Advocate Health Care already facing first lawsuit for July 15 breach involving 4 million EHR patient records

Chicago area Advocate Health Care suffered the country’s biggest health care record breach to date on July 15 – when four unencrypted laptops containing over four million patient records were stolen.  Seven weeks later the legal repercussions to July’s event are already beginning to unfold with last week’s filing of a class-action complaint in Cook County Circuit Court.

Once again, we are reminded both of the repercussions of such a loss and, more importantly, how easy it is to prevent this.  I’m not suggesting that the theft could have been prevented, but if the laptops had been encrypted, then this would have been a non-event (at least as far as the breach notification issue).  No one outside of Advocate would even know about the theft, because Advocate wouldn’t have had to report the loss and it would not have made the news at all.  So the take-away:  encrypt all of your mobile devices, including laptops, thumb drives, smart phones, etc.

Via Modern Healthcare:

The recent massive data breach at Advocate Health Care has already had legal consequences.

Downers Grove, Ill.-based Advocate and a subsidiary, Advocate Medical Group, are facing a state class-action lawsuit filed on behalf of two named plaintiffs and 4 million individuals whose personally identifiable health records were taken along with four desktop computers in a burglary in July. The computers were password protected but not encrypted, according to Advocate.

The five-count, 12-page complaint in Cook County Circuit Court in Chicago alleges negligence, deceptive business practices, invasion of privacy, intentional infliction of emotional distress and consumer fraud, all violations of Illinois law.

According to the class-action complaint, Advocate “continued its use of nonsecure, unencrypted computers and software to maintain the private and confidential patient data” it had collect, in violation of two state privacy laws.

The suit alleges Advocate violated the Illinois Personal Information Protection Act when it “permitted an unauthorized acquisition of computerized data that compromised the security, confidentiality, or integrity of personal information,” and the Illinois Medical Patients Rights Act when it “facilitated and allowed for the unlawful disclosure of patients' private and confidential health information.”

The lawsuit requests a jury trial and judgment of an unspecified dollar amount for actual damages, costs and other relief the court deems appropriate.

The named plaintiffs were former Advocate patients, Pierre Petrich, and her minor daughter, Amara Petrich, of Northbrook, Ill. The suit was filed by Chicago personal injury attorney Robert Clifford.

The suit alleges the plaintiffs' records were part of the massive July 15 data breach at an administrative office of the 1,100-plus physician Advocate Medical Group in Park Ridge, Ill. At just over four million records, it is the largest breach by a healthcare provider since the federal government began requiring public reporting of larger healthcare records breaches in 2009.

Personally identifiable data on the compromised records varied, according to an Advocate spokeswoman, but included patients' names, addresses, dates of birth, Social Security numbers, diagnoses and medical record numbers.

Advocate previously made the federal “wall of shame” list kept by HHS' Office for Civil Rights after the theft of an unencrypted laptop in 2009 carrying 812 patient records.

Thus far, 659 breaches involving records of 500 or more individuals have made the list, accounting for more than 22.8 million records being exposed. Of those involving electronic devices, 48% of the incident reports mentioned theft, 11% loss; and 8% hacking, all of which could have been mitigated by encryption.

The breach is being investigated by the OCR, the chief federal agency enforcing the health information privacy and security rules under the Health Insurance Portability and Accountability Act, and by the Illinois Attorney General's office, for possible HIPAA and Illinois privacy law violations, spokespersons for those agencies have said.

Advocate has faced criticism for not encrypting the data. Encryption is a technique in which software is used to scramble messages or data, rendering them unusable and unreadable to anyone who doesn't have the key, another piece of software code to unscramble the protected information.

An Advocate spokeswoman said an encryption program launched by the organization in 2009 had not reached the four computers in the Park Ridge office.

Advocate's Kelly Jo Golson, senior vice president of public affairs and marketing, in a statement, said “We deeply regret any inconvenience this incident has caused our patients who have entrusted us with their care. Our focus continues to be delivering the highest level of care and service. We are also committed to providing all individuals impacted by this incident with resources to answer their questions and tools to protect their personal information. Although we are unable to comment specifically on active litigation matters, we want to reassure our patients that we do not believe the data was targeted and we have no information that leads us to believe that the information has been misused.”

By Joseph Conn

Advocate Health Care sued following massive data breach,” Modern Healthcare (September 6, 2013)

Settlement of first small scale HIPAA breach announced by HHS

In a sign that HHS is serious about small data breaches, the Office of Civil Rights (OCR) and The Hospice of North Idaho reached a settlement agreement to resolve allegations of a 2010 breach involving 441 patient records. OCR Director Leon Rodriguez reminded the industry that every covered entity, regardless of size, must implement the privacy and security safeguards - including, e.g., encryption of protected health information on mobile devices - required under HIPAA, as amended pursuant to the HITECH Act.

This settlement comes at the same time as the OCR rolls out its new educational initiative aimed at securing protected data on mobile devices. You can learn more about this initiative here.

Via HHS Press Release:

The Hospice of North Idaho (HONI) has agreed to pay the U.S. Department of Health and Human Services’ (HHS) $50,000 to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule.  This is the first settlement involving a breach of unprotected electronic protected health information (ePHI) affecting fewer than 500 individuals.

The HHS Office for Civil Rights (OCR) began its investigation after HONI reported to HHS that an unencrypted laptop computer containing the electronic protected health information (ePHI) of 441 patients had been stolen in June 2010.  Laptops containing ePHI are regularly used by the organization as part of their field work.  Over the course of the investigation, OCR discovered that HONI had not conducted a risk analysis to safeguard ePHI.  Further, HONI did not have in place policies or procedures to address mobile device security as required by the HIPAA Security Rule.  Since the June 2010 theft, HONI has taken extensive additional steps to improve their HIPAA Privacy and Security compliance program.

