On the sixth day of CCPA the California Senate Health Committee gave to me … a HIPAA carve-out.

AB 713, reported favorably by the California Senate Health Committee, would expand the exemption related to HIPAA and medical research.

Specific carve-outs:
  • De-identified PHI or medical information, provided that the business does not attempt nor actually re-identify the information
  • “Business associates”
  • Personal information collected for, or used in, biomedical research subject to institutional review board standards and the Common Rule.
  • Personal information collected for or used in research, subject to all applicable ethics and privacy laws, if the information is either individually identifiable health information or medical information.

Additional change:

Required disclosure, in the privacy notice, of whether information de-identified under HIPAA has been disclosed in the preceding 12 months and if so, whether it had been de-identified using the “expert method” or the “safe harbor method.”

For additional insights on the interplay between HIPAA and CCPA, check out previous posts on this blog looking at health organizations’ overall exposure to CCPA and the law’s interaction with HIPAA, as well as the California Attorney General’s comments that his office would focus early enforcement efforts on how large companies handle sensitive personal information such as PHI.

Details on the Senate Amendment are available on the California Legislative Information website.

More than eleven years have passed since the U.S. Department of Health and Human Services (HHS), the agency responsible for the privacy of protected health information under HIPAA, and the U.S. Department of Education (DOE), the agency responsible for the privacy of student records under FERPA, issued joint guidance on the interplay between HIPAA and FERPA.

New joint guidance issued earlier this month (the “2019 Update”) provides updates and helpful clarifications as to when and how HIPAA and FERPA apply. The following 6 topics caught my attention:

  1. Emergency Situations. A new section on when disclosures may be made in emergency situations under HIPAA paraphrases a 2014 HHS Bulletin and FAQ issued, respectively, following the Ebola outbreak and questions about disclosure standards in the wake of the shooting at the Pulse Nightclub in Orlando (see here for my 2016 post on this topic). It also incorporates DOE guidance and regulatory preamble statements concerning disclosure of FERPA-protected information in the event of a health or safety emergency.
  2. School-Employed Health Care Providers. The 2019 Update also includes a clarified description of when a school that employs a health care provider and conducts covered transactions electronically is subject to the FERPA privacy standards instead of the HIPAA privacy standards. The prior guidance stated that even when a school is a covered entity under HIPAA, it might not have protected health information. The 2019 Update more helpfully states that compliance with “the HIPAA Rules” is not required where the school’s only health records are considered “education records” or “treatment records” under FERPA (note that the 2019 Update would be even more helpful if it added the word “Privacy” between “HIPAA” and “Rules”, since such a school would still be subject to the HIPAA “Transactions Rule” when submitting claims electronically).
  3. University-Affiliated Hospitals and Clinics. Records maintained by a hospital affiliated with a university that is subject to FERPA are generally subject to HIPAA because the hospital provides health services to individuals regardless of whether they are students of the university. On the other hand, if the hospital runs a separate student health clinic, those clinic records are subject to FERPA as either “education records” or “treatment records”.
  4. Disclosure for Treatment, Payment and “Legitimate Educational Interests” Purposes. Under FERPA, “treatment records” (see 34 C.F.R. 99.3) must be made, maintained, and used only in connection with treatment. They can be disclosed to treating health care professionals who are not part of or acting on behalf of the school, if used solely for treatment. However, if the records are used for billing, they are “education records” and, unless another FERPA exception applies, cannot be disclosed without the prior written consent of the parent or eligible student (meaning a student who reaches the age of 18 or attends a postsecondary institution). However, schools can share information, including health and medical information, from a student’s education record without prior written consent with teachers and other school officials if they have “legitimate educational interests” in the information pursuant to FERPA regulations and the school’s annual notification of FERPA rights. On the other hand, HIPAA allows protected health information to be disclosed to a health plan for payment purposes without the individual’s prior written consent, and for other purposes as permitted under the HIPAA regulations and in accordance with the covered entity’s notice of privacy practices.
  5. Disclosure to Parents. Under FERPA, a physician at a university-operated health clinic may disclose information from the education records of an eligible student without the student’s consent: (i) if the student is claimed as a dependent for federal tax purposes; (ii) in connection with a health or safety emergency if disclosure is needed to protect the student or other persons; or (iii) if the eligible student is under the age of 21, disclosing that the student has committed a disciplinary violation related to the use or possession of alcohol or a controlled substance. FERPA also allows an educational agency or institution to disclose education records of a deceased eligible student to the parent or other third party “at its discretion or consistent with State law.” The privacy rights of a non-eligible student rest with the parent(s), but once the “parents are deceased, the records are no longer protected by FERPA.” On the other hand, HIPAA generally allows covered entities to disclose protected health information about a minor child to the child’s parent or personal representative when consistent with State law. However, if the minor is permitted to receive treatment without a parent’s consent under State law, HIPAA only permits parental disclosure in limited situations, like when the minor presents a serious danger to self or others. With respect to deceased students, HIPAA defers to applicable State law to determine who can make disclosure decisions following death.
  6. Disclosure to the National Instant Criminal Background Check System (NICS). While HIPAA generally does not permit a school-based health care provider to report a student to NICS (see here for Fox partner Bill Maruca’s post on this topic), FERPA generally permits the records of a law enforcement unit of an educational agency or institution to be reported to NICS without prior written consent.

