A patient requests a copy of her medical record, and the hospital charges the per-page amount permitted under state law. Does this violate HIPAA? It may.

In the spring of 2016, the Office of Civil Rights (OCR) within the U.S. Department of Health and Human Services, the agency that enforces HIPAA, issued a new guidance document on individuals’ right to access their health information under HIPAA (“Access Guidance”).   The Access Guidance reminds covered entities that state laws that provide individuals with a greater right of access (for example, where the state law requires that access be given within a shorter time frame than that required by HIPAA, or allows individuals a free copy of medical records) preempt HIPAA, but state laws that are contrary to HIPAA’s access rights (such as where the state law prohibits disclosure to an individual of certain health information, like test reports) are preempted by HIPAA.

For New Jersey physicians, for example, this means they may not automatically charge $1.00 per page or $100.00 for the a copy of the entire medical record, whatever is less, despite the fact that the New Jersey Board of Medical Examiners (“BME”) expressly permits these charges.  In fact, according to the Access Guidance, physicians should not charge “per page” fees at all unless they maintain medical records in paper form only.  New Jersey physicians also may not charge the “administrative fee” of the lesser of $10.00 or 10% of the cost of reproducing x-rays and other documents that cannot be reproduced by ordinary copying machines.  Instead, a New Jersey physician may charge only the lesser of the charges permitted by the BME or those permitted under HIPAA, as described below.

HIPAA limits the amount that covered entities may charge a patient (or third party) requesting access to medical records to only a “reasonable, cost-based fee to provide the individual (or the individual’s personal representative) with a copy” of the record.  Only the following may be charged:   

(1) the reasonable cost of labor for creating and delivering the electronic or paper copy in the form and format requested or agreed upon by the individual, but not costs associated with reviewing the request, searching for or retrieving the records, and segregating or “otherwise preparing” the record for copying;  

(2) the cost of supplies for creating the paper copy (e.g., paper, toner) or electronic media (e.g., CD or USB drive) if the individual requests the records in portable electronic media; and  

(3) actual postage costs, when the individual requests mailing. 

The fee may also include the reasonable cost of labor to prepare an explanation or summary of the record, but only if the individual, in advance, chooses to receive and explanation or summary AND agrees to the fee to be charged for the explanation or the summary.   

A provider may calculate its actual labor costs each time an individual requests access, or may develop a schedule of costs for labor based on the average (and HIPAA-permitted types of) labor costs incurred in fulfilling standard types of access requests.  However, a provider is NOT permitted to charge an average labor cost as a per-page fee unless the medical record is: (1) maintained in paper form; and (2) the individual requests a paper copy or asks that the paper record be scanned into an electronic format.  Thus, under HIPAA, a per-page fee is not permitted for medical records that are maintained electronically.  As stated in the Access Guidance, “OCR does not consider per page fees for copies of … [protected health information] maintained electronically to be reasonable” for purposes of complying with the HIPAA rules.   

A provider may also decide to charge a flat fee of up to $6.50 (inclusive of labor, supplies, and any applicable postage) for requests for electronic copies of medical records maintained electronically.    OCR explains that the $6.50 is not a maximum, simply an alternative that may be used if the provider does not want to go through the process of calculating actual or average allowable costs for requests for electronic copies. 

OCR has identified compliance with “individual access rights” as one of seven areas of focus in the HIPAA audits of covered entities and business associates currently underway, signaling its concern that physicians and other covered entities may be violating HIPAA in this respect.  All covered entities should, therefore, calculate what HIPAA permits them to charge when copies of medical records are requested by an individual (or someone acting at the direction of or as a personal representative of an individual), compare that amount to the applicable state law charge limits, and make sure that only the lesser of the two amounts is charged.

 

The answer to this question has changed yet again. I’ve blogged on this topic several times in the past (see here, here and here), and described the question as a wriggling worm. Plaintiff Ciox Health, LLC has finally managed to catch that worm and share its bounty among those looking to charge third-party requestors more than the limited “reasonable, cost-based fee” that may be charged to individuals.