“This action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients’ health information.” said OCR Director Leon Rodriguez. “Encryption is an easy method for making lost information unusable, unreadable and undecipherable.”

The Health Information Technology for Economic and Clinical Health (HITECH) Breach Notification Rule requires covered entities to report an impermissible use or disclosure of protected health information, or a “breach,” of 500 individuals or more to the Secretary of HHS and the media within 60 days after the discovery of the breach.  Smaller breaches affecting less than 500 individuals must be reported to the Secretary on an annual basis.

A new educational initiative, Mobile Devices: Know the RISKS. Take the STEPS. PROTECT and SECURE Health Information, has been launched by OCR and the HHS Office of the National Coordinator for Health Information Technology (ONC) that offers health care providers and organizations practical tips on ways to protect their patients’ health information when using mobile devices such as laptops, tablets, and smartphones.  For more information, visit www.HealthIT.gov/mobiledevices.

The Resolution Agreement can be found on the OCR website at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/honi-agreement.pdf

HHS announces first HIPAA breach settlement involving less than 500 patients:
Hospice of North Idaho settles HIPAA security case for $50,000
,” HHS Press Release (January 2, 2013)

Laptop theft costs Massachusetts provider $1.5 million in HHS settlement

Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates (MEEI) will be paying HHS $1.5 million in installments over three years for a 2010 incident.  It is worth noting that OCR also reached a $1.5 million settlement with Blue Cross Blue Shield of Tennessee (BCBST) earlier this year for a breach involving over a million patient records on stolen hard drives.  The MEEI data breach, on the other hand,  involved only 3,621 patient records.

Regardless of OCR's exact motives for such a high fine for such a significantly smaller scale breach, it is clear that OCR takes compliance with the HIPAA Privacy and Security Rules very seriously, especially in cases where patient data is stored on portable devices. It is also important to keep in mind that, as we pointed out after the BCBST breach, the $1.5 million settlement amount may well be exceeded by the costs and expenses associated with notification and credit monitoring expenses, as well as investigating and correcting this breach by MEEI.

Via Modern Healthcare:

HHS' Office for Civil Rights announced that Massachusetts Eye and Ear Infirmary and its affiliated physician group, Massachusetts Eye and Ear Associates, agreed to pay $1.5 million to settle a HIPAA security-rule violation case.

The $1.5 million settlement with Boston-based Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, collectively known as MEEI, is part of a resolution agreement (PDF) with the Office for Civil Rights. MEEI's alleged violations of the Health Insurance Portability and Accountability Act's security rule stem from the reported 2010 theft of a laptop computer storing 3,621 patient records, according to HHS.

 

The Office for Civil Rights alleges that the infirmary and the group not only failed to secure data on the laptop but also failed to comply with several other HIPAA security-rule requirements, including performing “a thorough analysis of the risk to the confidentiality” of individually identifiable patient information stored on the portable device and not “adopting and implementing policies and procedures to restrict access to ePHI to authorized users of portable devices.” The term ePHI refers to electronic protected health information. 

“In an age when health information is stored and transported on portable devices such as laptops, tablets and mobile phones, special attention must be paid to safeguarding the information held on these devices,” Office for Civil Rights Director Leon Rodriguez said in a news release. “This enforcement action emphasizes that compliance with the HIPAA privacy and security rules must be prioritized by management and implemented throughout an organization, from top to bottom.”

The settlement amount is to be paid in three equal installments of $500,000—the first on Oct. 15 of this year and the next two on the same date in 2013 and 2014.

The 17-page resolution agreement also requires the organization “to adhere to a corrective action plan” and permits an independent monitor to make semi-annual assessments of MEEI's compliance with the plan for three years.

The American Recovery and Reinvestment Act of 2009 required the reporting to HHS of breaches affecting 500 or more individuals and the creation of a public accessible website listing the breaches. There are now 490 such self-reported breach incidents on the list, which is maintained by the Office for Civil Rights. Combined, those breaches exposed the records of more than 21 million individuals, according to the office.

The infirmary is on the list twice. A November 2009 incident involving 1,076 records stemmed from a police investigation into improper use of credit card information that led to the firing of two infirmary employees.

By Joseph Conn

Mass. provider to pay $1.5 million in HIPAA settlement,” Modern Healthcare (September 17, 2012)

OCR: Health records of over 7 percent of U.S. population breached in past 3 years

Health records of over seven percent of the U.S. population – almost 21 million individuals – have been breached in the past three years, according to OCR.  Although it may be somewhat of an apples-to-oranges comparison, it is worth noting that outside the health care arena it is not uncommon for this number of records, and several times this number of records, to be breached in a single incident, in this new era of vanishing personal privacy.  The 2012 theft from Amazon/Zappos online shoe retailer of 24 million customer records may be the most recent of the large-scale data breaches, but it is dwarfed by other breaches in recent years including, notably, the 2009 Heartland Payment Systems incident in which 134 million records were compromised.  According to the OCR, the 21 million number represents just those records compromised in breaches over a certain threshold and does not include smaller scale breaches. 

Via Modern Healthcare:

Since September 2009, there have been 477 breaches reported to the Office for Civil Rights affecting 500 or more people, according to a publicly viewable list on the office's website.

 

The breach notification and reporting mandate was part of more stringent privacy and security provisions of the American Recovery and Reinvestment Act of 2009.

Tens of thousands of breaches that involve fewer than 500 records have also been reported, according to the Office for Civil Rights, but details of these lesser breaches are not required to be posted to the website.

