Health Insurance Portability and Accountability Act (HIPAA)

Roger Severino, director of the Department of Health and Human Services’ Office of Civil Rights, told HIMSS18 conference attendees this week that he plans no slowdown in HIPAA enforcement.

“I come from the Department of Justice Office for Civil Rights; I bring that mindset to OCR. We’re still looking for big, juicy egregious cases” for enforcement, Severino said, according to this report in Data Breach Today. That doesn’t mean smaller companies should assume they are off the radar, he added.

He said 2017 was OCR’s second biggest year for HIPAA settlements with $19.4 million collected, second only to 2016 in which OCR collected nearly $25 million.

Username and password login fields, online security
Usernames and passwords were exposed in a number of reported data breaches.

According to the monthly report from the Identity Theft Resource Center, the health care industry suffered more data breaches in January than government, educational and financial sectors combined.

Medical and health care-related data breaches accounted for 26.7 percent of the verified 116 data breaches in early 2018. The report defines a breach as a cybersecurity incident in which personal information such as emails, medical records, Social Security numbers or driver’s license information, is exposed and made vulnerable to risk.

While the report identifies “Business” as the sector most affected by data breaches, the category broadly encompasses many types of major service providers in retail, hospitality, trade, transportation and other industries.

For more detailed statistics of data breaches by industry, download the ITRC report.

Last year saw multiple high-profile data breaches, enough to place cybersecurity atop any in-house attorney’s 2018 priority list.

But the threat posed by hackers isn’t the only cyber concern on the minds of in-house counsel this year, reports Corporate Counsel magazine.

In the regulatory realm, complying with the European Union’s General Data Protection Regulation, which takes effect in May,  is expected to be companies’ top data privacy task of 2018. But it’s not the only one. The Chinese government also plans to impose new, below-the-radar data privacy regs that will make companies jump through another set of legal hoops.

The legal implications of new technologies, such as fitness devices that blur the line between medical and personal data collection, are also expected to challenge corporate counsel. And groundbreaking legal cases could change the law regarding who has standing to sue following a data breach in the U.S. and whether companies can use standard contractual clauses to transfer personal data out of Europe.

On our HIPAA & Health Information Technology Blog, associate Ankita Patel discusses how Millennials’ embrace of newer forms of social media such as Snapchat and Instagram poses HIPAA challenges for health care organizations.

“With just a few taps and swipes, an employee can post a seemingly innocuous disclosure of PHI. Interns and residents of the younger generation may innocently upload a short-term post (be it a picture for two-seconds or an eight-second long video) of a busy hospital room or even an innocent ‘selfie’ without realizing that there is visible and identifiable PHI in the corner,”  Ankita writes.

It’s an intriguing read exploring the intersection of health care and privacy law, social sharing and the rapid pace of technological change. Read the full post here.

Physicians have their hands full on the best of days. It’s not difficult to imagine why using a voice assistant such as Amazon’s Alexa or Apple’s Siri might be attractive.

In fact, a recent survey showed nearly one in four physicians uses the assistants for work-related purposes, such as researching prescription drug dosing. It’s likely many are unaware of the information security dangers they pose.

In an interview with SCG Health Blog, Fox Rothschild attorneys Elizabeth Litten and Michael Kline explain that the labor-saving devices pose a bevy of data privacy and security risks, and offer doctors six helpful tips for protecting their practices.

Elizabeth Litten (Fox Rothschild Partner and HIPAA Privacy & Security Officer) and Mark McCreary (Fox Rothschild Partner and Chief Privacy Officer) will be presenting at the New Jersey Chapter of the Healthcare Financial Management Association on August 30, 2017, from 12:00-1:00 pm eastern time.  The presentation is titled: “Can’t Touch That: Best Practices for Health Care Workforce Training on Data Security and Information Privacy.”

This webinar is a comprehensive review of information privacy and data security training, with an emphasis on imparting practical know-how and a fluency with the terminology involving phishing, ransomware, malware and other common threats. We will cover best practices for sensitizing health care industry workers to these threats as part of their ongoing HIPAA compliance efforts and, more generally, for training workers in any business on the proper handling of sensitive data. We will cover the adoption of policies and a training regimen for the entire workforce, as well as tailored training for those in positions responsible for implementing security policies.

More information and a registration link can be found here.

