Archives: Privacy & Security

Co-authored by Elizabeth G. Litten and Michael J. Kline

HIPAA turns 20 today.   A lot has changed in the two decades since its enactment.  When HIPAA was signed into law by President Bill Clinton on August 21, 1996, DVDs had just come out in Japan, most people used personal computers solely for word processing, the internet domain myspace.com had just come online, Apple stock was at a ten-year low, and Microsoft Windows CE 1.0 would soon be released (in November of 1996 as a portable operating system solution).  In December of 1996, Microsoft’s Office 97 was published in CD ROM and also available on a set of 45 3 ½ inch floppy disks.  The internet did not exist in many countries, and The New York Times took the bold step of starting its own website.  Google was also born in 1996, but few people had heard of it outside of Stanford University. Pokémon hit the market for the first time, but it wasn’t a game played on cell phones.  Even texting was a rarity:

“Most early GSM mobile phone handsets did not support the ability to send SMS text messages, and Nokia was the only handset manufacturer whose total GSM phone line in 1993 supported user-sending of SMS text messages. According to Matti Makkonen, the inventor of SMS text messages, Nokia 2010, which was released in January 1994, was the first mobile phone to support composing SMSes easily … Initial growth was slow, with customers in 1995 sending on average only 0.4 messages per GSM customer per month.” [https://en.wikipedia.org/wiki/Short_Message_Service]

According to Wikipedia, the first secure data kidnapping attack was invented by experts at Columbia University and was presented at an IEEE Privacy and Security conference in 1996.   Fast forward 20 years to the first six months of 2016, and ransomware attacks of hospitals made headlines after a hospital in Hollywood, California paid $17,000 in ransom (reportedly in bitcoins, another digital invention never considered in 1996).

The Department of Health and Human Services (HHS) released a “FACT SHEET: Ransomware and HIPAA” in July of 2016, reporting a 300% increase in ransomware attacks reported in the first 6 months of 2016 as compared with those reported in all of 2015.  It’s hard to imagine that, back in 1996 (or even in 2000 or 2003, when the Privacy Rule and Security Rule, respectively, were first promulgated) HIPAA compliance would require staving off and responding to cybersecurity attacks involving data “kidnapping”.

Over the years, this blog site has addressed many issues that were not a gleam in the eyes of the federal and state governments, healthcare organizations, insurers, patients and many other stakeholders in 1996.  Ten of these issues featured in the last two years on this blog and their links and posting dates are noted below.

  • Is Your Facility a PokéStop? (A what?) – July 20, 2016
  • HIPAA audits – April 10, 2016
  • Health Information Mobile Apps – March 31, 2016
  • The Federal Trade Commission becomes one of several competing new sheriffs in town for regulating healthcare privacy and security – January 11, 2016
  • Stolen laptops as constant sources of HIPAA privacy breaches – September 3, 2015
  • Dumpster diving as a common source of HIPAA breaches respecting paper records – July 31,  2015
  • Federal and state governments become victims of HIPAA breaches even with high levels of security – June 26, 2015
  • Countless cases of alleged theft and other crimes involving PHI or other HIPAA breaches by employees, including physicians – March 24, 2015
  • Numerous lawsuits by State Attorneys General to enforce HIPAA and state health information privacy laws – December 17, 2014
  • The “Wall of Shame” features many highly respected and well-known hospitals, universities, insurers, Fortune 500 companies and numerous other lesser-known victims – July 30, 2014

It can be expected that many more unanticipated and challenging issues will confront HIPAA in the future as the dizzying advance of technology surges onward, matched only by the boundless ingenuity of hackers and others seeking to profit from illegal activities relating to PHI.

The aftermath of the Orlando nightclub tragedy has led to much discussion about ways that healthcare providers can and should deal with compliance with health information privacy requirements in the face of disasters that injure or sicken many individuals in a limited time frame. One aspect is the pressure to treat patients while simultaneously fulfilling the need to supply current and relevant information to family, friends and the media about patient status without breaching HIPAA by improperly disclosing protected health information (PHI).

