Protected Health Information

Registration for the Privacy Summit is open.

Fox Rothschild’s Minneapolis Privacy Summit on November 8 will explore key cybersecurity issues and compliance questions facing company decision-makers. This free event will feature an impressive array of panelists drawn from cybersecurity leaders in major industries, experienced regulatory and compliance professionals and the Chief Division Counsel of the Minneapolis Division of the FBI.

Attendees receive complimentary breakfast and lunch, and can take advantage of networking opportunities and informative panel sessions:

GDPR and the California Consumer Privacy Act: Compliance in a Time of Change

The European Union’s General Data Protection Regulation has been in effect since May. Companies that process or control EU citizens’ personal data should understand how to maintain compliance and avoid costly fines. Many more businesses should also prepare for the next major privacy mandate: the California Consumer Privacy Act.

Risk Management – How Can Privacy Officers Ensure They Have the Correct Security Policies in Place?

Panelists offer best practices for internal policies, audits and training to help maintainn protected health information (PHI), personally identifiable information (PII) or other sensitive data. Learn the cutting edge strategies to combat the technology threats of phishing and ransomware.

Fireside Chat

Jeffrey Van Nest, Chief Division Counsel of the Minneapolis Division of the FBI, speaks on the state of affairs in regulation and enforcement, including how to partner with the FBI, timelines of engagement and the latest on cyber threat schemes. His insights offer details on forming effective cyber incident response plans.

Keynote Speaker – Ken Barnhart

Ken is the former CEO of the Occam Group, a cybersecurity industry advisor and the founder and principal consultant for Highground Cyber – a spin-off of the Occam Group’s Cybersecurity Practice Group. For more than a decade, he has helped companies of all sizes design, host and secure environments in private, public and hybrid cloud models. Prior to his work in the corporate sector, Ken served as a non-commissioned officer in the United States Marine Corp and is a decorated combat veteran of Operation Desert Shield\Storm with the HQ Battalion of the 2nd Marine Division.

Geared toward an audience of corporate executives, in-house chief privacy officers and general counsel, the summit will provide important take-aways about the latest risks and threats facing businesses.

Stay tuned for more agenda details. Registration is open.

Elizabeth Litten (Fox Rothschild Partner and HIPAA Privacy & Security Officer) and Mark McCreary (Fox Rothschild Partner and Chief Privacy Officer) will be presenting at the New Jersey Chapter of the Healthcare Financial Management Association on August 30, 2017, from 12:00-1:00 pm eastern time.  The presentation is titled: “Can’t Touch That: Best Practices for Health Care Workforce Training on Data Security and Information Privacy.”

This webinar is a comprehensive review of information privacy and data security training, with an emphasis on imparting practical know-how and a fluency with the terminology involving phishing, ransomware, malware and other common threats. We will cover best practices for sensitizing health care industry workers to these threats as part of their ongoing HIPAA compliance efforts and, more generally, for training workers in any business on the proper handling of sensitive data. We will cover the adoption of policies and a training regimen for the entire workforce, as well as tailored training for those in positions responsible for implementing security policies.

More information and a registration link can be found here.

Eric Bixler has posted on the Fox Rothschild Physician Law Blog an excellent summary of the changes coming to Medicare cards as a result of the Medicare Access and CHIP Reauthorization Act of 2015.  Briefly, Centers for Medicare and Medicaid Services (“CMS”) must remove Social Security Numbers (“SSNs”) from all Medicare cards. Therefore, starting April 1, 2018, CMS will begin mailing new cards with a randomly assigned Medicare Beneficiary Identifier (“MBI”) to replace the existing use of SSNs.  You can read the entire blog post here.

