Fellow Fox Rothschild LLP Partner (and former hospital system General Counsel) Salvatore J.  Russo generously contributed this post.

Some twenty-three years ago, the first well-publicized incident of the re-identification of de-identified personal health data was brought to the attention of the American public. It involved the then governor of Massachusetts, William Weld.   Dr. Latanya Sweeney a graduate student from MIT successfully combined de-identified data with the publicly available Cambridge voter registration list, and successfully translated de-identifiable data into identifiable data using privacy technology, and identified the Governor’s health records, including diagnosis and prescriptions.

In 2008, after Netflix publicly released movie rating records, two researchers from the University of Texas, Arvind Narayanan and Vitaly Shmatikov, matched the released data with the Internet Movie Database and successfully re-identified the users. In 2018, using publicly available Amazon review data, a group from MIT re-identified persons from the Netflix dataset.

Finally, it was reported in the December 2018 issue of the Journal of the American Medical Association that researchers from the United States and China collaborated on a project to re-identify individuals from a national de-identified physical activity data set.  Using an algorithm employed in machine learning to pair daily patterns in physical activity data with corresponding demographic data, they were fairly successful in de-anonymizing the information.

HIPAA seeks, among other things, to protect the privacy of health information by de-identification. The HIPAA gold standard for de-identification for protected health information is achieved by one of two means.   De-identification can result from the stripping of the 18 types of identifiers from protected health information.   Alternatively, it can be accomplished by expert determination that there is a very small risk of identification. This approach must be reconsidered. Moreover, HIPAA only governs “covered entities,” and not the vast array of business enterprises that possess private health information.

It is the development of big data and advances in artificial intelligence that are truly the game changers in discussion of de-identification and privacy.  These two forces create a major concern for safeguarding private health information where sophisticated companies with large repositories of big data combine with health care systems with the goal of improving medical care.

The dilemma that the regulators must confront going forward, particularly in the context of personal health data, is how to strike a balance between providing adequate privacy protections without imposing unnecessary barriers to the medical advancements that result from the workings of AI and big data?

Society must engage in a policy cost-benefit-risk type analysis to inform our conversation.  Risk tolerance is the pivotal judgment that needs to be undertaken to assess what cost does society wish to pay to protect privacy.

In view of the rapid advances in AI, and the continuing amassing of personal health data, absolute personal health privacy protection may be elusive while we seek the medical benefits obtained from the intersection of AI with big data.  Maybe certainty and absolute guarantees should not be the goal.  However, we must strive for a standard that we can live with that reasonably protects our personal health information from unconsented disclosure.




If you are a covered entity who experienced a breach of unsecured protected health information affecting fewer than 500 individuals , you must notify the Office of Human Rights of the Department of Health and Human Services of the breach within 60 days of the end of the calendar year in which the breach was discovered.  For breaches that occurred in calendar year 2019, that deadline is February 29, 2020.

To report a breach, go to the Breach Portal: Notice to the Secretary of HHS Breach of Unsecured Protected Health Information, which is at https://ocrportal.hhs.gov/ocr/breach/breach_form.jsf.   That link will take you to a step-by-step process which walks you through how to submit the required disclosures.  Since you cannot move past a screen on this site without entering data, you may want to download and print this OCR document which lists all the information you will need for your report: https://ocrportal.hhs.gov/ocr/breach/doc/Breach%20Portal%20Questions%20508.pdf.

Note that you must submit the notice electronically via the OCR portal.

Also note that a covered entity is not required to wait until the end of the calendar year to report breaches affecting fewer than 500 individuals.  A covered entity may report such breaches at the time they are discovered.

You may report all of your breaches affecting fewer than 500 individuals on one date, but you must complete a separate notice for each breach incident.

If you are a business associate who is required to report breaches on behalf of a covered entity under the terms of the applicable business associate agreement, you may also use this portal.



The answer to this question has changed yet again. I’ve blogged on this topic several times in the past (see here, here and here), and described the question as a wriggling worm. Plaintiff Ciox Health, LLC has finally managed to catch that worm and share its bounty among those looking to charge third-party requestors more than the limited “reasonable, cost-based fee” that may be charged to individuals.

On January 23, 2020, a federal court found in favor of plaintiff Ciox, a specialized medical records processing vendor, on its challenge to 2016 Guidance issued by the U.S. Department of Health and Human Services. The 2016 Guidance provided, among other things, that when either an individual request copies of his or her medical records or a third party requests copies on behalf of the individual, the amount that can be charged is limited to a “reasonable, cost-based” fee. According to Ciox’s President of Life Sciences (and as noted in the court’s decision), the effect of the 2016 Guidance was to cause law firms and other third parties to use the individual access request, with its “reasonable, cost-based fee” limitation, as the means to request patient records, rather than having individuals sign HIPAA authorizations which implicate only state law fee caps (if any). The frequency of records requests made by third parties on behalf of individuals (“third-party directives”) increased by nearly 700 percent following the issuance of the 2016 Guidance.