Our partner Elizabeth Litten has already posted a prior blog entry on some HIPAA issues that surfaced in the Orlando disaster. She and I were recently featured again by our good friend Marla Durben Hirsch in her article in the August, 2016 issue of Medical Practice Compliance Alert entitled “After Orlando: Keep family, friends informed without violating HIPAA.” Full text can be found in the August, 2016 issue, but a synopsis is below.

Some of the tips provided by Litten and Kline in the article include the following:

  1. Kline: Review and update your practice’s disaster/emergency plan. “[Orlando] was such a disaster, and [there was an appearance created that] the hospital didn’t approach it with calmness and a professional approach.”
  2. Litten: One of the easily forgotten parts of HIPAA is that a covered entity can exercise professional discretion. “It’s best if the patient can agree [to the disclosure]. But if the patient can’t give consent, the provider has ways to provide information and exercise that discretion.” Kline added, “So there’s no need for a HIPAA waiver; the rule anticipates such situa­tions.”
  3. Litten: Make sure that the practice’s desig­nated spokesperson is knowledgeable about HIPAA. “This includes what can and can’t be divulged to friends, family members and the media.
  4. Litten: Educate clinicians on professional discretion. “Remember when disclosing information to view it through the eyes of the patient. If you reasonably believe that a patient would want the information communicated, it’s OK. The professional is acting as proxy for a patient who can’t speak.” 
  5. Kline: Share contact information so staff can quickly get guidance from the practice’s compliance officer, especially during emer­gency situations. “For instance, a clinician being bombarded in the emergency department may have a question regarding whether she can tell a patient’s relative that the patient has been treated and released (she can).”
  6. Kline: Add this information to your practice’s HIPAA compliance program. “If you have policies and procedures on this, docu­ment that training occurred, and [if it] can show you attempted to comply with HIPAA, a court would be very hard pressed to find liability if a patient later claims invasion of privacy.” 
  7. Kline: Don’t discriminate. “So clinicians exercis­ing their professional discretion in informing friends and family members need to be gender neutral and objective.”
  8. Kline and Litten: Train administrative staff about HIPAA. “Not only should medical staff know the rules, but so should other staff members such as front desk staff, managers and billing personnel. It’s pretty bad when the head of a hospital is so uninformed about HIPAA that he provides misinformation to the mayor.”
  9. Kline and LittenHighlight the limitations of the disclosure. “You can’t go overboard and reveal more than is allowed. For instance, a provider can tell a friend or family member about an incapacitated patient’s location, general condition or death. But that doesn’t mean that he can divulge that the lab tests indicate the patient has hepatitis. HIPAA also requires that a disclosure be made only of information that’s ‘minimally necessary.'”

Planning ahead by healthcare providers can help them comply with HIPAA if a disaster situation occurs to keep family and friends informed as to patient status, while contemporaneously carrying out their most important tasks: saving lives, alleviating pain and providing quality care to victims. This approach, however, combined with a good helping of common sense and professionalism, is not confined to disasters – it should be the practice of providers for non-emergent situations as well.

 

Are strangers wandering around your health care facility with their noses buried in their smartphones? And if so, what should you do about it? They’re playing Pokémon GO, a location-based augmented reality mobile game that was released for iOS and Android devices on July 6, 2016. Its popularity exceeded all expectations (my kids are probably playing it right now).

The game’s objective requires players to search in real-world locations for icons that appear on a GPS-like virtual map. The icons may represent PokéStops where players may find and capture Pokémon (“pocket monster” characters) that appear on the player’s phone superimposed over images of the real-world location when in augmented reality (AR) mode, and “Gyms” where they can virtually battle other players. Niantic, Inc., a Google spinoff, developed the game and based its PokéStops and Gyms on user-contributed locations (“portals”) from its previous augmented reality game, Ingress. These sites include businesses, parks, public buildings, museums, churches, private homes, and yes, even hospitals.

