This blog recently discussed tips for a covered entity (CE) in dealing with a HIPAA business associate (BA). Now, even though you have adopted all of the tips and more, in this dangerous and ever more complex data security world, one of your BAs suffers a breach and it becomes your responsibility as the victim CE to respond. What should you do?

Our partner Elizabeth Litten and I discussed aspects of this issue with our good friend Marla Durben Hirsch who included some of our discussion in her article in the June 2017 issue of Medical Practice Compliance Alert entitled “6 ways practices can reduce the risk of delegating breach-notification duties.” Full text of the article can be found in the June, 2017 issue, but a number of the items included below are drawn from the article.

  1. Locate the most recent Business Associate Agreement (BAA) with the BA who experienced the breach, and see what it says about the post-breach obligations of the CE and the BA. Two important threshold issues are whether the BA complied with the time period for reporting breaches to the CE contained in the BAA and the remaining time, if any, available to the CE for complying with any reporting requirements under HIPAA and state law, remediation and limitation of loss requirements, and notification requirements to affected individuals (collectively, the Requirements).
  2. Determine promptly what are the time deadlines for notification to insurance carriers if cybersecurity or general liability insurance may be available to the BA and/or the CE for payment of expenses of the breach and its remediation.
  3. Spell out any circumstances where the BA will handle the consequences of a breach that occurred on its watch, and the scope of its responsibilities vs. that of the CE. These can range from delegating to the BA the entire range of Requirements to assumption by the CE of complying with the Requirements with payment by the BA of the costs thereof.
  4.  Make sure that the required reporting and notification Requirements are sent on CE stationery or, if such Requirements are being delegated to the BA (especially where the breach affected a number of different CEs), the notifications make it clear that the breach was attributable to the acts of the BA and not the CE. As CE, insist that the final wording of the required reporting and notification documents be subject to your approval.
  5.  Ensure that your staff is familiar with the circumstances of the breach so that they will be able to answer questions from affected individuals and the media intelligently. It may be advisable to designate a single trained and articulate person to be referred all inquiries, so that the responses are uniform, accurate and clear.
  6.  Assess whether the BA handled the breach adequately and whether you want to retain your relationship with the BA. Did the BA comply with HIPAA and the BAA in the post-breach period? Did the BA cooperate with the CE? What is the likelihood of a repeat breach by the BA? Is the CE assuming the risk of potential repeat HIPAA breaches if the BA relationship is continued?
  7. If you determine as CE that you will continue your relationship with the breaching BA, consider whether the BAA with the BA requires changes based upon the experience of the breach and its aftermath.
  8. As CE, consider modifying, updating and/or strengthening all of your BAAs as a result of your experience.
  9. As CE, you may require improving and/or changing your cybersecurity insurance coverage as a result of experience with the breach.
  10.  As CE, document all activities and decisions respecting HIPAA made in the post-breach period to defend your actions as reasonable and to provide concrete planning steps for future HIPAA compliance.

While all the precautions in the universe by a CE cannot eliminate a HIPAA breach by a BA, a CE that is victimized by such a HIPAA breach can do many things to reduce its liability and image damage and strengthen its own HIPAA compliance and risk avoidance efforts for the future by adopting the steps described above.

A registered nurse employed by Minnesota Blue Cross Blue Shield (BC/BS) with a history of drug offenses allegedly accessed a prescription drug database 249 times without a legitimate purpose, according to a report by Minneapolis CBS affiliate WCCO posted by reporter Esme Murphy.

The nurse, Jim Johnson, reportedly had been previously assigned by BC/BS under the insurer’s contract with the state Department of Health to monitor prescription drug use in state-run medical programs. In that capacity, he was given access to the Minnesota Prescription Monitoring Program (MNPMP), which is generally limited to licensed prescribers and pharmacists, and their delegated staff. The MNPMP was established to detect diversion, abuse and misuse of prescriptions for controlled substances.

For a period of eight months after Johnson had been reassigned to other duties, he apparently had not been removed from the list of authorized users despite BC/BS having notified the state of the change. WCCO reports that during that time Johnson had accessed 56 individuals’ records, and had viewed a number of records multiple times. Investigations also revealed that Johnson had accessed some of these same individuals’ social media profiles. There reportedly is no indication at this time that Johnson disclosed any of the information he obtained or that he misused that information to obtain narcotics.

State Nursing Board disciplinary records indicate that Johnson had been fired by two previous employers because of narcotic violations. He reportedly admitted to stealing drugs from Children’s Hospital in St. Paul in 2000 and was fired by Unity Hospital after admitting to stealing morphine. He had not been charged criminally but had been fined and subjected to additional supervision. BC/BS was apparently unaware of Johnson’s disciplinary history when he was hired.

