Filefax, Inc., a defunct Illinois medical records storage and management company, has been fined $100,000 for improperly handling medical data under an agreement with the court-appointed receiver managing the company’s assets on behalf of its creditors.  This settlement has implications for both service providers and their covered entity clients.  Fox Rothschild partners Elizabeth Litten and Michael Kline were quoted in an article by Marla Durben Hirsch entitled “Be prepared for HIPAA Issues if a business associate shuts down” in the August issue of Medical Practice Compliance Alert.

As the HHS press release stated, the consequences for HIPAA violations don’t stop when a business closes.  In this case, Filefax had been under investigation by state and federal authorities since 2015 for careless handling of medical records which had been abandoned at a shredding facility.   Medical Practice Compliance Alert notes:

This settlement shows that  a provider or business associate that has violated HIPAA can’t avoid the consequences by shutting down.  “OCR is saying that you’re still responsible if you close your doors.” Says attorney Elizabeth Litten with Fox Rothschild in Princeton, NJ.

But it also provides a cautionary tale for providers who work with business associates that go under because providers are ultimately responsible for their patients’ records.

The article suggests the following tips for a covered entity to reduce its risks when a business associate may be in shaky financial shape:

  1. Keep an inventory of your business associate relationships.
  2. Choose business associates carefully.
  3. Monitor your business associates’ compliance with HIPAA.
  4. Expect increased scrutiny if a business associate is already on the government’s radar.
  5. Watch for signs that the business associate may be running into financial trouble.
  6. Don’t sit idly if the business associate files for bankruptcy.

What should a covered entity do when it learns that a business associate may have violated its HIPAA responsibilities?  For starters, see our previous post entitled Ten Tips for Actions by a Covered Entity after a HIPAA Breach by a Business Associate.  And if that BA has ceased operations, be prepared to take control of the situation even if the BA may not have enough resources left to reimburse you for its mistakes. Remember, the buck always stops with the Covered Entity.

Harry S. Truman Library & Museum 2017

The recent criminal conviction of a Massachusetts physician provides a stark reminder that violating HIPAA can result in more than civil monetary penalties and the financial and reputational fall-out that results from a breach. In this case, perhaps the cover-up was worse than the crime, or maybe prosecutors decided that a conviction on other charges would have been harder to get. Either way, the case should alert covered entities and business associates to the fact that HIPAA violations can result in jail time and criminal fines.

The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) investigates complaints and may impose civil monetary penalties (CMPs) for violations of HIPAA.   The U.S. Department of Justice (DOJ) handles criminal investigations and penalties.  This may not provide much comfort, but a CMP will not be imposed if the HIPAA violation is determined to constitute a criminal offense.

OCR will refer matters to DOJ for criminal enforcement in some cases or will work cooperatively with DOJ where a DOJ investigation on other grounds reveals a potential HIPAA violation.  HHS reported that OCR had referred 688 cases to the DOJ for criminal investigation as of June 30, 2018.

The criminal enforcement of HIPAA was described in a Memorandum Opinion issued in 2005 jointly to HHS and the Senior Counsel to the Deputy Attorney General by Steven Bradbury, then-acting Assistant Attorney General of the Office of Legal Counsel within DOJ (the DOJ Memo). The DOJ Memo explains that HIPAA allows for criminal penalties only for violations that involve the disclosure of “unique health identifiers” or “individually identifiable health information” (IIHI) that are made “knowingly” and in violation of HIPAA.   Specifically, a person may be subject to criminal penalties if he or she knowingly (and in violation of HIPAA):  (i) uses or causes to be used a unique health identifier; (ii) obtains IIHI; or (iii) discloses IIHI to another person.  Criminal penalties range from misdemeanors to felonies.  The maximum criminal penalty (a fine of up to $250,000 and imprisonment of up to 10 years) can be imposed if one of these offenses is committed “with intent to sell, transfer, or use [IIHI] for commercial advantage, personal gain, or malicious harm.”  The DOJ Memo explains that “knowingly” refers to knowledge of the facts that constitute the offense, not knowledge of the law being violated (HIPAA).