When players encounter Pokémon, they can take screen shots using their phone’s camera, which in AR mode will also capture whatever is in the background at the time. Naturally, this is giving hospitals and other healthcare facilities some concerns about safety, privacy, and maintaining a peaceful healing environment.  Indeed, in extreme cases of “invasion by Pokémon GO players,” the law of tort or criminal trespass could possibly be invoked by a health care facility in many jurisdictions. Simply stated, the action of trespass can be maintained against anyone who interferes with the right of ownership or possession of land, whether the invasion is by a person or by something that a person has set in motion. However, such an action would undoubtedly create a media sensation and must be carefully considered before undertaking it

The game has already made headlines for contributing to incidents where deeply-absorbed players have been injured by following their phones into the path of danger. The Advisory Board reports that the game has directed players near a hospital’s helipad Amid ‘Pokémon Go’ craze, hospitals say game players could jeopardize patient safety. Healthcare Business and Technology reports “The sheer amount of unauthorized visitors has raised safety concerns about everything from security issues to increased germ exposure that heightens patients’ risk of infections.” Pokemon Go causes problems for hospitals: How to respond.

Ban it? Embrace it?

Accordingly, some hospitals have asked players to avoid their campuses or banned the game outright. Others have forbidden their staffs from playing the game while on site, according to Healthcare IT News. The game appeals to a surprisingly wide age group since many adults have fond memories of playing the original Nintendo game in the mid-1990’s.

For HIPAA purposes, the use of smartphone cameras in the game can be problematic. At a recent meeting of the Healthcare Council of Western Pennsylvania, compliance officers reported that they had discovered PokéStops in their facility near patient care areas where records were potentially visible. Hospitals certainly do not want to encourage or permit individuals to wander their halls who are not there to obtain care or visit patients they know.

Many hospitals have policies on use of cameras or camera phones on campus, and those policies should be reviewed and recirculated to staff as well as communicated to patients and visitors in light of the popularity of the game.

Some children’s hospitals, however, are big fans of the game and its ability to motivate hospitalized kids to be more physically active and socially interactive. USA Today reports:

In the past, young patients at C.S. Mott Children’s Hospital in Ann Arbor, Mich., shuffled down the hallways without speaking to each other, but now it’s not uncommon to see them stop and talk near a Pokémon Go hotspot.

Advocate Children’s hospital in Oak Lawn/Park Ridge, IL tweeted a photo of a young patient playing the game with the caption “Luke’s mom says @Pokemon Go has been a lifesaver to get him out of his hospital room and moving around!” We hope they had Luke’s mom’s permission for the tweet. Toronto’s Sunnybrook Hospital tweeted : “We love that #PokemonGO encourages exercise! Remember: stay alert & safe. Can’t catch ’em all from a hospital bed.” Of course HIPAA is not an issue in Canada, but there is Ontario’s Personal Health Information Protection Act (PHIPA). And a meme is circulating featuring an anime-style nurse which reads “

Hey Pokémon Go players. Have extra lures? Then drive to your nearest Children’s Hospital and drop the lure there. There are plenty of kids who would love to go out and collect Pokémon, but they are stuck in bed, so this will help them.”

(Lures are markers players can collect and distribute within the game that help attract Pokémon).

Wipe yourself off the map?

Hospitals are not the only unwilling hosts of PokéStops and Gyms. The Holocaust Museum and Arlington National Cemetery are among locations that are included in the game’s map. As a result of objections, Niantic has set up a link to a form on its web site through which you can request removal of a PokéStop or Gym. It is not clear how long it will take for the company to remove an unwelcome site.

It’s common these days for technology to outpace policy, but it’s a good idea to understand this sudden craze and decide how to approach it in your organization.

The private sector is still not prepared – and generally lacks the knowledge – to respond effectively to a major cyber breach, according to 80 percent of respondents in a survey released by Fox Rothschild LLP.

“There is an alarming lack of awareness at the senior level when it comes to data governance practices in the private sector” said Fox partner Scott Vernick, who chairs the firm’s data security and privacy practice.

