Office of Civil Rights

Subscribe to Office of Civil Rights

Our partner Elizabeth Litten and I were quoted by our good friend Marla Durben Hirsch in her article in Medical Practice Compliance Alert entitled “6 Compliance Trends Likely to Affect Your Practices in 2016.” Full text can be found in the January 13, 2016, issue, but a synopsis is below.

For her article, Marla asked various health law professionals to make predictions on matters such as HIPAA enforcement, the involvement of federal agencies in privacy and data security, and actions related to the Office for Civil Rights (“OCR”) of the federal Department of Health and Human Services (“HHS”).

After the interview with Marla was published, I noted that each of Elizabeth’s and my predictions described below happened to touch on our anticipation of the expansion by HHS and other federal agencies of their scope and areas of healthcare privacy regulation and enforcement. I believe that this trend is not a coincidence in this Presidential election year, as such agencies endeavor to showcase their regulatory activities and enlarge their enforcement footprints in advance of possible changes in the regulatory environment under a new administration in 2017. If an agency can demonstrate effectiveness and success during 2016 in new areas, it can make a stronger case for funding human and other resources to continue its activities in 2017 and thereafter.

Our predictions that were quoted by Marla follow.

Kline Prediction: Privacy and data enforcement actions will receive more attention from federal agencies outside of the OCR.

In light of the amount of breaches that took place in 2015, the New Year will most likely see an increase of HIPAA enforcement. However, regulators outside of healthcare –such as the Department of Homeland Security, the Securities and Exchange Commission and the Federal Communications Commission — also try to extend their foothold into the healthcare compliance realm, much in a way that the Federal Trade Commission has.

Litten Prediction: The Department of Justice (DOJ) and the OCR will focus more on individual liability

In September of 2015, the DOJ announced through the Yates Memo, that they would be shifting their strategy to hold individuals to a higher level of accountability for an entity’s wrongdoing. The OCR has also mentioned that they will focus more on individuals who violate HIPAA. “They’re trying to put the fear in smaller entities. A small breach is as important as a big one,” says Litten.

Kline Prediction: OCR will examine business associate relationships.

The HIPAA permanent audit program, which has been delayed by the OCR, will be rolled out in 2016 and will scrutinize several business associates. In turn, all business associate relationships will receive increased attention.   According to Kline, “There will be more focus on how you selected and use a business associate and what due diligence you used. People also will be more careful about reviewing the content of business associate agreements and determining whether one between the parties is needed.”

We shall continue to observe whether the apparent trend of federal agencies to grow their reach into regulation of healthcare privacy continues as we approach the Presidential election.

Our partner Elizabeth Litten and I were once again quoted by our good friend Marla Durben Hirsch in her recent articles in Medical Practice Compliance Alert entitled “Misapplication of Internet Application Triggers $218,400 Settlement” and “Protect Patient Data on the Internet with These 6 Steps.”  The three of us together were able to come up with a number of ideas to assist physicians in improving the likelihood that protected health information (“PHI”) will be more secure. The full text can be found in the August 17, 2015 issue of Medical Practice Compliance Alert, but a synopsis of our input is included below.

Internet applications and files should be included in a physician practice’s HIPAA compliance plan, or a violation may result.  As an example, St. Elizabeth’s Medical Center (“SEMC”) in Brighton, MA recently settled several potential HIPAA violations for $218,400 with the Office of Civil Rights (“OCR”) of the Department of Health and Human Services (“HHS”).  One of the incidents involved SEMC’s use of an unauthorized internet-based document. The size of this settlement highlights the concerns of OCR about misuse by healthcare providers of internet-based document sharing or other applications.

Some steps to protect patient data on the internet include the following:

  1. Review the internet applications your practice uses. Litten says, “Take steps such as encryption to protect the data when it’s shared, transmitted and stored.”
  2. Ask the application’s manufacturer about its security safeguards. “If a manufacturer claims that (its application) is HIPAA protected, ask what that means,” Litten urges.
  3. Investigate all internal and external complaints and concerns. Kline says, “Expect the government to find out about PHI exposed on the Internet from a third party.”
  4. Keep track of the steps you take to identify and fix the problem. “You do better if you have a history that you endeavored to comply with HIPAA,” says Kline.
  5. Provide a mechanism by which employees can report concerns anonymously. Kline suggests, “You need a private place where people feel they’re not being watched.”
  6. Don’t allow staff to use unauthorized public networks. “Don’t open documents in, say, a Starbucks,” warns Litten.