On January 23, 2020, a federal court found in favor of plaintiff Ciox, a specialized medical records processing vendor, on its challenge to 2016 Guidance issued by the U.S. Department of Health and Human Services. The 2016 Guidance provided, among other things, that when either an individual request copies of his or her medical records or a third party requests copies on behalf of the individual, the amount that can be charged is limited to a “reasonable, cost-based” fee. According to Ciox’s President of Life Sciences (and as noted in the court’s decision), the effect of the 2016 Guidance was to cause law firms and other third parties to use the individual access request, with its “reasonable, cost-based fee” limitation, as the means to request patient records, rather than having individuals sign HIPAA authorizations which implicate only state law fee caps (if any). The frequency of records requests made by third parties on behalf of individuals (“third-party directives”) increased by nearly 700 percent following the issuance of the 2016 Guidance.

HHS published an “Important Notice Regarding Individuals’ Right of Access to Health Records” on January 28, 2020, noting the Ciox decision and the fact that the “reasonable, cost-based fee” limitation no longer applies to third party directives. In addition, the records are not required to be produced in electronic format in response to a third-party directive.

What does this mean for covered entities and business associates trying to figure out how to respond to a HIPAA authorization, an individual access request, or a third-party directive?

Consider who is making the records request and where the records are to be sent. If the individual who is the subject of the records wants copies transmitted electronically to the individual, treat the request as an access request. If a third party seeks the records, it is likely sufficient to provide the third party with HIPAA authorization form and treat the request as a third-party directive. However, if the individual initiates the request and wants the records sent to a third party, it may be prudent to treat the request as an access request, limiting fees and endeavoring to comply with requests to transmit records in electronic format.  Don’t dangle the Ciox worm in front of individuals seeking their own medical records.

Last May, around the time many schools let out for the summer, the Office for Civil Rights (“OCR”) published guidance entitled “Direct Liability of Business Associates” (the “Guidance”), which focuses, not surprisingly, on OCR’s ability to take enforcement action directly against HIPAA business associates. I meant to write about this guidance before Memorial Day, but since the back-to-school season is a good time to get things (including business associate agreements or “BAAs”) in order, this timing feels right.

The Guidance caught my attention not because it lists ten HIPAA failures or violations for which business associates are directly liable, but it calls out one specific HIPAA violation that will fall on the shoulders of the contracted covered entity:

… OCR lacks the authority to enhance the “reasonable, cost-based fee” limitation in 45 C.F.R. § 164.524(c)(4) against business associates … .

In other words, the OCR explains that, if a covered entity engages a business associate to fulfill an individual’s request for access to protected health information, it is the covered entity’s responsibility to ensure that the business associate complies with HIPAA’s “reasonable, cost-based fee” limitation (and any more stringent state law requirement).

We’ve posted on the topic of individual access rights under HIPAA (see here and here), and have also posted on the topic of what amounts can be charged, both under HIPAA and under state law (see here and here). What the Guidance compels me to point out, though, is that covered entities often include a provision in BAAs that requires the business associate to respond to an individual’s access request by either notifying the covered entity of the request or by providing the requested electronic or paper copy directly. The provision may require the business associate to comply with the HIPAA regulatory requirements regarding the timing of the response, either in terms of notifying the covered entity within a specified time period or by responding directly to the individual.

However, a provision stating simply that the business associate must “comply with 45 C.F.R. § 164.524 [the regulation governing individuals’ access rights]” may not be enough to ensure that the business associate limits the amount charged as per the regulation, which potentially creates unexpected exposure for noncompliance for the covered entity. Thus, in light of the Guidance, covered entities should review their BAAs and consider whether updates are required to such provisions. If they don’t they may end up dealing with an OCR enforcement action that could have been prevented with a few well-placed BAA words.

The recent criminal conviction of a Massachusetts physician provides a stark reminder that violating HIPAA can result in more than civil monetary penalties and the financial and reputational fall-out that results from a breach. In this case, perhaps the cover-up was worse than the crime, or maybe prosecutors decided that a conviction on other charges would have been harder to get. Either way, the case should alert covered entities and business associates to the fact that HIPAA violations can result in jail time and criminal fines.

The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) investigates complaints and may impose civil monetary penalties (CMPs) for violations of HIPAA.   The U.S. Department of Justice (DOJ) handles criminal investigations and penalties.  This may not provide much comfort, but a CMP will not be imposed if the HIPAA violation is determined to constitute a criminal offense.

OCR will refer matters to DOJ for criminal enforcement in some cases or will work cooperatively with DOJ where a DOJ investigation on other grounds reveals a potential HIPAA violation.  HHS reported that OCR had referred 688 cases to the DOJ for criminal investigation as of June 30, 2018.

