U.S. Department of Health and Human Services

Yesterday’s listserv announcement from the Office for Civil Rights (OCR) within the U.S. Department of Health and Human Services (HHS) brought to mind this question. The post announces the agreement by a Florida company, Advanced Care Hospitalists PL (ACH), to pay $500,000 and adopt a “substantial corrective action plan”. The first alleged HIPAA violation? Patient information, including name, date of birth, and social security number was viewable on the website of ACH’s medical billing vendor, and reported to ACH by a local hospital in 2014.

To add insult (and another alleged HIPAA violation) to injury, according to the HHS Press Release, ACH did not have a business associate agreement (BAA) in place with the vendor, Doctor’s First Choice Billings, Inc. (First Choice), during the period when medical billing services were rendered (an 8-month period running from November of 2011 to June of 2012). Based on the HHS Press Release, it appears that ACH only scrambled to sign a BAA with First Choice in 2014, likely after learning of the website issue. In addition, according to the HHS Press Release, the person hired by ACH to provide the medical billing services used “First Choice’s name and website, but allegedly without any knowledge or permission of First Choice’s owner.”

These allegations are head-spinning, starting with those implicating the “should’ve-been” business associate. First, how does a medical billing company allow an employee or any other individual access to its website without its knowledge or permission? Next, shouldn’t someone at First Choice have noticed that an unauthorized person was posting information on its website back in 2011-2012, or at some point prior to its discovery by an unrelated third party in 2014? Finally, how does a medical billing company (a company that should know, certainly by late 2011, that it’s most likely acting a business associate when it performs medical billing services), not realize that individually identifiable health information and social security numbers are viewable on its website by outsiders?

ACH’s apparent lackadaisical attitude about its HIPAA obligations is equally stunning. What health care provider engaged in electronic billing was not aware of the need to have a BAA in place with a medical billing vendor in 2011? While the Omnibus Rule wasn’t published until January of 2013 (at which point ACH had another chance to recognize its need for a BAA with First Choice), HHS has been publishing FAQs addressing all kinds of business associate-related issues and requirements since 2002.

It seems pretty obvious that ACH should have had a BAA with First Choice, but, in many instances, having a BAA is neither required by HIPAA nor prudent from the perspective of the covered entity. A BAA generally is not necessary if protected health information is not created, received, maintained or transmitted by or to the vendor in connection with the provision of services on behalf of a covered entity, business associate, or subcontractor, and having one in place may backfire. Consider the following scenario:

*          Health Plan (HP), thinking it is acting out of an abundance of HIPAA caution, requires all of its vendors to sign BAAs.

*          Small Law Firm (SLF) provides legal advice to HP, but does not create, receive, maintain or transmit protected health information in connection with the services it provides on behalf of HP.

*          However, SLF signs HP’s BAA at HP’s request and because SLF thinks it might, at some point, expand the scope of legal services it provides to HP to include matters that require it to receive protected health information from HP.

*          SLF suffers a ransomware attack that results in some of its data being encrypted, including data received from HP. It reviews HHS’s fact sheet on Ransomware and HIPAA, and realizes that a HIPAA breach may have occurred, since it cannot rule out the possibility that it received protected health information from HP at some point after it signed the BAA and prior to the attack.

*          SLF reports the attack to HP as per the BAA. Neither SLF nor HP can rule out the possibility that protected health information of individuals covered by HP was received by SLF at some point and affected by the attack.

HP is now in the position of having to provide breach notifications to individuals and HHS. Had it been more circumspect at the outset, deciding it would only ask SLF to sign a BAA if/when SLF needed protected health information in order to provide legal services on behalf of HP, it may have avoided these HIPAA implications completely.

So while it seems stunning that a health care provider entity such as ACH would have neglected to sign a BAA with First Choice before 2014, having a BAA in place when it is not necessary can create its own problems. Better to constantly ask (and carefully consider): to BAA or not to BAA?

We blogged on this back in early May, but compliance with individuals’ rights to access their PHI under HIPAA is even more critical now that OCR has announced that its current HIPAA audits will focus on an audited Covered Entity’s documentation and process related to these access rights.