In its survey of cybersecurity professionals and risk experts across insurance, legal and other industries, Fox found that despite companies’ pouring real money and resources into data security:

  • 65 percent said the private sector is only “somewhat prepared” to respond to a data breach;
  • 15 percent stated it is “not prepared” at all; and
  • Only 20 percent said the private sector is “very prepared.”

The survey’s 75 respondents also expressed significant concern about senior management’s understanding of how data is, and can be, vulnerable. In fact, more than 85 percent said senior business leaders could “not accurately” or only “somewhat accurately” identify and address their companies’ data collection and storage practices.

“Companies in all sectors need to understand what types of data they collect, who has access to it and how it is stored well before a breach takes place,” Vernick added. “If they don’t follow best practices, it will cripple their ability to respond effectively and lead to costly litigation.”

In the debate over encryption and “access to data,” 84 percent of the Fox survey respondents favored the private sector’s right to guard customer data against government access in the event data was encrypted and otherwise not accessible. Nearly 75 percent also believe the private sector should be permitted to tell customers when the government subpoenas their data.

Survey respondents cited the following areas as requiring the most improvement by the private sector when it relates to cybersecurity strategy:

  • Employee training (29 percent);
  • Vendor management (24 percent);
  • Security and protection of systems, networks, firewalls and applications (19 percent);
  • Funding and resources (19 percent);
  • Encryption of data (5 percent); and
  • BYOD security (4 percent).

Our partner Elizabeth Litten and I were featured again by our good friend Marla Durben Hirsch in her article in the April 2016 issue of Medical Practice Compliance Alert entitled “5 safeguards to take with patient-employee health records.” Full text can be found in the April, 2016 issue, but a synopsis is below.

For her article, Marla asked us to comment about physician medical practices that provide medical treatment to their own employees and other staff or affiliates (collectively, “Patient-Employees”). She observed that “These medical records [of Patient-Employees] are not fair game for colleagues to view unless there’s a job-related reason for them to do so.”

Marla quoted Kline as saying that “It’s human nature to talk about others [that you know]. You also have rogue employees who are ‘frenemies’ [Or simply curious about a co-worker’s treatment].” Nonetheless, as Marla observed, events of improper access are not just potential HIPAA violations; they can also have a negative impact on the workplace.

Our five tips for reducing the risks of improper breaches of Patient-Employees’ health information that were developed with Marla follow:

Litten: Include employee privacy in your HIPAA education. “This is a topic for specific training.” For example, make sure that everyone in the office knows the practice’s HIPAA policies and procedures, and that all patients, even those who are employees are entitled to their privacy rights. Emphasize the fact that employees should only review records when it is necessary to do their job.

Kline: Limit access to the records. “For instance, not all employees need unfettered access to electronic medical records, so different staff members can have different levels of access.    Human resources shouldn’t be able to find out that an employee came in for [medical] help.”

Litten and Kline: Take consistent disciplinary action when warranted. An employee may need to be retrained, disciplined or even fired, and treat all workforce members the same, whether licensed professionals or other staff.

Litten: Require staff to report these kinds of breaches. “At the least the practice can argue that the employee had an obligation to report, and by not doing so the fault lay with the employee, not the employer.”

Litten and Kline: Don’t let Patient-Employees take shortcuts to access their records. All patients are entitled to access their records; Patient-Employees should be required to go through the same procedures to access their records as any non-Patient-Employee.

In this ever more-challenging environment of compliance with the privacy and security requirements of HIPAA (and other applicable federal and state laws), a health care provider should limit the risks appurtenant to providing treatment to its own employees as patients, especially since it may be an economical and efficient alternative. There are enough external risks lurking about. Through establishing discrete policies and procedures, a provider can do much to control its internal risks involving Patient-Employees.