The criminal enforcement of HIPAA was described in a Memorandum Opinion issued in 2005 jointly to HHS and the Senior Counsel to the Deputy Attorney General by Steven Bradbury, then-acting Assistant Attorney General of the Office of Legal Counsel within DOJ (the DOJ Memo). The DOJ Memo explains that HIPAA allows for criminal penalties only for violations that involve the disclosure of “unique health identifiers” or “individually identifiable health information” (IIHI) that are made “knowingly” and in violation of HIPAA.   Specifically, a person may be subject to criminal penalties if he or she knowingly (and in violation of HIPAA):  (i) uses or causes to be used a unique health identifier; (ii) obtains IIHI; or (iii) discloses IIHI to another person.  Criminal penalties range from misdemeanors to felonies.  The maximum criminal penalty (a fine of up to $250,000 and imprisonment of up to 10 years) can be imposed if one of these offenses is committed “with intent to sell, transfer, or use [IIHI] for commercial advantage, personal gain, or malicious harm.”  The DOJ Memo explains that “knowingly” refers to knowledge of the facts that constitute the offense, not knowledge of the law being violated (HIPAA).

The DOJ Memo emphasizes the fact that criminal penalties are reserved for limited and specific violations of HIPAA:  “Such punishment is reserved for violations involving `unique health identifiers’ and [IIHI]…  Thus, the statute reflects a heightened concern for violations that intrude upon the medical privacy of individuals.”  The DOJ Memo focuses on violations by covered entities. It notes that when a covered entity is not an individual, but is a corporate entity, the conduct of agents may be imputed to the entity when the agents act within the scope of employment, and the criminal liability of a corporate entity may be attributed to individuals in managerial roles.

DOJ might decide to seek a conviction for a violation of HIPAA when it believes such a conviction would be easier to get than a conviction for a violation of other federal laws governing health care providers (such as the anti-kickback statute).   After all, the DOJ Memo makes it clear that “knowing” refers to the conduct, not the state of the law.  However, it should be noted, as per the DOJ Memo, that the DOJ’s interpretation of “`knowingly’ does not dispense with the mens rea requirement of section 1320d-6 [HIPAA] and create a strict liability offense; satisfaction of the ‘knowing’ element will still require proof that the defendant knew the facts that constitute the offense.”

When a health care entity (like a large hospital system or health plan) has deep pockets, the OCR may decide to pursue very high civil monetary penalties and rely on the financial and reputational implications of the civil monetary penalties to act as a deterrence.  On the other hand, the DOJ may seek to deter behavior associated with a wider range of criminal activities by pursuing jail time for a HIPAA violation.

In the case of the Massachusetts physician, it is also likely that the DOJ pursued the criminal charge because she lied about her relationship with the third party to which she disclosed patient information. My law partner Charles DeMonaco, a white collar defense attorney and former DOJ prosecutor, agrees:

It is understandable why this doctor was indicted and convicted for these offenses.  She was accused of lying to the agents, which is always a major hurdle in a criminal case.  Even if an underlying crime cannot be established, a lie of a material fact to a government agent is a stand-alone false-statement felony.  It also establishes consciousness of guilt. The doctor could have asserted her Fifth Amendment privilege against self-incrimination to avoid talking to the government agents.  It is never a good thing for a doctor to speak with agents who are investigating the doctor’s conduct without counsel and without proper protection of limited use immunity being sought prior to the interview.  The government also proved that she accepted fees from the pharma company after providing the [IIHI] in violation of HIPAA.  Under these facts, it is not surprising that this case was brought as a criminal prosecution and that a guilty verdict was returned.

Everyone subject to HIPAA should be aware that a HIPAA violation involving disclosure or breach of IIHI may be the low-hanging fruit for criminal prosecutors originally focused on other violations of law.   In particular, covered entities should carefully evaluate arrangements with third parties that involve the sharing of IIHI with those parties for commercial/personal gain or commercial harm. If the sharing of IIHI is not permitted under HIPAA and commercial gain or harm is involved, these violations could result in the most severe level of criminal penalties, including significant jail time.

The Report to Congressional Committees of the U.S. Government Accountability Office (“GAO Report”), required under the 21st Century Cures Act, came out about a month earlier than required, but this early bird failed to catch what continues to be a wriggling worm – what can a covered entity charge for these copies?