The DOJ Memo emphasizes the fact that criminal penalties are reserved for limited and specific violations of HIPAA:  “Such punishment is reserved for violations involving `unique health identifiers’ and [IIHI]…  Thus, the statute reflects a heightened concern for violations that intrude upon the medical privacy of individuals.”  The DOJ Memo focuses on violations by covered entities. It notes that when a covered entity is not an individual, but is a corporate entity, the conduct of agents may be imputed to the entity when the agents act within the scope of employment, and the criminal liability of a corporate entity may be attributed to individuals in managerial roles.

DOJ might decide to seek a conviction for a violation of HIPAA when it believes such a conviction would be easier to get than a conviction for a violation of other federal laws governing health care providers (such as the anti-kickback statute).   After all, the DOJ Memo makes it clear that “knowing” refers to the conduct, not the state of the law.  However, it should be noted, as per the DOJ Memo, that the DOJ’s interpretation of “`knowingly’ does not dispense with the mens rea requirement of section 1320d-6 [HIPAA] and create a strict liability offense; satisfaction of the ‘knowing’ element will still require proof that the defendant knew the facts that constitute the offense.”

When a health care entity (like a large hospital system or health plan) has deep pockets, the OCR may decide to pursue very high civil monetary penalties and rely on the financial and reputational implications of the civil monetary penalties to act as a deterrence.  On the other hand, the DOJ may seek to deter behavior associated with a wider range of criminal activities by pursuing jail time for a HIPAA violation.

In the case of the Massachusetts physician, it is also likely that the DOJ pursued the criminal charge because she lied about her relationship with the third party to which she disclosed patient information. My law partner Charles DeMonaco, a white collar defense attorney and former DOJ prosecutor, agrees:

It is understandable why this doctor was indicted and convicted for these offenses.  She was accused of lying to the agents, which is always a major hurdle in a criminal case.  Even if an underlying crime cannot be established, a lie of a material fact to a government agent is a stand-alone false-statement felony.  It also establishes consciousness of guilt. The doctor could have asserted her Fifth Amendment privilege against self-incrimination to avoid talking to the government agents.  It is never a good thing for a doctor to speak with agents who are investigating the doctor’s conduct without counsel and without proper protection of limited use immunity being sought prior to the interview.  The government also proved that she accepted fees from the pharma company after providing the [IIHI] in violation of HIPAA.  Under these facts, it is not surprising that this case was brought as a criminal prosecution and that a guilty verdict was returned.

Everyone subject to HIPAA should be aware that a HIPAA violation involving disclosure or breach of IIHI may be the low-hanging fruit for criminal prosecutors originally focused on other violations of law.   In particular, covered entities should carefully evaluate arrangements with third parties that involve the sharing of IIHI with those parties for commercial/personal gain or commercial harm. If the sharing of IIHI is not permitted under HIPAA and commercial gain or harm is involved, these violations could result in the most severe level of criminal penalties, including significant jail time.

Individuals who have received notice of a HIPAA breach are often offered free credit monitoring services for some period of time, particularly if the protected health information involved included social security numbers.  I have not (yet) received such a notice, but was concerned when I learned about the massive Equifax breach (see here to view a post on this topic on our Privacy Compliance and Data Security blog).

The Federal Trade Commission’s Consumer Information page sums it up well:

If you have a credit report, there’s a good chance that you’re one of the 143 million American consumers whose sensitive personal information was exposed in a data breach at Equifax… .”

I read the news reports this morning, and decided to go on the Equifax site, equifaxsecurity2017.com, to see if my information may have been affected and to sign up for credit file monitoring and identify theft protection (the services are free to U.S. consumers, whether or not affected by the breach, for one year).

The Equifax site describes the breach and lets users click on a “Potential Impact” tab to find out whether their information “may have been impacted” by the breach. Users can find out by clicking on the “Check Potential Impact” link and following these steps:

  1. Click on the below link, “Check Potential Impact,” and provide your last name and the last six digits of your Social Security number.
  2. Based on that information, you will receive a message indicating whether your personal information may have been impacted by this incident.
  3. Regardless of whether your information may have been impacted, we will provide you the option to enroll in TrustedID Premier. You will receive an enrollment date. You should return to this site and follow the “How do I enroll?” instructions below on or after that date to continue the enrollment and activation process. The enrollment period ends on Tuesday, November 21, 2017.