In an email sent to listserv participants on July 12, 2016 from OCR-SECURITY-LIST@LIST.NIH.GOV, the U.S. Department of Health and Human Services (HHS) included the following list of areas of focus for the desk audits:

Requirements Selected for Desk Audit Review
Privacy Rule
Notice of Privacy Practices & Content Requirements  [§164.520(a)(1) & (b)(1)]
Provision of Notice – Electronic Notice   [§164.520(c)(3)]
Right to Access  [§164.524(a)(1), (b)(1), (b)(2), (c)(2), (c)(3), (c)(4), (d)(1), (d)(3)]
Breach Notification Rule
Timeliness of Notification  [§164.404(b)]
Content of Notification  [§164.404(c)(1)]
Security Rule
Security Management Process —  Risk Analysis  [§164.308(a)(1)(ii)(A)]
Security Management Process — Risk Management  [§164.308(a)(1)(ii)(B)]

As discussed in our prior post, HHS issued guidance regarding individuals’ rights to access PHI earlier this year. Here is a link to this PHI access guidance:  Individuals’ Right under HIPAA to Access their Health Information | HHS.gov

The HHS access guidance stresses that Covered Entities should provide individuals with “easy access” to their PHI and cannot impose “unreasonable measures” on the individuals with respect to this right to access. The HHS access guidance provides important information regarding the different rules that apply when an individual provides a signed authorization for release of their PHI versus when an individual is really making a request for access to his or her PHI.

If an individual is asking for the PHI to be provided to him or her, this is really a request for access even if the individual is providing a signed authorization for release of the PHI.

If the individual is asking the PHI to be directed to a third party, this can be either a situation when a signed authorization is needed or can be an access request, depending on who is really originating the request (the individual or the third party). A Covered Entity cannot require an individual to provide a signed authorization to make an access request.  A Covered Entity can require that the access request be in writing and can require use of a form as long as it does not impose undue burden on the individual’s right to access.

The HHS access guidance also indicates that if an individual requests that his or her PHI be provided by email, the Covered Entity is required to do so and further, if the individual requests in writing that the PHI be provided by unsecure, unencrypted email, the Covered Entity is required to do so after notifying the individual in writing of the risks of this method of transmission. (This notice can be included on the access request form.)

As a result of the HHS access guidance, a Covered Entity may need to review and amend its HIPAA Privacy Policies and Procedures governing individual rights with respect to access to PHI, the form it uses for individual access requests, and its employee training protocols to be sure employees aren’t requiring a patient  (or member, in the case of a health plan Covered Entity) to sign an authorization form when the patient is requesting access to PHI.

Copyright:  / 123RF Stock Photo
Copyright: / 123RF Stock Photo

Two recently reported breaches of hospital data affecting thousands of patients highlight the prevalence, and apparent success, of phishing attacks.  Boston-based Partners HealthCare notified approximately 3,300 patients after a group of staff members were tricked by a phishing scam, and Indiana-based St. Vincent Medical Group, a 20-hospital system that is part of Ascension Health, reported a breach affecting nearly 760 patients that resulted from a phishing attack that involved a single employee’s email account.

The Department of Health and Human Services (HHS), Office of the Chief Information Officer, published an “Information Systems Security Awareness Training” document for FY 2015 that is simple to follow, has easy and useful tips, and even includes enough pictures and graphic images to make what could be dull cybersecurity lessons visually stimulating (the kitten fishing photo comes from page 34).

The phishing-avoidance tips from HHS may seem obvious, but are worth regular review with covered entity and business associate staff that use company email accounts:

NEVER provide your password to anyone via email

*     Be suspicious of any email that:

    — Requests personal information.

    — Contains spelling and grammatical errors.

    — Asks you to click on a link.

    — Is unexpected or from a company or organization with whom you do not have a relationship.

*  If you are suspicious of an email:

    — Do not click on the links provided in the email.

    — Do not open any attachments in the email.

    — Do not provide personal information or financial data.

    — Do forward the email to the HHS Computer Security Incident Response Center (CSIRC) at csirc@hhs.gov and then delete it from your Inbox.

Although HHS’ CSIRC undoubtedly does not want a barrage of emails from non-government entity staff reporting potential phishing attacks, a covered entity or business associate should articulate a similar process for staff to follow when a suspicious email is identified.

Bill Maruca, a Fox Rothschild partner and editor of this blog, added the following tips for recognizing potential phishing emails:

* Be suspicious of any email that:

— Includes multiple other recipients in the “to” or “cc” fields.

— Displays a suspicious “from” address, such as a foreign URL for a U.S. company or a gmail or other “disposable” address for a business sender.  However, even when the sender’s address looks legitimate, it can still be “spoofed” or falsified by a malicious sender.