As discussed in our February 2017 blog post, the Office for Civil Rights issued guidance (“OCR Guidance”) over 2 years ago attempting to clarify that HIPAA charge limits (to a “reasonable, cost-based fee”) apply when an individual (or a third party) requests access to the individual’s medical records. The HIPAA charge limits applicable to access requests apply even if state law permits higher charges for the copies. The OCR Guidance includes a table illustrating the differences between a HIPAA authorization and an access request and notes that the “primary difference” between the two being that one (the authorization) is a “permitted disclosure” and one (the access request) is a “required disclosure”.

In another of our posts on this topic (back in May of 2016), we highlighted the difficulty faced by a covered entity in knowing what amounts may be charged for medical records copies, particularly when a third party requests the copy. We noted HHS’s suggestion that the covered entity ask the individual “whether the request was a direction of the individual or a request from the third party.” The former would be an access request subject to charge limits and other HIPAA requirements, whereas the latter would be “merely a HIPAA authorization”. A wriggling worm, indeed.

The GAO Report attempts to pin down the worm. It describes three types of medical record requests:

*          a patient request, whereby the patient or former patient requests access to or a copy of medical records

*          a patient-directed request, whereby the patient or former patient requests that a copy of the patient’s medical records be sent directly to another person or entity (“For example, a patient might request that her medical records be forwarded to another provider because the patient is moving or wants a second opinion.”)

*          a third-party request, whereby a third party, such as an attorney, obtains permission from the patient (via a HIPAA authorization) to access the patient’s medical records

An explanatory footnote suggests that the first two types of requests are access requests under HIPAA (meaning that charge limits and other HIPAA requirements apply), while the third type of request is an authorization under HIPAA (meaning that the provider is not required to disclose the records and the access request charge limits do not apply). Later, the GAO Report states: “In contrast with patient and patient-directed requests, the fees for third-party requests are not limited by HIPAA’s reasonable, cost-based standard for access requests and are instead governed by state laws.”

Unfortunately, this is where the worm has a chance to get away. First, the example used to describe a patient-directed request implies that a patient access request is required for the provider to forward the medical records to another treating provider. In fact, HIPAA permits disclosure of medical records for treatment purposes without the need for a HIPAA authorization or access request (see OCR Guidance language following table), and, thus, charging even a “reasonable, cost-based” fee for such disclosures may be frowned upon by OCR. Second, these three examples overlook the possibility that a patient-directed request may come from a third party. An access request must be in writing, be signed by the individual, and clearly identify where the medical record copies should be sent, but HIPAA does not prohibit the individual from directing that a third party (such as the individual’s attorney) transmit the individual’s access request to the provider.

Moreover, a recent court decision further muddies this issue. In a February 2018 U.S. district court decision from Alabama, Bocage v. Acton Corp., the court rejected plaintiffs’ claim that they were overcharged search and retrieval fees in violation of HIPAA. The plaintiffs’ attorneys had requested medical records by way of HIPAA authorizations, so the court determined that the fee limitations associated with individual access requests did not apply. Unfortunately, while the decision quotes the OCR Guidance (“The [access request] fee limits apply … regardless of whether the access request was submitted to the covered entity by the individual directly or forwarded to the covered entity by a third party on behalf and at the direction of the individual (such as by an app being used by the individual)… ”), the decision incorrectly suggests that the individual’s attorney cannot be the third party making an access request on behalf of and at the direction of the individual.

The short-term fix for patients hoping to avoid high fees when requesting medical records? Make sure the request is not identified as a HIPAA authorization and, if you are requesting the records in connection with litigation, consider sending it yourself rather than directing your attorney to send it.

Daily struggles to protect personal data from hacking, phishing, theft and loss make it easy to forget that HIPAA is not just about privacy and security.  It also requires covered entities (CEs) to make an individual’s protected health information (PHI) accessible to the individual in all but a few, very limited circumstances.  Recent guidance published by the Department of Health and Human Services (HHS Guidance) emphasizes the need for covered entities to be able to respond to an individual who says “I want my PHI” in a way that complies with HIPAA and state law access requirements, even when these requirements seem confusing and contradictory.

HIPAA authorizations are, perhaps, one of the most commonly misunderstood and misused forms. The HHS Guidance helpfully reminds CEs that authorizations are not needed for a CE to share PHI for treatment, payment and health care operations, and, of course, a CE can share PHI with a business associate under a HIPAA-compliant business associate agreement.  But when an individual requests PHI, whether directly or through a third party, it’s critical that the CE understand whether it is an access request or a request for disclosure pursuant to a HIPAA-compliant authorization.