Before satisfying my curiosity, though, I decided to click on the “Terms of Use”, that too-rarely-used link typically included at the bottom of a webpage that sets forth the quid pro quo of using a website. Perhaps it was because my law partner (and the firm’s Chief Privacy Officer), Mark McCreary, has instilled some cautiousness in me, or because I wondered if there might be a catch. Why would Equifax offer a free year of credit monitoring to everyone, even those not affected by the breach? What would Equifax get in return?

I skimmed the “Product Agreement and Terms of Use”, noted the bolded text requiring arbitration of disputes and waiving my right to participate in a class action, but wasn’t concerned enough to resist the urge to find out if my information was affected.

I then followed the “Getting Started” process by following the TrustedID Premier link, and quickly received a notice stating that my information “may have been impacted” and that I could enroll on September 11, 2017 (my “designated enrollment date”).

Not more than a couple of hours later, I came across an article warning of the legal rights consumers give up by signing up on Equifax’s website. The article describes the arbitration clause in the Terms of Use provisions, and reports on New York Attorney General Eric Schneiderman’s tweet stating that the arbitration provision is “unacceptable and unenforceable”. The article also reports that, today, Equifax updated the Terms of Use language to include a new provision allowing a user to write to Equifax to opt-out of the arbitration provision within 30 days of the date the user first accepts the Product Agreement and Terms of Use.

My curiosity got the best of me and I now know I’m on the “affected persons” list, but I haven’t yet signed up for my free TrustedID Premier credit monitoring service. I have the weekend to decide whether to sign up for the service, and 30 days from Monday (if I actually sign up for the service) to decide whether to accept the “cost” of agreeing to binding arbitration.

The private sector is still not prepared – and generally lacks the knowledge – to respond effectively to a major cyber breach, according to 80 percent of respondents in a survey released by Fox Rothschild LLP.

“There is an alarming lack of awareness at the senior level when it comes to data governance practices in the private sector” said Fox partner Scott Vernick, who chairs the firm’s data security and privacy practice.

In its survey of cybersecurity professionals and risk experts across insurance, legal and other industries, Fox found that despite companies’ pouring real money and resources into data security:

  • 65 percent said the private sector is only “somewhat prepared” to respond to a data breach;
  • 15 percent stated it is “not prepared” at all; and
  • Only 20 percent said the private sector is “very prepared.”

The survey’s 75 respondents also expressed significant concern about senior management’s understanding of how data is, and can be, vulnerable. In fact, more than 85 percent said senior business leaders could “not accurately” or only “somewhat accurately” identify and address their companies’ data collection and storage practices.

“Companies in all sectors need to understand what types of data they collect, who has access to it and how it is stored well before a breach takes place,” Vernick added. “If they don’t follow best practices, it will cripple their ability to respond effectively and lead to costly litigation.”

In the debate over encryption and “access to data,” 84 percent of the Fox survey respondents favored the private sector’s right to guard customer data against government access in the event data was encrypted and otherwise not accessible. Nearly 75 percent also believe the private sector should be permitted to tell customers when the government subpoenas their data.

Survey respondents cited the following areas as requiring the most improvement by the private sector when it relates to cybersecurity strategy:

  • Employee training (29 percent);
  • Vendor management (24 percent);
  • Security and protection of systems, networks, firewalls and applications (19 percent);
  • Funding and resources (19 percent);
  • Encryption of data (5 percent); and
  • BYOD security (4 percent).

The following post was contributed by our colleague Lucy Li.

HIPAA itself does not provide a private right of action. So when a hacker or rogue employee impermissibly accesses or interferes with electronic data or data systems containing protected health information, an employer subject to HIPAA cannot sue the perpetrator under HIPAA.  Similarly, when a ransomware attack blocks access to protected health information, employers also cannot sue under HIPAA.  HIPAA violations and ransomware attacks and can be costly to deal with.  Just ask Hollywood Presbyterian Medical Center. But employers have one potential remedy: suing the perpetrator of the access, interference, or misuse for violating the Computer Fraud and Abuse Act (“CFAA”).

The CFAA is a federal law that prohibits fraudulent access to protected computer information. The law prevents unauthorized access or access that exceeds the user’s authority to a protected computer to obtain private information, such as patient data or trade secrets.  The law also prohibits the use of ransomware to extort money or anything of value. If these cyber-attacks occur, the CFAA allows the employer to file a civil lawsuit against the hacker or the rogue employee to recover damages for economic harm.