The SSN removal initiative represents a major step in the right direction for preventing identity theft of particularly vulnerable populations.  Medicare provides health insurance for Americans aged 65 and older, and in some cases to younger individuals with select disabilities.  Americans are told to avoid carrying their social security card to protect their identity in the event their wallet or purse is stolen, yet many Medicare beneficiaries still carry their Medicare card, which contains their SSN.  CMS stated that people age 65 or older are increasingly the victims of identity theft, as incidents among seniors increased to 2.6 million from 2.1 million between 2012 and 2014.  Yet the change took over a decade of formal CMS research and discussions with other government agencies to materialize, in part due to CMS’ estimates of the prohibitive costs associated with the undertaking.  In 2013, CMS estimated that the costs of two separate SSN removal approaches were approximately $255 million and $317 million, including the cost of efforts to develop, test and implement modifications that would have to be made to the agency’s IT systems – see United States Government Accountability Office report, dated September 2013)

We previously blogged (here and here) about the theft of 7,000 student SSNs at Purdue University and a hack that put 75,000 SSNs at risk at the University of Wisconsin.  In addition, the Fox Rothschild HIPAA & Health Information Technology Blog discussed (here) the nearly $7 million fine imposed on a health plan for including Medicare health insurance claim numbers in plain sight on mailings addressed to individuals.

In one of the best examples we have ever seen that it pays to be HIPAA compliant (and can cost A LOT when you are not), the U.S. Department of Health and Human Services, Office for Civil Rights, issued the following press release about the above settlement.  This is worth a quick read and some soul searching if your company has not been meeting its HIPAA requirements.

FOR IMMEDIATE RELEASE
April 24, 2017
Contact: HHS Press Office
202-690-6343
media@hhs.gov

$2.5 million settlement shows that not understanding HIPAA requirements creates risk

The U.S. Department of Health and Human Services, Office for Civil Rights (OCR), has announced a Health Insurance Portability and Accountability Act of 1996 (HIPAA) settlement based on the impermissible disclosure of unsecured electronic protected health information (ePHI). CardioNet has agreed to settle potential noncompliance with the HIPAA Privacy and Security Rules by paying $2.5 million and implementing a corrective action plan. This settlement is the first involving a wireless health services provider, as CardioNet provides remote mobile monitoring of and rapid response to patients at risk for cardiac arrhythmias.

In January 2012, CardioNet reported to the HHS Office for Civil Rights (OCR) that a workforce member’s laptop was stolen from a parked vehicle outside of the employee’s home. The laptop contained the ePHI of 1,391 individuals. OCR’s investigation into the impermissible disclosure revealed that CardioNet had an insufficient risk analysis and risk management processes in place at the time of the theft. Additionally, CardioNet’s policies and procedures implementing the standards of the HIPAA Security Rule were in draft form and had not been implemented. Further, the Pennsylvania –based organization was unable to produce any final policies or procedures regarding the implementation of safeguards for ePHI, including those for mobile devices.

“Mobile devices in the health care sector remain particularly vulnerable to theft and loss,” said Roger Severino, OCR Director. “Failure to implement mobile device security by Covered Entities and Business Associates puts individuals’ sensitive health information at risk. This disregard for security can result in a serious breach, which affects each individual whose information is left unprotected.”

The Resolution Agreement and Corrective Action Plan may be found on the OCR website at https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/cardionet

HHS has gathered tips and information to help protect and secure health information when using mobile devices:  https://www.healthit.gov/providers-professionals/your-mobile-device-and-health-information-privacy-and-security

To learn more about non-discrimination and health information privacy laws, your civil rights, and privacy rights in health care and human service settings, and to find information on filing a complaint, visit us at http://www.hhs.gov/hipaa/index.html

Last week we posted about A Brief Primer on the NIST Cybersecurity Framework.  Our partner and HIPAA/HITECH expert Elizabeth Litten took the NIST Cybersecurity Framework and created a blog post for the HIPAA, HITECH and Health Information Technology Blog on how How the NIST Cybersecurity Framework Can Help With HIPAA Compliance: 3 Tips, which can be read here.  For those facing any HIPAA-related issues, it is a worthwhile read.

The Federal Trade Commission recently announced that it settled charges against a health billing company and its former CEO that they misled consumers who had signed up for their online billing portal by failing to inform them that the company would seek detailed medical information from pharmacies, medical labs and insurance companies.