Jessica Forbes Olson and T.J. Lang write:

In Part 1, we noted that on March 21, 2016, the Office of Civil Rights (“OCR”) announced it will launch a second round of HIPAA audits this year. As with the first round of audits, in round two OCR will be reviewing compliance with HIPAA Privacy, Security and Breach Notification rules. New for this round, the 2016 audits will focus on covered entities, including health care providers and health insurers, and their business associates.

A HIPAA compliance checklist for health care providers and insurers follows:

  • Determine whether for HIPAA purposes you are a hybrid entity, an affiliated covered entity or part of an organized health care arrangement. Document that status.
  • Appoint a HIPAA privacy official.
  • Appoint a HIPAA security official.
  • Appoint a HIPAA privacy contact person who will handle complaints and respond to the exercise of patient or participant rights.
  • Determine where PHI is located, whether hard copy, electronic, or spoken.
  • Determine the reasons why PHI is used or disclosed (e.g., treatment, payment, health care operations, public health reasons, public policy reasons, to government agencies or officials).
  • Determine which departments and workforce members have access to PHI, why they have such access and the level of access needed.
  • Identify and document the routine requests, uses and disclosures of PHI and the minimum necessary for those requests, uses and disclosures.
  • Identify all business associates: vendors that create, maintain, use or disclose PHI when performing services for your entity.
  • Have executed business associate agreements with all business associates.
  • Have and follow written HIPAA privacy, security and breach notification policies and procedures.
  • Train all workforce members who have access to PHI on the policies and procedures and document the training.
  • Have and use a HIPAA-compliant authorization form.
  • Have and follow process for verifying the status of personal representatives.
  • Distribute a notice of privacy practices and providers must attempt to obtain acknowledgment of receipt of notice from patients and post one in each facility where patients can view it.
  • Establish and document reasonable administrative, technical and physical safeguards for all PHI, including hard copy and spoken PHI.
  • Conduct and document a HIPAA security risk analysis for all electronic PHI (e.g., PHI on desktops, laptops, mobile phones, iPads and other electronic notebooks, copy machines, printers, discs and thumb drives).
  • Address risks to ePHI that are identified in the HIPAA security risk analysis.
  • Update your HIPAA security risk analysis periodically or when there is a material change in your environment that does or could impact PHI or if there are changes in the law impacting PHI.
  • Encrypt PHI to fall within the breach safe harbor.
  • Have written disaster recovery and contingency plans.
  • Prepare for and respond to security incidents and breaches.
  • Comply with HIPAA standard transactions and code set rules related to electronic billing and payment.
  • Although it will not be covered by the audits, comply with more stringent state privacy and security laws (e.g., document retention; patient consent; breach reporting).
  • Maintain HIPAA compliance documentation in written or electronic form for at least 6 years from the date the document was created or last in effect.

For more information about OCR audits or assistance in conducting a HIPAA compliance review, please contact any member of the Fox Rothschild Health Law practice group.


Jessica Forbes Olson is a partner and TJ Lang is an associate, both resident in the firm’s Minneapolis office.

Jessica Forbes Olson and T.J. Lang write:

HIPAA and Health Records
Copyright: zimmytws / 123RF Stock Photo

On March 21, 2016, the Office of Civil Rights (“OCR”) announced it will launch a second round of HIPAA audits during 2016. As with the first round of audits, in round two OCR will be reviewing compliance with HIPAA Privacy, Security and Breach Notification rules. New for this round, the 2016 audits will focus on covered entities, including health care providers and health insurers, and their business associates.

The round two audits will occur in three phases: desk audits of covered entities, desk audits of business associates, and finally, follow-up onsite reviews. It is reported OCR will conduct about 200 total audits; the majority of which will be desk audits.

OCR has already begun the process of identifying the audit pool by contacting covered entities and business associates via email.  Health care providers,   insurers and their business associates should be on the lookout for automated emails from OCR which are being sent to confirm contact information. A response to the OCR email is required within 14 days. OCR instructed covered entities and business associates to check their spam or junk email folders to verify that emails from OCR are not erroneously identified as spam.

