HIPAA

Subscribe to HIPAA

The aftermath of the Orlando nightclub tragedy has led to much discussion about ways that healthcare providers can and should deal with compliance with health information privacy requirements in the face of disasters that injure or sicken many individuals in a limited time frame. One aspect is the pressure to treat patients while simultaneously fulfilling the need to supply current and relevant information to family, friends and the media about patient status without breaching HIPAA by improperly disclosing protected health information (PHI).

Our partner Elizabeth Litten has already posted a prior blog entry on some HIPAA issues that surfaced in the Orlando disaster. She and I were recently featured again by our good friend Marla Durben Hirsch in her article in the August, 2016 issue of Medical Practice Compliance Alert entitled “After Orlando: Keep family, friends informed without violating HIPAA.” Full text can be found in the August, 2016 issue, but a synopsis is below.

Some of the tips provided by Litten and Kline in the article include the following:

  1. Kline: Review and update your practice’s disaster/emergency plan. “[Orlando] was such a disaster, and [there was an appearance created that] the hospital didn’t approach it with calmness and a professional approach.”
  2. Litten: One of the easily forgotten parts of HIPAA is that a covered entity can exercise professional discretion. “It’s best if the patient can agree [to the disclosure]. But if the patient can’t give consent, the provider has ways to provide information and exercise that discretion.” Kline added, “So there’s no need for a HIPAA waiver; the rule anticipates such situa­tions.”
  3. Litten: Make sure that the practice’s desig­nated spokesperson is knowledgeable about HIPAA. “This includes what can and can’t be divulged to friends, family members and the media.
  4. Litten: Educate clinicians on professional discretion. “Remember when disclosing information to view it through the eyes of the patient. If you reasonably believe that a patient would want the information communicated, it’s OK. The professional is acting as proxy for a patient who can’t speak.” 
  5. Kline: Share contact information so staff can quickly get guidance from the practice’s compliance officer, especially during emer­gency situations. “For instance, a clinician being bombarded in the emergency department may have a question regarding whether she can tell a patient’s relative that the patient has been treated and released (she can).”
  6. Kline: Add this information to your practice’s HIPAA compliance program. “If you have policies and procedures on this, docu­ment that training occurred, and [if it] can show you attempted to comply with HIPAA, a court would be very hard pressed to find liability if a patient later claims invasion of privacy.” 
  7. Kline: Don’t discriminate. “So clinicians exercis­ing their professional discretion in informing friends and family members need to be gender neutral and objective.”
  8. Kline and Litten: Train administrative staff about HIPAA. “Not only should medical staff know the rules, but so should other staff members such as front desk staff, managers and billing personnel. It’s pretty bad when the head of a hospital is so uninformed about HIPAA that he provides misinformation to the mayor.”
  9. Kline and LittenHighlight the limitations of the disclosure. “You can’t go overboard and reveal more than is allowed. For instance, a provider can tell a friend or family member about an incapacitated patient’s location, general condition or death. But that doesn’t mean that he can divulge that the lab tests indicate the patient has hepatitis. HIPAA also requires that a disclosure be made only of information that’s ‘minimally necessary.'”

Planning ahead by healthcare providers can help them comply with HIPAA if a disaster situation occurs to keep family and friends informed as to patient status, while contemporaneously carrying out their most important tasks: saving lives, alleviating pain and providing quality care to victims. This approach, however, combined with a good helping of common sense and professionalism, is not confined to disasters – it should be the practice of providers for non-emergent situations as well.

 

We blogged on this back in early May, but compliance with individuals’ rights to access their PHI under HIPAA is even more critical now that OCR has announced that its current HIPAA audits will focus on an audited Covered Entity’s documentation and process related to these access rights.

