HHS settles HIPAA violation case for $100,000, Corrective Action Plan

On April 17, 2012, HHS announced that its Office for Civil Rights (OCR) settled a HIPAA violation case against a surgery practice in Arizona, for $100,000 and a Corrective Action Plan (CAP), which requires implementation of policies and procedures to prevent such HIPAA violations and breaches in the future.

Via HHS Press Release:

The incident giving rise to OCR’s investigation was a report that the physician practice was posting clinical and surgical appointments for its patients on an Internet-based calendar that was publicly accessible. On further investigation, OCR found that Phoenix Cardiac Surgery had implemented few policies and procedures to comply with the HIPAA Privacy and Security Rules, and had limited safeguards in place to protect patients’ electronic protected health information (ePHI).

'This case is significant because it highlights a multi-year, continuing failure on the part of this provider to comply with the requirements of the Privacy and Security Rules,' said Leon Rodriguez, director of OCR. 'We hope that health care providers pay careful attention to this resolution agreement and understand that the HIPAA Privacy and Security Rules have been in place for many years, and OCR expects full compliance no matter the size of a covered entity.'


 OCR’s investigation also revealed the following issues:

  • Phoenix Cardiac Surgery failed to implement adequate policies and procedures to appropriately safeguard patient information;
  • Phoenix Cardiac Surgery failed to document that it trained any employees on its policies and procedures on the Privacy and Security Rules;
  • Phoenix Cardiac Surgery failed to identify a security official and conduct a risk analysis; and
  • Phoenix Cardiac Surgery failed to obtain business associate agreements with Internet-based email and calendar services where the provision of the service included storage of and access to its ePHI.

Under the HHS resolution agreement, Phoenix Cardiac Surgery has agreed to pay a $100,000 settlement amount and a corrective action plan that includes a review of recently developed policies and other actions taken to come into full compliance with the Privacy and Security Rules.

"HHS settles case with Phoenix Cardiac Surgery for lack of HIPAA safeguards," HHS Press Release (April 17, 2012).


Updates to privacy and security regulations expected soon

According to Healthcareinfosecurity.com, the Office of Civil Rights (OCR) is still working on the final rule regarding the updates to HIPAA and the related HIPAA Privacy and Security Rules mandated by the HITECH Act. Susan McAndrew, deputy director for health information privacy at OCR, stated at a conference in Washington, DC, that such changes will be contained in one omnibus regulation and is expected to be published in a matter of months, if not weeks.

Such omnibus regulation will cover:

  • HITECH Act-mandated modifications to the HIPAA privacy, security and enforcement rules. These changes, for example, formalize higher penalties for HIPAA violations and make it clear that business associates must comply with HIPAA. Last December, HHS had indicated in its semi-annual regulatory agenda that the final HIPAA modifications, many of which were issued in preliminary form last year, would be completed by March.
  • The breach notification rule. An interim final version is already in effect. OCR yanked a proposed final version of the rule last year for further consideration. Some observers speculated that the office may be reconsidering the controversial "harm standard" in the interim final version of the rule, which enables organizations to conduct a risk assessment to determine whether a security incident represents a significant risk of harm and thus merits reporting.
  • Privacy provisions under the Genetic Information Nondiscrimination Act. These provisions will formalize that using genetic information for insurance underwriting purposes is a privacy violation as well as a non-discrimination violation, McAndrew said.


Ms. McAndrew also indicated that "a notice of proposed rulemaking revealing a proposal for accounting for disclosures of information in electronic health records "probably" would be issued before the omnibus set of final regulations. Once that notice is issued, OCR will accept comments before issuing a proposed rule."

"HITECH Mandated Regs Still in Works," Healthcareinfosecurity.com (May 11, 2011).