After the initial email, OCR will send a pre-audit questionnaire to entities it may choose to audit. Receiving a pre-audit questionnaire does not guarantee your entity will be audited. The purpose of the questionnaire is to gather information about entities and their operations, e.g., number of employees, level of revenue, etc. The questionnaire will also require covered entities to identify all of their business associates. Health care providers and insurers who have not inventoried business associates should do so now.

Entities who fail to respond to the initial OCR email or questionnaire will still be eligible for audit. OCR will use publicly available information for unresponsive entities to create its audit pool.

OCR will then, in the “coming months,” randomly select entities to audit and notify them via email that they have been selected for audit.

Health care providers, health insurers and business associates should check their HIPAA compliance status before they are contacted by OCR. Once selected for an audit, entities will only have 10 business days to provide the requested information to OCR.

Recent OCR enforcement activity has shown that noncompliance with HIPAA can be costly:

  • A Minnesota-based hospital entered into a $1.55 million settlement for failure to implement one business associate agreement and failure to conduct a HIPAA security risk analysis;
  • A teaching hospital of a university in Washington entered into a $750,000 settlement for failure to conduct an enterprise-wide HIPAA security risk analysis;
  • An insurance holding company based in Puerto Rico entered into a $3.5 million settlement for failure to implement a business associate agreement, conduct a HIPAA security risk analysis, implement security safeguards and for an improper disclosure of protected health information (“PHI”);
  • A radiation oncology physician practice in Indiana entered into a $750,000 settlement for failure to conduct a HIPAA security risk analysis and implement security policies and procedures.

If you receive any communications from OCR, please contact a member of the Fox Rothschild Health Law practice group immediately. A proactive review of your HIPAA compliance status can identify potential gaps and minimize the risk of potential penalties.

In Part 2, we’ll provide a HIPAA compliance checklist for healthcare providers and insurers. Stay tuned!


Jessica Forbes Olson is a partner and TJ Lang is an associate, both resident in the firm’s Minneapolis office.

The following post was contributed by our colleague Lucy Li.

HIPAA itself does not provide a private right of action. So when a hacker or rogue employee impermissibly accesses or interferes with electronic data or data systems containing protected health information, an employer subject to HIPAA cannot sue the perpetrator under HIPAA.  Similarly, when a ransomware attack blocks access to protected health information, employers also cannot sue under HIPAA.  HIPAA violations and ransomware attacks and can be costly to deal with.  Just ask Hollywood Presbyterian Medical Center. But employers have one potential remedy: suing the perpetrator of the access, interference, or misuse for violating the Computer Fraud and Abuse Act (“CFAA”).

The CFAA is a federal law that prohibits fraudulent access to protected computer information. The law prevents unauthorized access or access that exceeds the user’s authority to a protected computer to obtain private information, such as patient data or trade secrets.  The law also prohibits the use of ransomware to extort money or anything of value. If these cyber-attacks occur, the CFAA allows the employer to file a civil lawsuit against the hacker or the rogue employee to recover damages for economic harm.

Best Practices and CFAA Tips

  1. Prevention is best. Encrypt your data and use sophisticated firewalls and security patches to prevent hackers from accessing protected information. Litigation is a tool to recover for economic harm, but it is costly.
  2. Limit electronic access. Give employees or contractors just enough access to perform their job duties. Nothing more.
  3. Disable log-in rights of an ex-employee or contractor as soon as the employment or contractual relationship ends.
  4. State law. The applicability of the CFAA varies by state. Individual states may also have their own causes of action under state computer fraud laws or trade secret appropriation for stealing patient lists.  These laws may be additional tools to help you recover from a HIPAA violation or a ransomware attack.

This week’s headlines read: “Scalia’s death probably linked to obesity, diabetes and coronary artery disease, physician says” and “Scalia suffered from many health problems”.   An article from a couple of weeks ago, immediately following reports of Justice Scalia’s February 13th death, reported that Scalia’s doctor said he had chronic cardiovascular disease.