Six healthcare organizations have suffered breaches compromising 1 million records or more.

The list is topped by an incident last September involving the loss of 4.9 million records by an employee of Science Applications International Corp. He reported to police that some backup tapes carrying data on the medical treatment of military personnel kept by the Tricare Management Activity were stolen from his car in Austin, Texas.

Loss of data by a vendor is nothing unusual. In 100 of these larger breach incidents—roughly 21%—a business associate of a "covered entity" as defined under the Health Insurance Portability and Accountability Act of 1996, also was affected in the breach, Office for Civil Rights data show.

In total, the records of 20,970,222 individuals have been potentially exposed in these major breaches thus far.

The median size of a breach on the list involves the records of 2,184 people; the average is 43,963.

Theft is the most commonly reported breach type (54%), followed by unauthorized access or disclosure (20%), loss (11%), hacking (6%), improper disposal (5%) and other/unknown (4%).

Large medical-records breaches affect nearly 21 million: OCRModern Healthcare (August 1, 2012)

HHS publishes EHR privacy and security guide

The ONC’s Office of the Chief Privacy Officer (OCPO) has published a "Guide to Privacy and Security of Health Information” intended to help healthcare practitioners and their staffs better understand the roles of privacy and security in the meaningful use of electronic health records.

Via Healthcare IT News:

Earlier this spring Healthcare IT News reported the results of a study from HIMSS Analytics and Kroll that showed security breaches are still widespread in healthcare – despite increased attention paid to patient privacy.

The ‘HIMSS Analytics Report: Security of Patient Data,’ suggested that, despite increasingly stringent regulatory activity with regard to reporting and auditing procedures, most providers were prioritizing compliance with the rules over actually bolstering their own organizations' security protocols.

So the new ONC guide, which seeks to offer a comprehensive, easy-to-understand resource to help providers incorporate robust privacy and security routines into their clinical workflow, comes at a crucial time.

Developed by OCPO in partnership with the American Health Information Management Association (AHIMA) Foundation, the 47-page guide offers detailed guidance on topics such as security risk analyses and management tips, and working with EHR and health IT vendors.

The guide also offers a 10-step plan for reinforcing privacy and security protections before attesting for meaningful use:

1. Confirm your organization is a covered entity. Most healthcare providers are covered entities, and thus, have HIPAA responsibilities for individually identifiable health information. The Department of Health and Human Services offers tools that can help you confirm your organization's status.

2. Provide leadership. Emphasizing the importance of protecting patient information to all your employees is central to ensuring a culture where security is treated with the importance it deserves.

3. Document your process, findings and actions. The Centers for Medicare & Medicaid Services (CMS) advises all providers attesting for meaningful use to retain all relevant records that support attestation. Record all your practice decisions, findings and actions related to safeguarding patient information.

4. Conduct security risk analysis. A security risk analysis – or a reassessment, if you've already done one – compares your current security measures to what is legally and pragmatically required to safeguard personal health information, and identifies high priority threats and vulnerabilities.

5. Develop an action plan. Using your risk analysis results, discuss and develop an action plan to mitigate the identified risks. The plan must have five components, the guide notes: administrative, physical, and technical safeguards; policies and procedures; and organizational standards.

6. Manage and mitigate risks. Begin implementing your action plan. Develop written and up-to-date policies and procedures about how your practice protects personal health information. Do not lose sight of basic security measures, some of which can be low-cost and highly effective.

7. Prevent with education and training. To safeguard patient information, your workforce must know how to implement your policies, procedures, and security audits, according to ONC. HIPAA covered providers must train their workforces (employees, volunteers, trainees, and contractors) on your policies and procedures. Staffs must receive formal training on breach notification.

8. Communicate with patients. Your patients may be concerned about confidentiality and security of their health information in an EHR, the guide points out. Emphasize the benefits of EHRs to them as patients, perhaps using consumer education handouts that others have developed, and reassure them that you have a system to proactively protect their health information.

9. Update business associate agreements. Ensure your business associate agreements require compliance with HIPAA and HITECH breach notification requirements. This will require your business associates to safeguard protected health information they get from your practice, train their workforce, and adhere to breach notification requirements.

10. Attest for the security risk analysis meaningful use objective. Only apply for an EHR incentive program once you'd fulfilled the security risk analysis requirement and have documented your efforts, the ONC guide emphasizes, pointing out that when you attest to meaningful use, it is a legal statement that you have met specific standards, including that you protect electronic health information. Participants in the EHR Incentive Program can be audited.

Beyond HIPAA and HITECH, ‘ensuring privacy and security of health information, including information in electronic health records, is a key component to building the trust required to realize the potential benefits of electronic health information exchange,’ the ONC guide notes. ‘If individuals and other participants in a network lack trust in electronic exchange of information due to perceived or actual risks to electronic health information or the accuracy and completeness of such information, it may affect their willingness to disclose necessary health information and could have life-threatening consequences.

 

 

 

Access the ONC Guide to Privacy and Security of Health Information here.

ONC privacy and security guide offers 10 steps for MU,” Healthcare IT News (May 9, 2012)

 

HHS settles HIPAA violation case for $100,000, Corrective Action Plan

On April 17, 2012, HHS announced that its Office for Civil Rights (OCR) settled a HIPAA violation case against a surgery practice in Arizona, for $100,000 and a Corrective Action Plan (CAP), which requires implementation of policies and procedures to prevent such HIPAA violations and breaches in the future.