The Atlanta-based medical billing provider operated a website where consumers could pay their medical bills, but in 2012, the company developed a separate service, Patient Health Report, that would provide consumers with comprehensive online medical records.  In order to populate the medical records, the company altered its registration process for the billing portal to include permission for the company to contact healthcare providers to obtain the consumer’s medical information, such as prescriptions, procedures, medical diagnoses, lab tests and more.

The company obtained a consumer’s “consent” through four authorizations presented in small windows on the webpage that displayed only six lines of the extensive text at a time and could be accepted by clicking one box to agree to all four authorizations at once.  According to the complaint, consumers registering for the billing service would have reasonably believed that the authorizations related only to billing.

The settlement requires the company to destroy any information collected relating to the Patient Health Report service.

This case is a good reminder for companies in the healthcare industry looking to offer new online products involving consumer health information that care must always be taken to ensure that consumers understand what the product offers and what information will be collected.

 

DataSecurityWe are pleased to announce the launch of our Data Breach 411 App, which is available for free download in the iTunes store at:  https://itunes.apple.com/us/app/data-breach-411/id726115837?mt=8

The Data Breach 411 App is a data breach survival guide designed to tackle a general counsel’s worst nightmare:  the loss or theft of sensitive data.

Features of the app include:

1.  State Breach Notification Statutes:  An alphabetical listing of the 46 states that have data breach notification statutes in place and links to relevant information.

2.  HIPAA/HITECH Statutes:  Breach notification rules and other pertinent information related to the loss or theft of protected health information.

3.  Other Resources:  Links to credit agencies, credit monitoring services and the FTC Website, as well as a section on COPPA — the Children’s Online Privacy Protection Act.

On July 11, 2013, the Department of Health and Human Services announced that it reached a settlement with WellPoint Inc. related to potential violations of the HIPAA Privacy and Security Rules.  In compliance with the HITECH Breach Notification Rule, WellPoint notified the HHS Office for Civil Rights that certain security weaknesses in one of its online application databases made available on the Internet protected health information (“PHI”) of over 600,000 individuals (including names, dates of birth, addresses, Social Security numbers, telephone numbers and health information).  After receiving WellPoint’s report, HHS started an investigation and, ultimately, found that WellPoint failed to implement appropriate safeguards to procect PHI.  Specifically, HHS determined that WellPoint failed to: (1) adequately implement policies and procedures for authorizing access to its online application databases (containing PHI); (2) perform an appropriate technical evaluation in response to a software upgrade that it recently conducted; (3) employ safeguards to verify the person or entity seeking access to PHI in its databases.  Under the terms of a resolution agreement, WellPoint agreed to pay $1.7 million to settle the action.

Interestingly, at the end of the press release issued by HHS announcing the settlment, HHS stated that, “[b]eginning Sept. 23, 2013, liability for many of HIPAA’s requirements will extend directly to business associates that receive or store protected health information, such as contractors and subcontractors.”  By including this statement in its press releave, HHS may have been sending a message to business associates that it intends to enforce compliance with this new HIPAA requirement.

 

[This blog posting was previously posted on the HIPAA, HITECH and Health Information blog.]

The recent release of the HIPAA/HITECH “mega rule” or “omnibus rule” has given bloggers and lawyers like us plenty of topics for analysis and debate, as well as some tools with which to prod covered entities, business associates and subcontractors to put HIPAA/HITECH-compliant Business Associate Agreements (“BAAs”) in place. It’s also a reminder to read BAAs that are already in place, and to make sure the provisions accurately describe how and why protected health information (“PHI”) is to be created, received, maintained, and/or transmitted. 