HealthNet breach affects 1.9 million individuals

HealthNet, a California-based insurer, suffered another major data breach last month. Modern Healthcare reports that HealthNet lost data of almost two million employees, members and healthcare providers, including their medical information, Social Security numbers and other sensitive information. The loss was reportedly caused by a missing server drive from HealthNet's Rancho Cordova, CA data center.  According to the insurance company's press release, HealthNet's IT vendor, IBM, notified HealthNet that it could not locate the drives.

As we noted previously, HealthNet suffered another major data breach in 2009, when the company lost a portable hard drive containing sensitive and protected information on 1.5 million people.  As a result of that breach, HealthNet was sued by then-Connecticut Attorney General Richard Blumenthal, in a first such action under HIPAA, as modified by the HITECH Act.  HealthNet and Connecticut settled this suit in 2010 for $250,000 fine, a $500,000 contingency fund and a corrective action plan aimed at enhancing the security of the data in HealthNet's possession.

In light of HHS stepping up enforcement of HIPAA and HIPAA Privacy and Security Rules, HealthNet will become a likely target of both federal and state investigations; and if such investigations reveal negligence or failure to implement or comply with their own corrective action plan referenced above, the fines could be much more severe than the $250,000 number from the Connecticut settlement in 2010.

This should also serve as a reminder about the importance of requiring IT vendors to indemnify healthcare providers against such losses. If HealthNet's investigation concludes that IBM and/or its personnel were responsible for this loss, the parties will likely look to their existing contracts and BAA to determine whether IBM will reimburse HealthNet for its costs in relation to this breach.

 Via Modern Healthcare:

Woodland Hills, Calif.-based health insurer Health Net announced Monday that it had lost servers containing personal health information and demographic data for nearly 2 million current and past patients.

The breach, which affects approximately 1.9 million people nationwide, occurred in February. Health Net said it cannot account for server drives missing from a data center in Rancho Cordova, Calif. Those drives contain patients' names, Social Security numbers and sensitive health information. It's not the first time Health Net enrollees have experienced a breach. In 2009, 1.5 million people were affected when a portable hard drive containing patient data went missing.

According to the California Department of Managed Health Care, the breach will affect as many as 845,000 of the state's residents. In a news release, Connecticut Attorney General George Jepsen urged the insurer to provide adequate identity protections for the 25,000 state residents whose data has been compromised.

"Health insurance companies have access to very sensitive and personal information," Jepsen said in the release. “They have a duty to protect that information from unlawful disclosure.”

[In a press release,] Health Net said it would offer two years of credit monitoring and identity protection to affected customers. The insurer also has set up a hotline.


New York City hospitals suffer enormous data breach

New York City's Health and Hospital Corporation notified its patients last week of a loss of electronic files containing personal data, including PHI of some 1.7 million people. Electronic files were stolen while the information management company's van was left unlocked and unattended.

This case should serve as a great reminder to:

  • check your existing contracts - including Business Associate Agreements - with HIT and health information management vendors, to see if such agreements contain appropriate clauses indemnifying the provider against costs, losses, fines and other expenses incurred as a result of the vendor's loss or improper disclosure of protected personal data, including PHI;
  • make sure that same contracts do not impose a cap on vendor's liability in the event of such breach;
  • confirm that you have a proper breach response plan in place (which should include, e.g., where applicable, procedures for notifying patients in foreign languages); if not, bring together management, legal, IT and privacy and security offers to develop such a plan as soon as possible; and
  • review your policies and procedures with respect to compliance with the HIPAA Privacy and Security Rules, especially as modified by the HITECH Act.


Via the New York Times:

On Wednesday, the agency started mailing notification letters to the victims, in 17 languages, announcing an information hot line and customer care centers at both hospitals, and offering free credit monitoring and fraud resolution services for one year. Those interested in the offer have 120 days to register. The notification text is also available online.

The hospitals corporation said it had taken “decisive steps to protect the individuals who are potentially affected,” even though there is no evidence the information, contained on computer backup tapes that were being delivered to “a secure storage location,” has been accessed or misused. It also said that the data is stored in a program “that would make it difficult for someone without technical knowledge to access the private information.”

