The more famous the patient, the greater the temptation to peek at his or her medical records. This is why California enacted health privacy legislation in 2008. Among the latest providers to be fined by the state is Ronald Reagan UCLA Medical Center in Los Angeles, reportedly as a result of two employees’ unauthorized access to Michael Jackson’s medical records. The LA Times indicates that the employees who accessed the records have been fired. State regulators would not confirm that the records were Jackson’s, but the Times cites sources close to Jackson’s case who said his legal team had previously been informed by UCLA officials that Jackson’s medical files had been improperly accessed shortly after his death last year.

California’s state privacy laws, SB 541 and AB 211, which parallel HIPAA in many respects, established the California Office of Health Information Integrity, which is authorized to enforce health privacy rules and impose fines on violators. Fines range from $25,000 to $250,000 per violation.

Well-known persons whose records have been improperly viewed in California include Farrah Fawcett, Britney Spears, “Octomom” Nadya Suleman, and Maria Shriver, wife of Governor Arnold Schwarzenegger.

In a related item, the Riverside, CA Press-Enterprise reports that Community Hospital of San Bernardino has been fined $325,000 as a result of unauthorized access to over 200 patient records by a radiology technologist in 2009. Other hospitals fined include Enloe Medical Center, Rideout Memorial Hospital and San Joaquin Community Hospital, according to the California Department of Public Health.

A UCLA hospital employee was sentenced to the first reported prison term for unauthorized access of medical records earlier this year.

On November 6, 2023, the HHS Office of Inspector General published a new compilation of compliance guidance under the title General Compliance Program Guidance (GCPG) for the healthcare compliance community and other health care stakeholders. Consistent with the OIG’s April 24, 2023 announcement of its plan to issue modernized, improved, and accessible guidance, the 91-page document is now available on the OIG’s website.

You can view the full post authored by Fox Rothschild’s Terri Harris at the Health Care Law Matters blog, here:

In Case You Missed It: New OIG General Compliance Program Guidance | Health Care Law Matters (foxrothschild.com)

Watch out HHS, the FTC is taking the lead in enforcing privacy violations by companies also subject to HIPAA. BetterHelp, an on-line mental health platform, engaged in unfair and unreasonable privacy practices according to the FTC’s complaint, leading to a proposed $7.8 million settlement payment to customers.

The U.S. Department of Health and Human Services (HHS) warned us that use of on-line tracking technologies can violate HIPAA. Now the Federal Trade Commission (FTC) is flexing its enforcement muscles. Last month, it published a post about the $1.5 million civil monetary penalty it imposed on drug discount and telehealth provider GoodRx for violating the FTC Act’s prohibition on unfair and deceptive practices. According to the FTC complaint, GoodRx shared sensitive health information with third parties by integrating automated data tracking tools from Facebook, Google, Criteo, and other third parties into its websites and mobile app. These tracking tools collected and sent data to third parties so that they could provide advertising, data analytics, or other business services to GoodRx.

Those of us attuned to HIPAA requirements shouldn’t be surprised by anything here, but these quotes from the FTC’s BetterHelp blog post are worth noting.

“Generally speaking, an email address might not be considered “health information” – unless, of course, the source of the information is a health-related service. In the case of BetterHelp, most people visited the site to seek mental health assistance. Therefore, just the fact that BetterHelp, Pride Counseling, or Faithful Counseling was the source of their email or IP address revealed highly sensitive information to third parties. The message for others in the industry: Context counts.”

HIPAA translation: Yes, the patient’s or member’s email or IP address or cell phone number is protected health information, even as a stand-alone identifier.

“Although BetterHelp hashed people’s email addresses before sharing them with third parties – in other words, converted them into a sequence of letters and numbers through a cryptographic tool – the hashing was done just to hide the addresses in case of a security breach. The FTC says BetterHelp knew that third parties like Facebook would effectively undo the hashing to reveal the email addresses of people who had gone to the BetterHelp site for mental health services. Once Facebook had those addresses, it would easily match them to the email of people with Facebook accounts. What can other companies learn from that example? Certainly there are instances where hashing may be called for, but it won’t protect the privacy of consumers’ information if third parties can un-hash the data.”

HIPAA translation: Hashing data is not the same as de-identifying data in accordance with HIPAA. Beware of vendors who say they don’t access PHI simply because it’s hashed.
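To make the FTC’s point concrete, here is an added example (not code from the FTC post, BetterHelp, or any vendor) showing why a recipient that already holds e-mail addresses can match unkeyed hashes without “reversing” anything, and how a keyed pseudonym under a key the site never shares changes that outcome. The sample addresses and the key are constructed for the illustration.

```python
import hashlib
import hmac

# Constructed sample data (not from the FTC complaint): a health site's user list
# and the e-mail addresses an ad platform already holds for its own account holders.
SITE_USERS = ["alice@example.com", "Bob@Example.org", "carol@example.net"]
PLATFORM_ACCOUNTS = ["alice@example.com", "carol@example.net", "dave@example.com"]


def normalize(email: str) -> bytes:
    """Lower-case and trim so both sides end up hashing the same bytes."""
    return email.strip().lower().encode("utf-8")


def plain_hash(email: str) -> str:
    """Unkeyed SHA-256 of an e-mail address: the kind of 'hashing' the FTC post describes."""
    return hashlib.sha256(normalize(email)).hexdigest()


def keyed_pseudonym(email: str, key: bytes) -> str:
    """HMAC-SHA256 under a key the site keeps to itself.

    A party without the key cannot recompute these digests from its own address
    list. Note that the pseudonym is still a persistent identifier for the same
    person, so sharing it is still a disclosure of an identifier; this is not
    HIPAA de-identification (Safe Harbor or Expert Determination)."""
    return hmac.new(key, normalize(email), hashlib.sha256).hexdigest()


def share_unkeyed(users=SITE_USERS) -> list[str]:
    """What the site hands to the platform when it 'hashes' addresses before sharing."""
    return [plain_hash(u) for u in users]


def share_keyed(key: bytes, users=SITE_USERS) -> list[str]:
    """Same disclosure, but each address is replaced by a keyed pseudonym."""
    return [keyed_pseudonym(u, key) for u in users]


def platform_matches(received: list[str], own_emails=PLATFORM_ACCOUNTS) -> list[str]:
    """The recipient hashes the addresses it already holds and looks for equal
    digests. Unkeyed SHA-256 digests match; HMAC digests do not, because the
    platform cannot compute them without the site's key."""
    by_digest = {plain_hash(e): e for e in own_emails}
    return sorted(by_digest[d] for d in received if d in by_digest)


def demo() -> dict:
    """Which site users each sharing method exposes to the platform."""
    site_key = b"constructed-secret-key-kept-by-the-site"  # constructed for the demo
    return {
        "unkeyed_sha256": platform_matches(share_unkeyed()),
        "keyed_hmac": platform_matches(share_keyed(site_key)),
    }


if __name__ == "__main__":
    for method, exposed in demo().items():
        print(f"{method}: {len(exposed)} user(s) re-identified -> {exposed}")
```

Case-folding before hashing is exactly what makes cross-party matching reliable, which is why a normalized, unkeyed hash of a known identifier offers no privacy against a recipient that holds that identifier.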

“As the FTC’s complaint makes clear, a lack of appropriate safeguards can lead to unfair and deceptive practices related to the collection, use, and disclosure of health information. For example, the complaint alleged that BetterHelp failed to have written policies and procedures for protecting the privacy of health information. And it failed to properly train and supervise employees that handled that health information. It also didn’t get consumers’ affirmative express consent before disclosing their health information to third parties and it failed to contractually limit those third parties from using the data for their own purposes.”

HIPAA translation: Covered entities — make sure your HIPAA Notice of Privacy Practices is accurate and up-to-date. Business Associates — make sure your website Privacy Notices are up-to-date and accurately describe your role under HIPAA and your business associate agreements. Both — comply with these notices.

And my personal favorite:

“Almost all of BetterHelp’s pages displayed multiple seals from third parties. Among them was a depiction of the medical caduceus and the term “HIPAA.” The complaint alleges that BetterHelp’s use of that visual falsely signaled to consumers that a government agency or other third party had reviewed the company’s practices and determined they met HIPAA’s requirements. Have you checked your site recently for graphics that could send similar deceptive messages?”

Interestingly, GoodRx also allegedly displayed a “HIPAA seal” on its website for several months in 2019. The implication (let alone outright statement) that a company is “HIPAA compliant” is risky. Even the most HIPAA-conscious covered entity or business associate is one small HIPAA violation away from making a false (aka deceptive) statement.

For more on FTC’s BetterHelp action, see fellow Fox partner Odia Kagan’s post here.

Earlier this week, our Fox partner Odia Kagan spoke on HIMSS TV about the risks associated with what may be a “blind spot” in your data privacy compliance efforts: the use of data trackers (such as cookies, tracking pixels, session replay scripts) on company websites or apps. This blind spot is particularly perilous when the data being tracked is patient medical information or other personal data subject to data privacy laws. Perhaps the HIPAA regulators were listening.

Yesterday, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) published a Bulletin warning HIPAA covered entities and business associates about the use of tracking technologies that may collect protected health information (PHI) in violation of HIPAA. The Bulletin is a comprehensive description of how and when patient data trackers present HIPAA compliance hurdles. A few good take-aways:

  1. Make sure you have a business associate agreement (BAA) in place with any company (including a data tracking company) that can access and use protected health information
  2. Even trackers on unauthenticated webpages (those not requiring user log-in) may collect PHI. As per OCR: “Tracking technologies on a regulated entity’s unauthenticated webpage that addresses specific symptoms or health conditions, such as pregnancy or miscarriage, or that permits individuals to search for doctors or schedule appointments without entering credentials may have access to PHI in certain circumstances. For example, tracking technologies could collect an individual’s email address and/or IP address when the individual visits a regulated entity’s webpage to search for available appointments with a health care provider. In this example, the regulated entity is disclosing PHI to the tracking technology vendor, and thus the HIPAA Rules apply.”
  3. It’s not good enough to have the tracking technology remove or de-identify the PHI it collects: “[i]t is insufficient for a tracking technology vendor to agree to remove PHI from the information it receives or de-identify the PHI before the vendor saves the information. Any disclosure of PHI to the vendor without individuals’ authorizations requires the vendor to have a signed BAA in place and requires that there is an applicable Privacy Rule permission for disclosure.”
  4. Remember that even an IP address alone can be PHI when collected on a covered entity or business website or app: “Regulated entities disclose a variety of information to tracking technology vendors through tracking technologies placed on a regulated entity’s website or mobile app, including individually identifiable health information (IIHI) that the individual provides when they use regulated entities’ websites or mobile apps. This information might include an individual’s medical record number, home or email address, or dates of appointments, as well as an individual’s IP address or geographic location, medical device IDs, or any unique identifying code. All such IIHI collected on a regulated entity’s website or mobile app generally is PHI, even if the individual does not have an existing relationship with the regulated entity and even if the IIHI, such as IP address or geographic location, does not include specific treatment or billing information like dates and types of health care services.”

If you are a HIPAA-covered entity or business associate, you likely know that patient PHI may only be created, received, maintained, and transmitted as permitted by the HIPAA Security Rule and the HIPAA Privacy Rule. Yet you may not have focused on your company’s website as a place where PHI is collected and transmitted. If you are subject to HIPAA, you should continually assess your website data practices. As described in this blog post, you should make sure third-party trackers like Meta Pixel are not accessing and disclosing data behind the scenes. But common customer-facing tools should not be overlooked. Common ways in which PHI may be collected and transmitted include:

  • Live Chat
  • Patient Portals
  • Online Patient Forms
  • Online Scheduling Tools
  • Reviews and Testimonials
  • Email
  • Online Loyalty Programs

The HIPAA Privacy Rule requires that entities that create, receive, maintain, and/or transmit PHI take specific measures to protect it. For example, if your company keeps individually identifiable medical information on a server, that server must be encrypted and secure. Transmitting PHI includes sending information via email, text, web forms or other types of digital messaging. Storing PHI includes storing information in apps, data centers, etc. If your company website collects, stores, or transmits PHI and does not take reasonable measures to secure that data, it may violate HIPAA.

To begin remediating risks, companies should:

  • Purchase and implement an SSL certificate for the company website
  • Ensure all web forms on the company website are encrypted and secure
  • Only send emails containing PHI through encrypted email servers
  • Partner with web hosting companies that are HIPAA-compliant and have processes for protecting PHI
  • Execute BAAs with third parties that have access to PHI (including web hosting companies)
  • Ensure that PHI is only accessible by authorized individuals within your company

On June 13th, the U.S. Department of Health & Human Services (“HHS”) issued guidance advising that covered health care providers and health plans (covered entities) can provide audio-only telehealth services as long as they are compliant with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy, Security, and Breach Notification Rules (HIPAA Rules). As many individuals may not have access to technologies used for audio-video telehealth due to factors including financial limitations, disabilities, or limited English proficiency, audio-only telehealth is a good alternative that can still address these individuals’ needs. Covered health care providers may offer audio-only telehealth services using remote communication technologies consistent with the requirements of the HIPAA Rules, regardless of whether any health plan covers or pays for those services.

In March 2020, in response to the COVID-19 Public Health Emergency (“PHE”), the HHS Office for Civil Rights (“OCR”) issued a Telehealth Notification to address permitted remote health care services. The Telehealth Notification will remain in effect until the Secretary of State declares that the PHE no longer exists, or upon the expiration date of the PHE, which is currently set for July 15, 2022. Per the Telehealth Notification, OCR will exercise its enforcement discretion and will not impose penalties on covered health entities for noncompliance with the requirements of the HIPAA Rules in connection with the good faith provision of telehealth using audio/video remote communication during the PHE. The June 13th guidance supports and clarifies the Telehealth Notification and includes new FAQs to help covered entities when the Telehealth Notification is no longer in effect.

Covered entities are required to apply reasonable safeguards to protect protected health information (“PHI”) from non-permitted uses/disclosures—this applies to telehealth services as well. For example, telehealth services should be provided in a private area, when possible. Covered entities using telephone systems that transmit electronic protected health information (“ePHI”) need to apply the HIPAA Security Rule safeguards to those technologies. An individual patient may select which telephone service they would like to use, and a covered entity is not responsible for ePHI once it has been received by the individual’s receiving device. Covered entities must also verify the identity of the individual either orally or in writing. When necessary, the covered entity must use language assistance services when verifying the individual’s identity, so that those with limited English proficiency have access.

For additional information on a wide range of topics about the HIPAA Rules and their applicability to the Telehealth Notification, please visit the OCR Privacy website at Guidance: How the HIPAA Rules Permit Covered Health Care Providers and Health Plans to Use Remote Communication Technologies for Audio-Only Telehealth | HHS.gov.

Attention hospitals, clinics, retirement homes and other long-term care providers! If you are collecting fingerprints to authenticate access to a medication dispensing system, then you need to be paying attention to Illinois’ Biometric Information Privacy Act (BIPA).

For more information, please check out this post on Fox’s Privacy Compliance & Data Security.

According to this article, 2021 has been a “particularly dire year” for health care data breaches. So, it may not seem shocking that a hacker gained access to the protected health information of approximately 400,000 Planned Parenthood Los Angeles patients in October. What is unusual about this particular hacking incident is its timing. Planned Parenthood Los Angeles published Notice of the incident on Wednesday, December 1, 2021, the same day the U.S. Supreme Court heard oral argument on the controversial issue in the highly publicized case of Dobbs v. Jackson Women’s Health.

As described in the Notice, Planned Parenthood Los Angeles acted quickly, completed an initial forensic review of affected data in less than 3 weeks, and published the Notice less than 45 days after discovery. Yet, Planned Parenthood Los Angeles now faces a class action lawsuit over the breach.

Although HIPAA does not provide a private right of action, the lawsuit alleges negligence, invasion of privacy, and violations of three California state laws: (1) the California Confidentiality of Medical Information Act, (2) the California Consumer Records Act, and (3) California’s Unfair Competition Law.

California claims aside, Planned Parenthood Los Angeles appears to have taken its HIPAA breach notification obligations very seriously, perhaps in recognition of the need to alert women as quickly as possible of an incident involving uniquely sensitive health information.

Unfortunately, not all entities entrusted with maintaining health information, even uniquely sensitive information about women’s sexual and reproductive health, take their federal breach notification obligations as seriously. Flo Health, Inc., an app used by more than 100 million women to track personal menstruation and fertility information, didn’t provide notice until reaching a settlement with the Federal Trade Commission in January 2021. Its breach came to light as a result of an investigation by the Wall Street Journal published in February 2019. (For more about the Flo Health breach and settlement, you can read our blog here.)

The timing of the Planned Parenthood Los Angeles incident and the legal and political spotlight on Roe v. Wade is most likely coincidental. It serves as a stark reminder, though, that personally (and politically) sensitive information may be targeted by hackers despite the provider’s best efforts to avoid data breaches.

I dive into the HIPAA weeds on a daily basis, and am sometimes asked about similarities and differences between HIPAA and the European Union’s General Data Protection Regulation (GDPR). Fox colleague Nate Williams provoked me to think more about this topic. Nate took a close look at key definitions and provisions in these privacy laws to examine how they compare in an excellent article published by OneTrust DataGuidance.

A key difference between the laws is the breadth of their applicability. GDPR applies to almost anyone who handles data that identifies or can be used to identify an individual. Yet HIPAA is more limited — it applies only to covered entities (generally, health plans and health care providers) and their business associates and subcontractors, and only to their handling of health-related data that identifies or can be used to identify an individual.

To make the analysis more of an apples-to-apples comparison, Nate focuses on GDPR’s requirements related to “data concerning health.” Despite differences in scope and breadth, both laws are based on very similar underlying principles. Some examples: the lawfulness and fairness of collection and retention; the protection of individual rights (authorization, restriction, and data access); the transparency of purpose and use; the obligation to minimize data collected, used, disclosed, and maintained; and the responsibility for data accuracy, integrity, and confidentiality.

These principles should be considered by any entity collecting individually identifiable information, regardless of applicability of HIPAA and/or GDPR.

Flo Health, Inc., which marketed an app used by more than 100 million women interested in tracking their personal menstruation and fertility information, seems to be getting off easily as compared with HIPAA-covered entities who misuse individual health information. The FTC’s January 13, 2021 press release announcing its proposed settlement with Flo Health sidesteps mention (let alone enforcement) of a federal law (and the FTC’s own rule). This puzzling sidestep deserves attention, not only in light of the proliferation of the use of personal health apps, but given the particularly sensitive nature of the health information collected by the Flo Health app.

The Health Information Technology for Economic and Clinical Health Act (HITECH), enacted as part of the American Recovery and Reinvestment Act of 2009 (the Recovery Act), not only amended HIPAA, but added HIPAA-like breach notification requirements that apply to vendors of “personal health records” (PHRs) that are not covered entities, business associates, or subcontractors subject to HIPAA. As described by the FTC in a “request for comment” published last May:

“The Recovery Act recognized that vendors of personal health records and PHR related entities (i.e., companies that offer products and services through PHR websites or access information in or send information to PHRs) were collecting consumers’ health information but were not subject to the privacy and security requirements of the Health Insurance Portability and Accountability Act (‘‘HIPAA’’). The Recovery Act directed the FTC to issue a rule requiring these entities, and their third-party service providers, to provide notification of any breach of unsecured individually identifiable health information. Accordingly, the HBN [Health Breach Notification] Rule requires vendors of PHRs and PHR related entities to provide: (1) Notice to consumers whose unsecured individually identifiable health information has been breached; (2) notice to the media, in many cases; and (3) notice to the Commission…

The [HBN] Rule requires notice ‘‘without unreasonable delay and in no case later than 60 calendar days’’ after discovery of a data breach. If the breach affects 500 or more individuals, notice to the FTC must be provided ‘‘as soon as possible and in no case later than ten business days’’ after discovery of the breach.”

Yet, surprisingly, the FTC’s Flo Health press release and proposed settlement are completely silent with respect to Flo Health’s failure to abide by the Recovery Act and the FTC’s own breach notification rule. Although its impermissible practices seem to have been “discovered” back in February of 2019 (see here for the original WSJ article revealing Flo Health’s data practices), Flo Health failed to notify its millions of female users that it allowed their personal and uniquely sensitive health information to be used by third parties, including Google and Facebook, for their own purposes, including advertising.

While the proposed settlement requires website notice and individual email/mobile app notice within 14 days after the filing of the Consent Order, such notice would come well beyond the “60-day following discovery” deadline. In addition, as drafted by the FTC, the notice is focused on what was not improperly disclosed (name, address, or birthday), rather than what was. When a covered entity notifies individuals, regulators, and the media of a HIPAA breach, it must include a description of the types of information involved in the breach.

Two FTC commissioners, Rohit Chopra and Rebecca Kelly Slaughter, picked up on the FTC’s failure to enforce the Recovery Act and FTC breach notification rule. Their Joint Statement points out that the “explosion in connected health apps” makes the breach notification rule “more important than ever”:

“[S]ervices like Flo need to come clean when they experience privacy or security breaches.”

Unless they do, health app users will have no idea when their trust is misplaced.