My law partner and fellow HIPAA enthusiast Beth Larkin comments on some of the difficulties a CE faces when responding to an individual’s access request, highlighting the need to distinguish between an access request and disclosure pursuant to an authorization:

The HHS guidance wants CEs to provide individuals “easy access” to their health information.  CEs still, however, have to deal with other HIPAA requirements, including verification of the identity of the requestor, securing the PHI from unauthorized access and determining breach if there is unauthorized access.  Also, it is not always clear whether a patient is exercising an access right or requesting PHI pursuant to an authorization.  The patient may not know the difference and just indicates he or she wants copies of records and may present either an access request or an authorization form.

The HHS Guidance explains that while a CE can require an individual to submit a written access request, it can’t do so in a manner that creates a barrier or would delay the individual’s access:

For example, a doctor may not require an individual: …  [t]o use a web portal for requesting access, as not all individuals will have ready access to the portal …

If a CE uses a written form for individuals to request access to records (and ensures the form is readily accessible in multiple ways), the CE should give individuals as much information as possible about each form.

For example, as illustrated in the chart included in the HHS Guidance, a HIPAA authorization permits, but does not require, a CE to disclose the PHI.  An access request requires the disclosure (and requires the CE to act on the request within 30 days).  In addition, HHS explains that fees charged by the CE are limited when the individual requests access, and not when PHI is requested pursuant to an authorization (though certain charges might be prohibited under HIPAA regulations proscribing the receipt of remuneration for the disclosure of PHI). Finally, HHS notes that PHI sent pursuant to an authorization must be sent securely, while an individual can request that PHI sent pursuant an access request can be sent through an unsecure medium (though the risks of such a choice should be communicated to the individual if feasible).  If the CE makes all of this information clear and encourages the individual to ask questions as to which form should be used, it seems reasonable for a CE to then be able to rely on the individual’s choice of form.

When a third party requests an individual’s PHI, though, it can be especially difficult for a CE to figure out whether an authorization form has been sent when an access request would have been appropriate. Here, HHS suggests the CE reach out to the individual:

Where it is unclear to a covered entity, based on the form of request sent by a third party, whether the request is an access request initiated by the individual or merely a HIPAA authorization by the individual to disclose PHI to a third party, the entity may clarify with the individual whether the request was a direction from the individual or a request from the third party.

In short, if a HIPAA authorization is really an individual’s misguided attempt to say “I want my PHI!”, the CE will need to make sure it follows the individual access right requirements in responding.

Health care vendors beware: if you tell customers that your product provides industry-standard encryption of protected health information in compliance with HIPAA, you’d better be sure it doesn’t simply “camouflage” the data.

The FTC recently announced a $250,000 settlement with Henry Schein Practice Solutions, Inc. (“Henry Schein”) for falsely advertising that the software it marketed to dental practices provided “industry-standard encryption of sensitive patient information” and “would protect patient data” as required by HIPAA.

In fact, according to the FTC’s Complaint, the software (called “Dentrix G5”) actually used a data protection tool Henry Schein knew was “less secure and more vulnerable than widely-used, industry-standard encryption algorithms, such as Advanced Encryption Standard (“AES”) encryption.” The Complaint states that Henry Schein was aware that the Department of Health and Human Services (“HHS”) directs health care providers to guidance promulgated by the National Institute of Standards and Technology (“NIST”), which recommends AES encryption to protect patient data.

The Complaint states that Henry Schein’s product did not use AES encryption, and alleges that Henry Schein was notified that its database engine vendor had agreed to re-brand the data protection used by Henry Schein as “Data Camouflage” so it would not be confused with standard encryption algorithms, like AES encryption. Still, Henry Schein allegedly continued to market its product as offering data encryption needed for HIPAA compliance.

In January of 2014, the Complaint concedes, Henry Schein published an announcement in the Spring 2014 issue of Dentrix Magazine stating:

“Available only in Dentrix G5, we previously referred to this data protection as encryption. Based on further review, we believe that referring to it as a data masking technique using cryptographic technology would be more appropriate.”

Alas, the admission that the product provided mere “data masking” or “camouflaging” rather than encryption was, apparently, too little and too late to avoid the FTC enforcement action and ensuing settlement payment and negative publicity. Though no data breach was alleged to have occurred, the damage had been done by the “false or misleading” claims already made by Henry Schein.