In an email sent to listserv participants on July 12, 2016 from OCR-SECURITY-LIST@LIST.NIH.GOV, the U.S. Department of Health and Human Services (HHS) included the following list of areas of focus for the desk audits:

Requirements Selected for Desk Audit Review
Privacy Rule
Notice of Privacy Practices & Content Requirements  [§164.520(a)(1) & (b)(1)]
Provision of Notice – Electronic Notice   [§164.520(c)(3)]
Right to Access  [§164.524(a)(1), (b)(1), (b)(2), (c)(2), (c)(3), (c)(4), (d)(1), (d)(3)]
Breach Notification Rule
Timeliness of Notification  [§164.404(b)]
Content of Notification  [§164.404(c)(1)]
Security Rule
Security Management Process —  Risk Analysis  [§164.308(a)(1)(ii)(A)]
Security Management Process — Risk Management  [§164.308(a)(1)(ii)(B)]

As discussed in our prior post, HHS issued guidance regarding individuals’ rights to access PHI earlier this year. Here is a link to this PHI access guidance:  Individuals’ Right under HIPAA to Access their Health Information | HHS.gov

The HHS access guidance stresses that Covered Entities should provide individuals with “easy access” to their PHI and cannot impose “unreasonable measures” on the individuals with respect to this right to access. The HHS access guidance provides important information regarding the different rules that apply when an individual provides a signed authorization for release of their PHI versus when an individual is really making a request for access to his or her PHI.

If an individual is asking for the PHI to be provided to him or her, this is really a request for access even if the individual is providing a signed authorization for release of the PHI.

If the individual is asking the PHI to be directed to a third party, this can be either a situation when a signed authorization is needed or can be an access request, depending on who is really originating the request (the individual or the third party). A Covered Entity cannot require an individual to provide a signed authorization to make an access request.  A Covered Entity can require that the access request be in writing and can require use of a form as long as it does not impose undue burden on the individual’s right to access.

The HHS access guidance also indicates that if an individual requests that his or her PHI be provided by email, the Covered Entity is required to do so and further, if the individual requests in writing that the PHI be provided by unsecure, unencrypted email, the Covered Entity is required to do so after notifying the individual in writing of the risks of this method of transmission. (This notice can be included on the access request form.)

As a result of the HHS access guidance, a Covered Entity may need to review and amend its HIPAA Privacy Policies and Procedures governing individual rights with respect to access to PHI, the form it uses for individual access requests, and its employee training protocols to be sure employees aren’t requiring a patient  (or member, in the case of a health plan Covered Entity) to sign an authorization form when the patient is requesting access to PHI.

Contributed by Elizabeth R. Larkin and Jessica Forbes Olson

Health care providers know about and have worked with HIPAA privacy and security rules for well over a decade. They have diligently applied it to their covered entity health care provider practices and to their patients and think they have HIPAA covered.

What providers may not realize is that they may actually have two separate HIPAA covered entities. A provider that offers an employee group health plan (which includes a self-insured medical, dental, or vision plan, an employee assistance program, a health reimbursement arrangement, and any health flexible spending account benefits) has a covered entity health plan and there are some additional and different HIPAA requirements that must be addressed.

Health care providers need to ensure they have implemented HIPAA for their covered entity group health plans and plan participants (employees) and their dependents who are enrolled in coverage. Providers should not rely on the HIPAA compliance documentation that they use for patients for use with their group health plans.

HIPAA applies differently to covered entity health care providers and covered entity group health plans. For example:

  • A group health plan is required to have a HIPAA plan document amendment that includes specific promises to comply with the HIPAA rules, including an obligation of the plan sponsor (employer) to not use protected health information (PHI) for employment related reasons or for any benefits other than the group health plan without signed authorizations from impacted group health plan participants and their dependents. The plan document amendment needs to be adopted (signed) in the same manner as other group health plan amendments.
  • A group health plan needs to indicate in the plan document amendment which employees are allowed to have access to group health plan PHI to perform group health plan administration activities. This will be limited to a small group of individuals (e.g., individuals in HR/benefits and payroll and IT personnel who provide support services to them along with the HIPAA privacy and security officials for group health plans).
  • A group health plan is required to have a document certifying that they have the appropriate HIPAA plan document amendment in place.
  • HIPAA training for the group health plans is limited to those workforce members listed in the HIPAA plan amendment as being entitled to access PHI in connection with performing plan administration functions (instead of the entire company workforce).
  • A group health plan needs its own HIPAA notice of privacy practices that describes how the group health plan will use and disclose PHI, which will be different from the notice of privacy practices it uses as a health care provider. (For example, one main reason a provider will use PHI is for treatment for its patients.  This will not apply to a group health plan since it does not provide treatment, but instead pays for covered treatment.)
  • The posting and distribution requirements for a group health plan notice of privacy practices to plan participants are different than the posting and distribution requirements that apply to patients.
  • A group health plan may not have to comply with more stringent state privacy or security laws due to ERISA preemption.
  • A group health plan needs HIPAA policies and procedures, but due to the differences between covered entity providers and covered entity group health plans, they will be different.
  • A group health plan needs a HIPAA privacy and HIPAA security official appointed. They can be the same individuals that act in this capacity for the covered entity provider, but do not have to be and often are not, at least for the HIPAA privacy official.  Group health plans often appoint as their HIPAA privacy official someone senior who is responsible for overseeing employee benefits (e.g., VP of Compensation and Benefits or Director of Benefits), while covered entity providers often appoint an organization-wide compliance officer or someone who works closely with that person to be the HIPAA privacy official.

The U.S. Department of Health and Human Services (HHS) is in the process of selecting covered entities and their business associates to audit for HIPAA compliance, and it is possible that HHS could select the health care provider’s covered entity group health plan to audit rather than (or in addition to) the covered entity health care provider practice. HHS can impose separate penalties for covered entity group health plan violations.  The range of possible penalties is the same for covered entity group health plans and covered entity health care providers.

Not only do covered entity health care providers have an obligation to ensure that their separate covered entity group health plans are in compliance with HIPAA, it will reflect poorly on a practice to have a HIPAA violation with respect to its group health plan. If you don’t comply with HIPAA for your employee group health plans, patients may assume that you don’t comply with HIPAA for your practice.

In short, health care providers need to make certain that they comply with HIPAA with respect to both their practices and their employee group health plans.

My heart goes out to any family member trying desperately to get news about a loved one in the hours and days following an individual or widespread tragedy, irrespective of whether it was triggered by an act of nature, an act of terrorism, or any other violent, unanticipated, life-taking event. My mind, though, struggles with the idea that HIPAA could actually exacerbate and prolong a family member’s agony.

HIPAA is, generally speaking, intended to protect our privacy when it comes to health status, treatment, or payment and to facilitate appropriate access to our health information. But, as is typical with federal laws intersecting areas historically governed by State law, HIPAA defers to State law in some key respects.  For example, if a HIPAA provision is contrary to a similar provision of State law, it preempts State law unless the State law relates to the privacy of individually identifiable health information and is “more stringent” than the comparable HIPAA provision.  HIPAA also references “applicable law” in describing who can get information as a personal representative of an individual or act on behalf of a deceased individual.

So what does this mean in the context of family members seeking information about loved ones following the devastating Orlando, Florida night club shooting or following some other violent tragedy?