There is plenty of blame in this situation to go around. Although the MNPMP apparently had a process in place for credentialing legitimate users, it failed to revoke those credentials when they were notified that Johnson’s job no longer required him to access the database. BC/BS may have failed to monitor its employees’ access to such a highly-confidential trove of information, and may have exercised poor judgment in not thoroughly vetting an employee before assigning him to such a sensitive role.

Employee “snooping” has led to serious consequences in a number of high profile cases, including a Vermont ultrasound technologist who peeked at her ex-husband’s family’s records, a UCLA researcher who was sentenced to prison for looking at celebrity charts, California and New York hospital workers who accessed celebrity records and 16 Houston hospital employees fired for accessing a resident’s medical records after she was injured in a shooting incident.

A surprising footnote to WCCO’s story is the fact that the state Department of Health reportedly misstated HIPAA’s breach reporting requirements and claimed that only breaches involving 500 or more individuals were reportable. Such large-scale breaches require notice within 60 days of discovery, but, as indicated in the WCCO report, breaches involving fewer than 500 individuals must still be reported within 60 days of the close of the calendar year.

This is not BC/BS’s first brush with medical privacy violations. According to the Star Tribune, in 2010, a subscriber sued the insurer for violating the Minnesota Health Records Act and breaching her privacy by disclosing her name and providing confidential information about her medical treatment. Amazingly, the patient’s information was reproduced in illustrations that appeared in handbooks and marketing pamphlets instead of “dummy” information. Her ID and claims information appeared in 400 copies of a pamphlet and in 95,000 copies of a member handbook. Previously, the State Department of Commerce suspended the license of a BC/BS agent after a life insurance customer complained that the agent had improperly disclosed the customer’s personal information.

Once again the temptation to rummage around in an inadequately-secured repository of information has proven too hard for an employee to resist. Few covered entities and business associates have implemented safeguards to protect data from curious (or dishonest) employees’ eyes. Heightened employee training about prohibition of snooping with emphasis on discipline up to and including discharge is one step. However, the time may have come when relying on the honor system and training may be insufficient to meet HIPAA’s poorly-defined “minimum necessary” standard and more robust technical solutions may be called for. Even when, as in this case, only certain individuals are given access to PHI on a need-to-know basis, there is room for improvement of monitoring and oversight of those individuals’ actual behavior.

Our partner Keith McMurdy posted this analysis of a recent HIPAA settlement involving a physician practice on our Employee Benefits Legal Blog:

HIPAA Failure Results In Penalties: Lack of Compliance the Key

By Keith R. McMurdy on January 1, 2014Posted in Plan Administration, Welfare Plans

Often, when I am discussing HIPAA privacy compliance, I am asked about possible penalties for privacy breaches. Plan sponsors sometimes overlook the fact that failing to have a privacy compliance package in place is itself a violation and can lead to some hefty penalties. Such was the case for Adult & Pediatric Dermatology, P.C., a medical provider that had a security breach. While the facts may not be specific to a covered plan, they should serve as a reminder of the potential consequences for failing to be HIPAA compliant.

The provider had a thumb drive stolen from one of the vehicles of a staff member. It was unencrypted and had PHI for about 2,200 people. The Department of Health and Human Services Office for Civil Rights opened an investigation that revealed that the provider had not conducted an analysis of the potential risks and vulnerabilities as part of its security management process. More importantly, HHS also determined that the provider did not fully comply with requirements of the Breach Notification Rule and that it did not have written policies in place or procedures to train employees on HIPAA privacy and handling of PHI. The provider ended up settling the claim for a $150,000 penalty.

This result is significant for 2 reasons. First, it is the first reported settlement of a claim for failure to have policies and procedures in place under the Breach Notification rules under the HITECH Act. Second, it shows that the Office of Civil Rights is serious about investigating instances of an alleged breach and enforcing the rules related to privacy compliance. Covered entities (like health plans) are under an affirmative obligation to implement HIPAA Privacy and Security compliance policies, monitor and train employees and take steps to avoid breaches. There is a reporting obligation if a breach occurs and penalties can come into play not just for the breach, but for failing to comply to prevent the breach from occurring.

At a time when plan sponsors are struggling to comply with the requirements of PPACA, other rules like ERISA and HIPAA Medical Privacy can get overlooked. Employers would do well to remember that sponsoring a health plan means complying with all of the various regulations, not just the ones in the media right now. For help locating and complying with all of the requirements for benefit plans, ask your attorney at Fox Rothschild for assistance.




 A New England hospital has reported the disappearance of backup tapes containing ultrasound images and personal data of 14,000 patients. How do you handle a data loss when you don’t have any way of determining where the data went or who may have seen it?  Is it still a “breach” in the technical sense?