If you are an entity that participates in the Medicare Shared Savings Program as a Medicare Accountable Care Organization (“ACO”), your ability to access patient data from Medicare depends on your having signed the CMS Data Use Agreement (the “Data Use Agreement”). Just as covered entities, business associates, and subcontractors should read and fully understand their BAAs, Medicare ACOs should make sure they are aware of several Data Use Agreement provisions that are more stringent than provisions typically included in a BAA and that may come as a surprise. Here are ten provisions from the Data Use Agreement worth reviewing, whether you are a Medicare ACO or any other business associate or subcontractor, as these may very well resurface in some form in the “Super BAA” of the future:

 

1.         CMS (the covered entity) retains ownership rights in the patient data furnished to the ACO.

 

2.         The ACO may only use the patient data for the purposes enumerated in the Data Use Agreement.

 

3.         The ACO may not grant access to the patient data except as authorized by CMS.

 

4.         The ACO agrees that, within the ACO and its agents, access to patient data will be limited to the minimum amount of data and minimum number of individuals necessary to achieve the stated purposes.

 

5.         The ACO will only retain the patient data (and any derivative data) for one year or until 30 days after the purpose specified in the Data Use Agreement is completed, whichever is earlier, and the ACO must destroy the data and send written certification of the destruction to CMS within 30 days.

 

6.         The ACO must establish administrative, technical, and physical safeguards that meet or exceed standards established by the Office of Management and Budget and the National Institute of Standards and Technology.

 

7.         The ACO acknowledges that it is prohibited from using unsecured telecommunications, including the Internet, to transmit individually identifiable, bidder identifiable or deducible information derived from the patient files. 

 

8.         The ACO agrees not to disclose any information derived from the patient data, even if the information does not include direct identifiers, if the information can, by itself or in combination with other data, be used to deduce an individual’s identity.

 

9.         The ACO agrees to abide by CMS’s cell size suppression policy (which stipulates that no cell of 10 or less may be displayed).

 

And last, but certainly not least:

 

10.       The ACO agrees to report to CMS any breach of personally identifiable information from the CMS data file(s), loss of these data, or disclosure to an unauthorized person by telephone or email within one hour.

 

 

While the undertakings of a Medicare ACO and the terminology in the Data Use Agreement for protection of patient data may differ from those of covered entities, business associates and subcontractors and their BAAs under the HIPAA/HITECH regulations, they have many striking similarities and purposes. 

 

The following was recently posted in substantially the same form on the Fox Rothschild LLP HIPAA, HITECH and Health Information Technology blog.

Elizabeth Litten and Michael Kline write:

 

We have posted several blogs, including those here and here, tracking the reported 2011 theft of computer tapes from the car of an employee of Science Applications International Corporation (“SAIC”) that contained the protected health information (“PHI”) affecting approximately 5 million military clinic and hospital patients (the “SAIC Breach”).  SAIC’s recent Motion to Dismiss (the “Motion”) the Consolidated Amended Complaint filed in federal court in Florida as a putative class action (the “SAIC Class Action”) highlights the gaps between an incident (like a theft) involving PHI, a determination that a breach of PHI has occurred, and the realization of harm resulting from the breach. SAIC’s Motion emphasizes this gap between the incident and the realization of harm, making it appear like a chasm so wide it practically swallows the breach into oblivion. 

 

SAIC, a giant publicly-held government contractor that provides information technology (“IT”) management and, ironically, cyber security services, was engaged to provide IT management services to TRICARE Management Activity, a component of TRICARE, the military health plan (“TRICARE”) for active duty service members working for the U.S. Department of Defense (“DoD”).  SAIC employees had been contracted to transport backup tapes containing TRICARE members’ PHI from one location to another.

 

According to the original statement published in late September of 2011 ( the “TRICARE/SAIC Statement”) the PHI “may include Social Security numbers, addresses and phone numbers, and some personal health data such as clinical notes, laboratory tests and prescriptions.” However, the TRICARE/SAIC Statement said that there was no financial data, such as credit card or bank account information, on the backup tapes. Note 17 to the audited financial statements (“Note 17”) contained in the SAIC Annual Report on Form 10-K for the fiscal year ended January 31, 2012, dated March 27, 2012 (the “2012 Form 10-K”), filed with the Securities and Exchange Commission (the "SEC”), includes the following:

 

There is no evidence that any of the data on the backup tapes has actually been accessed or viewed by an unauthorized person. In order for an unauthorized person to access or view the data on the backup tapes, it would require knowledge of and access to specific hardware and software and knowledge of the system and data structure.  The Company [SAIC] has notified potentially impacted persons by letter and is offering one year of credit monitoring services to those who request these services and in certain circumstances, one year of identity restoration services.