On July 23, 2017, Washington State will become the third state (after Illinois and Texas) to statutorily restrict the collection, storage and use of biometric data for commercial purposes. The Washington legislature explained its goal in enacting Washington’s new biometrics law:

The legislature intends to require a business that collects and can attribute biometric data to a specific uniquely identified individual to disclose how it uses that biometric data, and provide notice to and obtain consent from an individual before enrolling or changing the use of that individual’s biometric identifiers in a database.

— Washington Laws of 2017, ch. 299 § 1.  (See complete text of the new law here).

Washington’s new biometrics act governs three key aspects of commercial use of biometric data:

  1. collection, including notice and consent,
  2. storage, including protection and length of time, and
  3. use, including dissemination and permitted purposes.

The law focuses on “biometric identifiers,” which it defines as

data generated by automatic measurements of an individual’s biological characteristics, such as a fingerprint, voiceprint, eye retinas, irises, or other unique biological patterns or characteristics that is used to identify a specific individual.

— Id. § 3(1).

The law excludes all photos, video or audio recordings, or information “collected, used, or stored for health care treatment, payment or operations” subject to HIPAA from the definition of “biometric identifiers.” Id.  It also expressly excludes biometric information collected for security purposes (id. § 3(4)), and does not apply to financial institutions subject to the Gramm-Leach-Bliley Act.  Id. § 5(1).  Importantly, the law applies only to biometric identifiers that are “enrolled in” a commercial database, which it explains means capturing a biometric identifier, converting it to a reference template that cannot be reconstructed into the original output image, and storing it in a database that links the biometric identifier to a specific individual.  Id. §§ 2, 3(5).

Statutory Ambiguity Creates Confusion

Biometric data
Copyright: altomedia / 123RF Stock Photo

Unfortunately, ambiguous statutory language, combined with rapidly-advancing technology, virtually guarantees confusion in each of the three key aspects of the new law.

Regarding collection, the new law states that a company may not “enroll a biometric identifier in a database for a commercial purpose” unless it: (1) provides notice, (2) obtains consent, or (3) “provid[es] a mechanism to prevent the subsequent use of a biometric identifier for a commercial purpose.”  Id. § 2(1).  Confusingly, the law does not specify what type of “notice” is required, except that it must be “given through a procedure reasonably designed to be readily available to affected individuals,” and its adequacy will be “context-dependent.”  Id. § 2(2).

If consent is obtained, a business may sell, lease or disclose biometric data to others for commercial use.  Id. § 2(3).  Absent consent, a business may not disclose biometric data to others except in very limited circumstances listed in the statute, including in litigation, if necessary to provide a service requested by the individual or as authorized by other law. Id. However, the new law may ultimately be read by courts or regulators as including a “one disclosure” exception because it says disclosure is allowed to any third party “who contractually promises that the biometric identifier will not be further disclosed and will not be enrolled in a database for a commercial purpose” inconsistent with the new law.  Id.

The new law also governs the storage of biometric identifiers.  Any business holding biometric data “must take reasonable care to guard against unauthorized access to and acquisition of biometric identifiers that are in the possession or control of the person.”  Id. § 2(4)(a).  Moreover, businesses are barred from retaining biometric data for any longer than “reasonably necessary” to provide services, prevent fraud, or comply with a court order.  Id. § 2(4)(b).  Here too the law fails to provide certainty, e.g., it sets no bright-line time limits on retention after customer relationships end, or how to apply these rules to ongoing but intermittent customer relationships.

The Washington legislature also barred companies that collect biometric identifiers for using them for any other purpose “materially inconsistent” with the original purpose they were collected for unless they first obtain consent.  Id. § 2(5).  Confusingly, even though notice alone is enough to authorize the original collection, it is not sufficient by itself to authorize a new use.

Interestingly, the new Washington law makes a violation of its collection, storage or use requirements a violation of the Washington Consumer Protection Act (the state analog to Section 5 of the FTC Act).  Id. § 4(1).  However, it specifically excludes any private right of action under the statute and provides for enforcement solely by the Washington State Attorney General, leaving Illinois’s Biometric Information Privacy Act as the only state biometrics law authorizing private enforcement.  Id. § 4(2).

Washington’s new law was not without controversy.  Several state legislators criticized it as imprecise and pushed to more specifically detail the activities it regulates; proponents argued that its broad language was necessary to allow flexibility for future technological advances. Ultimately, the bill passed with less than unanimous approval and was signed into law by Washington’s governor in mid-May.  It takes effect on July 23, 2017.  A similar, but not identical, Washington law takes effect the same day governing the collection, storage and use of biometric identifiers by state agencies.  (See Washington Laws of 2017, ch. 306 here).