HHS published an “Important Notice Regarding Individuals’ Right of Access to Health Records” on January 28, 2020, noting the Ciox decision and the fact that the “reasonable, cost-based fee” limitation no longer applies to third party directives. In addition, the records are not required to be produced in electronic format in response to a third-party directive.

What does this mean for covered entities and business associates trying to figure out how to respond to a HIPAA authorization, an individual access request, or a third-party directive?

Consider who is making the records request and where the records are to be sent. If the individual who is the subject of the records wants copies transmitted electronically to the individual, treat the request as an access request. If a third party seeks the records, it is likely sufficient to provide the third party with HIPAA authorization form and treat the request as a third-party directive. However, if the individual initiates the request and wants the records sent to a third party, it may be prudent to treat the request as an access request, limiting fees and endeavoring to comply with requests to transmit records in electronic format.  Don’t dangle the Ciox worm in front of individuals seeking their own medical records.

As she has done for a number of years now, our good friend Marla Durben Hirsch highlighted Fox Rothschild (Fox) lawyers in her annual predictions articles in the January 2020 issue of Medical Practice Compliance Alert (MPCA).  In her first article entitled “Technology will propel compliance trends in 2020”, Marla included the following quotes for Fox attorneys on a number of prediction items:

In making a prediction “Ransomware will not abate”, Fox partner William Maruca stated, “Cybersecurity attacks will ramp up as hackers get even more sophisticated.” Fox partner Elizabeth Litten added, “Practices that entrust all of their data to one cloud vendor are particularly vulnerable.  The HHS Office for Civil Rights (OCR) issued yet another notice about ransomware in December 2019, which indicates that this will be high on its radar in 2020.”

In making another prediction “Ownership transfers will subject practices to scrutiny”, Maruca observed, “Private equity investments will restructure practices and create new compensation arrangements, which may lead to compliance scrutiny.” Michael Kline, another Fox partner added, “Physician retirement, mergers and closures of practices may raise issues related to ownership, responsibility for medical records and more.”

In making another prediction “The focus on interoperability of patient records will increase”,  Litten warned, “Physicians will face more pressure to transmit and receive electronic patient information seamlessly and to provide patients with easier access to their records. . . . Rules implementing the 21st Century Cures Act will impose additional requirements on data sharing and penalties for information blocking. The government wants to see interoperability.”



Marla also wrote a companion article in the January 2020 issue of MPCA entitled “MPCA‘s expert sources earn another perfect predictions score”, in which she reported on results of her  predictions article in the January 2019 issue of MPCA, which included Fox attorney predictions.

Litten’s 2019 prediction “States will step up privacy and security regulations,” has proven to be true, as California and other states are picking up the slack for inaction by Congress.   Litten warned, “It’s not enough to be HIPAA compliant. This will be an increasing headache.”  (This 2019 prediction continues to be true for 2020, as medical practices and other healthcare providers will likely find themselves confronted by multiple new, complex, confusing and often conflicting federal and state rules on privacy and security medical records.)

Kline’s 2019 prediction “Apps and other health data devices will bring more compliance issues” has proven to be true, according to Marla.  Kline was quoted, “There is increased concern regarding how health data is being used and whether it’s protected under any laws.”  (Indeed, even with the spate of new state regulations described in the immediately preceding paragraph, the pace of change and complexity respecting health data will continue to accelerate and challenge healthcare providers.)

We wish to thank Marla for the opportunity of participating in her predictions articles. It remains to be seen whether the predictions for 20/20 provide a “clear vision” of future directions in health information privacy and security.

On the sixth day of CCPA the California Senate Health Committee gave to me … a HIPAA carve-out.

AB 713, reported favorably by the California Senate Health Committee, would expand the exemption related to HIPAA and medical research.

Specific carve-outs:
  • De-identified PHI or medical information, provided that the business does not attempt nor actually re-identify the information
  • “Business associates”
  • Personal information collected for, or used in, biomedical research subject to institutional review board standards and the Common Rule.
  • Personal information collected for or used in research, subject to all applicable ethics and privacy laws, if the information is either individually identifiable health information or medical information.
Additional change:

Required disclosure, in the privacy notice, of whether information de-identified under HIPAA has been disclosed in the preceding 12 months and if so, whether it had been de-identified using the “expert method” or the “safe harbor method.”

