In 1973, President Richard Nixon’s Chief of Staff H.R. Haldeman warned White House Counsel John Dean against talking to prosecutors investigating the growing Watergate scandal, telling him “Once the toothpaste is out of the tube, it’s going to be very hard to get it back in,” and a useful idiom was born. Personal electronic data, including protected health information, once disclosed, can be equally difficult to recapture and contain.

A recent article in Slate entitled You Can’t Clean Up a Data Spill describes the obstacles to effectively remediating a data breach or improper disclosure in the wake of revelations about the breach involving Facebook data and Cambridge Analytica. As author April Glaser stated, “There’s no such thing as a cleanup site for data spills. That’s because when data leaks, it can be duplicated far faster than anyone can mop it up.”

Cambridge Analytica, a British political consulting firm, provided research, data mining and communication services to campaigns including those of Ted Cruz and Donald Trump. The firm claimed to have developed “psychographic” profiles of voters that could predict their personality traits and political leanings. The New York Times reported that the firm had harvested information from the Facebook profiles of over 50 million users without their permission, and a subsequent CNN report estimates the breach may have affected up to 87 million users. The firm’s chief executive has claimed that the data had been deleted when the improper acquisition was brought to their attention two years prior to the Times article. But how much toothpaste is still in circulation, and can anything be done to recover it?

Facebook founder Mark Zuckerberg has told CNN that Cambridge Analytica provided them with a formal certification from the firm that it had deleted all user data acquired through improper means. Unfortunately, even if that is accurate, it cannot address whether the data had been copied or further disclosed prior to such deletion. According to Slate:

Tracking down and searching where that data has gone will be incredibly difficult,” says Sarah Aoun, a digital security specialist and open web fellow at the Mozilla Foundation. “I’m not even sure it would be realistic.” Maybe it would be easier if the data was “watermarked,” meaning there was some tag on the data to indicate it was the Cambridge Analytica–obtained Facebook data. But Facebook didn’t do that, as Zuckerberg explained to Wired, and even if it had, Aoun says that “any identifiable trace relating it back to Facebook can be altered and then changed and could exist in 10 different shapes and forms online or in the hands of anyone.”

The Facebook/Cambridge Analytica breach is a sobering cautionary tale for covered entities and business associates subject to HIPAA who routinely handle large amounts of PHI. Once a breach occurs and is discovered, it may be impossible to definitively account for all data that may have been copied or transmitted. All the more reason to secure the cap on your EHR tube.

The New York City skyline, including the Empire State BuildingIn a post on February 28, Fox associate Kristen Marotta discussed the privacy and security issues arising from the growing use of telemedicine, particularly for mental health treatment. Now on the firm’s Physician Law blog, Kristen continues her discussion of telepsychiatry by diving into recent developments in New York State surrounding the innovative practice model. Kristen notes new funding from the New York Office of Mental Health to expand its use, and breaks down the OMH regulations that psychiatrists and physicians will need to consider before offering telepsychiatry services.

We invite you to read Kristen’s piece.

Kristen Marotta writes:

Many believe that educated millennials are choosing to work in urban, rather than rural areas, during their early career due to societal milestones being steadily pushed back and the professional opportunities and preferences of a young professional. Recent medical school graduates are a good example of this dichotomy. The shortage of physicians in rural areas is a well-known phenomenon. Over the years, locum tenens staffing has helped to soften the impact and, recently, so has telemedicine.

Illustration of stethoscope and mobile phone, symbolizing telemedicineThe growing prevalence of telemedicine around the country is an important consideration for new physicians as they decide where to settle down and establish their careers.  In New York, medical graduates should be aware that a $500,000 federal grant was given to New York State’s Office of Mental Health this month, February 2018 by the U.S. Department of Agriculture Rural Development Distance Learning and Telemedicine program.  Using telemedicine to provide mental health services may be a productive and efficient way to deliver healthcare, not only because many mental health examinations would not have to be conducted in-person, but also because of the general shortage of psychiatrists and mental health providers to meet these patient needs. Now, medical graduates who would like to establish their lifestyle in a city can simultaneously care for patients living miles apart from them.