These 6 topics and the related clarifications reveal two sobering realities. First, in this age of mass shootings and public health emergencies, there’s a risk that efforts to comply with privacy laws will get in the way of effective emergency response. Second, the inconsistencies and complexity of various U.S. privacy laws are likely to mean continued confusion, despite the best efforts of HHS, DOE, and other state and federal agencies to provide clarification.

It’s that time again for year-in-review articles. On December 16, 2019, Modern Healthcare published an infographic that compares HIPAA breaches which occurred in 2019 to aggregate breach statistics from 2010-2018. The 2019 data was analyzed through the end of November. A few interesting trends appear. Let’s go to the numbers:

Breaches by Location:

In 2019, 40% of breaches involved email, compared to only 13% during 2010-2018. This may suggest an increase in phishing and more sophisticated “spear-phishing” techniques. Privacy officers should alert their organizations to be more vigilant about clicking links and opening emails from unverified sources, even where the emails look deceptively legitimate.

Network server breaches were up slightly, from 16% to 22%.

Laptop-related breaches are down sharply, from 12% to only 3%, and desktop computer breaches are down from 6% to 3%. This could mean more covered entities and business associates are using appropriate encryption, or may also reflect migration of data to the cloud instead of storing it on laptops and desktop computers.

Electronic medical record breaches are steady, declining slightly from 4% to 3%.

Breaches by Type:

Hacking/IT Incidents represented 57% of breaches in 2019, up sharply from 22% for the prior 8 years. Coupled with the email breach increase, this trend suggests infiltration or malware-related breaches that are accomplished through inattention to best practices, both in failing to recognize and resist phishing attempts and in failing to maintain up-to-date security measures.

Unauthorized access/disclosure remains steady, representing 30% for 2019 versus 28% for the prior 8 years.

Theft is down significantly, from 33% to only 7%. Once again, just as bank robbers go where the money is, hackers go where the data is, and that is increasingly in the cloud.

Improper disposal is a minor factor, only 1% in 2019, down from 3%.

Breaches by Month:

The report also tracked the average number of individuals affected per breach by the month reported. A significant spike occurred in July 2019, representing the second-highest reported number of individuals affected by healthcare breaches since 2010. This anomaly was attributed largely to a massive data breach at billing collections vendor American Medical Collection Agency that affected nearly 20 million individuals.

The wrap-up:

Statistics can be misleading, but if these trends continue, expect more issues involving email scams, malware that can infect systems via email and similar approaches, and unauthorized access, all of which focus on what is often the weakest link in any system – between the chair and the keyboard.

As Fox partner Odia Kagan posted yesterday, early enforcement of CCPA will focus on data related to kids. In addition, according to a recent article in the San Francisco Chronicle, the California Attorney General will focus on how large companies that deal with sensitive information, including health data, comply with CCPA.

A post this past summer warned that compliance with HIPAA or California’s Confidentiality of Medical Information Act (CMIA) does not give a free pass for HIPAA-regulated covered entities, business associates, or subcontractors or CMIA-regulated providers to ignore CCPA. CCPA does not apply to protected health information governed by HIPAA or to medical information governed by CMIA. CCPA also does not apply to a covered entity subject to HIPAA or a provider of health care subject to CMIA, but there’s a caveat: the covered entity or provider must maintain “patient information in the same manner as medical information [maintained under CMIA] or protected health information [maintained under HIPAA].”