In summary, in order for physicians to protect their practices, they must be certain that they understand HIPAA obligations with respect to privacy and security in the context of internet application usage.

As she had done in 2014, Marla Durben Hirsch interviewed my partner Elizabeth Litten and me for her annual Medical Practice Compliance Alert article on compliance trends for the New Year.  While the article, which was entitled “6 Compliance Trends That Will Affect Physician Practices in 2015,” was published in the January 5, 2015 issue of Medical Practice Compliance Alert, a synopsis of the article can be found here. As we have previously pointed out, we always enjoy our talks with Marla because she never fails to direct our thinking to new areas.   We look forward to the opportunity for further encounter sessions with her.

While the article discussed a diverse range of topics affecting physician practices, including accountable care organizations (ACOs) and telemedicine, this blog post will focus on HIPAA-related areas.

Even more HIPAA and related enforcement activities can be expected in 2015.

The article observed that providers will not see a reprieve in this area. Breaches of patient and consumer data continue to proliferate; the tremendous publicity that breaches outside of the HIPAA area have received, such as the hacking of Home Depot and Sony, will create more pressure on HHS’ Office for Civil Rights (OCR) to enforce HIPAA breaches.  The article quotes us as saying “It’s [A HIPAA privacy breach is] very personal to people when their health data is filched; it’s creepy.”  

The article also quotes Elizabeth, who warns that practices also should expect increased activity by the Federal Trade Commission in the area of healthcare data breaches through its enforcement of consumer protection laws and from the Food and Drug Administration’s protection of the integrity of medical devices, even though those federal agencies do not have the same comprehensive standards and clear regulations that OCR does to enforce HIPAA.

Additionally, there is likely to be more private litigation using HIPAA compliance as the standard of care, even though HIPAA itself does not give patients the right to sue for violations. The November 2014 ruling in the Connecticut Supreme Court discussed on this blog here and here recognized HIPAA’s requirements as a standard of care in a state breach of privacy lawsuit. Elizabeth and I observed that the Connecticut case will spawn copycat lawsuits using HIPAA the same way for state breaches of privacy, negligence and other causes of action.

Covered entities and business associates will refine their agreements, all as they come under more scrutiny.

Many practices and their business associates scrambled to sign business associate agreements (BAAs), often using model forms from OCR and professional societies, to ensure that they had them in place by the September 2013 effective date — and for those who needed only to update an existing BAA, September 2014. However, as discussed in the article, covered entities and business associates now are negotiating the language in BAAs and customizing them to their individual needs, such as choice of law and indemnification requirements.

One provision that may become more prevalent in newer BAAs would allow a business associate that deals with large amounts of data — such as a cloud electronic health records vendor — to use covered entity’s de-identified patient data for the business associates’ own uses. An industry is developing around the aggregation of data for purposes such as research or predicting patient outcomes, and some business associates are moving to capitalize on that data and use it or market it to others. According to Elizabeth, covered entities will need to determine whether they want to grant such business associates permission to use the data that way.

Business Associates Can Expect Audits by OCR in 2015.

The activities of business associates also will be under the microscope. The permanent HIPAA audit program, slated to begin in 2015, is expected to audit business associates as well as covered entities. Elizabeth observed that the use of subcontractors by business associates also will be examined more carefully, especially those who use off-shore subcontractors.

Again, to read more, click here and see the full article in the January 5, 2015 issue of Medical Care Compliance Alert.

The threats to health privacy in the face of the Ebola scare has not escaped the notice of the Office of Civil Rights (OCR).  As we reported last month, a great deal of information regarding the identity and condition of individuals who may have been exposed to or treated for Ebola has appeared in news reports. Ebola In The News – Is Too Much PHI Being Revealed And By Whom?  and Which Privacy Protections Apply? HIPAA, FERPA and Ebola.  On November 10, OCR issued a bulletin entitled HIPAA Privacy in Emergency Situations reminding covered entities and business associates that their obligations under HIPAA do not change during emergency situations such as the Ebola outbreak.