It is essential that health care providers engaging in telemedicine understand the implications of this practice model with respect to compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA).  Providers rendering health care services via telemedicine should update and adjust their security risk assessments and HIPAA privacy and security policies and procedures, because protected health information is likely to be created in two separate locations (i.e., the location of the provider and the location of the patient).  Providers should also make sure that their (or their practice’s) Notice of Privacy Practices has been updated to reflect the provision of services via telemedicine, so that the patient has the opportunity to make an informed decision about engaging in this type of health care. Additionally, new business associate agreements may be required with telehealth vendors that do not meet the narrow “mere conduit” exception and any new parties who will have access to the individual’s protected health information as a result of the provision of services via telemedicine. In connection with these efforts, Providers should research and conduct due diligence on vendors to confirm that they understand the services model and are HIPAA-compliant.

As telemedicine emerges and gains more traction in health care, state laws and regulations will also be created and/or updated, and physicians will need to keep abreast of these changes. A good example of this is the State of New York, which has an entire section of mental health regulations dedicated to telepsychiatry. Stay tuned to Fox Rothschild’s Physician Law Blog for further updates on these specific New York regulations, as well as the developments in telemedicine.


Kristen A. Marotta is an associate in the firm’s Health Law Department, based in its New York office.

Text messaging is a convenient way for busy doctors to communicate, but for years, the question has remained: are doctors allowed to convey sensitive health information with other members of their provider team over SMS? The answer is now “yes,” thanks to a memo published last week by the U.S. Department of Health & Human Services (HHS), Centers for Medicare & Medicaid Services (CMS).   The memo clarifies that “texting patient information among members of the health care team is permissible if accomplished through a secure platform.”

However, texting patient orders is prohibited “regardless of the platform utilized” under the CMS hospital Conditions of Participation or Conditions of Coverage, and providers should enter orders into an electronic health record (EHR) by Computerized Provider Order Entry (CPOE).

According to the memo, CMS expects providers and organizations to implement policies and procedures that “routinely assess the security and integrity of the texting systems/platforms that are being utilized” to avoid negatively affecting patient care.

What’s interesting about the CMS memo is that texting on a cell phone has become as routine (if not more routine) as speaking into a cell phone – and HHS published guidance way back in 2013 explaining that the HIPAA Privacy Rule permits doctors and other health care providers to share protected health information over the phone. Telling a 21st century doctor not to communicate by text message (within the proper HIPAA parameters, of course) is like telling the President he can’t communicate on Twitter.

CMS’s restriction on texting patient orders appears to relate to concerns about medical record accuracy, not privacy and security. “CMS has held to the long standing practice that a physician … should enter orders into the medical record via a hand written order” or by CPOE, “with an immediate download into the … [EHR, which] would be dated, timed, authenticated, and promptly placed in the medical record.”

I asked a couple of IT security experts here at Fox how a provider or organization would go about “routinely assessing the security and integrity of the texting systems/platforms” being used by doctors. According Fox partner and Chief Privacy Officer Mark McCreary, CIPP/US, the provider or organization might want to start by:

“… receiv[ing] and review[ing] their third party audits and certifications.  Most platform providers would make those available to customers (if not the public).  They like to tout their security.”

Matthew Bruce, Fox’s Information Security Officer, agreed:

“That is really the only practical way to routinely assess. SMS, which is standard text messaging, isn’t secure so it would likely require the potential use of third party app like Signal.  iMessages are encrypted and secure but only between iPhone users. Both companies should publish their security practices.”

So, providers or organizations participating in Medicare can (continue to) allow doctors to communicate (but not enter treatment orders) by text, but should periodically review the security of the texting systems or platforms the doctors are using. They may also want to remind doctors to make sure they know when and how to preserve text messages, whether by taking screen shots, using an SMS backup app, or some other method.

“Maybe” is the take-away from recent guidance posted on OCR’s mHealth Developer Portal, making me wonder whether the typical health app user will know when her health information is or is not subject to HIPAA protection.