Best Practices and CFAA Tips

  1. Prevention is best. Encrypt your data and use sophisticated firewalls and security patches to prevent hackers from accessing protected information. Litigation is a tool to recover for economic harm, but it is costly.
  2. Limit electronic access. Give employees or contractors just enough access to perform their job duties. Nothing more.
  3. Disable log-in rights of an ex-employee or contractor as soon as the employment or contractual relationship ends.
  4. State law. The applicability of the CFAA varies by state. Individual states may also have their own causes of action under state computer fraud laws or trade secret appropriation for stealing patient lists.  These laws may be additional tools to help you recover from a HIPAA violation or a ransomware attack.

Matthew Redding contributed to this post.

It’s a familiar story: a HIPAA breach triggers an investigation which reveals systemic flaws in HIPAA compliance, resulting in a seven-figure settlement.  A stolen laptop, unencrypted data, a missing business associate agreement, and an aggressive, noncompliant contractor add to the feeling of déjà vu.

North Memorial Health Care of Minnesota, a not-for-profit health care system, settled with the Office of Civil Rights for the Department of Health and Human Services (OCR) for $1.55 million resulting from allegations that it violated HIPAA by failing to timely implement a Business Associate Agreement with Accretive Health, Inc., a major contractor, and failing to institute an organization-wide risk analysis to address the risks and vulnerabilities to its patient information.

The OCR’s investigation arose following North Memorial’s reporting of a HIPAA breach on September 27, 2011, which indicated that an unencrypted, password-protected laptop was stolen from a workforce member of a business associate’s (BA’s) locked vehicle, impacting the ePHI of almost 10,000 individuals. The investigation further revealed that, North Memorial began providing Accretive with access to its PHI on March 21, 2011, and the parties did not enter into a business associate agreement until October 14, 2011

In addition to the fine, North Memorial is required to develop policies and procedures specific to documenting the BA relationship, modify its existing risk analysis process, and develop and implement an organization-wide risk management plan. The Resolution Agreement is available here.

In a press release, OCR director Jocelyn Samuel said:

“Two major cornerstones of the HIPAA Rules were overlooked by this entity.  Organizations must have in place compliant business associate agreements as well as an accurate and thorough risk analysis that addresses their enterprise-wide IT infrastructure.”

Accretive Health, Inc. may be a familiar name to readers of this blog.  In 2012, the Minnesota Attorney General’s office filed suit against Accretive for allegedly mining, analyzing and using their hospital clients’ data for purposes that were not disclosed to patients and which may adversely affect their access to care.  This suit was subsequently settled for $2.5 million under an agreement under which Accretive agreed to cease operations in Minnesota.  The AG’s lawsuit was triggered by the same laptop theft which compromised the healthcare data of North Memorial and another facility, Fairview Health  Services.  One stolen, unencrypted laptop of a BA has resulted in over $4 million in aggregate liabilities to three covered entities.

The lessons for covered entities from this continuing saga are clear:

  • Encrypt your electronic data. All of it, everywhere it resides and whenever it is transmitted, and pay particular attention to laptops, mobile devices and media.  (While you’re at it, be sure to protect paper data as well and shred it when it is no longer needed  — it can be easily exploited by thieves and dumpster-divers).
  • Make sure you have Business Associate Agreements with all business associates, and review them to make sure they are current and require appropriate safeguards and indemnify you from the costs of the BA’s breaches.
  • Know your BAs and control what they do with your data.  Accretive’s alleged aggressive collection efforts, such as accosting patients on gurneys in the emergency department or while recovering from surgery, did not reflect well on their hospital clients.
  • Do not take your HIPAA obligations lightly.  North Memorial’s incomplete HIPAA implementation and lack of attention to risk analysis may have contributed to the severity of the result.

We know by now that protected health information (PHI) and other personal information is vulnerable to hackers.  Last week, the Washington Times reported that the Department of Health and Human Services (HHS), the agency responsible for HIPAA enforcement, had suffered security breaches at the hands of hackers in at least five separate divisions over the past three years.  The article focused on a House Committee on Energy and Commerce report that described the breaches as having been relatively unsophisticated and the responsible security officials as having been unable to provide clear information regarding the security incidents.