Bill points out that he has noticed these indicators in phishing emails in the past, even those that otherwise looked like they came from official sources.

On the twelfth day of breaches
my hacker sent to me:

Twelve Data Downloads

Eleven Plundered Patches

Ten Missed BA Contracts

Nine Malware Installs

Eight Mis-sent Faxes

Seven Stolen Laptops

Six Snooping Staffers

Five Old NPPs

Four Lost Thumbdrives

Three Re-sent Texts

Two Pop-up Links …

And a Bill for Compliance Auditing.

For a glimpse at what the U.S. Department of Health and Human Services, Office for Civil Rights (HHS) expects a HIPAA covered entity to do to remedy faulty Security Rule Policies and Procedures, see the “Corrective Action Obligations” listed in the Resolution Agreement between HHS and Anchorage Community Mental Health Services, Inc.

Happy Holidays to All!

I read a recent Forbes.com post by Rick Ungar (“Claims That Obamacare Website Violates Health Privacy Reveals Embarrassing Fact – GOP Does Not Understand HIPAA or Obamacare”) that revealed a truly embarrassing fact:  very few of us really understand HIPAA, let alone the intricacies of the Affordable Care Act (“ACA” or “Obamacare”) and its interplay with HIPAA.  These misunderstandings are prevalent and not limited to any particular political party or viewpoint on the ACA.  Even as a lawyer who deals with HIPAA issues on a near-daily basis, I frequently find myself picking and plodding my way through the regulatory definitions and cross-references  (both pre- and post-Omnibus rule) to see whether a particular piece of information might enjoy, or be burdened by, HIPAA protections.  The ACA merely complicates the picture, adding new layers to the privacy and security regulatory morass.

HIPAA as originally enacted in 1996 was updated by HITECH in 2009 – light years ago, considering the rapid pace of technology development and plethora of changes triggered by the ACA.  Perhaps Congress didn’t envision the widespread on-line purchasing of health insurance coverage by individuals when HIPAA and HITECH were enacted, and perhaps the Department of Health and Human Services (“HHS”), the agency responsible for the HIPAA regulations, didn’t envision widespread ACA Website technological glitches when it published rules on the Affordable Insurance Exchanges (“Exchanges”) in 2012 or the HIPAA Omnibus Rules this past January.  Still, personal information submitted on an Exchange and sent to a qualified health plan may, in fact, be subject to HIPAA.  It doesn’t matter that the Exchange is not itself a health care provider, a health care plan, or a clearinghouse (i.e., a “Covered Entity” under HIPAA), or that individuals are not submitting medical information.  HIPAA is big, broad and inclusive and captures lots of little pieces of electronic information in its protective net.

In some ways, HHS side-stepped this issue when it published rules in March of 2012 dealing with the establishment of Exchanges.  In response to commenters seeking clarification on whether an Exchange would be subject to HIPAA as a business associate, HHS said that each State would determine the applicability of HIPAA to their Exchange.  HHS added “clarifying” language to 45 CFR 155.200 saying that to the extent an Exchange performs “minimum functions” described in the regulation, it would not be acting on behalf of a qualified health plan offering coverage on the Exchange and so would not be subject to HIPAA.  These “minimum function” Exchanges are still required to abide by privacy and security requirements set forth in 45 CFR 155.260 (which can be seen as “HIPAA-light” standards), but they are only subject to full-fledged HIPAA requirements if they perform functions other than or in addition to those described in section 155.200.  By way of example, HHS says that some States may need to consider whether the Exchange performs eligibility assessments for Medicaid or CHIP.

In short, information submitted to an Exchange may be subject to HIPAA if the Exchange is performing a function on behalf of a qualified health plan that goes beyond the minimum functions required of the Exchanges.  For example, the Exchange may be a “Business Associate” under HIPAA, and information it submits to a “Covered Entity” health plans may be “Protected Health Information” or “PHI” under HIPAA.  45 CFR 160.103 contains the relevant series of definitions.

When the series of definitions is properly followed through and applied, it becomes clear that information which identifies an individual (name, address, and social security number will definitely do that!) that is electronically transmitted from the Exchange to a health plan and relates to the future payment for the provision of health care to the individual is protected by HIPAA – if the Exchange is transmitting the information on the health plan’s behalf.  The Exchange and the health plan covered entity should have a BAA in place that complies with HIPAA in the post-Omnibus period and clearly identifies the roles and responsibilities of the parties with respect to protecting the privacy and security of the PHI.