If a victim is hospitalized and a friend or family member is trying to get information about the victim, HIPAA permits the hospital to share information under the following circumstances:

*          A hospital may use protected health information (PHI) to notify or assist in the notification of a family member, personal representative or other person responsible for the patient’s care of the patient’s location, general condition or death

*          A hospital can use a facility directory to inform visitors and callers of a patient’s location and general condition

*          A hospital can release information as to the victim of a crime in response to law enforcement’s request for such information under certain circumstances, and law enforcement can notify the families

*          If the patient is competent, the patient can tell the hospital that it may release all information to their family and friends

*          If the patient is not competent to authorize release of information, a “personal representative” (a person authorized under State law to act on behalf of the patient to make health care decisions) can have all information necessary to make decisions.  That person can also authorize release of information to others

Sadly, the agony of loved ones seeking information about a patient may be prolonged if they are not viewed as family members or if State law does not recognize the loved one as a “personal representative”.  Sure, the federal Department of Health and Human Services (HHS) could amend the HIPAA regulations to deem certain individuals (for example, same-sex partners who are not legally married) to be personal representatives for purposes of access to PHI.  [Note: HHS treats legally married same-sex spouses as “family members” under HIPAA — see special topic publication available here.]

However, if the State law does not recognize these certain individuals as personal representatives, perhaps because the State law is “more stringent than” HIPAA in affording the patient greater privacy, HHS might also have to amend its HIPAA preemption regulations.

Hospitals and other health care professionals are constantly called upon to exercise discretion in dealing with requests for PHI from family members and loved ones of patients while complying with HIPAA.   HIPAA regulations may need to be modified or perhaps could be “waived” (as described yesterday’s Washington Post article) in some cases, but only when doing so furthers the fundamental HIPAA goals of privacy protection and facilitation of appropriate access.

Because of the enormity of the Orlando tragedy, some State legislatures may be expected to consider whether changes are necessary to promote information sharing in exigent circumstances while preserving the State’s interest in affording patients greater privacy protection than that afforded by HIPAA.

Daily struggles to protect personal data from hacking, phishing, theft and loss make it easy to forget that HIPAA is not just about privacy and security.  It also requires covered entities (CEs) to make an individual’s protected health information (PHI) accessible to the individual in all but a few, very limited circumstances.  Recent guidance published by the Department of Health and Human Services (HHS Guidance) emphasizes the need for covered entities to be able to respond to an individual who says “I want my PHI” in a way that complies with HIPAA and state law access requirements, even when these requirements seem confusing and contradictory.

HIPAA authorizations are, perhaps, one of the most commonly misunderstood and misused forms. The HHS Guidance helpfully reminds CEs that authorizations are not needed for a CE to share PHI for treatment, payment and health care operations, and, of course, a CE can share PHI with a business associate under a HIPAA-compliant business associate agreement.  But when an individual requests PHI, whether directly or through a third party, it’s critical that the CE understand whether it is an access request or a request for disclosure pursuant to a HIPAA-compliant authorization.

My law partner and fellow HIPAA enthusiast Beth Larkin comments on some of the difficulties a CE faces when responding to an individual’s access request, highlighting the need to distinguish between an access request and disclosure pursuant to an authorization:

The HHS guidance wants CEs to provide individuals “easy access” to their health information.  CEs still, however, have to deal with other HIPAA requirements, including verification of the identity of the requestor, securing the PHI from unauthorized access and determining breach if there is unauthorized access.  Also, it is not always clear whether a patient is exercising an access right or requesting PHI pursuant to an authorization.  The patient may not know the difference and just indicates he or she wants copies of records and may present either an access request or an authorization form.

The HHS Guidance explains that while a CE can require an individual to submit a written access request, it can’t do so in a manner that creates a barrier or would delay the individual’s access:

For example, a doctor may not require an individual: …  [t]o use a web portal for requesting access, as not all individuals will have ready access to the portal …

If a CE uses a written form for individuals to request access to records (and ensures the form is readily accessible in multiple ways), the CE should give individuals as much information as possible about each form.