In one of the best examples we have ever seen that it pays to be HIPAA compliant (and can cost A LOT when you are not), the U.S. Department of Health and Human Services, Office for Civil Rights, issued the following press release about the above settlement.  This is worth a quick read and some soul searching if your company has not been meeting its HIPAA requirements.

FOR IMMEDIATE RELEASE
April 24, 2017
Contact: HHS Press Office
202-690-6343
media@hhs.gov

$2.5 million settlement shows that not understanding HIPAA requirements creates risk

The U.S. Department of Health and Human Services, Office for Civil Rights (OCR), has announced a Health Insurance Portability and Accountability Act of 1996 (HIPAA) settlement based on the impermissible disclosure of unsecured electronic protected health information (ePHI). CardioNet has agreed to settle potential noncompliance with the HIPAA Privacy and Security Rules by paying $2.5 million and implementing a corrective action plan. This settlement is the first involving a wireless health services provider, as CardioNet provides remote mobile monitoring of and rapid response to patients at risk for cardiac arrhythmias.

In January 2012, CardioNet reported to the HHS Office for Civil Rights (OCR) that a workforce member’s laptop was stolen from a parked vehicle outside of the employee’s home. The laptop contained the ePHI of 1,391 individuals. OCR’s investigation into the impermissible disclosure revealed that CardioNet had an insufficient risk analysis and risk management processes in place at the time of the theft. Additionally, CardioNet’s policies and procedures implementing the standards of the HIPAA Security Rule were in draft form and had not been implemented. Further, the Pennsylvania –based organization was unable to produce any final policies or procedures regarding the implementation of safeguards for ePHI, including those for mobile devices.

“Mobile devices in the health care sector remain particularly vulnerable to theft and loss,” said Roger Severino, OCR Director. “Failure to implement mobile device security by Covered Entities and Business Associates puts individuals’ sensitive health information at risk. This disregard for security can result in a serious breach, which affects each individual whose information is left unprotected.”

The Resolution Agreement and Corrective Action Plan may be found on the OCR website at https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/cardionet

HHS has gathered tips and information to help protect and secure health information when using mobile devices:  https://www.healthit.gov/providers-professionals/your-mobile-device-and-health-information-privacy-and-security

To learn more about non-discrimination and health information privacy laws, your civil rights, and privacy rights in health care and human service settings, and to find information on filing a complaint, visit us at http://www.hhs.gov/hipaa/index.html

In its ongoing guidance* initiatives, the Office for Civil Rights (OCR) has continued to interpret key obligations within the HIPAA Privacy and Security Rules (45 C.F.R. Part 160, 162, and 164) (HIPAA Rules). Most recently, the OCR has added FAQ details about cloud service providers (CSPs) as business associates (Cloud Guidance) under HIPAA Rules. It should be noted that all CSPs, despite varying levels of functionality and service, are viewed equally in the Cloud Guidance.

OCR first addressed whether a CSP is a business associate if it stores encrypted Protect Health Information (PHI) with access to the encryption key.

CSPs Are Business Associates Despite Encryption Practices

OCR made clear that when a CSP handles electronic PHI (ePHI) – transmits, creates, maintains or receives ePHI – the CSP enters into the status of a “Business Associate” per HIPAA Rules despite handling encrypted data without an encryption key. Even though a CSP cannot view the ePHI, the fact that it handles and/or maintains that data makes it a Business Associate. OCR reasons that encryption limits viewing of ePHI but cannot protect it from malicious software corruption or assure its access at all times – two requirements that must be fulfilled under the HIPAA Security Rule.

However, OCR added that CSPs dealing with encrypted ePHI without an encryption key does meet Security Rule obligations for both a Covered Entity and CSP because of the safeguard measures of the Covered Entity. OCR explained:

[I]f a customer implements its own reasonable and appropriate user authentication controls and agrees that the CSP providing no-view services need not implement additional procedures to authenticate (verify the identity of) a person or entity seeking access to ePHI, these Security Rule access control responsibilities would be met for both parties by the action of the customer.