The guidance is clear and straightforward and contains no real surprises to those of us familiar with HIPAA, but it highlights the reality that HIPAA, originally enacted close to 20 years ago, often becomes murky in the context of today’s constantly developing technology. Here’s an excerpt from the guidance that illustrates this point:

Consumer downloads to her smart phone a mobile PHR app offered by her health plan that offers users in its network the ability to request, download and store health plan records. The app also contains the plan’s wellness tools for members, so they can track their progress in improving their health.  Health plan analyzes health information and data about app usage to understand the effectiveness of its health and wellness offerings.  App developer also offers a separate, direct-to-consumer version of the app that consumers can use to store, manage, and organize their health records, to improve their health habits and to send health information to providers.

Is the app developer a business associate under HIPAA, such that the app user’s information is subject to HIPAA protection?

Yes, with respect to the app offered by the health plan, and no, when offering the direct-to-consumer app. Developer is a business associate of the health plan, because it is creating, receiving, maintaining, or transmitting protected health information (PHI) on behalf of a covered entity.  Developer must comply with applicable HIPAA Rules requirements with respect to the PHI involved in its work on behalf of the health plan.  But its “direct-to-consumer” product is not provided on behalf of a covered entity or other business associate, and developer activities with respect to that product are not subject to the HIPAA Rules.  Therefore, as long as the developer keeps the health information attached to these two versions of the app separate, so that information from the direct-to-consumer version is not part of the product offering to the covered entity health plan, the developer does not need to apply HIPAA protections to the consumer information obtained through the “direct-to-consumer” app.

So if I download this app because my health plan offers it, my PHI should be HIPAA-protected, but what if I inadvertently download the “direct-to-consumer” version? Will it look different or warn me that my information is not protected by HIPAA?  Will the app developer have different security controls for the health plan-purchased app versus the direct-to-consumer app?

HIPAA only applies to (and protects) individually identifiable health information created, received, maintained or transmitted by a covered entity or business associate, so perhaps health app users should be given a “Notice of Non-(HIPAA) Privacy Practices” before inputting health information into an app that exists outside the realm of HIPAA protection.

Whether it was an apple or a quince, pomegranate, or some other more botanically-likely fruit growing in the Garden of Eden, God’s command in Genesis was clear: do not eat the fruit from the tree of the knowledge of good and evil.  When Adam and Eve ate the apple (or other fruit) anyway, they gained knowledge of evil (they already knew good).

Apple
Copyright: Spanishalex / 123RF Stock Photo

Many thousands of years later, the battle between Apple and the FBI over device encryption oddly echoes themes from this ancient biblical story.   Is the knowledge of evil potentially gained by unlocking an evildoer’s iPhone worth breaking society’s trust in the security of encryption?

Our law partner Amy Purcell recently posted the following on the Fox Rothschild “Privacy Compliance & Data Security” blog:

Fox Partner and Chair of the Privacy and Data Security Practice Scott L. Vernick was a guest on Fox Business’ “The O’Reilly Factor” and “After the Bell” on February 17, 2016, to discuss the controversy between Apple and the FBI over device encryption.

A federal court recently ordered Apple to write new software to unlock the iPhone used by one of the shooters in the San Bernardino attacks in December. Apple CEO Tim Cook has vowed to fight the court order.

The Federal Government vs. Apple (The O’Reilly Factor, 02/17/16)

Apple’s Privacy Battle With the Federal Government (After the Bell, 02/17/16)

I agree with Scott.

In January, I wrote here about the FTC’s announcement of a settlement with Henry Schein Practice Solutions, Inc. for falsely advertising that the software it marketed to dental practices provided the encryption necessary to protect patient data from breach. In reality, the software did not encrypt the data, but merely “camouflaged” or masked it from access by third parties.  The FTC’s action and settlement seemed to reflect the fact that encryption is viewed as the “gold standard” for protecting protected health information and other sensitive personal information, and advertising that a software product provides encryption when it really doesn’t is a problem.

If Apple is forced to create software that will break “gold standard” encryption so the FBI can gain knowledge of the evil that may lurk within a particular iPhone, this “gold standard” will be immediately devalued. In the HIPAA context, we will need another technology to render PHI “unusable, unreadable, or indecipherable to unauthorized persons” because, in essence, the biblical apple will have been bitten.