For example, as illustrated in the chart included in the HHS Guidance, a HIPAA authorization permits, but does not require, a CE to disclose the PHI.  An access request requires the disclosure (and requires the CE to act on the request within 30 days).  In addition, HHS explains that fees charged by the CE are limited when the individual requests access, and not when PHI is requested pursuant to an authorization (though certain charges might be prohibited under HIPAA regulations proscribing the receipt of remuneration for the disclosure of PHI). Finally, HHS notes that PHI sent pursuant to an authorization must be sent securely, while an individual can request that PHI sent pursuant an access request can be sent through an unsecure medium (though the risks of such a choice should be communicated to the individual if feasible).  If the CE makes all of this information clear and encourages the individual to ask questions as to which form should be used, it seems reasonable for a CE to then be able to rely on the individual’s choice of form.

When a third party requests an individual’s PHI, though, it can be especially difficult for a CE to figure out whether an authorization form has been sent when an access request would have been appropriate. Here, HHS suggests the CE reach out to the individual:

Where it is unclear to a covered entity, based on the form of request sent by a third party, whether the request is an access request initiated by the individual or merely a HIPAA authorization by the individual to disclose PHI to a third party, the entity may clarify with the individual whether the request was a direction from the individual or a request from the third party.

In short, if a HIPAA authorization is really an individual’s misguided attempt to say “I want my PHI!”, the CE will need to make sure it follows the individual access right requirements in responding.

Our partner Elizabeth Litten and I were featured again by our good friend Marla Durben Hirsch in her article in the April 2016 issue of Medical Practice Compliance Alert entitled “5 safeguards to take with patient-employee health records.” Full text can be found in the April, 2016 issue, but a synopsis is below.

For her article, Marla asked us to comment about physician medical practices that provide medical treatment to their own employees and other staff or affiliates (collectively, “Patient-Employees”). She observed that “These medical records [of Patient-Employees] are not fair game for colleagues to view unless there’s a job-related reason for them to do so.”

Marla quoted Kline as saying that “It’s human nature to talk about others [that you know]. You also have rogue employees who are ‘frenemies’ [Or simply curious about a co-worker’s treatment].” Nonetheless, as Marla observed, events of improper access are not just potential HIPAA violations; they can also have a negative impact on the workplace.

Our five tips for reducing the risks of improper breaches of Patient-Employees’ health information that were developed with Marla follow:

Litten: Include employee privacy in your HIPAA education. “This is a topic for specific training.” For example, make sure that everyone in the office knows the practice’s HIPAA policies and procedures, and that all patients, even those who are employees are entitled to their privacy rights. Emphasize the fact that employees should only review records when it is necessary to do their job.

Kline: Limit access to the records. “For instance, not all employees need unfettered access to electronic medical records, so different staff members can have different levels of access.    Human resources shouldn’t be able to find out that an employee came in for [medical] help.”

Litten and Kline: Take consistent disciplinary action when warranted. An employee may need to be retrained, disciplined or even fired, and treat all workforce members the same, whether licensed professionals or other staff.

Litten: Require staff to report these kinds of breaches. “At the least the practice can argue that the employee had an obligation to report, and by not doing so the fault lay with the employee, not the employer.”

Litten and Kline: Don’t let Patient-Employees take shortcuts to access their records. All patients are entitled to access their records; Patient-Employees should be required to go through the same procedures to access their records as any non-Patient-Employee.

In this ever more-challenging environment of compliance with the privacy and security requirements of HIPAA (and other applicable federal and state laws), a health care provider should limit the risks appurtenant to providing treatment to its own employees as patients, especially since it may be an economical and efficient alternative. There are enough external risks lurking about. Through establishing discrete policies and procedures, a provider can do much to control its internal risks involving Patient-Employees.

“Maybe” is the take-away from recent guidance posted on OCR’s mHealth Developer Portal, making me wonder whether the typical health app user will know when her health information is or is not subject to HIPAA protection.