The bulletin notes that HIPAA balances the interests of patient privacy in a manner that ensures that appropriate uses and disclosures of the information still may be made when necessary to treat a patient, to protect the nation’s public health, and for other critical purposes.

Patient information can be shared for “treatment” purposes, and OCR notes  that “covered entities may disclose, without a patient’s authorization, protected health information [PHI] about the patient as necessary to treat the patient or to treat a different patient.” Further, treatment includes the coordination or management of health care, which may be critical when handling a communicable and dangerous infection such as Ebola.

OCR summarizes the disclosures which are permissible for public health purposes to agencies like the Centers for Disease Control and Prevention (CDC) or state or local health departments. “For example, a covered entity may disclose to the CDC protected health information on an ongoing basis as needed to report all prior and prospective cases of patients exposed to or suspected or confirmed to have Ebola virus disease.”

Other situations where disclosure is permissible include:

  • At the direction of a public health authority, to a foreign government agency that is acting in collaboration with the public health authority. (Highly relevant when coordinating information with government agencies in West Africa and other affected regions)
  • To persons at risk of contracting or spreading a disease or condition, but only if authorized under state or federal law.
  • To a patient’s family members, relatives, friends or others involved in the patient’s care.
  • When necessary to identify, locate, and communicate with family members, guardians, or anyone else responsible for the patient’s care, to notify them of the patient’s location, general condition, or death. OCR notes such disclosures may include police, the press, or the public at large. However, it is not a blanket authority to release PHI to the media unless there is a valid reason to do so. OCR also notes that verbal permission should be sought from the patient if possible.
  • To disaster relief organizations such s the Red Cross, but only for the coordination of contacting family members and others involved in the patient’s care.
  • To anyone else as necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public – consistent with applicable law (such as state statutes, regulations, or case law) and the provider’s standards of ethical conduct.
  • Limited “directory” condition information may be released when a patient is identified by name. OCR warns: In general, except in the limited circumstances described elsewhere in this Bulletin, affirmative reporting to the media or the public at large about an identifiable patient, or the disclosure to the public or media of specific information about treatment of an identifiable patient, such as specific tests, test results or details of a patient’s illness, may not be done without the patient’s written authorization (or the written authorization of a personal representative who is a person legally authorized to make health care decisions for the patient).

Health care providers and their business associates are now clearly on notice that OCR will not look the other way if information relating to individuals potentially exposed to Ebola or similar diseases is disclosed without meeting a valid exception, no matter how persistently media outlets press for details.  Each covered entity and business associate should take the time to remind their personnel that the privacy rule remains in effect in emergencies.

 

 

Imagine you have completed your HIPAA risk assessment and implemented a robust privacy and security plan designed to meet each criteria of the Omnibus Rule.  You think that, should you suffer a data breach involving protected health information as defined under HIPAA (PHI), you can show the Secretary of the Department of Health and Human Services (HHS) and its Office of Civil Rights (OCR), as well as media reporters and others, that you exercised due diligence and should not be penalized. Your expenditure of time and money will help ensure your compliance with federal law.

Unfortunately, however, HHS is not the only sheriff in town when it comes to data breach enforcement.  The Federal Trade Commission (FTC) has been battling LabMD for the past few years in a case that gets more interesting as the filings and rulings mount (In the Matter of LabMD, Inc., Docket No. 9357 before the FTC).  LabMD’s CEO Michael Daugherty recently published a book on the dispute with a title analogizing the FTC to the devil, with the byline, “The Shocking Expose of the U.S. Government’s Surveillance and Overreach into Cybersecurity, Medicine, and Small Business.”  Daugherty issued a press release in late January attributing the shutdown of operations of LabMD primarily to the FTC’s actions.

Among many other reasons, this case  is interesting because ofthe dual jurisdiction of the FTC and HHS/OCR over breaches that involve individual health information.

