”

This attack may have caused an unusually comprehensive loss of data including all patient contact information.  Maintaining a separate patient contact list and printing out appointment schedules may have helped this group reach out to affected patients.  In today’s wired environment it is too easy to assume that our electronic resources will always be available, and when they are suddenly vaporized, the consequences can be severe to providers and patients alike.

If you are a covered entity health plan or clearinghouse, you may be among the nine (un)lucky entities randomly chosen this month for review into compliance with HIPAA’s Administrative Simplification rules governing electronic transactions, code sets, and unique identifiers.  According to an FAQ published in March, the Centers for Medicare & Medicaid Services (CMS), acting on behalf of the U.S. Department of Health and Human Services (HHS) will select five health plans and four clearinghouses for this new compliance review.

CMS has been actively investigating complaints (which can be filed here) related to the Administrative Simplification Rules for some time, publishing summary reports covering complaints submitted beginning in January of 2017.

What will happen if any of these nine selected entities is determined to be non-compliant?

According to CMS,

If an organization isn’t compliant, HHS will work with the entity to resolve any issues. Corrective Action Plans are commonly used to address non-compliance. In cases of willful and egregious noncompliance, monetary penalties may be assessed and calculated on a case by case basis.

Although covered entity health care providers will not be a part of this 2019 compliance review, health care providers may avoid random selection in a future compliance review if they participate in the voluntary compliance program for providers expected to be rolled out this year.  Participants in the 2018 voluntary compliance program (the “Optimization Pilot Program”) for health plans and clearinghouses are exempt from the 2019 random selection process.  Then again, CMS reported that nine of the ten entities participating in the Optimization Pilot Program were required to undergo a Corrective Action Plan.

Covered entity health care providers may decide to play the odds and forego participation in the voluntary program, but this new round of compliance reviews is another reminder to HIPAA covered entities that HIPAA compliance isn’t solely about privacy and data security.