This exclusion leaves HIPAA business associates and subcontractors that are otherwise in scope for CCPA out in the cold. It also forces covered entities and CMIA providers to make sure they maintain all personal information that might also be “patient information” in the same manner as they maintain protected health information and medical information.

For example, if a consumer (who also happens to be a patient or who later becomes a patient) checks out a health care facility’s website to see if a particular type of care is offered or to get directions to the facility, it is unlikely that the data collected as a result of the consumer’s use of the website is maintained “in the same manner” as protected health information. If the facility sells this data (say, perhaps, hits on a sleep center page to a mattress or sleep aid manufacturer) and the AG views the data as sensitive health data, the fact that the facility complies with HIPAA with respect to its maintenance of protected health information is likely not going to impress the AG.

Although the California AG will not commence enforcement activities until July 2020, entities subject to HIPAA or CMIA should take note of the AG’s comments and evaluate the need for CCPA compliance now.

Last week, the Office for Civil Rights (OCR) announced its second enforcement action and settlement with a provider for failing to comply with HIPAA’s patient access requirements. Korunda Medical, LLC, a primary care and pain management practice in Florida, agreed to pay $85,000 and comply with a Corrective Action Plan (CAP) as a result of a patient’s complaint that it refused to provide the records in the requested electronic format and charged more than the reasonable, cost-based fee prescribed under HIPAA.

Korunda also apparently made the fatal mistake of ignoring OCR’s technical assistance. As I noted in connection with the $3 million resolution amount paid by a New York hospital system, when OCR offers technical assistance, the covered entity (or business associate) should follow it.

Payment of $85,000 may pale in comparison with payment of $3 million, but given the relative ease of complying with HIPAA’s patient access requirements, and added to the time and expense of responding to OCR’s investigation and negotiating the settlement agreement, it’s not an insignificant amount. In addition, compliance with the CAP will require additional expenditures of time and resources by Korunda. The CAP requires Korunda to submit the following to the U.S. Department of Health and Human Services (HHS):

* revised policies and procedures related to patient access that identify how Korunda calculates a reasonable, cost-based fee;

* training materials related to individual access rights, and then provide training to all workforce members;

* lists of requests for access (including the date the request is received, the date the request is completed, the format requested, the format provided, the number of pages (if paper), and the cost charged, including postage, as well as all documentation related to denials of requests);

* notification of any failure by a member of its workforce to comply with its access policies and procedures; and

* annual reports regarding the implementation of the CAP requirements.

OCR has been focused on HIPAA’s access rights for the last few years. See here and here for posts from 2016 on this topic, and here for OCR’s first Resolution Agreement involving an access rights violation (also triggering an $85,000 settlement amount and a similar CAP). Responding in a timely manner to patient access requests, providing the information in the format requested, not overcharging, and jumping on any technical assistance OCR sends your way are easy ways to avoid being the third example of, as OCR Director Severino put it, “bureaucratic inertia.”

More and more often, health care data is stolen or made inaccessible by targeted ransomware attacks. The Office for Civil Rights (OCR) published a newsletter this week that provides warnings for HIPAA covered entities and business associates. It also provides practical tips to prevent and help you survive these attacks.

OCR’s warnings should resonate with covered entities and business associates alike:

  1. You are a ransomware target.

    “Cybercriminals … found that customizing their attacks to specific, “quality” targets led to an increase in the amount of ransom payments.  Organizations commonly targeted by this type of attack have sensitive data, high data availability requirements, low tolerance for system downtime, and the resources to pay a ransom.  Many healthcare organizations fit this profile, and have become targets.”

  2. Cybercriminals may already be lurking in your information system, waiting to attack.

    “Prior to initiating an attack, a malicious actor usually gains unauthorized access to a victim’s information system for the purpose of performing reconnaissance to identify critical services, find sensitive data, and locate backup. After this is done, the ransomware is deployed in a manner that produces maximum effect, infecting as many devices and as much data as possible and encrypting backup files so that recovery is difficult, if not impossible.”

  3. Cybercriminals often gain access by tricking your employees and authorized system users.

    “Information system users remain one of the weakest links in an organization’s security posture.  Social engineering, including phishing attacks, is one of the most successful techniques used by threat actors to compromise system security.”