On one hand, the HIPAA regulations detail a specific, fact-oriented process for determining whether an impermissible disclosure of PHI constitutes a breach under the law.  The pre-Omnibus Rule breach analysis involved consideration of whether the impermissible disclosure posed a “significant risk of financial, reputational, or other harm” to the individual whose PHI was disclosed.  The post-Omnibus Rule breach analysis presumes that an impermissible disclosure is a breach, unless a risk assessment that includes consideration of at least four specific factors demonstrates there was a “low probability” that the individual’s PHI was compromised.

In stark contrast to HIPAA, the FTC can bring an enforcement action based upon its decision that an entity’s data security practices are “unfair”, but it has not promulgated regulations or issued specific guidance as to how or when a determination of “unfairness” is made.  Instead, the FTC routinely alleges that entities’ data security practices are “unfair” because they are not “reasonable” – two vague words that leave entities guessing about how to become FTC compliant.

In 2013, LabMD filed a motion to have the FTC’s enforcement action dismissed.  LabMD argued, in part, that the FTC does not have the authoritiy to bring actions under the “unfairness” prong of Section 5 of the FTC Act.  LabMD further argued that there should only be one sheriff in town – not both HHS and the FTC.  Not surprisingly, in January 2014, the FTC denied the motion to dismiss, finding that HIPAA requirements are “largely consistent with the data security duties” of the FTC under the FTC Act.The opinion speaks of “data security duties” and “requirements” of the FTC Act, but these “duties” and “requirements” are not spelled out (much less even mentioned) in the FTC Act.  As a result, how can anyone arrive at the determination that the standards are consistent?  Instead, entities that suffer a data security incident must comply with the detailed analysis under HIPAA, as well as the absence of any clear guidance under the FTC Act.

In a March 10th ruling, the judge ruled that he would permit LabMD to depose an FTC designee regarding consumers harmed by LabMD’s allegedly inadequate security practices.  However, the judge also ruled that LabMD could not “inquire into why, or how, the factual bases of the allegations … justify the conclusion that [LabMD] violated the FTC Act.”  So while the LabMD case may eventually provide some guidance as to the factual circumstances involved in an FTC determination that data security practices are “unfair” and have caused, or are likely to cause, consumer harm, the legal reasoning behind the FTC’s determinations is likely to remain a mystery.

My partner Bill Maruca was quoted in Jeff Overley’s article “Historic HIPAA Fine Will Push Feds To Get Tougher” published in Law360 on Friday, February 20, 2014.   The article reports on the nearly $7 million fine imposed by the Puerto Rico Health Insurance Administration on a contractor, health plan Triple-S Salud Inc. (“Triple-S”).  Bill’s quote sums it up:  “This is a shocking fine, given the circumstances.”  The breach affected roughly 13,000 individuals eligible for both Medicare and Medicaid (“dual eligibles”), but what were the circumstances that made this fine so large as to be shocking to my esteemed colleague and other observers? 

Here’s my take.  First, the fine was imposed by Puerto Rico, not the Office of Civil Rights (“OCR”) within the Department of Health and Human Services (“HHS”), which is the federal agency generally associated with penalties for breaches involving protected health information (“PHI”), and is significantly higher than fines that have been reported by OCR as having been levied for breaches affecting many more individuals than the 13,000 affected here.  OCR has created training tools for state attorneys general and states that it “welcomes” collaborations with state attorneys general seeking to bring civil actions to enforce HIPAA, but no state has imposed such a large penalty for a HIPAA violation, either on its own or in collaboration with OCR. 

Second, the breach was not the result of a sophisticated hacking incident or careless laptop loss or theft capable of exposing thousands of individuals’ information in a single view.  Here, the breach resulted from Triple-S’s inclusion of individual Medicare health insurance claim numbers in plain sight on mailings addressed to the individuals.  This PHI would only have been viewed by those delivering or otherwise physically handling the mail addressed to the individuals, thereby subjecting the PHI to a relatively limited scope of potential viewers (presumably, the postal service and anyone retrieving a specific individual’s mail, with or without permission).    