Via HHS Press Release:

The incident giving rise to OCR’s investigation was a report that the physician practice was posting clinical and surgical appointments for its patients on an Internet-based calendar that was publicly accessible. On further investigation, OCR found that Phoenix Cardiac Surgery had implemented few policies and procedures to comply with the HIPAA Privacy and Security Rules, and had limited safeguards in place to protect patients’ electronic protected health information (ePHI).

'This case is significant because it highlights a multi-year, continuing failure on the part of this provider to comply with the requirements of the Privacy and Security Rules,' said Leon Rodriguez, director of OCR. 'We hope that health care providers pay careful attention to this resolution agreement and understand that the HIPAA Privacy and Security Rules have been in place for many years, and OCR expects full compliance no matter the size of a covered entity.'

 

 OCR’s investigation also revealed the following issues:

  • Phoenix Cardiac Surgery failed to implement adequate policies and procedures to appropriately safeguard patient information;
  • Phoenix Cardiac Surgery failed to document that it trained any employees on its policies and procedures on the Privacy and Security Rules;
  • Phoenix Cardiac Surgery failed to identify a security official and conduct a risk analysis; and
  • Phoenix Cardiac Surgery failed to obtain business associate agreements with Internet-based email and calendar services where the provision of the service included storage of and access to its ePHI.

Under the HHS resolution agreement, Phoenix Cardiac Surgery has agreed to pay a $100,000 settlement amount and a corrective action plan that includes a review of recently developed policies and other actions taken to come into full compliance with the Privacy and Security Rules.

"HHS settles case with Phoenix Cardiac Surgery for lack of HIPAA safeguards," HHS Press Release (April 17, 2012).

 

Study: Most data breaches are caused by insiders

A survey by Veriphyr, a provider of identity and access intelligence solutions, found that insiders were responsible for over 60% of data breaches of protected health information (PHI). Specifically, 35% of the PHI breaches were due to insiders' snooping into medical records of fellow employees, and 27% due to improper access to records of their friends and relatives.

Over 70% of surveyed entities, which included hospitals and other heathcare providers, reported suffering one or more breaches within the last 12 months. Veriphyr CEO estimated that data breaches cost healthcare organizations almost $6 billion annually, but found that an overwhelming majority of privacy and compliance officers within the surveyed group (79%) felt that they lacked "adequate controls to detect PHI breaches in a timely fashion."

It is worth noting that 45% of breaches in the survey were caused by loss or theft of medical records and/or equipment holding such records. We have recently seen HHS impose a $1 million fine on Massachusetts General Hospital in a case where, it seems, records were lost by an employee due to a simple mistake and with no malice. UCLA Health System also paid a high price for its employees' snooping into medical records of celebrities.

While it is difficult to anticipate or avoid all possible human error, certain best practices - including Board and executive-level support for privacy initiatives, staff training and updated privacy and security policies and procedures, will go a long way to help your organization protect itself from a disastrous and costly data breach.

"Insiders responsible for majority of privacy breaches, survey finds," Healthcare IT News (August 30, 2011).

 

UCLA Health System reaches $865,500 settlement with OCR

On July 6, 2011, the University of California at Los Angeles Health System (UCLAHS) reached a settlement with HHS's Office of Civil Rights (OCR) regarding UCLAHS's potential violations of HIPAA Privacy and Security Rules. The settlement includes a payment of $865,500 and a corrective action plan (CAP). 

According to the HHS press release, this settlement "resolves two separate complaints filed with OCR on behalf of two celebrity patients who received care at UCLAHS. The complaints alleged that UCLAHS employees repeatedly and without permissible reason looked at the electronic protected health information of these patients. OCR’s investigation into the complaints revealed that from 2005-2008, unauthorized employees repeatedly looked at the electronic protected health information of numerous other UCLAHS patients."

We reported on possible privacy violations at UCLA Health System before. Specifically, in May 2010, we wrote about Huping Zhou, a UCLAHS employee who was the first person to receive a criminal conviction for a HIPAA violation. It is not surprising that OCR stressed the importance of training staff in prevention of such privacy violations in the CAP required by the settlement. The CAP "requires UCLAHS to implement Privacy and Security policies and procedures approved by OCR, to conduct regular and robust trainings for all UCLAHS employees who use protected health information, to sanction offending employees, and to designate an independent monitor who will assess UCLAHS compliance with the plan over 3 years."

Via HHS press release:

Through policies and procedures, entities covered under HIPAA must reasonably restrict access to patient information to only those employees with a valid reason to view the information and must sanction any employee who is found to have violated these policies.

<...> Covered entities need to realize that HIPAA privacy protections are real and OCR vigorously enforces those protections. Entities will be held accountable for employees who access protected health information to satisfy their own personal curiosity,” said Director Verdugo.

Covered entities are responsible for the actions of their employees. This is why it is vital that trainings and meaningful policies and procedures, including audit trails, become part of the everyday operations of any health care provider,” said OCR Director Georgina Verdugo. “Employees must clearly understand that casual review for personal interest of patients’ protected health information is unacceptable and against the law.”

Audit criticizes OCR and ONC over data privacy efforts

HHS's own Office of Inspector General (OIG) issued a scathing report regarding pervasive breaches in privacy and security of patient data. OIG specifically called out the Office of Civil Rights (OCR), charged with enforcement of HIPAA Privacy and Security Rules, for failing to investigate and punish the vast majority of violators.