For additional insights on the interplay between HIPAA and CCPA, check out previous posts on this blog looking at health organizations’ overall exposure to CCPA and the law’s interaction with HIPAA, as well as the California Attorney General’s comments that his office would focus early enforcement efforts on how large companies handle sensitive personal information such as PHI.

Details on the Senate Amendment are available on the California Legislative Information website.

More than eleven years have passed since the U.S. Department of Health and Human Services (HHS), the agency responsible for the privacy of protected health information under HIPAA, and the U.S. Department of Education (DOE), the agency responsible for the privacy of student records under FERPA, issued joint guidance on the interplay between HIPAA and FERPA.

New joint guidance issued earlier this month (the “2019 Update”) provides updates and helpful clarifications as to when and how HIPAA and FERPA apply. The following 6 topics caught my attention:

  1. Emergency Situations.  A new section on when disclosures may be made in emergency situations under HIPAA paraphrases a 2014 HHS Bulletin and FAQ issued, respectively, following the Ebola outbreak and questions about disclosure standards in the wake of the shooting at the Pulse Nightclub in Orlando (see here for my 2016 post on this topic). It also incorporates DOE guidance and regulatory preamble statements concerning disclosure of FERPA-protected information in the event of a health or safety emergency.
  2. School-Employed Health Care Providers. The 2019 Update also includes a clarified description of when a school that employs a health care provider and conducts covered transactions electronically is subject to the FERPA privacy standards instead of the HIPAA privacy standards. The prior guidance stated that even when a school is a covered entity under HIPAA, it might not have protected health information. The 2019 Update more helpfully states that compliance with “the HIPAA Rules” is not required where the school’s only health records are considered “education records” or “treatment records” under FERPA (note that the 2019 Update would be even more helpful if it added the word “Privacy” between “HIPAA” and “Rules”, since such the school would still be subject to the HIPAA “Transactions Rule” when submitting claims electronically).
  3. University-Affiliated Hospitals and Clinics. Records maintained by a hospital affiliated with a university that is subject to FERPA are generally subject to HIPAA because the hospital provides health services to individuals regardless of whether they are students of the university. On the other hand, if the hospital runs a separate student health clinic, those clinic records are subject to FERPA as either “education records” or “treatment records”.
  4. Disclosure for Treatment, Payment and “Legitimate Educational Interests” Purposes. Under FERPA, “treatment records” (see 34 C.F.R. 99.3) must be made, maintained, and used only in connection with treatment. They can be disclosed to treating health care professionals who are not part of or acting on behalf of the school, if used solely for treatment. However, if the records are used for billing, they are “education records” and, unless another FERPA exception applies, cannot be disclosed without the prior written consent of the parent or eligible student (meaning a student who reaches the age of 18 or attends a postsecondary institution). However, schools can share information, including health and medical information, from a student’s education record without prior written consent with teachers and other school officials if they have “legitimate educational interests” in the information pursuant to FERPA regulations and the school’s annual notification of FERPA rights. On the other hand, HIPAA allows protected health information to be disclosed to a health plan for payment purposes without the individual’s prior written consent, and for other purposes as permitted under the HIPAA regulations and in accordance with the covered entity’s notice of privacy practices.
  5. Disclosure to Parents. Under FERPA, a physician at a university-operated health clinic may disclose information form the education records of an eligible student without the student’s consent: (i) if the student is claimed as a dependent for federal tax purposes; (ii) in connection with a health or safety emergency if disclosure is needed to protect the student or other persons; or (iii) if the eligible student is under the age of 21 disclosing that the student has committed a disciplinary violation related to the use or possession of alcohol or a controlled substance. FERPA also allows an educational agency or institution to disclose education records of a deceased eligible student to the parent or other third party “at its discretion or consistent with State law.” The privacy rights of a non-eligible student rest with the parent(s), but once the “parents are deceased, the records are no longer protected by FERPA.” On the other hand, HIPAA generally allows covered entities to disclose protected health information about a minor child to the child’s parent or personal representative when consistent with State law. However, if the minor is permitted to receive treatment without a parent’s consent under State law, HIPAA only permits parental disclosure in limited situations, like when the minor presents serious danger to self or others. With respect to deceased students, HIPAA defers to applicable State law to determine who can make disclosure decisions following death.
  6. Disclosure to the National Instance Criminal Background Check System (NCIS).  While HIPAA generally does not permit a school-based health care provider to report a student to NCIS (see here for Fox partner Bill Maruca’s post on this topic), FERPA generally permits the records of a law enforcement unit of an educational agency or institution to be reported to NCIS without prior written consent.