Finally, while the disclosure of an individual’s Medicare health insurance claim number is a disclosure of PHI (and potentially might be used in an attempt to improperly claim health care benefits), it is not the type of PHI that most people are likely to consider sensitive and private.

More information about Triple-S and this incident (and perhaps past incidents involving HIPAA violations, such as the 2010 incident reported to HHS) is likely to surface in the coming weeks and months.

In the wake of the post-Omnibus Rule (the “Rule”) frenzy, it is necessary to consider some collateral effects that the Rule may have brought about with respect to compliance with HIPAA/HITECH.  The Office of Civil Rights (“OCR”) summaries of closed investigations (the “Summaries”) posted on the U.S. Department of Health and Human Services (“HHS”) list (the “HHS List”) of breaches of unsecured PHI affecting 500 or more individuals (“List Breaches”) has been a source of meaningful guidance as discussed in previous posts on this blog.  For example, the summary (the “Tennessee Summary”) for a State of Tennessee Sponsored Group Health Plan breach (the “Tennessee Breach”) continues to provide an excellent road map of pre-Omnibus Rule actions for covered entities (“CEs”) or business associates (“BAs”)  that suffer List Breaches or PHI breaches of any size.  

 

While the Tennessee Breach itself dealt with mishandling of paper PHI and not electronic health records, the Tennessee Summary does give direction for early intervention by affected CEs or BAs before HHS knocks on their door.  However, while there was excellent compliance in the aftermath of the Tennessee Breach, advice from pre-Rule Summaries cannot be used without carefully taking into account the new requirements respecting PHI breaches under the Rule.  As will be further discussed below, the most important new requirement in this regard is the necessity for a CE, BA or subcontractor to analyze the level of risk of compromise of the affected PHI.

 

The Tennessee Summary

 

The Tennessee Breach occurred on October 6, 2011 and involved approximately 1,770 enrollees with respect to names, addresses, birth dates and social security numbers.  According to the Tennessee Summary, an equipment operator at the state’s postal facility set the machine to insert four (4) pages per envelope instead of one (1) page per envelope, which caused the PHI of four individuals to be sent to one address per envelope.

 

The Tennessee Summary states that the CE did the following (with some parenthetical observations from the blog author):

 

1.         Retrained the equipment operator (suggesting that suspension and/or termination are not the only actions in appropriate cases with respect to dealing with employees involved with a PHI breach where rehabilitation is possible).

2.         Submitted a breach report to HHS (resulting in the posting on the HHS List).

3.         Provided notice to affected individuals.

4.         Notified the media.

5.         Created a toll-free number for information regarding the incident.

6.         Posted notice on the CE’s website.

7.         Modified policies to remove the social security number on templates for future mailings (a good policy whether paper or electronic PHI is involved).

8.         Offered identity theft protection to the affected individuals (a common decision for CEs and BAs based on the type of information that may have been compromised).

9.         Following the OCR investigation, reviewed its policies and procedures to ensure adequate safeguards are in place (with this disclosure in the Tennessee Summary, there is a suggestion that OCR continued to exercise some oversight or received reports after the investigation was finished).

 

The Tennessee Breach in Retrospect after the Omnibus Rule

 

There was no discussion in the Tennessee Summary of any analysis by the CE of the probable “risk of harm” from the Tennessee Breach under the proposed rule standards that prevailed prior to the Rule.  However, it is clear that, in the post-Rule period, a risk analysis of the probability that the PHI “has been compromised” would be necessary for the CE; failure to do such an analysis may be a violation in itself.   Under the Rule, there is a presumption that a breach of PHI has taken place unless there is a low probability that the PHI has been compromised.  The four factor analysis that would have been required of the CE in the Tennessee Breach case had it happened after the effectiveness of the Rule encompasses the following (with parenthetical comments):

 

(i)         Identifying the nature and extent of the PHI involved, including types of identifiers and risk of re-identification (i.e., names, addresses, birth dates and social security numbers);

 

(ii)        Identifying the unauthorized person(s) who impermissibly used the PHI or to whom the disclosure was made (in the case of the Tennessee Breach, subscribers to the health plan who were not individuals that had an obligation of their own to comply with HIPAA/HITECH);

 

(iii)       Determining whether the PHI was actually acquired or viewed or, alternatively, if only the opportunity existed for the PHI to be acquired or viewed (in the case of the Tennessee Breach, there is a likelihood that numerous recipients of the PHI or others without the right to view such PHI did in fact view it); and

 

(iv)       The extent to which risk to the PHI was mitigated (items 3, 4, 5, 6 and 8 above appear to be potential mitigating factors).