We know it’s not a question of “if” sensitive information maintained electronically will be compromised by a hacking or other type of cyber security incident, but “when” — regardless of who maintains it — and how destructive an incident it will be. Even HHS and its operating divisions, which include both the Office of Civil Rights (OCR), charged with protecting PHI privacy and security, and the Food and Drug Administration (FDA), the country’s principal consumer protection and health agency, are vulnerable.

Just one day before its coverage of the House Committee report on the cyber security vulnerabilities that exist within the very government agencies charged with protecting us, the Washington Times reported on an even more alarming cyber security risk: the vulnerability of common medical devices, such as x-ray machines and infusion pumps, to hacks that could compromise not just the privacy and security of our health information, but our actual physical health.

This report brought to mind a recent report on the ability of hackers to remotely access the control systems of automobiles.  While the thought of losing control of my car while driving is terrifying, the realization that medical devices are vulnerable to hackers while being used to diagnose or treat patients is particularly creepy.  The two situations may present equally dangerous scenarios, but hacking into a medical device is like hacking into one’s physical being.

So while it’s one thing to have PHI or other sensitive information compromised by a hacking incident, it’s much more alarming to think that one’s health status, itself, could be compromised by a hacker.

A Chicago record storage and disposal company has been named in a complaint filed by the Illinois Attorney General as a result of the negligent disposal of a medical practice’s patient records in an unlocked dumpster.   The complaint alleges that FileFax, Inc. violated the Illinois Consumer Fraud and Deceptive Business Practices Act by failing to handle the records entrusted to it for secure disposal by the practice, Suburban Lung Associates, as required by the Illinois Personal Information Protection Act as well as HIPAA.

Not only did FileFax allegedly discard the records in its unlocked dumpster adjacent to its place of business, but more incredibly, a FileFax employee permitted another individual to remove 1,100 pounds of records and take them to another facility for recycling.  The recycler, Shred Spot, recognized the documents as protected health records and refused to recycle them.  After consulting his trade association, the National Association for Information Destruction, Shred Spot owner Paul Kaufmann contacted the office of Attorney General Lisa Madigan, according to the Chicago Tribune.

Adding to the perfect storm, shortly after the records were delivered to Shred Spot, Dave Savini, an investigative reporter for CBS Chicago, took a film crew to the dumpster outside of the FileFax facility which remained full of Suburban Lung’s records and remained unlocked, accessible by the general public.  He noted:

“It is an identity thief’s dream, and a nightmare for patients. Medical files, tossed in the trash, contain personal information including drivers’ licenses, Social Security numbers and even medical histories.”

Watch his report here:savini-medical-files[1]
Illinois Attorney General agents and representatives of the Department of Health and Human Services then conducted a site visit of the Shred Spot facility, and documented the return of the records to the practice.

FileFax faces civil penalties and injunctive relief under the AG’s suit including a $50,000 fine for violation of the Consumer Fraud Act and an additional $10,000 for each violation that involved a senior citizen, plus costs of investigation and prosecution, along with another civil penalty of $50,000  for improperly disposing of sensitive personal information and protected health information under the state’s Personal Information Protection Act.  At this point it is not clear what additional sanctions may be sought by HHS under HIPAA.  Further, Suburban Lung Associates may face vicarious liability for the negligence of its business associate, FileFax.

My partners Elizabeth Litten and Michael Kline were quoted by Marla Durben Hirsch in the July 27, 2015 issue of Part B News in an article entitled “Faulty record disposal by business associate exposes physician practice” (subscription required).

“Reporters love to dumpster dive. It’s more sexy [than some other HIPAA violations],” says Kline. “It’s a horror show for the covered entity. And if there’s no business associate agreement, it’s even worse,” he adds.

In the interview, they emphasized the need to treat record storage and disposal companies as seriously as other third-party contractors handling patient-related items, to verify a vendor’s HIPAA compliance efforts before engaging them and to continue monitoring their compliance.

“Consider medical information as other waste, as if it’s toxic. If it’s not disposed of properly, there could be liability,” says Litten.

Further, a covered entity’s business associate agreement is its best defense when a business associate drops the ball.  “You need to know that the business associate knows and complies with HIPAA and state law,” says Litten.

In addition, business associates should be required to report to covered entities within a few days of discovering a breach, and should be required to pay for any costs incurred by the covered entity they have caused, including credit monitoring.

