According to this article, 2021 has been a “particularly dire year” for health care data breaches.   So, it may not seem shocking that a hacker gained access to the protected health information of approximately 400,000 Planned Parenthood Los Angeles patients in October.  What is unusual about this particular hacking incident is its timing.  Planned Parenthood Los Angeles published Notice of the incident on Wednesday, December 1, 2021, the same day the U.S. Supreme Court heard oral argument on the controversial issue in the highly publicized case of Dobbs v. Jackson Women’s Health.

As described in the Notice, Planned Parenthood Los Angeles acted quickly, completed an initial forensic review of affected data in less than 3 weeks, and published the Notice less than 45 days after discovery.  Yet, Planned Parenthood Los Angeles now faces a class action lawsuit over the breach.

Although HIPAA does not provide a private right of action, the lawsuit alleges negligence, invasion of privacy, and violations of three California state laws: (1) the California Confidentiality of Medical Information Act, (2) the California Consumer Records Act, and (3) California’s Unfair Competition Law.

California claims aside, Planned Parenthood Los Angeles appears to have taken its HIPAA breach notification obligations very seriously, perhaps in recognition of the need to alert women as quickly as possible of an incident involving uniquely sensitive health information.

Unfortunately, not all entities entrusted with maintaining health information, even uniquely sensitive information about women’s sexual and reproductive health, take their federal breach notification obligations as seriously. Flo Health, Inc., an app used by more than 100 million women to track personal menstruation and fertility information didn’t provide notice until reaching a settlement with the Federal Trade Commission in January 2021.  Its breach came to light as a result of an investigation by the Wall Street Journal published in February 2019.  (For more about the Flo Health breach and settlement, you can read our blog here.)

The timing of the Planned Parenthood Los Angeles incident and the legal and political spotlight on Roe v. Wade is most likely coincidental.  It serves as a stark reminder, though, that personally (and politically) sensitive information may be targeted by hackers despite the provider’s best efforts to avoid data breaches.

I dive into the HIPAA weeds on a daily basis, and am sometimes asked about similarities and differences between HIPAA and the European Union’s General Data Protection Regulation (GDPR).  Fox colleague Nate Williams provoked me to think more about this topic.  Nate took a close look at key definitions and provisions in these privacy laws to examine how they compare in an excellent article published by OneTrust DataGuidance.

A key difference between the laws is the breadth of their applicability.  GDPR applies to almost anyone who handles data that identifies or can be used to identify an individual.  Yet HIPAA is more limited — it HIPAA applies only to covered entities (generally, health plans and health care providers) and their business associates and subcontractors and their handling of health-related data that identifies or can be used to identify an individual.

To make the analysis more of an apples-to-apples comparison, Nate focuses on GDPR’s requirements related to “data concerning health.”  Despite differences in scope and breadth, both laws are based on very similar underlying principles.  Some examples: the lawfulness and fairness of collection and retention; the protection of individual rights (authorization, restriction, and data access); the transparency of purpose and use; the obligation to minimize data collected, used, disclosed, and maintained; and the responsibility for data accuracy, integrity, and confidentiality.

These principles should be considered by any entity collecting individually identifiable information, regardless of applicability of HIPAA and/or GDPR.

The Federal Trade Commission seems to be getting serious about unauthorized disclosures of data collected by health apps.  In a Policy Statement issued on September 15, 2021, the FTC says it will enforce its Health Breach Notification Rule, 16 C.F.R. Part 318 (the “Rule”):

This Policy Statement serves to clarify the scope of the Rule, and place entities on notice of their ongoing obligation to come clean about breaches.

This past January, I wrote about the FTC’s failure to require Flo Health to provide individuals with notice as required by the Rule:

Flo Health failed to notify its millions of female users that it allowed their personal and uniquely sensitive health information to be used by third parties, including Google and Facebook, for their own purposes, including advertising.

The FTC’s Policy Statement clarifies that health app developers are subject to the Rule if they are capable of drawing information from various sources, such as consumer inputs and application programming interfaces (APIs), even if the health information only comes from one source.  By way of example, if a consumer inputs her glucose levels or other health-related information into an app that combines that information with non-health-related information retrieved from another source, the Rule applies.

The bottom line is that app developers that collect any health-related data need to be alert to the likely applicability of the Rule and the FTC’s recent enforcement stance.

President Biden issued an Executive Order on September 9, 2021 (the “EO”) that will lead to required COVID-19 vaccinations for workers in most health care facilities that receive Medicare or Medicaid funds.  This covers approximately 50,000 health care providers across the country.

The EO also triggers COVID-19 vaccination requirements for many of these health care providers’ HIPAA business associates, if the contracts are entered into, renewed, or extended on or after October 15, 2021.