 

As stated in an earlier postings here and here, no Summary has been posted by OCR for any List Breach that occurred later than October 6, 2011. Additionally, no Summary has been posted by OCR for any List Breach involving a BA that occurred later than February 1, 2011.  While the Summaries continue to provide highly useful information for CEs, BAs and subcontractors relative to confronting PHI breaches, large and small, they must be analyzed with appropriate care and attention paid to changes brought about by the Rule.  It may be that a concern of OCR about potential confusion which could be created by publishing pre-Rule Summaries has prevented OCR from making recent postings of Summaries on the HHS List.

 

We have written several times in this blog series about the long-awaited (some would assert long overdue) HIPAA “Mega Rule.” What was highly anticipated for the summer of 2012 has become the winter of discontent and a new year for eager HIPAA professionals. Below are ten HIPAA resolutions worth making for 2013 for anyone who has contact with protected health information (PHI), even without the benefit of the Mega Rule.  

10.       I will ask for a copy of my employer’s HIPAA Policies and Procedures.

 

9.         I will read them.

 

8.         I will compare what they say with what I do with PHI and will identify and correct discrepancies.

 

7.         I will not snoop through PHI of others or access or use any PHI I do not need in order to do my job.

 

6.         If I get PHI from or send PHI to a third party (outside my employer) as part of my job, I will find out whether my employer has a Business Associate Agreement (“BAA”) in place with that third party (or has decided one is not needed).

 

5.         I will learn how to encrypt (as per National Institute of Standards and Technology) PHI before I save it or send it.

 

4.         I will check my laptop, smartphone, or other portable device for encryption capability and make sure it is activated. I will also check for any unencrypted PHI that may be lurking on my portable device(s). I will encrypt or remove such PHI (if consistent with the HIPAA Policies and Procedures of my employer and any BAAs).

 

3.         I will investigate the “chain of control” of PHI before I send it to make sure it will not end up outside the jurisdiction of the United States.

 

2.         I will educate myself as to whether and how PHI might be de-identified and will recommend that my employer consider a policy of de-identification in accordance with guidance published by the Office of Civil Rights of the Department of Health and Human Services.

 

1.         Even if I’ve accomplished resolution # 4, I will not leave my laptop, smartphone or other portable device containing PHI in plain sight inside my parked car, especially while at lunch.

 

If everyone were to make and follow these resolutions, we all will have a Happy HIPAA New Year.

A thoughtful reader commented on the recent blog post in this series that asked whether the 2012 Breach of Massachusetts Eye and Ear Infirmary (“MEEI”) should have by now been reflected in a third posting respecting MEEI on the HHS List. (Capitalized terms not otherwise defined herein shall have the meanings assigned to them in the earlier blog post.) 

The reader’s comments included the following:

 

I have been wondering—and this article [the blog post] continues to make me wonder—whether covered entities will be less likely to “err on the side of caution” in making breach reports, now that they see the potentially draconian consequences of making such a report. I think it’s pretty clear (and I think OCR [the Office of Civil Rights] has even said publicly) that large breach reports will trigger investigations and, as we have seen, investigations are likely to open to scrutiny all aspects of the covered entity’s HIPAA policies, practices and procedures. Seeing million dollar resolution agreements may give covered entities pause about blowing the whistle on themselves, particularly where there is room to argue whether the disclosure creates a significant risk of harm. . . .

 

The reader’s comments point out the importance of evaluating the risk of harm by any covered entity that experiences a PHI security breach, even if it appears not to rise to the level of a potential List Breach. I concur with the reader that more attention may be given by a covered entity in the future to make a risk analysis of the probable harm of a potential List Breach. One of the purposes will be to determine the number of involved individuals and whether the entity can reasonably conclude that a List Breach has not occurred, and, therefore, there may be no need for a List Breach report to HHS. 