The audit tested seven hospitals' compliance with HIPAA in seven different states, and found 151 vulnerabilities in the systems and controls intended to cover e-PHI, 124 of which were categorized as "high-impact" (i.e., ones which may result in costly losses, injury or death.)  Violations included unencrypted wireless connections, easy passwords, and even a taped-over door lock on a room used for data storage. Via Modern Healthcare:

The audits of the seven hospitals revealed weaknesses in hospital IT defenses of electronic protected health information, or ePHI, ranging from the fact that several hospitals still were using obsolete and vulnerable encryption protocols to the fact that all seven had vulnerable access controls in which “Outsiders or employees at some hospitals could have accessed, and in one hospital did access, systems and beneficiaries' personal data and performed unauthorized acts without the hospitals' knowledge.”

“These vulnerabilities placed the confidentiality, integrity and availability of ePHI at risk,” the auditors said. The individual hospital audit reports were not disclosed “because the reports contained restricted, sensitive information that may be exempt from release under the Freedom of Information Act,” according to the report.

 

OIG also criticized the Office of National Coordinator for Health IT (ONC) for their failure to develop standards ensuring privacy and security of patient data as part of ARRA's push for digitizing medical records:

As a yardstick for ONC performance as a security champion, the inspector general's auditors reviewed last year's ONC-developed interim final rule and final rule on standards, implementation specifications and certification criteria for the ARRA-funded electronic health record system incentive payment program. The auditors found both wanting.

The report's authors differentiated between two types of security measures. One they described as “application security controls” that “function inside systems or applications to ensure that they work correctly.” Such measures include security controls covered by the ONC final rule and used in testing and certification of electronic health-record systems as able to meet meaningful-use requirements for providers participating in the federal IT incentive payment programs. An example is a requirement that certified EHRs be able to encrypt data shared between providers.

The auditors called the other type of measures “general information technology security controls,” described as “structure, policies and procedures that apply to an entity's overall computer operation.”

An example would be a policy that requires providers to use encryption software on their systems and encrypt all data copied from an EHR and placed on a portable storage device, such as a laptop, CD or a portable thumb drive. The auditors found that the ONC had included application controls in writing its interoperability specifications for meaningful use, but that "there were no (health IT) standards that included general IT security controls.”

Other examples of general controls not addressed by the ONC but suggested for development by the report would be requirements that providers use two-factor authentication to gain access to an organization's health IT system and policies that mandate that organizations install “patches” or bug fixes in a routine and timely manner to computers that process and store EHRs.

"Audit reports hit HHS on digital security," Modern Healthcare (May 17, 2011).

 

Updates to privacy and security regulations expected soon

According to Healthcareinfosecurity.com, the Office of Civil Rights (OCR) is still working on the final rule regarding the updates to HIPAA and the related HIPAA Privacy and Security Rules mandated by the HITECH Act. Susan McAndrew, deputy director for health information privacy at OCR, stated at a conference in Washington, DC, that such changes will be contained in one omnibus regulation and is expected to be published in a matter of months, if not weeks.

Such omnibus regulation will cover:

  • HITECH Act-mandated modifications to the HIPAA privacy, security and enforcement rules. These changes, for example, formalize higher penalties for HIPAA violations and make it clear that business associates must comply with HIPAA. Last December, HHS had indicated in its semi-annual regulatory agenda that the final HIPAA modifications, many of which were issued in preliminary form last year, would be completed by March.
     
  • The breach notification rule. An interim final version is already in effect. OCR yanked a proposed final version of the rule last year for further consideration. Some observers speculated that the office may be reconsidering the controversial "harm standard" in the interim final version of the rule, which enables organizations to conduct a risk assessment to determine whether a security incident represents a significant risk of harm and thus merits reporting.
     
  • Privacy provisions under the Genetic Information Nondiscrimination Act. These provisions will formalize that using genetic information for insurance underwriting purposes is a privacy violation as well as a non-discrimination violation, McAndrew said.

 

Ms. McAndrew also indicated that "a notice of proposed rulemaking revealing a proposal for accounting for disclosures of information in electronic health records "probably" would be issued before the omnibus set of final regulations. Once that notice is issued, OCR will accept comments before issuing a proposed rule."

"HITECH Mandated Regs Still in Works," Healthcareinfosecurity.com (May 11, 2011).

 

Cignet Health fined $4.3 million for HIPAA Privacy Rule violation

Cignet Health, a Maryland health plan and a HIPAA covered entity, has been fined $4.3 million for failing to produce health records upon request to 41 patients, and for failing to cooperate with OCR with the agency's investigation.  This is the very first civil money penalty (CMP) issued by HHS under the HIPAA Privacy Rule.

Via HHS Press Release:

In a Notice of Proposed Determination issued Oct. 20, 2010, OCR found that Cignet violated 41 patients’ rights by denying them access to their medical records when requested between September 2008 and October 2009. These patients individually filed complaints with OCR, initiating investigations of each complaint. The HIPAA Privacy Rule requires that a covered entity provide a patient with a copy of their medical records within 30 (and no later than 60) days of the patient’s request. The CMP for these violations is $1.3 million.

During the investigations, Cignet refused to respond to OCR’s demands to produce the records. Additionally, Cignet failed to cooperate with OCR’s investigations of the complaints and produce the records in response to OCR’s subpoena. OCR filed a petition to enforce its subpoena in United States District Court and obtained a default judgment against Cignet on March 30, 2010. On April 7, 2010, Cignet produced the medical records to OCR, but otherwise made no efforts to resolve the complaints through informal means.

 

 OCR also found that Cignet failed to cooperate with OCR’s investigations on a continuing daily basis from March 17, 2009, to April 7, 2010, and that the failure to cooperate was due to Cignet’s willful neglect to comply with the Privacy Rule. Covered entities are required under law to cooperate with the Department’s investigations. The CMP for these violations is $3 million.

