A thoughtful reader responded to our last post, Debunking a Viral “Medical Hack” Meme,  which advised health plan subscribers to cite certain HIPAA compliance issues in efforts to overturn unfavorable insurance coverage decisions.

Jeff Knapp wrote:

This meme just popped up in my Facebook news feed this morning, and I was happy to see you addressed it so quickly. I too immediately noticed several flaws. In addition to the ones you noted here, there is certainly no right under HIPAA for an individual to speak with a covered entity’s privacy officer. While it’s true that a covered entity must designate a contact person or office, in my experience the contact person/office and the privacy officer are not the same. Typically, a privacy officer is dealing with higher-level issues than responding to requests for documents. I always enjoy reading your blog posts.

Mr. Knapp accurately notes that there is no right to contact a privacy officer, and in fact, HIPAA provides no private right of action for an individual whose protected health information was improperly accessed.  See Why Can’t I Sue Under HIPAA for a Breach of my Protected Health Information? What Can I Do?

Moreover, if the individual disputing a coverage decision is covered by a self-insured plan sponsored by his or her employer, the strategy advocated by the meme could easily backfire, notwithstanding any separation of insurance administration and human resources functions within an employer’s management structure, whether nominal or reasonable.

Since the early days of HIPAA, a steady trickle of misinterpretations, misunderstandings and half-truths has circulated informally both within the medical community and among the general public. The prevalence of social media only amplifies the effect. For example, a meme currently making the rounds on Facebook suggests using HIPAA as a strategy for convincing a health insurer to reverse a coverage denial decision. The post, entitled “Medical Hack,” began appearing this month. While it contains some accurate information, the post also has a number of flaws.


It reads as follows:

So, your doctor ordered a medical test or treatment and your insurance company denied it. That is a typical cost saving method.

OK, here is what you do:

1. Call the insurance company and tell them you want to speak with the “HIPAA Compliance/Privacy Officer” (By federal law, they have to have one)

2. Then ask them for the NAMES and CREDENTIALS of every person accessing your record to make that decision of denial. By law you have a right to that information.

3. They will almost always reverse the decision very shortly rather than admit that the committee is made of low paid HS graduates, looking at “criteria words,” making the medical decision to deny your care. Even in the rare case it is made by medical personnel, it is unlikely it is made by a board certified doctor in that specialty and they DO NOT WANT YOU TO KNOW THIS!

4. Any refusal should be reported to the US Office of Civil Rights (OCR.gov) as a HIPAA violation.

As with any viral post, it is prudent to fact-check this advice with reliable sources such as Snopes.com. Sure enough, Snopes has addressed the “hack” and classified it as a mixture of true, false and undetermined information. See http://www.snopes.com/hipaa-medical-hack-insurance-claim-denials/

To their credit, the fact-checkers at Snopes picked up on several flaws in the strategy suggested in the hack, particularly the fact that neither HIPAA nor the Affordable Care Act requires insurers to base decisions to deny coverage of services or medications on the decision of a doctor, let alone a doctor who is board certified in the specialty under which that treatment falls. (In fact, these issues are primarily regulated by state insurance laws.) To that effect, Snopes notes:

… if insurance companies are entitled to deny coverage on a discretionary basis without the say-so of a doctor, there’s no reason a non-mandated process would be outlined through any plan resource or HHS guideline. Asking for such documentation would make as much sense as someone demanding a receipt for a donut you didn’t buy.

However, the most critical flaw in the suggested strategy is the fact that insurers and other covered entities are not required to account for all internal disclosures (and even many external disclosures for that matter), and disclosures for payment or health care operations purposes are specifically carved out of the accounting requirement in 45 C.F.R. 164.528(a).  Insurance clerks, regardless of their level of education, are likely to be utilizing patient records for payment and operations purposes when processing claims denials.

With regard to the requirement to designate a  “HIPAA Compliance/Privacy Officer,” the Snopes report stated “We were unable to locate any relevant portion of the act that specifically mandated what the meme claimed.”   In fact,  45 C.F.R. § 164.530 states:

(a)(1) Standard: Personnel designations. (i) A covered entity must designate a privacy official who is responsible for the development and implementation of the policies and procedures of the entity.

A better approach for health insurance subscribers facing denial of a treatment ordered by their physician is to follow the appeal mechanisms specified in their plans, and check their rights under applicable state law. For instance, Pennsylvania’s Act 68 includes certain standards for managed care plans and offers complaint and grievance procedures for individuals.

Lesson: Viral memes are often an unreliable source of legal advice.  I’m a major fan of Snopes.com, but sometimes even Snopes doesn’t get all the details.

Our partners Elizabeth Litten and William H. Maruca and I were quoted by our good friend Marla Durben Hirsch in her article in Medical Practice Compliance Alert entitled “Watch for HIPAA Pitfalls When Involving Police in ID Checks.” Full text can be found in the October 26, 2015, issue, but a synopsis is below. Marla’s article was also featured in Part B News.

Houston area OB/GYN clinic Northeast Women’s Healthcare has received attention due to a situation involving the verification of a patient’s identification by contacting law enforcement. The clinic believed that a patient was attempting to use false identification in order to receive treatment at the facility, which prompted it to contact law enforcement. When local authorities were given the license number, it was determined that the information provided was false, which led to the arrest of the individual seeking treatment.

Although the individual was alleged to have tampered with government records and has been described as an undocumented immigrant, questions have surfaced as to whether the clinic’s procedure violated HIPAA regulations by disclosing protected health information.

Some of the considerations identified in the article for providers that are concerned about possible false identification submitted by a patient include the following from Marla’s article:

  1. “Providers appear to be under no obligation under HIPAA to report suspicious documents,” points out Maruca.
  2. “It’s not up to a doctor’s office to be a cop. You need to balance quality and safety issues versus the veneer of not wanting to treat the undocumented,” Litten says.
  3. “The controversy also is fueled by its occurrence in Texas, with not only a large demographic of immigrants but also where immigration status is a hot button issue and has garnered significant publicity,” Kline says.
  4. Kline continues by stating, “Emotions on this are high in Texas. It heightens the sexiness of the case.”

The obligations of providers to report to authorities that an individual has submitted suspected false identification to secure healthcare services can be complex and fact-specific.  Depending on the fact pattern, the matter can even become a media event.  In light of heightened sensitivities to immigration status, this issue can be expected to be a developing area of HIPAA and State law on identity theft, which may differ from HIPAA.

A Houston-area woman was arrested at her gynecologist’s office by Sheriff’s deputies because she presented a false ID and now may face deportation, according to a September 11, 2015 report in the Houston Press.  The woman, Blanca Borrego, was reportedly visiting Northeast Women’s Healthcare for an annual check-up and to follow up on a painful abdominal cyst that had been identified a year earlier.   The Houston Press goes on to say that after filling out paperwork and waiting two hours, she was called into an exam room and met by law enforcement officers, who led her out in handcuffs in front of her young daughters.

“We’re going to take her downtown, she presented a form of false identification,” Borrego’s daughter recalled the deputy saying. He said their mother’s bond would probably be around $20,000, and added, “She’s going to get deported.”

Ms. Borrego had reportedly remained in the U.S. for 12 years on an expired visa.  It was her first visit to this clinic, although she had been treated previously by the same physician.  However, one commentator suggests she may have been eligible for protection from deportation under current law:

In fact, Borrego would have qualified for President Obama’s Deferred Action for Parents of Americans and Lawful Permanent Residents (DAPA) administrative reform program, which was announced last year. For the estimated 4.1 million undocumented individuals like Borrego—who have been in the United States since January 1, 2001 and have a son or daughter who is a U.S. citizen or lawful permanent resident—DAPA allows work permit applications and protection from deportation.  – Ana DeFrates, Texas Latina Advocacy Network, National Latina Institute for Reproductive Health

When can a physician practice, clinic, hospital or other healthcare provider reveal protected health information to law enforcement?  Section 164.512(j) of the HIPAA rule permits such disclosures to avert a serious threat to health or safety, and only in limited situations:

(j) A covered entity may, consistent with applicable law and standards of ethical conduct, use or disclose protected health information, if the covered entity, in good faith, believes the use or disclosure:

(i)(A) Is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public; and

(B) Is to a person or persons reasonably able to prevent or lessen the threat, including the target of the threat; or

(ii) Is necessary for law enforcement authorities to identify or apprehend an individual:

(A) Because of a statement by an individual admitting participation in a violent crime that the covered entity reasonably believes may have caused serious physical harm to the victim; or

(B) Where it appears from all the circumstances that the individual has escaped from a correctional institution or from lawful custody, as those terms are defined in §164.501.

Covered entities may also disclose to law enforcement officials protected health information that the covered entity believes in good faith constitutes evidence of criminal conduct that occurred on the premises of the covered entity. It is not clear at this time whether Northeast will rely on that provision to justify its call to the police. There are no allegations of identity theft, and in fact Ms. Borrego reportedly was covered by her husband’s health insurance policy.

Ironically, when the Houston Press asked Memorial Hermann about its policies regarding informing authorities about suspected undocumented aliens, spokeswoman Alex Loessin reportedly replied, “As you know, because of patient privacy, I am unable to provide comment.”

The HIPAA implications of this emerging story have yet to fully play out.  Covered entities and their business associates should use caution before voluntarily disclosing PHI to law enforcement agencies, particularly when there is no indication of violent crime or serious threats to health or safety.

A recent post on this blog by our partner Elizabeth Litten was quoted in the Dissenting Statement (the “Dissent”) of FTC Commissioner Maureen K. Ohlhausen in the Matter of Nomi Technologies, Inc., Matter No. 1323251. Ms. Ohlhausen disagreed with the views of the majority of the Commissioners in the Matter because she believed that

. . . by applying a de facto strict liability deception standard absent any evidence of consumer harm, the proposed complaint and order inappropriately punishes a company that acted consistently with the FTC’s privacy goals by offering more transparency and choice than legally required.

To buttress her viewpoint, Ms. Ohlhausen quoted as follows from Elizabeth’s post, which was referenced at footnote 9:

In response to the case’s release, one legal analyst [Elizabeth Litten] advised readers that ‘giving individuals more information is not better’ and that where notice is not legally required, companies should ‘be sure the benefits of notice outweigh potential risks.’

The takeaway from the FTC decision in Nomi and the Dissent appears to be that, in setting and publishing privacy policies, an organization should carefully consider whether adopting standards in excess of legal requirements is advisable if there is a reasonable possibility that the organization may find such standards difficult or costly to attain and maintain, thereby increasing the risk of regulatory scrutiny and sanctions.

Cancer Care Group, P.C., a 13-physician radiation oncology practice in Indiana (group), has agreed to pay $750,000 and implement a comprehensive corrective action plan in a settlement resulting from the theft of a laptop and backup media containing unencrypted patient information.  As is often the case, the breach incident triggered an investigation that revealed deeper deficiencies in the physician group’s HIPAA compliance efforts.  The Office of Civil Rights of the Department of Health and Human Services (OCR) announced the settlement in a September 2, 2015 press release entitled “$750,000 HIPAA settlement emphasizes the importance of risk analysis and device and media control policies.”  That heading alone strongly suggests that OCR chose this case to send a clear and powerful message to smaller covered entities and business associates that neglecting basic compliance efforts can and will result in heavy fines, especially if meaningful corrective action is not undertaken after a breach occurs.

The practice first notified OCR of the theft of an employee’s laptop bag in 2012 from the employee’s car. The bag contained a laptop, which did not contain ePHI, and unencrypted computer server backup media with names, addresses, dates of birth, Social Security numbers, insurance information and clinical information of approximately 55,000 current and former patients.   OCR learned upon further investigation that the group had taken its HIPAA obligations less than seriously for years preceding the breach.

It had not conducted an enterprise-wide risk analysis when the breach occurred in July 2012. Further, Cancer Care did not have in place a written policy specific to the removal of hardware and electronic media containing ePHI into and out of its facilities, even though this was common practice within the organization. OCR found that these two issues, in particular, contributed to the breach, as an enterprise-wide risk analysis could have identified the removal of unencrypted backup media as an area of significant risk to Cancer Care’s ePHI, and a comprehensive device and media control policy could have provided employees with direction in regard to their responsibilities when removing devices containing ePHI from the facility.

In addition to the fine, the group adopted a Corrective Action Plan as part of its Resolution Agreement with OCR, which can be read here.

Much like the Phoenix Cardiac Surgery settlement that we discussed on this blog in 2012, this case involved  not just a one-time negligent breach, but a systematic, ongoing failure to adopt and implement appropriate HIPAA safeguards, policies and compliance efforts.  The Resolution Agreement indicates that such failures continued for a significant time after the theft of the devices.

The Resolution Agreement states that the payment of the $750,000 “Resolution Amount” does not preclude the government from imposing civil monetary penalties in the future if the deficiencies are not cured, and the group agreed to extend the statute of limitations on such penalties during the three-year term of the Resolution Agreement and Corrective Action Plan and for one year afterwards. During the term of the Agreement, the group is required to complete a comprehensive Risk Analysis of all security risks and vulnerabilities posed by its electronic equipment, data systems, and applications that contain, store, transmit, or receive electronic protected health information (“ePHI”) and report the results to OCR; develop and implement an organization-wide Risk Management Plan to address and mitigate any security risks and vulnerabilities found in the Risk Analysis; revise and update its policies and procedures to OCR’s satisfaction; revise its current Security Rule Training Program; investigate any workforce member’s violation of such policies and report the results to OCR (even if such violation did not result in a breach); and file detailed annual reports with OCR.

There are plenty of lessons to learn from this settlement, but one of the most critical lessons may be the easiest to implement: encrypt your data, particularly any data that is stored on portable devices, which have a disturbing tendency to disappear. Had the backup media been encrypted, it is likely that the outcome of this incident would have been very different. Another lesson is that, if a breach of HIPAA is discovered, be proactive and act immediately to assess and address the risk and mitigate the potential damage, update your policies and procedures, implement changes designed to avoid another breach, etc. Do not wait for OCR to tell you how to respond to the breach.

HIPAA has made an unlikely appearance twice already this month in news reports involving famous athletes.

Between the Pierre-Paul medical record tweet by ESPN reporter Adam Schefter earlier this month (discussed by my partner and fellow blogger Bill Maruca here) and the ticker-tape parade featuring confetti made of shredded (but apparently legible) medical information raining down on U.S. Women’s soccer team in New York City (reported by WFMY news here), it seems HIPAA breaches and athletes have had an uncanny affinity for one another this summer, particularly in New York City.

Setting the attenuated coincidence of these events aside, the Pierre-Paul incident provides an opportunity to review when medical information that relates to one’s employment is protected under HIPAA and when it isn’t.

In 2002, the U.S. Department of Health and Human Services (HHS), the agency responsible for enforcing HIPAA, considered a comment to a proposed HIPAA regulation suggesting that “health information related to professional athletes should qualify as an employment record,” and, thus, not be considered protected health information under HIPAA.  HHS was quite clear in responding that a professional athlete has the same HIPAA rights as any other individual:

If this comment is suggesting that the records of professional athletes should be deemed “employment records” even when created or maintained by health care providers and health plan, the Department disagrees.  No class of individuals should be singled out for reduced privacy.

HHS refused to provide a definition of “employment record”, fearing that it might “lead to the misconception that certain types of information are never protected health information, and will put the focus incorrectly on the nature of the information rather than the reasons for which” the information was obtained.

HHS went on to explain how and when protected health information might become “employment record” information:

For example, drug screening test results will be protected health information when the provider administers the test to the employee, but will not be protected health information when, pursuant to the employee’s authorization, the test results are provided to the … employer and placed in the employee’s employment record.

HHS further clarified that:

… medical information needed for an employer to carry out its obligations under FMLA, ADA, and similar laws, as well as files or records related to occupational injury, disability insurance eligibility, sick leave requests and justifications, drug screening results, workplace medical surveillance, and fitness-for-duty tests of employees, may be part of the employment records maintained by … an employer.

Going back to Pierre-Paul, the mere fact that his injury could affect his ability to perform as a professional athlete did not automatically turn the protected health information related to the injury (the medical record created by the hospital) into “employment records” exempt from HIPAA protection.  It isn’t unless and until protected health information is disclosed to the employer pursuant to the individual’s authorization that it becomes an “employment record” no longer subject to HIPAA.  Even if an individual’s disclosure of medical records is a condition of employment (apparently not the case in Pierre-Paul’s situation), it is the individual’s authorization that allows its disclosure, not the category or class of the individual.

New York Giants’ defensive end Jason Pierre-Paul suffered hand injuries while handling fireworks on July 4.  A screenshot of a page from his hospital records was tweeted by ESPN reporter Adam Schefter on July 8, resulting in a flurry of speculation over whether the disclosure may have violated HIPAA or other privacy laws.  In an article by  published today by LXBN, the Lexblog Network, our partners and frequent blog contributors Michael Kline and Elizabeth Litten are quoted extensively about the implications of the publication of these records by a media outlet, the health privacy rights of public figures and the effect, if any, of the NFL’s collective bargaining agreement on such disclosures.  The article is here: Did That ESPN Reporter’s Tweet Violate HIPAA?

As noted in Elizabeth’s comments, there is no “public figure exception” to HIPAA, and as we have noted before in this blog, celebrities’ records are frequently the subject of unauthorized snooping.

A critical question is how the ESPN reporter obtained the records, from whom and under what circumstances.  Although HIPAA does not directly regulate parties other than Covered Entities and their Business Associates, the law provides for criminal penalties for unauthorized use or disclosure of individually identifiable health information with the intent to sell, transfer, or use such information for commercial advantage, personal gain or malicious harm, including fines of up to $250,000, and imprisonment for up to ten years.  The Department of Justice has stated that “the liability of persons for conduct that may not be prosecuted directly under section 1320d-6 will be determined by principles of aiding and abetting liability and of conspiracy liability.”

Illicitly obtained medical records should be contrasted with health information that is released voluntarily by the individual patient.  For instance, in the Ebola infection incidents of October 2014, it appears that some information reported in the media may have been voluntarily disclosed by the affected individuals or their families.  Nevertheless, famous individuals, whether their fame arises out of their health condition or because of their prominence as athletes, entertainers or politicians, have the same health privacy rights as others and those rights should be safeguarded by covered entities and their business associates.

I received a disturbing robo-call over the weekend informing me that someone had attempted to use my credit card number fraudulently in a retail store in the next county. When I called back and verified these were not legitimate charges, my card issuer assured me that I would not be financially responsible, canceled my card and sent me a replacement. My imposter was prevented from accessing my account by the issuer’s tight security system. Victims of healthcare identity theft may not get off so easily, which may explain why smarter thieves are increasingly targeting health records.

The relative value of health records and financial data can vary greatly according to different sources. As the Pittsburgh Post-Gazette reported today,

“The value of personal financial and health records is two or three times [the value of financial information alone], because there’s so many more opportunities for fraud,” said David Dimond, chief technology officer of EMC Healthcare, a Massachusetts-based technology provider. Combine a Social Security number, birth date and some health history, and a thief can open credit accounts plus bill insurers or the government for fictitious medical care, he noted.

Reuters reports that medical information is worth 10 times more than credit card numbers on the black market.

Stolen health credentials can go for $10 each, about 10 or 20 times the value of a U.S. credit card number, according to Don Jackson, director of threat intelligence at PhishLabs, a cyber crime protection company. He obtained the data by monitoring underground exchanges where hackers sell the information.

Medscape reports that a stolen chart may be worth as much as $50, citing an FBI bulletin from April 2014:

Cyber criminals are selling the information on the black market at a rate of $50 for each partial EHR, compared to $1 for a stolen social security number or credit card number. EHR can then be used to file fraudulent insurance claims, obtain prescription medication, and advance identity theft. EHR theft is also more difficult to detect, taking almost twice as long as normal identity theft.

Criminals can monetize stolen health data in other creative ways. For example, some healthcare providers and their business associates have been victimized by so-called “ransomware,” which infects computers and encrypts files, then demands payment (often in untraceable Bitcoin) to unlock them. See the FBI’s January 20, 2015 alert entitled Ransomware on the Rise.

Willie Sutton was famously quoted as selecting banks for his robberies because “that’s where the money is.” Today’s healthcare scammers and hackers may be following his lead by focusing their efforts on the asset most valuable to illicit purchasers.

A registered nurse employed by Minnesota Blue Cross Blue Shield (BC/BS) with a history of drug offenses allegedly accessed a prescription drug database 249 times without a legitimate purpose, according to a report by Minneapolis CBS affiliate WCCO posted by reporter Esme Murphy.

The nurse, Jim Johnson, reportedly had been previously assigned by BC/BS under the insurer’s contract with the state Department of Health to monitor prescription drug use in state-run medical programs. In that capacity, he was given access to the Minnesota Prescription Monitoring Program (MNPMP), which is generally limited to licensed prescribers and pharmacists, and their delegated staff. The MNPMP was established to detect diversion, abuse and misuse of prescriptions for controlled substances.

For a period of eight months after Johnson had been reassigned to other duties, he apparently had not been removed from the list of authorized users despite BC/BS having notified the state of the change. WCCO reports that during that time Johnson had accessed 56 individuals’ records, and had viewed a number of records multiple times. Investigations also revealed that Johnson had accessed some of these same individuals’ social media profiles. There reportedly is no indication at this time that Johnson disclosed any of the information he obtained or that he misused that information to obtain narcotics.

State Nursing Board disciplinary records indicate that Johnson had been fired by two previous employers because of narcotic violations. He reportedly admitted to stealing drugs from Children’s Hospital in St. Paul in 2000 and was fired by Unity Hospital after admitting to stealing morphine. He had not been charged criminally but had been fined and subjected to additional supervision. BC/BS was apparently unaware of Johnson’s disciplinary history when he was hired.

There is plenty of blame in this situation to go around. Although the MNPMP apparently had a process in place for credentialing legitimate users, it failed to revoke those credentials when it was notified that Johnson’s job no longer required him to access the database. BC/BS may have failed to monitor its employees’ access to such a highly confidential trove of information, and may have exercised poor judgment in not thoroughly vetting an employee before assigning him to such a sensitive role.

Employee “snooping” has led to serious consequences in a number of high profile cases, including a Vermont ultrasound technologist who peeked at her ex-husband’s family’s records, a UCLA researcher who was sentenced to prison for looking at celebrity charts, California and New York hospital workers who accessed celebrity records and 16 Houston hospital employees fired for accessing a resident’s medical records after she was injured in a shooting incident.

A surprising footnote to WCCO’s story is the fact that the state Department of Health reportedly misstated HIPAA’s breach reporting requirements and claimed that only breaches involving 500 or more individuals were reportable. Such large-scale breaches require notice within 60 days of discovery, but, as indicated in the WCCO report, breaches involving fewer than 500 individuals must still be reported within 60 days of the close of the calendar year.

This is not BC/BS’s first brush with medical privacy violations. According to the Star Tribune, in 2010, a subscriber sued the insurer for violating the Minnesota Health Records Act and breaching her privacy by disclosing her name and providing confidential information about her medical treatment. Amazingly, the patient’s information was reproduced in illustrations that appeared in handbooks and marketing pamphlets instead of “dummy” information. Her ID and claims information appeared in 400 copies of a pamphlet and in 95,000 copies of a member handbook. Previously, the State Department of Commerce suspended the license of a BC/BS agent after a life insurance customer complained that the agent had improperly disclosed the customer’s personal information.

Once again the temptation to rummage around in an inadequately-secured repository of information has proven too hard for an employee to resist. Few covered entities and business associates have implemented safeguards to protect data from curious (or dishonest) employees’ eyes. Heightened employee training about prohibition of snooping with emphasis on discipline up to and including discharge is one step. However, the time may have come when relying on the honor system and training may be insufficient to meet HIPAA’s poorly-defined “minimum necessary” standard and more robust technical solutions may be called for. Even when, as in this case, only certain individuals are given access to PHI on a need-to-know basis, there is room for improvement of monitoring and oversight of those individuals’ actual behavior.
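The two failures described in this post, credentials that were never revoked after a reassignment and access that nobody reviewed, are both detectable from an audit log reconciled against an authorization roster. The following is an added example, not code from the blog or from the Minnesota program, written in Python against a constructed roster and constructed audit log lines (all user ids, dates and record identifiers are made up, and the key=value log format is an assumption). It flags accesses after a user's authorization end date, accesses by users who are not on the roster at all, and users who repeatedly view the same individual's record.

```python
"""Reconcile a prescription-monitoring audit log against an authorization roster.

Added example (not from the blog post). Flags:
  1. accesses after the date a user's authorization should have been revoked,
  2. accesses by users who were never on the roster,
  3. users who view the same individual's record repeatedly.
Every name, date and record id below is constructed for illustration.
"""
from collections import defaultdict
from datetime import date, datetime

# Constructed roster: user id -> date after which access should have been
# revoked (None means still authorized). "nurse7" was reassigned on 2014-01-15.
ROSTER = {
    "pharm1": None,
    "nurse7": date(2014, 1, 15),
}

# Constructed audit log in an assumed "timestamp key=value ..." format.
AUDIT_LOG = """\
2014-01-10T09:02:11 user=nurse7 action=view record=P-1001
2014-01-14T16:40:03 user=pharm1 action=view record=P-2002
2014-02-03T10:14:22 user=nurse7 action=view record=P-3003
2014-02-03T10:16:47 user=nurse7 action=view record=P-3003
2014-02-05T08:01:09 user=nurse7 action=view record=P-3003
2014-03-11T13:55:30 user=pharm1 action=view record=P-2002
2014-03-12T07:22:18 user=ghost action=view record=P-4004
"""


def parse_log(text):
    """Turn each non-empty log line into a dict with when/user/record."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        timestamp, *fields = line.split()
        kv = dict(field.split("=", 1) for field in fields)
        events.append({
            "when": datetime.fromisoformat(timestamp),
            "user": kv["user"],
            "record": kv["record"],
        })
    return events


def stale_accesses(events, roster):
    """Accesses that should have been impossible under a correct deprovisioning process."""
    flagged = []
    for event in events:
        user = event["user"]
        if user not in roster:
            flagged.append((user, event["record"], "not on roster"))
            continue
        end = roster[user]
        if end is not None and event["when"].date() > end:
            flagged.append((user, event["record"], "after deprovisioning date"))
    return flagged


def repeat_views(events, threshold=3):
    """(user, record) pairs viewed at least `threshold` times; a snooping indicator."""
    counts = defaultdict(int)
    for event in events:
        counts[(event["user"], event["record"])] += 1
    return {pair: n for pair, n in counts.items() if n >= threshold}


def review(text, roster, threshold=3):
    """Run both checks over raw log text and return the findings."""
    events = parse_log(text)
    return {
        "stale": stale_accesses(events, roster),
        "repeat": repeat_views(events, threshold),
    }


if __name__ == "__main__":
    findings = review(AUDIT_LOG, ROSTER)
    for user, record, reason in findings["stale"]:
        print(f"STALE  {user} viewed {record}: {reason}")
    for (user, record), n in findings["repeat"].items():
        print(f"REPEAT {user} viewed {record} {n} times")
```

The roster check is the cheap, deterministic half: any access after the recorded end date is a deprovisioning failure regardless of what was viewed. The repeat-view count is only a prompt for human review, since a pharmacist may legitimately revisit a record; the threshold is a tuning knob, not a verdict.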