The guidance is clear and straightforward and contains no real surprises to those of us familiar with HIPAA, but it highlights the reality that HIPAA, originally enacted close to 20 years ago, often becomes murky in the context of today’s constantly developing technology. Here’s an excerpt from the guidance that illustrates this point:

Consumer downloads to her smart phone a mobile PHR app offered by her health plan that offers users in its network the ability to request, download and store health plan records. The app also contains the plan’s wellness tools for members, so they can track their progress in improving their health.  Health plan analyzes health information and data about app usage to understand the effectiveness of its health and wellness offerings.  App developer also offers a separate, direct-to-consumer version of the app that consumers can use to store, manage, and organize their health records, to improve their health habits and to send health information to providers.

Is the app developer a business associate under HIPAA, such that the app user’s information is subject to HIPAA protection?

Yes, with respect to the app offered by the health plan, and no, when offering the direct-to-consumer app. Developer is a business associate of the health plan, because it is creating, receiving, maintaining, or transmitting protected health information (PHI) on behalf of a covered entity.  Developer must comply with applicable HIPAA Rules requirements with respect to the PHI involved in its work on behalf of the health plan.  But its “direct-to-consumer” product is not provided on behalf of a covered entity or other business associate, and developer activities with respect to that product are not subject to the HIPAA Rules.  Therefore, as long as the developer keeps the health information attached to these two versions of the app separate, so that information from the direct-to-consumer version is not part of the product offering to the covered entity health plan, the developer does not need to apply HIPAA protections to the consumer information obtained through the “direct-to-consumer” app.

So if I download this app because my health plan offers it, my PHI should be HIPAA-protected, but what if I inadvertently download the “direct-to-consumer” version? Will it look different or warn me that my information is not protected by HIPAA?  Will the app developer have different security controls for the health plan-purchased app versus the direct-to-consumer app?

HIPAA only applies to (and protects) individually identifiable health information created, received, maintained or transmitted by a covered entity or business associate, so perhaps health app users should be given a “Notice of Non-(HIPAA) Privacy Practices” before inputting health information into an app that exists outside the realm of HIPAA protection.

The following post was contributed by our colleague Lucy Li.

HIPAA itself does not provide a private right of action. So when a hacker or rogue employee impermissibly accesses or interferes with electronic data or data systems containing protected health information, an employer subject to HIPAA cannot sue the perpetrator under HIPAA.  Similarly, when a ransomware attack blocks access to protected health information, employers also cannot sue under HIPAA.  HIPAA violations and ransomware attacks and can be costly to deal with.  Just ask Hollywood Presbyterian Medical Center. But employers have one potential remedy: suing the perpetrator of the access, interference, or misuse for violating the Computer Fraud and Abuse Act (“CFAA”).

The CFAA is a federal law that prohibits fraudulent access to protected computer information. The law prevents unauthorized access or access that exceeds the user’s authority to a protected computer to obtain private information, such as patient data or trade secrets.  The law also prohibits the use of ransomware to extort money or anything of value. If these cyber-attacks occur, the CFAA allows the employer to file a civil lawsuit against the hacker or the rogue employee to recover damages for economic harm.

Best Practices and CFAA Tips

  1. Prevention is best. Encrypt your data and use sophisticated firewalls and security patches to prevent hackers from accessing protected information. Litigation is a tool to recover for economic harm, but it is costly.
  2. Limit electronic access. Give employees or contractors just enough access to perform their job duties. Nothing more.
  3. Disable log-in rights of an ex-employee or contractor as soon as the employment or contractual relationship ends.
  4. State law. The applicability of the CFAA varies by state. Individual states may also have their own causes of action under state computer fraud laws or trade secret appropriation for stealing patient lists.  These laws may be additional tools to help you recover from a HIPAA violation or a ransomware attack.

This week’s headlines read: “Scalia’s death probably linked to obesity, diabetes and coronary artery disease, physician says” and “Scalia suffered from many health problems”.   An article from a couple of weeks ago, immediately following reports of Justice Scalia’s February 13th death, reported that Scalia’s doctor said he had chronic cardiovascular disease.