The lessons for covered entities and business associates using and marketing patient data tools? Simple:

(1) Encrypt, don’t camouflage (check NIST guidance and recommendations for current encryption standards).

(2) Don’t exaggerate your capabilities (don’t say you encrypt, when you merely camouflage, and if you only use some process like password protection, don’t suggest that you encrypt or even camouflage – potential misleading in this area can bring FTC sanctions).

(3) As we’ve said before on this blog, don’t forget that the FTC is watching – health care providers, payers, and vendors must remember that HHS isn’t the only sheriff in town when it comes to data protection, HIPAA isn’t the only law that governs patient data and privacy, and the States are also increasingly active in enforcing data privacy and security.

Already many blogs and articles have been written on Chief Administrative Law Judge D. Michael Chappell’s November 13, 2015 92-page decision exonerating LabMD from the FTC’s charges that it failed to provide reasonable and appropriate security for personal information maintained on its computer networks in violation of Section 5(a) of the FTC Act.  A number of the commentators accurately point out that this ruling makes it clear the FTC does not have unbridled enforcement authority over allegedly “unfair” data security cases.

The FTC would have had Chief Judge Chappell believe that liability should be imposed for conduct that is theoretically “likely” to cause consumer harm, despite its inability to identify a single instance of consumer harm over the course of 7 years since the allegedly “unfair” conduct occurred. Judge Chappell refused to drink the FTC’s Kool-Aid, though, restoring my faith in the ability of logic and rational thinking to outweigh agency fluff and bluster in an administrative judicial proceeding.  Section 5(n) of the FTC Act requires a showing that the conduct “caused, or is likely to cause, substantial injury to consumers,” and while the Act doesn’t define the word “likely”,  Judge Chappell concluded that:

The term “likely” in Section 5(n) does not mean that something is merely possible.  Instead, “likely” means that it is probable that something will occur.”

Hardly complex legal reasoning – just basic, simple common sense.

We blogged on this case and the FTC’s enforcement activities in the data security realm in October of 2014 (read here), as well as in March, April, May and June of 2014 (read here), and have closely followed LabMD founder Michael Daugherty’s tireless battle to defend his small, now-defunct cancer testing company from what has seemed an outrageous abuse of regulatory enforcement power from the beginning.

It’s refreshing (and relieving, for other businesses facing FTC investigations over what may seem to be minor and inconsequential infractions) that Judge Chappell carefully considered the evidence presented over the course of approximately two years and injected intelligence and reason into a case that seemed shockingly deficient in these traits.  Thank goodness Judge Chappell refused to drink from the FTC’s “possible-means-likely” cup of legal reasoning.  However, the Judge’s painstakingly articulated factual findings, enumerated in 258 paragraphs, reveal the unsettling back-story behind this case.

The FTC’s case was built around information provided to it by a company affiliated with Tiversa, a business involved in finding security vulnerabilities in companies’ computer networks and then selling remediation services to the companies to prevent similar infiltrations.  LabMD declined Tiversa’s offer to sell it remediation services.  Chief Judge Chappell found:

158.  Mr. Boback’s motive to retaliate against LabMD for refusing to purchase remediation services from Tiversa … resulted in Tiversa’s decision to include LabMD in the information provided to the FTC… .”

The FTC may be wishing it had heeded the warning and advice of FTC Commissioner J. Thomas Rosch, who had initially suggested (in his Dissenting Statement issued June 21, 2012) that FTC staff should not rely on Tiversa for evidence or information related to LabMD, given Tiversa’s business model and prior attempts to sell its services to LabMD, in order to avoid the appearance of impropriety.  Instead, FTC staff readily accepted Tiversa’s Kool-Aid, relying on evidence it might have realized was tainted at the outset.

Again, hardly complex reasoning – just basic, simple common sense:  if it doesn’t smell or taste right, don’t drink the Kool-Aid.

Regardless of whether the case is appealed and its ultimate outcome, the LabMD ruling  may serve as a precedent to encourage others to challenge the FTC’s enforcement authority under Section 5, authority that the agency has expanded over the years through consent decrees, particularly where there is no evidence that allegedly inadequate security practices have resulted in (or will probably result in) consumer harm.

Our partner Elizabeth Litten and I were quoted by our good friend Marla Durben Hirsch in her recent article in Medical Practice Compliance Alert entitled “Doctor is Arrested for Stealing Thousands of Patient Records.”  While the full text can be found in the February 16, 2015 issue of Medical Practice Compliance Alert, the following considerations are based upon points discussed in the article.