These 6 topics and the related clarifications reveal two sobering realities. First, in this age of mass shootings and public health emergencies, there’s a risk that efforts to comply with privacy laws will get in the way of effective emergency response. Second, the inconsistencies and complexity of various U.S. privacy laws are likely to mean continued confusion, despite the best efforts of HHS, DOE, and other state and federal agencies to provide clarification.

It’s that time again for year-in-review articles. On December 16, 2019,  Modern Healthcare has published an infographic that compares HIPAA breaches which occurred in 2019 to aggregate breach statistics from 2010-2018.  The 2019 data was analyzed through the end of November. A few interesting trends appear.  Let’s go to the numbers:

Breaches by Location:

In 2019, 40% of breaches involved email, compared to only 13% during 2010-2018.  This may suggest an increase in phishing and more sophisticated “spear-phishing” techniques.  Privacy officers should alert their organizations to be more vigilant about clicking links and opening emails from unverified sources, even where the emails look deceptively legitimate.

Network server breaches were up slightly, from 16% to 22%

Laptop-related breaches are down sharply, from 12% to only 3%, and desktop computer breaches are down from 6% to 3%.  This could mean more covered entities and business associates are using appropriate encryption, or may also reflect migration of data to the cloud instead of storing it on laptops and desktop computers.

Electronic medical record breaches are steady, declining slightly from 4% to 3%.

Breaches by Type:

Hacking/IT Incidents represented 57% of breaches in 2019, up sharply from 22% for the prior 8 years.  Coupled with the email breach increase, this trend would suggest infiltration or malware-related breaches that are accomplished by inattention to best practices, both in terms of recognizing and resisting phishing attempts and in failing to maintain up-to-date security measures.

Unauthorized access/disclosure remains steady, representing 30% for 2019 versus 28% for the prior 8 years.

Theft is down significantly, from 33% to only 7%.  Once again, like bank robbers go where the money is, hackers go where the data is, and that is increasingly in the cloud.

Improper disposal is a minor factor, only 1% in 2019, down from 3%.

Breaches by Month:

The report also tracked the average number of individuals affected per breach by month reported.  A significant spike occurred in July, 2019, representing the second-highest reported number of individuals affected by healthcare breaches since 2010.  This anomaly was attributed largely to a massive data breach at billing collections vendor American Medical Collection Agency that affected nearly 20 million individuals.

The wrap-up:

Statistics can be misleading, but if these trends continue, expect more issues involving email scams, malware that can infect systems via email and similar approaches, and unauthorized access, all of which focus on what is often the weakest link in any system – between the chair and the keyboard.

As Fox partner Odia Kagan posted yesterday, early enforcement of CCPA will focus on data related to kids.   In addition, according to a recent article in the San Francisco Chronicle, the California Attorney General will focus on how large companies that deal with sensitive information, including health data, comply with CCPA.

A post this past summer warned that compliance with HIPAA or California’s Confidentiality of Medical Information Act (CMIA) does not give a free pass for HIPAA-regulated covered entities, business associates, or subcontractors or CMIA-regulated providers to ignore CCPA. CCPA does not apply to protected health information governed by HIPAA or to medical information governed by CMIA. CCPA also does not apply to a covered entity subject to HIPAA or a provider of health care subject to CMIA, but there’s a caveat: the covered entity or provider must maintain “patient information in the same manner as medical information [maintained under CMIA] or protected health information [maintained under HIPAA].”

This exclusion leaves HIPAA business associates and subcontractors that are otherwise in scope for CCPA out in the cold. It also forces covered entities and CMIA providers to make sure they maintain all personal information that might also be “patient information” in the same manner as they maintain protected health information and medical information.

For example, if a consumer (who also happens to be a patient or who later becomes a patient) checks out a health care facility’s website to see if a particular type of care is offered or to get directions to the facility, it is unlikely that the data collected as a result of the consumer’s use of the website is maintained “in the same manner” as protected health information. If the facility sells this data (say, perhaps, hits on a sleep center page to a mattress or sleep aid manufacturer) and the AG views the data as sensitive health data, the fact that the facility complies with HIPAA with respect to its maintenance of protected health information is likely not going to impress the AG.

Although the California AG will not commence enforcement activities until July 2020, entities subject to HIPAA or CMIA should take note of the AG’s comments and evaluate the need for CCPA compliance now.

Last week, the Office for Civil Rights (OCR) announced its second enforcement action and settlement with a provider  for failing to comply with HIPAA’s patient access requirements.  Korunda Medical, LLC, a primary care and pain management practice in Florida, agreed to pay $85,000 and comply with a Corrective Action Plan (CAP) as a result of a patient’s complaint that it refused to provide the records in the requested electronic format and charged more than the reasonable, cost-based fee prescribed under HIPAA.