Guest Blogger: Violetta Abinaked, Summer Associate (originally posted by Mark McCreary’s on Privacy Compliance & Data Security)

With data breaches being the quickly trending “flavor of the month” criminal activity, it’s no shock that on June 4, 2015 yet another system was hit. This time though, it may be one of the largest cyberattacks in U.S. history—compromising as many as 4 million current and former federal employees’ information. The U.S. Office of Personnel Management (OPM) handles security clearances and background checks and although many would assume that its security is top-notch, the facts on the ground reveal that every place taking in sensitive information—including the government—must update its privacy infrastructure.

In his press statement on Thursday, Rep. Adam Schiff, the ranking member of the House Permanent Select Committee on Intelligence echoed that sentiment and stated that “Americans may expect that federal computer networks are maintained with state of the art defenses [but] it’s clear a substantial improvement in our cyber-databases defenses is perilously overdue. This does not only apply to systems of this magnitude.

Any business that maintains data bases with private information must invest in the proper privacy infrastructure necessary to protect that information. Cyberattacks do not discriminate. From major retailers to well-respected state universities, data breaches run the gamut and from the looks of Thursday’s attack, they are getting more sophisticated. OPM is now working closely with the FBI and the U.S. Department of Homeland Security’s U.S. Computer Emergency Readiness Team to attempt to identify the extent of the harm on federal personnel. But not everyone has the luxury of the entire U.S. government as a “crisis manager” so preventive measures for businesses will make a difference.

At this time, one of the most troubling facts of cyberattacks is that the source is difficult to locate. Sen. Susan Collins, a member of the Senate Intelligence Committee, said the hack was “extremely sophisticated,” and “that points to a nation state” as the responsible party, likely China. No conclusive source has been discovered yet but the lesson here is clear—with private information being involved in almost every aspect of business, measures must be taken to protect it.

Our partner Elizabeth Litten and I were quoted by our good friend Marla Durben Hirsch in her recent article in Medical Practice Compliance Alert entitled “Doctor is Arrested for Stealing Thousands of Patient Records.”  While the full text can be found in the February 16, 2015 issue of Medical Practice Compliance Alert, the following considerations are based upon points discussed in the article.

A theft of patient protected health information (“PHI”) may invoke more than federal and state privacy laws.  It can also mean criminal charges under state penal laws. Radiologist James Kessler learned the hard way when he was arrested for allegedly stealing the PHI of nearly 100,000 patients.

Elizabeth was quoted as observing, “There is no indication that it was difficult for Kessler to do this.  He didn’t treat all 100,000 patients, so why did he have the ability to copy all of those files?  There are technical safety mechanisms and audit controls to limit that access.”

The article pointed out that in some multi-physician situations, ownership of records may need to be negotiated, and the contract may need to specify who gets which records in the event of a separation.  For example, if a physician brings patients to a practice, the employee may be entitled to own and take those patients’ records.

I was quoted by Marla: “Implement safeguards to reduce the risk that an employee can access records outside of his or her job responsibilities.  Also ensure that the practice provides HIPAA training, so that if an employee does violate HIPAA the action is less likely to be attributed to the employer.”

In the article Elizabeth explained that it is important to have an action plan to handle data breaches.  “Be prepared to investigate an incident that may be a security breach using the four steps required by HIPAA’s breach-notification requirements to see whether the breach needs to be reported,” she noted.  “Also be prepared to report a breach not only to the HHS and the state under HIPAA and state-notification laws but also to law enforcement when dealing with criminal activity such as theft and hacking.”

Elizabeth also advises in the article to make sure that the employment agreement complies with state law.  “Many states have laws regarding the reach of an employment agreement with physicians, such as reasonable non-competes and continuity of care provisions,” she says. “For instance, it varies whether an individual doctor or the practice itself is seen as having the relationship with the patients; there may even be state laws on the rights of patients in the event of a physician’s separation from a practice.”

The article points out that there are many complexities involved in the ownership, custody, creation, access, use, maintenance, transmission and retention of PHI. It may not be possible to prevent hacking or theft of PHI, even with reasonable security and privacy policies and procedures in place that are being followed.  However, if a breach or other adverse event occurs, the covered entity or business associate will be well-served by being able to demonstrate that it had and followed such policies and procedures if and when a regulatory authority or court is reviewing a HIPAA violation and determining potential responsibility and liability.