The newsletter then offers specific and practical tips as to how taking HIPAA Security Rule compliance seriously can help you avoid and/or quickly recover from targeted ransomware attacks. Here’s a summary of five key tips that should be at the top of your organization’s ransomware-prevention list:

  1. Train employees to avoid and report phishing scams.

    “A training program should make users aware of the potential threats they face and inform them on how to properly respond to them.  This is especially true for phishing emails that solicit login credentials.  Additionally, user training on how to report potential security incidents can greatly assist in an organization’s response process by expediting escalation and notification to proper individuals.”

  2. Review and test security incident response procedures.

    “Quick isolation and removal of infected devices from the network and deployment of anti-malware tools can help to stop the spread of ransomware and to reduce the harmful effects of such ransomware.  Response procedures should be written with sufficient details and be disseminated to proper workforce members so that they can be implemented and executed effectively.  Further, organizations may consider testing their security incident procedures from time to time to ensure they remain effective.”

  3. Maintain recoverable, secure, and up-to-date backups of all electronic protected health information.

    “Organizations should keep in mind that threat actors have recently been actively targeting backup systems and backup data to prevent recovery.”

  4. Regularly check and strengthen access controls.

    “[This measure will] stop or impede an attacker’s movements and access to sensitive data; e.g., by segmenting networks to limit unauthorized access and communications.  Further, because attacks frequently seek elevated privileges (e.g., administrator access), entities may consider solutions that limit the scope of administrator access, as well as solutions requiring stronger authentication mechanisms when granting elevated privileges or access to administrator accounts.”

  5. Regularly install software updates and patches.

With the explosion of health data flowing through cutting-edge companies, industry stakeholders are left to wonder how wearable devices, wellness programs, health applications, and the like should be regulated.

Despite common belief, the Health Insurance Portability and Accountability Act (“HIPAA”) does not regulate all health information. HIPAA regulates health information collected and retained by covered entities and imposes downstream obligations on entities called business associates. HIPAA began with a limited purpose and was not created to cover all health information held by all entities. Enacted in 1996, HIPAA was originally designed to address the exchange of electronic health information and portability, so that an employee could maintain health insurance between employers.

Today’s perceived gaps in HIPAA, therefore, seem plausible, given its history and the realization that when HIPAA was created 23 years ago, the health landscape was without today’s innovative health companies collecting and aggregating health data in new ways for new purposes, and without the accompanying geometric increase in the complexity and types of risk. While newer health tech companies may find themselves outside the HIPAA regime, a recent Senate Bill hopes to expand HIPAA to include health information collected by fitness trackers, health-focused social media sites, and direct-to-consumer genetic testing companies. Though the Senate Bill has stayed stagnant, companies have seen enforcement beyond the HIPAA regime.

In March 2017, the New York Attorney General announced a settlement with the developers of three health apps, alleging that the creators used misleading claims and had irresponsible privacy practices with unclear and inconsistent statements about how they collected and shared users’ personal information with third parties. The Attorney General alleged violations of New York’s Consumer Protection Act and False Advertising laws.

So what is the moral of the story? Just because your health company does not fit squarely within the HIPAA regime does not mean it is excluded from regulation. Keep in mind applicable state laws like a state’s Consumer Fraud Act. Consider obligations to federal regulators, like the FTC’s authority over deceptive consumer practices and the FDA’s oversight of medical devices, for example.

Have a good understanding of what your company is (and what it isn’t). If you’re a covered entity or business associate, your obligation to comply with HIPAA is clear. However, consider wearable devices, like Fitbit and smartwatches that track users’ heart rate and sync their health data to smartphone apps. Consider wearable biosensors that monitor patients’ vital signs, temperature, and body posture. A deeper analysis of when health information shifts from HIPAA-protected to non-HIPAA-protected can be found in a separate Alert by Elizabeth Litten.

A large New York hospital system learned this lesson the expensive way. According to a U.S. Department of Health and Human Services (HHS) press release issued earlier this week, the Office for Civil Rights (OCR) investigated a hospital system breach back in 2010 involving the loss of an unencrypted flash drive. According to the press release, OCR provided technical assistance to the hospital system as a result of that breach.

The hospital system apparently didn’t follow or benefit from OCR’s technical assistance, as it reported a breach in 2013 involving the loss of an unencrypted flash drive. According to OCR,

“Despite the previous OCR investigation, and [the hospital system’s] own identification of a lack of encryption as a high risk to ePHI, [the hospital system] permitted the continued use of unencrypted mobile devices.”