These articles do not say whether the physician(s) who released Scalia’s health information did so in compliance with HIPAA, or whether any subsequent release of this information was HIPAA-compliant. The HIPAA regulations make it clear that the death of an individual does not mean the death of that individual’s right to have his or her individually identifiable health information protected under HIPAA (at least, not until the individual has been deceased for more than 50 years).

Justice Scalia’s status as a public figure, and the public’s general interest in the news of his death, also does not affect his HIPAA rights. As noted in Bill Maruca’s post about New York Giants’ defensive end Jason Pierre-Paul’s injuries last summer, there is no “public figure exception” to HIPAA.  Bill also accurately noted, in his blog about the Ebola cases treated in Texas in 2014, that there is no HIPAA exception for “newsworthy or unusually terrifying medical conditions.”

HIPAA permits a covered entity to disclose protected health information (PHI) to a coroner or medical examiner for the purpose of identifying a cause of death, but does not authorize  the coroner or medical examiner to further disclose the PHI. Because HIPAA also permits an executor, administrator, or other person who has authority to act on behalf of a deceased individual to act as the deceased person’s personal representative, such an authorized person might have provided a HIPAA-compliant authorization to Scalia’s health care providers to disclose Scalia’s PHI to third parties.  In addition, there are other ways in which PHI of someone who has died might be disclosed in compliance with HIPAA, but none of the articles I read provide the detail needed to see whether these circumstances existed.

The articles do, however, make it clear that the late Justice suffered an array of health issues that were not publicized prior to his death.

What would Justice Scalia have said, if, in fact, his PHI was disclosed improperly? His decisions involving the Fourth Amendment may provide some clues, but they are not precisely on point, and we cannot ask the Justice.  We can simply remind covered entities that HIPAA protections have an after-life —  and deserve (in fact, require) post-mortem respect.

 

Whether it was an apple or a quince, pomegranate, or some other more botanically-likely fruit growing in the Garden of Eden, God’s command in Genesis was clear: do not eat the fruit from the tree of the knowledge of good and evil.  When Adam and Eve ate the apple (or other fruit) anyway, they gained knowledge of evil (they already knew good).

Apple
Copyright: Spanishalex / 123RF Stock Photo

Many thousands of years later, the battle between Apple and the FBI over device encryption oddly echoes themes from this ancient biblical story.   Is the knowledge of evil potentially gained by unlocking an evildoer’s iPhone worth breaking society’s trust in the security of encryption?

Our law partner Amy Purcell recently posted the following on the Fox Rothschild “Privacy Compliance & Data Security” blog:

Fox Partner and Chair of the Privacy and Data Security Practice Scott L. Vernick was a guest on Fox Business’ “The O’Reilly Factor” and “After the Bell” on February 17, 2016, to discuss the controversy between Apple and the FBI over device encryption.

A federal court recently ordered Apple to write new software to unlock the iPhone used by one of the shooters in the San Bernardino attacks in December. Apple CEO Tim Cook has vowed to fight the court order.

The Federal Government vs. Apple (The O’Reilly Factor, 02/17/16)

Apple’s Privacy Battle With the Federal Government (After the Bell, 02/17/16)

I agree with Scott.

In January, I wrote here about the FTC’s announcement of a settlement with Henry Schein Practice Solutions, Inc. for falsely advertising that the software it marketed to dental practices provided the encryption necessary to protect patient data from breach. In reality, the software did not encrypt the data, but merely “camouflaged” or masked it from access by third parties.  The FTC’s action and settlement seemed to reflect the fact that encryption is viewed as the “gold standard” for protecting protected health information and other sensitive personal information, and advertising that a software product provides encryption when it really doesn’t is a problem.

If Apple is forced to create software that will break “gold standard” encryption so the FBI can gain knowledge of the evil that may lurk within a particular iPhone, this “gold standard” will be immediately devalued. In the HIPAA context, we will need another technology to render PHI “unusable, unreadable, or indecipherable to unauthorized persons” because, in essence, the biblical apple will have been bitten.