“Covered entities and business associates must uphold their responsibility to provide patients with access to their medical records, and adhere closely to all of HIPAA’s requirements,” said OCR Director Georgina Verdugo. “The U.S. Department of Health and Human Services will continue to investigate and take action against those organizations that knowingly disregard their obligations under these rules.”

Individuals who believe that a covered entity has violated their (or someone else’s) health information privacy rights or committed another violation of the HIPAA Privacy or Security Rule may file a complaint with OCR at http://www.hhs.gov/ocr/privacy/hipaa/complaints/index.html.

A copy of the Notice of Proposed Determination and Notice of Final Determination can be found at http://www.hhs.gov/ocr/privacy. Additional information about OCR’s enforcement activities can be found at http://www.hhs.gov/ocr.

 

Updated: Slides from Webinar on HIPAA Privacy and Security Rules

Post & Schell, in collaboration with Kroll Fraud Solutions, presented a free webinar examining the crucial changes and updates to the HIPAA Privacy and Security Rules included in the Notice of Proposed Rulemaking (NPRM) issued by the Office of Civil Rights of the U.S. Department of Health and Human Services on July 8, 2010. Post & Schell's Steve Fox and Vadim Schick highlighted the key provisions in the NPRM, including:

  • New restrictions on use and disclosure of protected health information (PHI) for marketing, fundraising, and other commercial purposes
  • Providing patients with e-copies of their PHI
  • Extension of HIPAA Privacy and Security Rules to business associates
  • Effect of new rules on business associate agreements

In addition, our guest presenter for this webinar, Alex Ricardo, CIPP of Kroll Fraud Solutions, discussed the practical implications of this new set of regulations on covered entities and business associates, including:

  • Assessing an organization's policies, procedures and practices for compliance with the HIPAA Rules and these updates
  • Reviewing current contractual agreements and relationships with business associates and their subcontractors
  • Training staff of the organization
  • Breach preparedness and breach response

You can view or download the slides from this presentation by clicking here.

For more information, contact Vadim Schick at vschick@postschell.com or 202-661-6945.

Rite Aid settles FTC and OCR privacy charges

The Rite Aid Corporation, the third largest pharmacy chain in the United States, reached a major settlement with both the Federal Trade Commission (FTC) and HHS's Office of Civil Rights (OCR) regarding charges that Rite Aid violated federal privacy and security laws and regulations by failing to keep its customers' and employees' data safe. 

Rite Aid employees were reported to discard prescriptions and pill bottles containing sensitive patient data into the dumpsters behind various Rite Aid pharmacies, which were easily accessible to the public.  Such practices violate the HIPAA Privacy Rule, which requires covered entities to safeguard the privacy of patient information, even when such information is being destroyed.  Rite Aid's actions may also violate the company's own promises to their customers regarding keeping their health information private and secure (this broken promise being the basis for FTC's charges).

 

In addition, OCR and FTC found that Rite Aid:

  • failed to implement adequate policies and procedures to appropriately safeguard patient information during the disposal process;
  • failed to adequately train employees on how to dispose of such information properly;
  • failed to employ a reasonable process for discovering and remedying risks to personal information; and
  • did not maintain a sanctions policy for members of its workforce who failed to properly dispose of patient information.

Pursuant to their settlement with HHS, Rite Aid agreed to pay HHS a cool $1 million and agreed to implement a strong corrective action program (lasting 3 years) which includes:

  • Revising and distributing its policies and procedures regarding disposal of protected health information and sanctioning workers who do not follow them;
  • Training workforce members on these new requirements;
  • Conducting internal monitoring; and
  • Engaging a qualified, independent third-party assessor to conduct compliance reviews and render reports to HHS.

Finally, Rite Aid has also agreed to external independent assessments of its pharmacy stores’ compliance with the FTC consent order, which will be in place for 20 years.

FTC and OCR have previously filed charges against CVS Caremark, another major pharmacy chain which was reported to engage in similar violations to Rite Aid's.  

The current economic conditions require most organizations to do more with less. The unfortunate end result is that long term projects, such as major privacy and security compliance reviews and overhauls get postponed and overlooked.  Rite Aid and CVS cases should remind covered entities and other organizations responsible for keeping patient information safe that neglect or procrastination with regard to privacy policies and practices can lead to major fines, PR embarrassments and excessive compliance and legal costs. 

It is also key to remember that your organization must comply with its own privacy policies and procedures -- otherwise, FTC can charge your organization for "false promises," as was the case with Rite Aid.  In order to comply with such policies, however, your organization must train the staff about the critical importance of privacy.  Without such training, all the policies and procedures will be rendered entirely ineffective.

You can read the full OCR press release by clicking here.

You can read the full FTC press release by clicking here.

HLM: OCR to release privacy and security rules in two weeks

Via Health Leaders Media:

OCR will release proposed rules later this month [or 'about two weeks or around June 26th'] on most of the HIPAA privacy and security-related provisions in HITECH, according to the North Carolina Healthcare Information and Communications Alliance (NCHICA).

<...> NCHICA reports the proposed rules will not include accounting for disclosures, which will be the subject of a separate proposed rule. The NPRM will also include clarification regarding "willful neglect" (penalty tiers).

Currently, that represents the most egregious breach of unsecured PHI and can include a penalty of at least $1.5 million under new HITECH tiers in the enforcement final rule.

The state alliance also reports state attorneys general (SAG) are "developing training programs, including information for SAG staff, covered entities and business associates regarding HIPAA requirements and processes for filings with HHS, based on lessons learned from the first AG filing in Connecticut." Under HITECH, state AGs can pursue lawsuits for HIPAA violations, and Connecticut's AG was the first to do so.