Korunda also apparently made the fatal mistake of ignoring OCR’s technical assistance. As I noted in connection with the $3 million resolution amount paid by a New York hospital system, when OCR offers technical assistance, the covered entity (or business associate) should follow it.

Payment of $85,000 may pale in comparison with payment of $3 million, but given the relative ease of complying with HIPAA’s patient access requirements, and added to the time and expense of responding to OCR’s investigation and negotiating the settlement agreement, it’s not an insignificant amount. In addition, compliance with the CAP will require additional expenditures of time and resources by Korunda. The CAP requires Korunda to submit the following to the U.S. Department of Health and Human Services (HHS):

* revised policies and procedures related to patient access that identify how Korunda calculates a reasonable, cost-based fee;

* training materials related to individual access rights, and then provide training to all workforce members;

* lists of requests for access (including date the request is received, the date the request is completed, the format requested, the format provided, the number of pages (if paper), the cost charged, including postage, as well as all documentation related to denials of requests)

* notification of any failure by a member of its workforce to comply with its access policies and procedures

* annual reports regarding the implementation of the CAP requirements

OCR has been focused on HIPAA’s access rights for the last few years. See here and here for posts from 2016 on this topic, and here for OCR’s first Resolution Agreement involving an access rights violation (also triggering an $85,000 settlement amount and similar CAP). Responding in a timely manner to patient access requests, providing the information in the format requested, not overcharging, and jumping on any technical assistance OCR sends your way are easy ways to avoid being the third example of, as OCR Director Severino put it,“bureaucratic inertia.”

More and more often, health care data is stolen or made inaccessible by targeted ransomware attacks. The Office for Civil Rights (OCR) published a newsletter this week that provides warnings for HIPAA covered entities and business associates. It also provides practical tips to prevent and help you survive these attacks.

OCR’s warnings should resonate with covered entities and business associates alike:

  1. You are a ransomware target. 

    “Cybercriminals … found that customizing their attacks to specific, “quality” targets led to an increase in the amount of ransom payments.  Organizations commonly targeted by this type of attack have sensitive data, high data availability requirements, low tolerance for system downtime, and the resources to pay a ransom.  Many healthcare organizations fit this profile, and have become targets.”

  2. Cybercriminals may already be lurking in your information system, waiting to attack. 

    “Prior to initiating an attack, a malicious actor usually gains unauthorized access to a victim’s information system for the purpose of performing reconnaissance to identify critical services, find sensitive data, and locate backup. After this is done, the ransomware is deployed in a manner that produces maximum effect, infecting as many devices and as much data as possible and encrypting backup files so that recovery is difficult, if not impossible.”

  3. Cybercriminals often gain access by tricking your employees and authorized system users. 

    “Information system users remain one of the weakest links in an organization’s security posture.  Social engineering, including phishing attacks, is one of the most successful techniques used by threat actors to compromise system security.”

The newsletter then offers specific and practical tips as to how taking HIPAA Security Rule compliance seriously can help you avoid and/or quickly recover from targeted ransomware attacks. Here’s a summary of five key tips that should be at the top of your organization’s ransomware-prevention list:

  1. Train employees to avoid and report phishing scams. 

    “A training program should make users aware of the potential threats they face and inform them on how to properly respond to them.  This is especially true for phishing emails that solicit login credentials.  Additionally, user training on how to report potential security incidents can greatly assist in an organization’s response process by expediting escalation and notification to proper individuals.”

  2. Review and test security incident response procedures. 

    “Quick isolation and removal of infected devices from the network and deployment of anti-malware tools can help to stop the spread of ransomware and to reduce the harmful effects of such ransomware.  Response procedures should be written with sufficient details and be disseminated to proper workforce members so that they can be implemented and executed effectively.  Further, organizations may consider testing their security incident procedures from time to time to ensure they remain effective.”

  3. Maintain recoverable, secure, and up-to-data backups of all electronic protected health information. 

    “Organizations should keep in mind that threat actors have recently been actively targeting backup systems and backup data to prevent recovery.”

  4. Regularly check and strengthen access controls. 

    “[This measure will] stop or impede an attacker’s movements and access to sensitive data; e.g., by segmenting networks to limit unauthorized access and communications.  Further, because attacks frequently seek elevated privileges (e.g., administrator access), entities may consider solutions that limit the scope of administrator access, as well as solutions requiring stronger authentication mechanisms when granting elevated privileges or access to administrator accounts.”

  5. Regularly install software updates and patches.