These questions call to mind former Defense Secretary Donald Rumsfeld’s famous observation about assessing knowledge gaps:

 “There are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns — the ones we don’t know we don’t know.”

And a less-famous Rumsfeld quote from the same press briefing, “The absence of evidence is not evidence of absence, or vice versa” may also be applicable.


What is known, according to the press release issued by Women and Infants Hospital of Rhode Island, is that on September 13, 2012, the institution learned that unencrypted backup tapes containing ultrasound images went missing from two ambulatory sites in Providence, Rhode Island and New Bedford, Massachusetts. The backup tapes contained ultrasound images and included patient names, dates of birth, dates of exams, physicians’ names, patient ultrasound images, and, in some instances, Social Security numbers. 


The hospital has concluded that they have no reason to believe that the information has been accessed or used improperly, because doing so would require specialized equipment and technical expertise. The fact pattern and analysis recalls the 2011 breaches involving SAIC/Tricare and Nemours discussed on this blog in October 2011 by my partner Elizabeth Litten. As she noted,


When is the mere “ability” to read PHI, without evidence that the PHI was actually read or was likely to have been read, enough to trigger the notice requirement under the Breach Notification Rule? Will covered entities provide notice out of an abundance of caution to report every unlocked or unencrypted data file, possibly flooding the HHS website that lists large PHI breaches (the “HHS List”) with potential breaches that have minimal or no likelihood of access and unduly alarming notified individuals? Could such reporting have the unintended effect of diluting the impact of reports involving actual theft and snooping?  


At this time, Women & Infants has notified affected patients and established a hotline but is not yet offering credit monitoring or identity theft protection. Further, there is no indication of a report having been filed with HHS, but once again “absence of evidence is not evidence of absence.”


Applying the Rumsfeld test, I believe Women & Infants is facing both “known unknowns” and “unknown unknowns.” They know that they don’t and cannot be certain whether the data has been accessed, but if it has been, they cannot know the extent of the potential damage to the affected individuals.  The long-overdue “mega-regulation,” which may finally see the light of day now that the election is over, may provide some useful guidance. 


In the meantime, enjoy some of former Secretary Rumsfeld’s greatest hits.


This blog has been following the continuing flow of security breaches of Protected Health Information ("PHI") and how affected providers and insurers have been responding to their discovery. The University of Tennessee Medical Center ("UTMC" or the "hospital") based in Knoxville has apparently joined in the march.


On November 29, 2010, Angela Starke wrote an article entitled "Patients uneasy about possible security breach at UT Medical Center" that was posted on In the article, Ms. Starke reported that UTMC had announced that 8,000 patients’ medical and identity information may have been compromised. As part of her article, Ms. Starke reproduced in full the letter attributed to the Privacy Officer of UTMC that was sent to affected patients by the hospital (the "Letter"). The following was stated in the UTMC Letter: "Please note we have no reason to believe that any of your personal information has actually been accessed or inappropriately used. However, out of an abundance of caution, we want to make you aware of the incident."


What is interesting about the UTMC event is that the hospital apparently has not seen the incident as sufficiently newsworthy to publish the UTMC Letter on its website in the news section or elsewhere. In contrast, a recent post on this blog discussed a PHI security breach issue at Henry Ford Health System in Michigan ("HFHS"). That post raised questions as to the thoroughness of the report that HFHS had placed on its website relative to the incident.


Nonetheless, HFHS did at least disclose the matter on its website. UTMC has chosen not to do so. The article by Ms. Starke would indicate that patients who received notices from UTMC about the PHI incident considered it to be somewhat more of a concern than the hospital did, as evidenced by UTMC’s failure to make a disclosure on its website.


A visit today to the U.S. Department of Health and Human Service ("HHS") website which lists reported breaches of unsecured PHI incidents affecting 500 or more individuals reveals that the UTMC matter is now posted. Even that posting, however, is defective. The list reflects the "Date of Breach" of the UTMC event of "Improper Disposal of Paper Records" as "2009-09-23." Obviously the year should be "2010" not the "2009" date listed. It is unclear whether the hospital reported the wrong year to HHS or that HHS incorrectly transcribed it.

As this blog has reported earlier, the public disclosures required by HIPAA/HITECH for breaches respecting PHI make providers and insurers vulnerable to embarrassment, criticism and diminished reputation that may actually overshadow the significant legal costs and statutory consequences of the breach itself.

To this end, providers and insurers must continue to heighten their efforts to avoid PHI security breaches as a primary objective. If they do occur, prompt, decisive and proactive action is required to maximize damage control and rehabilitate relations with clients and the public. Such action should include posting of the unfortunate event on the entity’s website.