The hospital system then reported a third incident involving the theft of an unencrypted mobile device (an unencrypted personal laptop used by a resident surgeon) in 2017. Although the laptop contained the PHI of only 43 patients, it wasn’t the size of the breach that likely triggered the $3 million payment amount. The high payment amount seems directed at the hospital system’s apparent continuing failure to implement fairly straightforward security measures.

This hospital system had three strikes involving unencrypted devices before being hit with the $3 million resolution amount, and three important lessons can be learned from this resolution agreement. First, correct identified vulnerabilities. Second, when OCR offers technical assistance, follow it. And third, make sure you have a mobile device policy that requires encryption or addresses why encryption is not feasible.

OCR likely also considered the large size of the hospital system, and the relatively simple security policies and procedures the hospital system could have implemented to prevent the third breach, when it imposed the $3 million penalty and two-year corrective action plan. However, even small covered entities and business associates should pay attention to this resolution agreement and take steps to minimize the risk of mobile device breaches.

“New York Gov. Andrew Cuomo recently signed legislation that will effectively prohibit ambulance and first response service providers from disclosing or selling patient data to third parties for marketing purposes.

The bill was signed into law on October 7. The new law bans the sale of patient data, or individually identifying information to third parties, outside of sales to health providers, the patient’s insurer, and other parties with appropriate legal authority.

Under the law, all information that can be used to identify a patient is protected from sales for marketing purposes, such as advertising, detailing, marketing, promotion, or any activity used to influence sales.”

Details from HealthIT Security.

This post also appears on Fox Rothschild’s Privacy Compliance & Data Security blog.

Artificial Intelligence (“AI”) refers to algorithmic tools that simulate human intelligence, mimic human actions, and can incorporate self-learning software. The benefits of AI tech can reduce spending, provide alternative treatment ideas, and improve patient experience, diagnosis, and outcomes.

Consider virtual health assistants that deliver medication alerts and patient education, AI used to detect abnormalities in x-rays and MRIs, and AI that gives simultaneous feedback to patients and their physicians from elements captured on patient smartphones and wearable devices. But with the advent of unchecked AI come concerns related to health information privacy and unconscious bias.

Privacy Concerns in AI Health Tech

AI advances could negatively impact health data privacy. The level of impact depends, to some extent, on how we define health data. “Health data” generally refers to information concerning the physical or mental health status of an individual and the delivery of or payment for health services to the individual. It incorporates data exchanged through traditional health technologies used by health care providers and health plans, as well as data exchanged through newer technologies, like wearable devices and virtual assistants.

Regulations do not yet fully address privacy concerns in AI health tech. HIPAA, for example, legislation originally enacted in 1996, requires covered entities and business associates to implement standards to ensure the privacy and security of protected health information. Those standards, however, may not apply to tech companies that use ever-evolving third-party apps or algorithms to access the data. Experts express concerns about companies collaborating to re-identify data formerly considered de-identified.[1] Consider data brokers who mine personal health data with AI tech and then sell their acquired health data to third parties like marketers, employers, and insurers. While a tech company’s relationship with a health insurance company falls under HIPAA’s scope, it is less clear what privacy laws would apply to tech companies that limit their clientele to entities that are not otherwise directly or indirectly subject to HIPAA, such as life or disability insurers, which may also be the case for marketers and employers.

Bias Concerns in AI Health Tech

AI health tech must be developed and trained responsibly. AI learns by identifying patterns in data collected over many years. If the data collected reflects historical biases against vulnerable populations, the data projected will only exacerbate those biases. Biases creep into data sets in various ways. Consider whether input data has incomplete data sets for “at-risk” populations (groups with a historically higher risk for certain health conditions or illnesses). Consider the potential for under-diagnosis of health conditions within certain populations. Correcting for these biases in the development of the data set and in training processes will help to avoid the creation of biased results in AI health tech.

Companies should consider safeguards when employing their AI health tech. Employee training is paramount. While AI promises a host of benefits, those involved in its creation and use must be aware of the potential for bias. Companies should also consider data integrity and built-in biases. Consider the information AI tech relies on, and consider rechecking the data reviewed by AI. Lastly, diversifying those engaged in creating, testing, and using the health care tech could also decrease bias.

[1] https://www.ncvhs.hhs.gov/wp-content/uploads/2013/12/2017-Ltr-Privacy-DeIdentification-Feb-23-Final-w-sig.pdf