OCR is expected to begin its HITECH-required compliance audits next year, the alliance reports. OCR's audits will be outsourced because its resources are limited, according to the e-mail.

"Much remains to be decided," Susan McAndrew, JD, deputy director for Health Information Privacy, for OCR, said in the "Quiz the Regulator" session on June 7.

"State Alliance: Proposed HITECH Regulations Coming in Two Weeks," Health Leaders Media (June 15, 2010).

OCR adds investigators to boost security rule enforcement

According to Health Data Management, Susan McAndrew, deputy director for privacy at the Department of Health and Human Services’ Office for Civil Rights (OCR) announced at a recent conference that OCR added investigators to 10 regional offices in order to boost enforcement of HIPAA privacy and security rules. 

On August 3, 2009, HHS Secretary Kathleen Sebelius transferred the responsibility for HIPAA Security Rule enforcement from CMS to OCR, which is now tasked with enforcement of both the HIPAA Security Rule and the HIPAA Privacy Rule.

While the transition from CMS to OCR "took longer than expected," Ms. McAndrew believes that OCR is finally in a position to increase enforcement efforts in order to realize the privacy and security initiatives enacted last year pursuant to the HITECH Act.

We’re hoping to move security to the forefront and make it a real partner with privacy in our enforcement... [and] that with additional feet on the ground, we’ll be able to do many more security cases as the year moves forward.

"OCR Boosting Security Enforcement," Health Data Management (May 12, 2010).

 

In the news: patient privacy edition

  • HHS's Office of Civil Rights (OCR) filed a notice in the Federal Register lifting a requirement preventing OCR from posting names of sole practitioners who suffer breaches of patient data without first obtaining consent from such practitioners.  Pursuant to the HITECH Act, any covered entity reporting a breach affecting over 500 individuals must report such breach to HHS, and HHS will post a notice of such breach on its web site.  At the same time, HHS did not post names of individual physician practices (e.g., sole practitioners) without such physicians' consent because they deemed the name of the physician to be protected under the Privacy Act of 1974. Instead, HHS listed such breaches under "private practice."  However, OCR announced on April 16, 2010, that "it will begin posting on its breach notification web site the names of entities they consider "individuals" regardless of whether or not those entities give consent." According to HealthLeaders Media, the rule will become effective after the comment period closes (about May 23, 2010).
  • Government Health IT reports that OCR will issue more privacy and security rules mandated by the HITECH Act in May 2010, including rules regarding business associate liability; new limitations on the sale of protected health information, marketing, and fundraising communications; and stronger individual rights to access electronic medical records and restrict the disclosure of certain information.  According to HHS, "OCR continues work on a Notice of Proposed Rulemaking (NPRM) regarding these provisions. Although the effective date (February 17, 2010) for many of these HITECH Act provisions has passed, the NPRM and the final rule that follows will provide specific information regarding the expected date of compliance and enforcement of these new requirements."
  • On April 23, 2010 HIT Policy Committee's privacy and security workgroup revealed a draft  technical framework for patient consent requirements, titled Basic Patient Privacy Consent (BPPC).  According to Federal Computer Week, the draft framework includes "at least 12 types of patient consents, including implicit and explicit opt-out and opt-in, authorizations for specific research projects and authorizations for use of the document but not for republishing."
     

 

OCR delays enforcement of certain HITECH provisions

In a much-anticipated move, the Office of Civil Rights (OCR) within the Department of Health and Human Services has issued an update regarding delays of certain HITECH provisions, while confirming enforcement of others.  Via OCR press release:

OCR will implement important privacy and security provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act through notice and comment rulemaking, as required by the Administrative Procedure Act. These provisions include: business associate liability; new limitations on the sale of protected health information, marketing, and fundraising communications; and stronger individual rights to access electronic medical records and restrict the disclosure of certain information. OCR continues work on a Notice of Proposed Rulemaking (NPRM) regarding these provisions. Although the effective date (February 17, 2010) for many of these HITECH Act provisions has passed, the NPRM and the final rule that follows will provide specific information regarding the expected date of compliance and enforcement of these new requirements.

However, interim final rules implementing HITECH Act provisions in two areas have already been issued and are currently in effect: enforcement and breach notification. New civil money penalty amounts apply to HIPAA Privacy and Security Rule violations occurring after February 17, 2009. Covered entities and business associates must comply now with breach notification obligations for breaches that are discovered on or after September 23, 2009. OCR announced previously that it would use its enforcement discretion not to impose fiscal sanctions with regard to breaches discovered before February 22, 2010. Since that date has passed, OCR will enforce the Breach Notification Interim Final Rule, including with the possible imposition of sanctions, as it does with the HIPAA Privacy and Security Rule requirements.

You can find about more here.

"HITECH Act Rulemaking and Implementation Update," OCR Press Release (March 18, 2010).

HHS begins enforcement of breach notification requirements

As of February 22, 2010, HHS is expected to begin enforcing the new breach notification requirements created by the privacy and security provisions within the HITECH Act.  Although such requirements went into effect last fall, HHS gave covered entities and business associates a few months to adapt to the new rules.  That enforcement delay is now over, and, perhaps in a related move, on February 23, 2010, HHS's Office of Civil Rights, pursuant to the HITECH Act, posted a list of organizations which reported breaches of unsecured protected health information affecting 500 or more individuals on OCR's web site.  This should serve as a good reminder to providers and HIT vendors alike to be keenly aware of the new regulations on breach notification.

The HITECH Act required a covered entity that “accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured protected health information” to notify each individual “whose unsecured protected health information has been, or is reasonably believed by the covered entity to have been, accessed, acquired, or disclosed” due to the breach.  Business associates who discover a breach must notify the covered entity. 