Our partner Elizabeth Litten and I had a recent conversation with our good friend Marla Durben Hirsch who quoted us in her Medical Practice Compliance Alert article, “Beware False Promises From Software Vendors Regarding HIPAA Compliance.” Full text can be found in the February, 2016, issue, but some excerpts regarding 6 tips to reduce the risk of obtaining unreliable HIPAA compliance and protection software from vendors are summarized below.

As the backdrop for her article, Marla used the $250,000 settlement of the Federal Trade Commission (the “FTC”) with Henry Schein Practice Solutions, Inc. (“Henry Schein”) for alleged false advertising that the software it marketed to dental practices provided “industry-standard encryption of sensitive patient information” and “would protect patient data” as required by HIPAA. Elizabeth has already posted a blog entry on aspects of the Henry Schein matter that may be found here.

During the course of our conversation with Marla, Elizabeth observed, “This type of problem [risk of using unreliable HIPAA software vendors] is going to increase as more physi­cians and health care professionals adopt EHR systems, practice management systems, patient portals and other health IT.”

The six tips listed by Marla are summarized as follows:

  1. Litten and Kline:

Vet the software vendor regarding the statements it’s making to secure and protect your data. If the vendor is claiming to provide NIST-standard encryption, ask for proof. See what it’s saying in its marketing brochures. Check references, Google the company for lawsuits or other bad press, and ask whether it suffered a security breach and if so, how the vendor responded.

 

  1. Kline: Make sure that you have a valid business associate agreement that protects your interests when the software vendor is a business associate.” However, a provider must be cautious to determine first whether the vendor is actually a business associate before entering into a business associate agreement.

 

  1. Litten: “Check whether your cyberinsurance covers this type of contingency. It’s possible that it doesn’t cover misrepresentations, and you should know where you stand.”

 

  1. Litten and Kline: See what protections a software vendor contract may provide you.”   For instance, if a problem occurs with the software or it’s not as advertised, if the vendor is not obligated to provide you with remedies, you might want to add such protections, using the Henry Schein settlement as leverage.

 

  1. Litten and Kline: Don’t market or advertise that you provide a level of HIPAA protection or compliance on your web-site, Notice of Privacy Practices or elsewhere unless you’re absolutely sure that you do so.” The FTC is greatly increasing its enforcement activity.

 

  1. Kline:Look at your legal options if you find yourself defrauded.” For instance, the dentists who purchased the software [from Henry Schein] under allegedly false pretenses have grounds for legal action.

The primary responsibility for compliance with healthcare data privacy and security standards rests with the covered entity. It must show reasonable due diligence in selecting, contracting with, and monitoring performance of, software vendors to avoid liability for the foibles of its vendors.

Health care vendors beware: if you tell customers that your product provides industry-standard encryption of protected health information in compliance with HIPAA, you’d better be sure it doesn’t simply “camouflage” the data.

The FTC recently announced a $250,000 settlement with Henry Schein Practice Solutions, Inc. (“Henry Schein”) for falsely advertising that the software it marketed to dental practices provided “industry-standard encryption of sensitive patient information” and “would protect patient data” as required by HIPAA.

In fact, according to the FTC’s Complaint, the software (called “Dentrix G5”) actually used a data protection tool Henry Schein knew was “less secure and more vulnerable than widely-used, industry-standard encryption algorithms, such as Advanced Encryption Standard (“AES”) encryption.” The Complaint states that Henry Schein was aware that the Department of Health and Human Services (“HHS”) directs health care providers to guidance promulgated by the National Institute of Standards and Technology (“NIST”), which recommends AES encryption to protect patient data.

The Complaint states that Henry Schein’s product did not use AES encryption, and alleges that Henry Schein was notified that its database engine vendor had agreed to re-brand the data protection used by Henry Schein as “Data Camouflage” so it would not be confused with standard encryption algorithms, like AES encryption. Still, Henry Schein allegedly continued to market its product as offering data encryption needed for HIPAA compliance.