These articles do not say whether the physician(s) who released Scalia’s health information did so in compliance with HIPAA, or whether any subsequent release of this information was HIPAA-compliant. The HIPAA regulations make it clear that the death of an individual does not mean the death of that individual’s right to have his or her individually identifiable health information protected under HIPAA (at least, not until the individual has been deceased for more than 50 years).

Justice Scalia’s status as a public figure, and the public’s general interest in the news of his death, also does not affect his HIPAA rights. As noted in Bill Maruca’s post about New York Giants’ defensive end Jason Pierre-Paul’s injuries last summer, there is no “public figure exception” to HIPAA.  Bill also accurately noted, in his blog about the Ebola cases treated in Texas in 2014, that there is no HIPAA exception for “newsworthy or unusually terrifying medical conditions.”

HIPAA permits a covered entity to disclose protected health information (PHI) to a coroner or medical examiner for the purpose of identifying a cause of death, but does not authorize  the coroner or medical examiner to further disclose the PHI. Because HIPAA also permits an executor, administrator, or other person who has authority to act on behalf of a deceased individual to act as the deceased person’s personal representative, such an authorized person might have provided a HIPAA-compliant authorization to Scalia’s health care providers to disclose Scalia’s PHI to third parties.  In addition, there are other ways in which PHI of someone who has died might be disclosed in compliance with HIPAA, but none of the articles I read provide the detail needed to see whether these circumstances existed.

The articles do, however, make it clear that the late Justice suffered an array of health issues that were not publicized prior to his death.

What would Justice Scalia have said, if, in fact, his PHI was disclosed improperly? His decisions involving the Fourth Amendment may provide some clues, but they are not precisely on point, and we cannot ask the Justice.  We can simply remind covered entities that HIPAA protections have an after-life —  and deserve (in fact, require) post-mortem respect.

 

Whether it was an apple or a quince, pomegranate, or some other more botanically-likely fruit growing in the Garden of Eden, God’s command in Genesis was clear: do not eat the fruit from the tree of the knowledge of good and evil.  When Adam and Eve ate the apple (or other fruit) anyway, they gained knowledge of evil (they already knew good).

Apple
Copyright: Spanishalex / 123RF Stock Photo

Many thousands of years later, the battle between Apple and the FBI over device encryption oddly echoes themes from this ancient biblical story.   Is the knowledge of evil potentially gained by unlocking an evildoer’s iPhone worth breaking society’s trust in the security of encryption?

Our law partner Amy Purcell recently posted the following on the Fox Rothschild “Privacy Compliance & Data Security” blog:

Fox Partner and Chair of the Privacy and Data Security Practice Scott L. Vernick was a guest on Fox Business’ “The O’Reilly Factor” and “After the Bell” on February 17, 2016, to discuss the controversy between Apple and the FBI over device encryption.

A federal court recently ordered Apple to write new software to unlock the iPhone used by one of the shooters in the San Bernardino attacks in December. Apple CEO Tim Cook has vowed to fight the court order.

The Federal Government vs. Apple (The O’Reilly Factor, 02/17/16)

Apple’s Privacy Battle With the Federal Government (After the Bell, 02/17/16)

I agree with Scott.

In January, I wrote here about the FTC’s announcement of a settlement with Henry Schein Practice Solutions, Inc. for falsely advertising that the software it marketed to dental practices provided the encryption necessary to protect patient data from breach. In reality, the software did not encrypt the data, but merely “camouflaged” or masked it from access by third parties.  The FTC’s action and settlement seemed to reflect the fact that encryption is viewed as the “gold standard” for protecting protected health information and other sensitive personal information, and advertising that a software product provides encryption when it really doesn’t is a problem.

If Apple is forced to create software that will break “gold standard” encryption so the FBI can gain knowledge of the evil that may lurk within a particular iPhone, this “gold standard” will be immediately devalued. In the HIPAA context, we will need another technology to render PHI “unusable, unreadable, or indecipherable to unauthorized persons” because, in essence, the biblical apple will have been bitten.