 

The covered entity may so conclude even if it publicizes the PHI security breach, notifies “potentially affected individuals,” posts information about the breach on its Web site, engages in some “voluntary” remedial action for such potentially affected individuals, disciplines involved employees and makes improvements to its policies and procedures. Repeat marchers in the Breach Parade may be especially motivated to conclude that a List Breach has not occurred.

 

However, the stakes may be high for a covered entity to conclude that a List Breach has not occurred. The penalties that can flow from the potentially “draconian consequences of making such a report” to HHS can be greatly amplified if the conclusion not to report the security breach as a List Breach turns out to be erroneous. The failure to report a List Breach is a separate violation and can give rise to significant penalties. Moreover, the covered entity must consider that most states have adopted their own requirements to make timely reports to state regulators about a PHI security breach, often with different standards for reporting, and state Attorneys General can seek to enforce a failure to make a mandatory report under both state law and HIPAA.

 

To some observers, elements of the risk analysis of a covered entity for reporting a possible List Breach may be somewhat analogous to the considerations that exist for self-reporting by healthcare providers of potential false claims to the HHS Office of Inspector General under its voluntary disclosure program. The important difference is that voluntary disclosure is optional; reporting a PHI security breach that is a List Breach to HHS is mandatory, with potential materially adverse consequences for failure to comply.

This blog series has been following breaches of Protected Health Information (“PHI”) that have been reported on the U.S. Department of Health and Human Services (“HHS”) list (the “HHS List”) of breaches of unsecured PHI affecting 500 or more individuals (the “List Breaches”). Currently HHS has posted 498 List Breaches reported by covered entities (“CEs”), of which approximately 102 (20.5%) have been reported as also involving business associates (“BAs”).  

As stated in an earlier posting in this blog series, the HHS List includes valuable guidance for CEs and BAs in the form of “brief summaries of the breach cases that OCR [the federal Office of Civil Rights] has investigated and closed. . . .” To date, the HHS List has posted approximately 96 summaries (“Summaries”) respecting the 498 current postings for CE marchers in the Breach Parade (which include some multiple postings of List Breaches where a single alleged breach by a BA caused a number of CEs to have List Breaches). Of the 96 List Breaches for which Summaries have been posted by OCR, 19 (19.8%) were reported as involving BAs.  

 

Unfortunately, since May 10, 2012, it would appear that only one new Summary has been posted by OCR, which relates to List Breach number 337 reported by Indiana University School of Optometry as CE. According to the OCR Summary, that List Breach affected 757 individuals and resulted in accessibility over the Internet of patient names, birth dates, medical history, diagnoses and treatment plans for the period from August 8, 2011 through September 9, 2011.  

 

No Summary has been posted by OCR for any List Breach that occurred later than October 6, 2011, already a year ago. Additionally, no Summary has been posted by OCR for any List Breach involving a BA that occurred later than February 1, 2011, as discussed in an earlier posting in this blog series. 

 

Moreover, the substantial majority of Summaries posted by OCR relate to List Breaches affecting fewer than 10,000 persons. While this Summary history may be reflective of the population of List Breaches as discussed in an earlier post in this blog series, the largest number of affected individuals for which a Summary has been posted to date is 83,000. That List Breach, which occurred on November 12, 2009 and was number 21 on the HHS List, related to unauthorized access/disclosure of paper information and was reported by Universal American in New York as the CE with Democracy Data & Communications, LLC as an involved BA. In light of the existence of complex List Breaches that reportedly affect hundreds of thousands or even millions of individuals, Summaries respecting larger List Breaches may be helpful in providing new and different insights for CEs and BAs.

 

There is great value in the guidance provided by the posted Summaries for educating CEs and BAs as to what OCR may deem to be significant with respect to List Breaches. OCR Summaries may provide analysis not only of the List Breaches themselves but also subsequent actions taken by the affected CEs and BAs. However, because the paucity of recent postings of Summaries can dampen their overall educational benefit, OCR is encouraged to increase the frequency, number, currentness and diversity of the Summaries posted.