In January of 2014, the Complaint concedes, Henry Schein published an announcement in the Spring 2014 issue of Dentrix Magazine stating:

“Available only in Dentrix G5, we previously referred to this data protection as encryption. Based on further review, we believe that referring to it as a data masking technique using cryptographic technology would be more appropriate.”

Alas, the admission that the product provided mere “data masking” or “camouflaging” rather than encryption was, apparently, too little and too late to avoid the FTC enforcement action and ensuing settlement payment and negative publicity. Though no data breach was alleged to have occurred, the damage had been done by the “false or misleading” claims already made by Henry Schein.

The lessons for covered entities and business associates using and marketing patient data tools? Simple:

(1) Encrypt, don’t camouflage (check NIST guidance and recommendations for current encryption standards).

(2) Don’t exaggerate your capabilities (don’t say you encrypt, when you merely camouflage, and if you only use some process like password protection, don’t suggest that you encrypt or even camouflage – potential misleading in this area can bring FTC sanctions).

(3) As we’ve said before on this blog, don’t forget that the FTC is watching – health care providers, payers, and vendors must remember that HHS isn’t the only sheriff in town when it comes to data protection, HIPAA isn’t the only law that governs patient data and privacy, and the States are also increasingly active in enforcing data privacy and security.

When and how should you email PHI, if at all?  The Office for Civil Rights (OCR) offers guidance as to the permissibility of sending PHI via email in this “Frequently Asked Question” answer, but doesn’t provide specifics as to how PHI can be safely emailed.  Whether you are a covered entity or a business associate (or the CIO or Privacy Officer for a covered entity or business associate), an attorney trying to navigate privacy and security compliance under HIPAA and other laws, or an individual whose PHI is at stake, you may wonder what tools and resources are available to protect PHI transmitted via email.

The National Institute of Standards and Technology (NIST) has provided many such tools and resources, including its 2007 “Guidelines on Electronic Mail Security”.  Now, though, NIST is accepting comments through November 30, 2015 on its most recent proposed set of email security guidelines, “Special Publication 800-177, Trustworthy Email”.  Though this Trustworthy Email draft (available with other NIST computer security and privacy publications here) comes with a disclaimer that it is “written for the enterprise email administrator, information security specialists and network managers”, it’s worth review (even by the less tech-savvy among us) because it breaks down and describes each component of email functionality and the protocols and technology currently available to improve privacy and security.

Emailing PHI has become extremely common, but before deciding to send or receive PHI via email, it’s a good idea to make sure the Trustworthy Email protocols and technologies have been considered.   And if you have suggestions or comments as to how these protocols and technologies specifically relate to or can be improved in the context of emails containing PHI, here’s your chance to speak up!  Finally, remember that whatever comes out as the final set of NIST guidelines can become obsolete quickly in this rapidly developing and expanding e-world.

I must thank Justice Scalia for injecting this delightfully descriptive term into the realm of health care.  Justice Scalia’s scathing dissent from the majority in the recent Supreme Court decision interpreting the Patient Protection and Affordable Care Act is rife with memorable expressions, but this is my favorite.

The Merriam Webster definition of jiggery-pokery is:

dishonest or suspicious activity:  underhanded manipulation or dealings; trickery.”

It’s not a term I’ve ever used before, but this old-fashioned, Dickensian-sounding term somehow practically begs for use in the context of a very modern and increasingly common context:  the HIPAA hacking incident.  A recent article in Becker’s Hospital Review lists the “50 biggest data breaches in healthcare” and the most common breach causes are far-and-away hacking and theft.   Notably, hacking incidents result in the highest number of affected individuals.  Here is the break-down:

*          18 hacking incidents (approximately 94 million affected individuals)

*          18 thefts (approximately 14 million affected individuals)

*          9 unauthorized accesses

*          3 missing equipment (1 storage disk, 1 hard drives, and 1 computer server)

*          1 improper disposal

*          1 “other”

In short, it seems that jiggery-pokery is involved far more often than mere carelessness when it comes to HIPAA breaches.  Covered entities and business associates should be alert to dishonest or suspicious activity generally, including from within, but should be especially alert when that activity involves the systems or equipment on which protected health information is created, received, maintained, or transmitted.