Notably, a CSP will not be held responsible for compliance shortfalls that arise from its Covered Entity/Business Associate customers. Relevant compliance responsibility agreements that protect the CSP will also remain valid. OCR added additional interpretations about Privacy Rule requirement of CSPs performing “no-view services.” A CSP may not disclose or use PHI unless the Business Associate Agreement (BAA) and Privacy Rule permit those actions. A CSP is not authorized to restrict its Business Associate or Covered Entity customer gaining access to its ePHI.

PHI Storage and Retention Does Not Make a CSP a ‘Mere Conduit’

OCR, in another FAQ, goes on to clarify that a CSP is not a “mere conduit,” a designation that would provide exemptions from HIPAA Rules for Business Associations.** A conduit exception is only made for very specific cases – a CSP is a conduit if it its services are limited to transmission only and does not involve any data storage beyond the functions needed to properly execute its transmission services. By these standards, a CSP is a Business Associate if it uses both transmission and data retention services.

Business Associate Status Extends to Downstream CSPs

CSPs worried that in cases where a BAA is not formed, they may not be aware of services provided to a Business Associate or a downstream subcontractor. OCR states that if a CSP provides services that make it a Business Associate, the CSP assumes Business Associate liabilities. Although, per OCR, when a CSP lacks “actual or constructive knowledge that a covered entity or another business associate is using its services to create, receive, maintain, or transmit ePHI,” the CSP should address all HIPAA compliance shortcomings within 30 days of noticing this circumstance. Acting within that timeframe affords the CSP a liability waiver of sorts, and the OCR may extend the timing by an additional 30 days based on the specific issues of noncompliance. If it is shown that the CSP willfully neglected investigating the potential for this circumstance, it will not afforded similar corrective opportunities. A CSP should record all attempts and achievements to comply with HIPAA Rules if it find itself in noncompliance, or remove or protect the ePHI in question.

ePHI Audits, Offshoring, and Maintenance and Cloud Security

Audit Requirements: OCR affirms that HIPAA Rules obligate Covered Entities and Business Associates to document and possess security assurances from contractors and vendor as BAAs. Auditing those entities is not required.

Offshoring: Concerns arise when CSPs store or retain data in servers beyond the U.S., which affects security and HIPAA enforcement. Notably, OCR points that offshoring is neither prohibited nor addressed in HIPAA Rules, but data storage beyond U.S. borders obligates the CSP and all contracting parties to acknowledge the added vulnerabilities in their risk management plans and analyses as part of their HIPAA Security Rule.

ePHI Maintenance: A CSP does not have to maintain ePHI beyond the services it agreed to provide. The OCR mentions that the HIPAA Privacy Rule requires a BAA that addresses whether a CSP must return or eliminate ePHI at the expiration of the BAA. If the return or removal of data is not possible, the CSP is obligated to secure, conceal and protect the data in a way that adequately addresses the reason it cannot return or destroy the data.

Important Notes

  • CSPs typically utilize Service Level Agreements (SLA) that contain language which affects HIPAA compliance. SLAs address service performance details regarding system availability/reliability, data back-up and recovery and data return/termination requirements. OCR advised that BAAs and SLAs should be in line with each other and executable under HIPAA Rules. Further, SLAs cannot restrict a Covered Entity from gaining access to its own PHI, and SLA conditions that violate HIPAA Rules will form noncompliance issues for the Covered Entity.
  • A CSP must have security reporting policies for its Covered Entity and Business Associate customers that comply with the Security Rule and the Breach Notification Rule.
  • OCR will not make any kind of recommendation for technology and products that offer HIPAA-compliant cloud services.
  • Mobile devices may be used the same way as non-cloud means by Covered Entities and Business associates to access CSP-stored ePHI. The BAA addressing ePHI access via mobile device should require the CSP to have satisfactory physical and technical safeguards that maintain all necessary data protection and security.

*See, OCR Guidance on Ransomware, July 11, 2016 and OCR Guidance for Long Term Care Facilities May 2016.

**See OCR’s analysis of the “conduit” exemption at 78 Fed. Reg. 5565, 5571 (January 25, 2013).

Last week we posted about A Brief Primer on the NIST Cybersecurity Framework.  Our partner and HIPAA/HITECH expert Elizabeth Litten took the NIST Cybersecurity Framework and created a blog post for the HIPAA, HITECH and Health Information Technology Blog on how How the NIST Cybersecurity Framework Can Help With HIPAA Compliance: 3 Tips, which can be read here.  For those facing any HIPAA-related issues, it is a worthwhile read.