 

While the TRICARE/SAIC Statement contained similar language to that quoted above from Note 17, the earlier TRICARE/SAIC Statement also said, “The risk of harm to patients is judged to be low despite the data elements . . . .” Because Note 17 does not contain such “risk of harm” language, it would appear that (i) there may have been a change in the assessment of risk by SAIC six months after the SAIC Breach or (ii) SAIC did not want to state such a judgment in an SEC filing.

 

Note 17 also discloses that SAIC has reflected a $10 million loss provision in its financial statements relating to the  SAIC Class Action and various other putative class actions respecting the SAIC Breach filed between October 2011 and March 2012 (for a total of seven such actions filed in four different federal District Courts).  In Note 17 SAIC states that the $10 million loss provision represents the “low end” of SAIC’s estimated loss and is the amount of SAIC’s deductible under insurance covering judgments or settlements and defense costs of litigation respecting the SAIC Breach.  SAIC expresses the belief in Note 17 that any loss experienced in excess of the $10 million loss provision would not exceed the insurance coverage.  

 

Such insurance coverage would, however, likely not be available for any civil monetary penalties or counsel fees that may result from the current investigation of the SAIC Breach being conducted by the Office of Civil Rights of the Department of Health and Human Services (“HHS”) as described in Note 17.

  

Initially, SAIC did not deem it necessary to offer credit monitoring to the almost 5 million reportedly affected individuals. However, SAIC urged anyone suspecting they had been affected to contact the Federal Trade Commission’s identity theft website. Approximately 6 weeks later, the DoD issued a press release stating that TRICARE had “directed” SAIC to take a “proactive” response by covering a year of free credit monitoring and restoration services for any patients expressing “concern about their credit as a result of the data breach.”   The cost of such a proactive response easily can run into millions of dollars in the SAIC Breach. It is unclear the extent, if any, to which insurance coverage would be available to cover the cost of the proactive response mandated by the DoD, even if the credit monitoring, restoration services and other remedial activities of SAIC were to become part of a judgment or settlement in the putative class actions.

 

We have blogged about what constitutes an impermissible acquisition, access, use or disclosure of unsecured PHI that poses a “significant risk” of “financial, reputational, or other harm to the individual” amounting to a reportable HIPAA breach, and when that “significant risk” develops into harm that may create claims for damages by affected individuals. Our partner William Maruca, Esq., artfully borrows a phrase from former Defense Secretary Donald Rumsfeld in discussing a recent disappearance of unencrypted backup tapes reported by Women and Infants Hospital in Rhode Island. If one knows PHI has disappeared, but doubts it can be accessed or used (due to the specialized equipment and expertise required to access or use the PHI), there is a “known unknown” that complicates the analysis as to whether a breach has occurred. 

 

As we await publication of the “mega” HIPAA/HITECH regulations, continued tracking of the SAIC Breach and ensuing class action litigation (as well as SAIC’s SEC filings and other government filings and reports on the HHS list of large PHI security breaches) provides some insights as to how covered entities and business associates respond to incidents involving the loss or theft of, or possible access to, PHI.   If a covered entity or business associate concludes that the incident poses a “significant risk” of harm, but no harm actually materializes, perhaps (as the SAIC Motion repeatedly asserts) claims for damages are inappropriate. When the covered entity or business associate takes a “proactive” approach in responding to what it has determined to be a “significant risk” (such as by offering credit monitoring and restoration services), perhaps the risk becomes less significant. But once the incident (a/k/a, the ubiquitous laptop or computer tape theft from an employee’s car) has been deemed a breach, the chasm between incident and harm seems to open wide enough to encompass a mind-boggling number of privacy and security violation claims and issues.