A theft of patient protected health information (“PHI”) may invoke more than federal and state privacy laws.  It can also mean criminal charges under state penal laws. Radiologist James Kessler learned the hard way when he was arrested for allegedly stealing the PHI of nearly 100,000 patients.

Elizabeth was quoted as observing, “There is no indication that it was difficult for Kessler to do this.  He didn’t treat all 100,000 patients, so why did he have the ability to copy all of those files?  There are technical safety mechanisms and audit controls to limit that access.”

The article pointed out that in some multi-physician situations, ownership of records may need to be negotiated, and the contract may need to specify who gets which records in the event of a separation.  For example, if a physician brings patients to a practice, the employee may be entitled to own and take those patients’ records.

I was quoted by Marla: “Implement safeguards to reduce the risk that an employee can access records outside of his or her job responsibilities.  Also ensure that the practice provides HIPAA training, so that if an employee does violate HIPAA the action is less likely to be attributed to the employer.”

In the article Elizabeth explained that it is important to have an action plan to handle data breaches.  “Be prepared to investigate an incident that may be a security breach using the four steps required by HIPAA’s breach-notification requirements to see whether the breach needs to be reported,” she noted.  “Also be prepared to report a breach not only to the HHS and the state under HIPAA and state-notification laws but also to law enforcement when dealing with criminal activity such as theft and hacking.”

Elizabeth also advises in the article to make sure that the employment agreement complies with state law.  “Many states have laws regarding the reach of an employment agreement with physicians, such as reasonable non-competes and continuity of care provisions,” she says. “For instance, it varies whether an individual doctor or the practice itself is seen as having the relationship with the patients; there may even be state laws on the rights of patients in the event of a physician’s separation from a practice.”

The article points out that there are many complexities involved in the ownership, custody, creation, access, use, maintenance, transmission and retention of PHI. It may not be possible to prevent hacking or theft of PHI, even with reasonable security and privacy policies and procedures in place that are being followed.  However, if a breach or other adverse event occurs, the covered entity or business associate will be well-served by being able to demonstrate that it had and followed such policies and procedures if and when a regulatory authority or court is reviewing a HIPAA violation and determining potential responsibility and liability.

I received a disturbing robo-call over the weekend informing me that someone had attempted to use my credit card number fraudulently in a retail store in the next county. When I called back and verified these were not legitimate charges, my card issuer assured me that I would not be financially responsible, canceled my card and sent me a replacement. My imposter was prevented from accessing my account by the issuer’s tight security system. Victims of healthcare identity theft may not get off so easily, which may explain why smarter thieves are increasingly targeting health records.

The relative value of health records and financial data can vary greatly according to different sources. As the Pittsburgh Post-Gazette reported today,

“The value of personal financial and health records is two or three times [the value of financial information alone], because there’s so many more opportunities for fraud,” said David Dimond, chief technology officer of EMC Healthcare, a Massachusetts-based technology provider. Combine a Social Security number, birth date and some health history, and a thief can open credit accounts plus bill insurers or the government for fictitious medical care, he noted.

Reuters reports that medical information is worth 10 times more than credit card numbers on the black market.

Stolen health credentials can go for $10 each, about 10 or 20 times the value of a U.S. credit card number, according to Don Jackson, director of threat intelligence at PhishLabs, a cyber crime protection company. He obtained the data by monitoring underground exchanges where hackers sell the information.

Medscape reports that a stolen chart may be worth as much as $50, citing an FBI bulletin from April 2014:

Cyber criminals are selling the information on the black market at a rate of $50 for each partial EHR, compared to $1 for a stolen social security number or credit card number. EHR can then be used to file fraudulent insurance claims, obtain prescription medication, and advance identity theft. EHR theft is also more difficult to detect, taking almost twice as long as normal identity theft.

Criminals can monetize stolen health data in other creative ways. For example, some healthcare providers and their business associates have been victimized by so-called “ransomware,” which infects computers and encrypts files, then demands payment (often in untraceable Bitcoin) to unlock them. See the FBI’s January 20, 2015 alert entitled Ransomware on the Rise.

Willie Sutton was famously quoted as selecting banks for his robberies because “that’s where the money is.” Today’s healthcare scammers and hackers may be following his lead by focusing their efforts on the asset most valuable to illicit purchasers.