By regulation published in the Federal Register on August 24, 2009, HHS added a rather controversial  "harm threshold" to this requirement:  covered entities and business associates are required to notify the affected individual, the HHS, and, in some cases, the media, if such breach poses a significant risk of harm to the individual.  This "harm threshold" essentially requires the organization which discovers a breach to undergo a risk assessment test to determine whether a breach would cause "significant harm" to the affected person.

The HITECH Act defines “breach” as “the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.” The Act includes two important (albeit vague) exceptions to this definition for cases in which: (1) “the unauthorized acquisition, access, or use of PHI is unintentional and made by an employee or individual acting under authority of a covered entity or business associate if such acquisition, access, or use was made in good faith and within the course and scope of the employment or other professional relationship with the covered entity or business associate, and such information is not further acquired, accessed, used, or disclosed”; or (2) “where an inadvertent disclosure occurs by an individual who is authorized to access PHI at a facility operated by a covered entity or business associate to another similarly situated individual at the same facility, as long as the PHI is not further acquired, accessed, used, or disclosed without authorization.

The HITECH Act imposes a similar notification requirement on a business associate “that accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured” PHI. In the event of a breach, the business associate shall provide notice to the covered entity, including “the identification of each individual whose unsecured protected health information has been, or is reasonably believed by the business associate to have been, accessed, acquired, or disclosed during such breach.”

The term “unsecured protected health information” refers to PHI that is not secured through the use of a “technology or methodology” specified by the Secretary in a “Guidance” issued as part of the breach notification regulation in the Federal Register on August 24, 2009 (see link above).  The Guidance, which is to be updated annually, specifies two basic ways of rendering PHI “secure:” encryption and destruction. Electronic PHI must be properly encrypted “by ‘the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key’ and such confidential process or key that might enable decryption has not been breached.” The Guidance provided an exhaustive list of technologies which would encrypt PHI, referencing “approved” processes and methods from the National Institute of Standards and Technology (NIST). Electronic PHI may be properly destroyed in the hard copy media (e.g., paper, tapes) on which the PHI is stored is shredded or destroyed “suchin such a way “that the PHI cannot be read or otherwise cannot be reconstructed;” electronic media containing PHI “must be cleared, purged, or destroyed consistent with NIST [Guidelines] such that the PHI cannot be retrieved.”

Securing PHI in accordance with this Guidance will be the safest way to protect a healthcare organization from a serious breach of patient data privacy. Organizations that suffer a breach involving disclosed, stolen or lost data that was not “secured” may be subject to a wide range of newly established breach notification requirements.  It is important to note, however, that for both covered entities and business associates, the breach shall be deemed to have been discovered on the first day on which it is “known to such entity or associate.” The term “known” means that the circumstances of the breach are known by any “employee, officer, or other agent of such entity or associate,” other than the person who committed the breach. Furthermore, all notifications (by both covered entities and business associates) must be made “without unreasonable delay,” which, in Congressional time, means no later than 60 calendar days after discovery of the breach. The entity making the notification has the burden of demonstrating that all required notifications were made, as well as explaining the necessity of any delay.

There is a lot more information that covered entities and business associates must know about the new rules, including, for example, requirements regarding the content of breach notices.  For more information on these matters, please do not hesitate to contact us.

OCR may delay enforcement of business associate provisions in the HITECH Act

Pursuant to the HITECH Act, on February 17, 2010, business associates of covered entities became subject to the HIPAA Privacy and Security Rules, including provisions regarding implementation of various safeguards to secure protected health information.  As Steve Fox pointed out in a recent report on the subject by the Pittsburgh Business Journal, it is highly unlikely that most companies are ready to comply with these dramatic changes.

However, according to Hunton & Williams's privacy blog, Adam Greene of the HHS Office of Civil Rights (OCR) stated at an ABA conference on February 18, 2010, that OCR will delay enforcement of this provision of the HITECH Act until the relevant regulations are finalized.  OCR itself did not publish a press release on the subject, and we were unable to reach Mr. Greene for comment.

Regardless of OCR's intent to enforce compliance, the business associate provisions in the HITECH Act went into effect last week.  We would strongly encourage all covered entities and business associates to take all necessary actions to comply with the new law.

"Privacy policies over electronic health records expand reach," Pittsburgh Business Journal (February 19, 2010).

"HHS Delays Enforcement of HITECH Act Business Associate Provisions," Privacy & Information Security Law Blog (February 19, 2010).

 

 

Sebelius shifts responsibility for HIPAA Security Rule enforcement to OCR

HHS Secretary Kathleen Sebelius has delegated the responsibility for administration and enforcement of the HIPAA Security Rule to the Office of Civil Rights, a division of HHS.  Previously, Centers for Medicare and Medicaid Services (CMS), another HHS division, was responsible for Security Rule administration, while OCR was tasked with administering and enforcing the HIPAA Privacy Rule.  Effective immediately, OCR is responsible for administering both Security  Rule and Privacy Rule, as well as all HIT privacy and security related provisions in the HITECH Act.

According to HHS, this move "will eliminate duplication and increase efficiencies in how the department ensures that Americans’ health information privacy is protected."  This transfer of authority is not meant to create any disruption of current procedures.  Consumers may continue to submit HIPAA security complaints using the on-line resource – the Administrative Simplification Enforcement Tool (ASET) -- which can be accessed here. New security complaints may also be sent to the Office for Civil Rights

You can find the Federal Register notice here.

"HHS Delegates Authority for the HIPAA Security Rule to Office for Civil Rights," HHS Press Release (August 3, 2009).