Attorney General Lori Swanson of Minnesota (“AG”) issued a press release reporting that Accretive Health, Inc. (“Accretive”), the defendant in an action filed by the AG in U.S. District Court alleging violations of HIPAA, HITECH, the Minnesota Health Records Act, and the Minnesota consumer protection laws, signed a Settlement Agreement, Release and Order on July 30, 2012 (“Settlement Agreement”). The Settlement Agreement recites:

[R]ecognizing that unique circumstances exist in Minnesota in light of the Attorney General’s Agreement with Minnesota charitable hospitals … Accretive Health … has decided to wind down its remaining work for Minnesota Clients …


(other than its continuation of prior technology licensing agreements). The Settlement Agreement also requires Accretive  to pay the AG nearly $2.5 million within 15 days of the Settlement Agreement’s effective date. The funds may be distributed to patients at the discretion of the AG, used for settlement administration, and/or remitted to the State Treasury.


Previous posts to this blog have reported on the AG’s action against Accretive, and on the need for entities or individuals sharing Protected Health Information (‘PHI”) to identify the roles, rights, and obligations of the parties. Michael Kline’s recent blog reported on a breach involving more than 500 individuals included on the list maintained by the U.S. Department of Health and Human Services (the “HHS List”), highlighting the summary provided by the Office of Civil Rights (“OCR”). Michael noted that the OCR summary implies that OCR expects a covered entity (“CE”) contracting with a business associate (“BA”) to verify that the BA is “not an independent” CE.  


Identifying the roles of the parties and the context in which PHI is disclosed is critical because different information-sharing standards apply depending on these roles and circumstances. For example, a business associate agreement (“BAA”) is not required for disclosures made within a CE for treatment, payment, or health care operations, nor is a BAA required for PHI to be disclosed from one CE to another CE where the recipient CE is a health care provider and the PHI is being disclosed for treatment purposes.


However, if the recipient CE is a health care provider, but is receiving the PHI as a BA (generally defined as a person or entity that performs functions or activities on behalf of another person that is a CE, which involves the use or disclosure of PHI), a BAA is required and it must, among other things, “establish the permitted and required uses and disclosures” of the PHI (though failure to execute a BAA will not absolve the BA of its responsibilities and liabilities under HIPAA and HITECH). In addition, while most uses and disclosures of PHI must be limited to the “minimum necessary,” current regulations do not restrict disclosures to or requests by a CE that is a health care provider to the “minimum necessary” when the disclosure or request is for treatment of a patient. A CE can use or disclose PHI for “payment” activities, but must comply with the “minimum necessary” standard.  If the “payment” activity involves disclosure to a consumer reporting agency, the CE may only disclose specified information (name/address, date of birth, social security number, payment history, account number, and the name and address of the CE). 


The Accretive case was triggered by an alleged PHI breach (the all-too-frequent loss of a laptop containing sensitive information about 23,500 patients treated at two hospitals that had contracted with Accretive), but the AG’s allegations were most scathing where they painted a picture of insidious and inappropriate sharing and use of PHI between hospitals and Accretive.  The AG alleged that Accretive’s “Quality and Total Cost of Care” services used “data mining,” “consumer behavior modeling,” and “propensity to pay” algorithms.  Accretive allegedly “amasse[d] and ha[d] access to a high volume of sensitive and personal information,” which it used, among other things, to create “per patient risk score” calculations, yet the hospitals’ patient authorization forms allegedly failed to disclose the scope or breadth of the PHI that the hospitals would share with Accretive.


In addition to this questionable and seemingly surreptitious “behind the scenes” PHI-sharing, Accretive staff allegedly interfaced directly with patients seeking treatment at the hospitals, often appearing to be members of the hospital’s staff.  Jessica Silver-Greenberg, reporting on the Settlement Agreement in the New York Times, describes allegations of aggressive collection tactics taken by Accretive that involved requesting payment from patients seeking emergency care. 

Whether a clear delineation of the role of Accretive as a BA and/or restriction of PHI disclosed to Accretive to the “minimum necessary” would have prevented the AG’s action is unclear. However, the Accretive case provides a good example of how the blurring of the CE and BA roles can backfire on parties that fail to sufficiently analyze and define such roles, not only at the outset of a relationship but throughout its duration and evolution.