As per the EO, the Safer Federal Workforce Task Force will issue further guidance by September 24, 2021, including language that affected covered entities and business associates must incorporate into their contracts and subcontracts.  The EO contains few exceptions:

This order shall not apply to:
(i)    grants;
(ii)   contracts, contract-like instruments, or agreements with Indian Tribes under the Indian Self-Determination and Education Assistance Act (Public Law 93-638), as amended;
(iii)  contracts or subcontracts whose value is equal to or less than the simplified acquisition threshold, as that term is defined in section 2.101 of the Federal Acquisition Regulation;
(iv)   employees who perform work outside the United States or its outlying areas, as those terms are defined in section 2.101 of the Federal Acquisition Regulation; or
(v)    subcontracts solely for the provision of products.

Many covered entity health care providers have been implementing worker vaccination mandates for some time, and have grappled in recent months with the breadth and scope of COVID-19 vaccination mandates affecting workers, volunteers, vendors, and other individuals who enter their facilities.  Business associates who provide services to these health care providers are less likely to have developed policies and procedures dealing with workforce and subcontractor vaccination requirements.  The EO should serve as a wake-up call to business associates who may face a COVID-19 employee and subcontractor vaccination requirement in the near future.

 

 

Cyber security

The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) have issued a joint security advisory aimed at reminding businesses to be on guard over the Labor Day and other holiday weekends against cyberattacks.

History has shown threat actors often ramp up ransomware and other attacks over holidays when businesses let down their guard.

Nate Williams of the firm’s Privacy & Data Security Practice and Data Breach Prevention & Response Team summarizes the guidance in this client alert.

HIPAA has been around for a quarter century, but confusion continues as to its scope and applicability.   The COVID pandemic, surge in Delta variant cases, and increasing number of employer and government vaccine mandates has triggered a new wave of interest in other people’s’ vaccination status. Many people are surprised to learn that HIPAA does not prevent you from asking or answering the question “Are you vaccinated?”

Fellow Fox partner Bill Maruca was recently interviewed by his local (Pittsburgh) NPR affiliate in this piece:  UPMC’s New CEO Says No Vaccine Mandates, Will Focus On Education.

Here’s an excerpt:

There have been questions, and misunderstandings about what is and isn’t legal for an employer, healthcare provider or even individual to know about others’ vaccination status. For example, Republican Representative Marjorie Taylor Greene of Georgia has said reporters asking about her vaccine status is a violation of the Health Insurance Portability and Accountability Act (HIPAA).

That’s absolutely wrong,” says Bill Maruca, an attorney at Fox Rothschild LLP and expert in health care laws, including HIPAA.

If they were to ask her doctor if she was vaccinated, that would be covered by HIPAA and her doctor would not be permitted to reveal that information. … Asking her directly is not a HIPAA violation, but she doesn’t have to answer.”

 

Artificial Intelligence (AI) is widely viewed as a valuable tool for improving health and healthcare. It is being used by major technology companies such as Google, small start-up companies, and researchers to collect and analyze health data collected from a variety of sources.  As stated by Abhimanyu S. Ahjula in this October 2019 article:

AI is poised to play an increasingly prominent role in medicine and healthcare because
of advances in computing power, learning algorithms, and the availability of large datasets (big data) sourced from medical records and wearable health monitors.

However, if the health data involved is subject to HIPAA, extra precautions are required.  Fox Rothschild LLP associate Kristina Neff Burland and I examined the interplay between HIPAA and the use of AI in this article published on January 21, 2021 by OneTrust DataGuidance.   Key take-aways described in the article include:

  1.  Determine whether HIPAA may apply — consumer-generated and submitted data may provide an out
  2.  De-identifying protected health information (PHI)?  Proceed with caution
  3.  Have a business associate agreement in place before transferring PHI to a third party
  4.  Make sure processing PHI for purposes of AI is a permissible “use” under HIPAA

Flo Health, Inc., which marketed an app used by more than 100 million women interested in tracking their personal menstruation and fertility information, seems to be getting off easily as compared with HIPAA-covered entities who misuse individual health information.  The FTC’s January 13, 2021 press release announcing its proposed settlement with Flo Health sidesteps mention (let alone enforcement) of a federal law (and the FTC’s own rule).  This puzzling sidestep deserves attention, not only in light of the proliferation of the use of personal health apps, but given the particularly sensitive nature of the health information collected by the Flo Health app.

The Health Information Technology for Clinical and Economic Health Act (HITECH), enacted as part of the American Recovery and Reinvestment Act of 2009 (the Recovery Act), not only amended HIPAA, but added HIPAA-like breach notification requirements that apply to vendors of “personal health records” (PHRs) that are not covered entities, business associates, or subcontractors subject to HIPAA.  As described by the FTC in a “request for comment” published last May:

The Recovery Act recognized that vendors of personal health records and PHR related entities (i.e., companies that offer products and services through PHR websites or access information in or send information to PHRs) were collecting consumers’ health information but were not subject to the privacy and security requirements of the Health Insurance Portability and Accountability Act (‘‘HIPAA’’).  The Recovery Act directed the FTC to issue a rule requiring these entities, and their third-party service providers, to provide notification of any breach of unsecured individually identifiable health information. Accordingly, the HBN [Health Breach Notification] Rule requires vendors of PHRs and PHR related entities to provide: (1) Notice to consumers whose unsecured individually identifiable health information has been breached; (2) notice to the media, in many cases; and (3) notice to the Commission…

The [HBN] Rule requires notice ‘‘without unreasonable delay and in no case later than 60 calendar days’’ after discovery of a data breach. If the breach affects 500 or more individuals, notice to the FTC must be provided ‘‘as soon as possible and in no case later than ten business days’’ after discovery of the breach.”

Yet, surprisingly, the FTC’s Flo Health press release and proposed settlement is completely silent with respect to Flo Health’s failure to abide by the Recovery Act and the FTC’s own breach notification rule.  Although its impermissible practices seem to have been “discovered” back in February of 2019 (see here for original WSJ revealing Flo Health’s data practices), Flo Health failed to notify its millions of female users that it allowed their personal and uniquely sensitive health information to be used by third parties, including Google and Facebook, for their own purposes, including advertising.

While the proposed settlement requires website notice and individual email/mobile app notice within 14 days after the filing of the Consent Order, such notice would come well beyond the “60-day following discovery” deadline.   In addition, as drafted by the FTC, the notice is focused on what was not improperly disclosed (name, address, or birthday), rather than what was.  When a covered entity notifies individuals, regulators, and the media of a HIPAA breach, it must include a description of the types of information involved in the breach.

Two FTC commissioners, Rohit Chopra and Rebecca Kelly Slaughter, picked up on the FTC’s failure to enforce the Recovery Act and FTC breach notification rule. Their Joint Statement points out that the “explosion in connected health apps” make the breach notification rule “more important than ever”:

[S]ervices like Flo need to come clean when they experience privacy or security breaches.”

Unless they do, health app users will have no idea when their trust is misplaced.

Prior to the holiday, the OCR settled its thirteenth enforcement action under the HIPAA Right of Access Initiative, which involved a primary care physician practicing in the State of Georgia.  Dr. Peter Wrobel, M.D., P.C., operating under the fictitious name of Elite Primary Care, became subject to an OCR investigation (twice) for his alleged violations of the HIPAA Privacy Rule.

In 2019, the OCR received a complaint stating that Elite Primary Care failed to provide a patient timely access to his medical records.  The OCR assisted Elite Primary Care by providing technical assistance, which ultimately led to the OCR closing the complaint.  Just a few months later, the OCR received a second complaint from the same patient stating he still did not receive his medical records.  As a result, Dr. Wrobel must pay a Resolution Amount of $36,000.00 and implement a two year Corrective Action Plan following the OCR’s second investigation.

Again, yet another single  patient complaint leads to a substantial penalty under the Right of Access Initiative.  Although not specifically stated within the Corrective Action Plan, the steep Resolution Amount seems like a by-product of the OCR’s frustration with providing technical assistance and receiving a second complaint involving the same patient and issue.  For the entire press release, please click here.

Additionally, for more information on past enforcement actions under the HIPAA Right of Access Initiative, please click here.

H.R. 7898, sent to the President for signature on December 24, 2020 may be the HIPAA holiday gift covered entities and business associates have been waiting for.  The bill requires the Secretary of the Department of Health and Human Services, when considering penalties, audits and other actions related to HIPAA breaches and security incidents, to take into consideration whether the covered entity or business associate has had “recognized security practices” in place for at least 12 months.

“Recognized security practices” broadly include:

[S]tandards, guidelines, best practices, methodologies, procedures and processes developed under section 2(c)(15) of the National Institute of Standards and Technology Act, the approaches promulgated under section 405(d) of the Cybersecurity Act of 2015, and other programs and processes that address cybersecurity that are developed, recognized, or promulgated through regulations under other statutory authorities.

It is up to the covered entity or business associate to decide which recognized security practices to implement, consistent with the HIPAA Security Rule.

Almost exactly two years ago, HHS announced the publication of “Health Industry Cybersecurity Practices” developed as per the mandate under section 405(d) of the Cybersecurity Act of 2015.  The HICP are practical, cost-effective guidelines to reduce cybersecurity risks.  They include two separate sections: one designed for small health care organizations, and one designed for medium and large organizations.  Though published as “voluntary” practices, entities hoping to avoid HIPAA penalties will have a new reason to voluntarily adopt them if and when H.R. 7898 takes effect.

Since entities must have had HICP or another recognized cybersecurity practice in place for at least 12 months in order to fall within the protections of H.R. 7879, the sooner such practices are implemented, the better.  Every covered entity and business associate should resolve to start 2021 with a renewed commitment to implementing and/or reviewing and updating their cybersecurity practices.