The hospitals corporation has filed suit to hold the vendor, GRM Information Management Services, responsible for covering all damages related to the loss of the data. 

For more information, please listen to or view the slides from our Webinar on negotiating "must-have" provisions in HIT contracts.

Advisory panel submits recommendations to HIT Policy Committee regarding health data exchanges

On August 19, 2010, the "tiger team" advisory panel submitted a letter to the HIT Policy Committee, established pursuant to the HITECH Act, proposing new safeguards for personally identifiable information on health information exchanges.  Via Bloomberg Business Week:

The recommendations were developed in response to a specific set of privacy-related questions raised by the Office of the National Coordinator for Health Information Technology. They touch upon and clarify topics such as patient consent and the use of third-party service providers in the exchange of personally identifiable health information.

<...> One of the bigger recommendations relates to patient consent. The direct exchange of electronic patient data between health providers for treatment purposes does not require any additional patient consent, the panel noted. The same rules that apply to paper or faxed exchanges of health information should apply in the electronic realm as well.

HIT Policy Committee will have to review and approve the proposed safeguards.  You can read more about the proposed standards after the jump, and can read the letter in full by clicking here.


Bloomberg Business Week described some of the proposed safeguards:

However, any data exchange that involves a third-party does require specific and "meaningful" patient consent, the letter noted. Any such consent also needs to be transparently and easily revocable by the patient at any time, the panel said.

The letter also recommended further exploration of technologies that allow individuals to exercise more granular control over the data for instance permitting the exchange of certain kinds of health data, but not all.

Third-party service organizations should also not be allowed to collect, use or share personal health data for any purposes other what's specified in their service agreements, the panel recommended.

Third parties should also be required to retain personal health data only for as long as it is reasonably needed and should then be required to destroy the data, the panel said.

All third parties having access to patient health information also need to comply with the privacy and security requirements of HIPAA.

"Panel drafts privacy recommendations for health data exchanges," Bloomberg Business Week (August 19, 2010).

Study: 94% of healthcare businesses not in substantial compliance with HITECH and HIPAA

A new survey by the Ponemon Institute, an organization dedicated to advancing responsible information and privacy management practices, found that almost all surveyed organizations did not substantially comply with HIPAA, including as modified by the HITECH Act.  The survey was conducted in November 2009, but, according to Ponemon, the results are not supposed to have changed much. 

Ponemon Institute's survey of 77 healthcare organizations, including 42 covered entities and 35 business associates, found (via BNA):

  • 27 percent of the health care organizations had not started and were “barely aware” of what was required;
  • 32 percent of the organizations were waiting for more details;
  • 14 percent of organizations surveyed had a plan but were waiting for more details on the requirements;
  • 21 percent of the organizations surveyed were just beginning to act on becoming compliant;
  • 79 percent of organizations do not regularly have the required independent assessment or audit of their program to determine adequacy; and
  • 57 percent reported having known deficiencies for privacy or security.

You can find the full survey here.

"Study Finds Majority of Health Care Entities Not Compliant with HIPAA, HITECH Provisions," BNA Health IT Law & Industry Report (May 24, 2010).


ONC publishes white paper on consent options

The Office of National Coordinator for Health IT (ONC) published on its web site a white paper analyzing the policies behind obtaining consent for the purposes of electronic health information exchange.  The paper examined the concept of patient control of their health information, focusing on "the issues, nuanced considerations, and possible tradeoffs associated with the various consent options to help facilitate informed decision making."  While the paper was written by researchers at the George Washington University, under contract with ONC, ONC clearly stated in the preamble that this white paper does not actually represent the views of the ONC or HHS.

You can find the full paper (and the attachments) by clicking here.  You can view the executive summary by clicking here.

Rising numbers and costs of data breaches

There is little doubt that the healthcare industry must prepare for a growing number of - and expanding costs associated with - data breaches, particularly for breaches of protected health information.  Here are just a few notable reports on this subject:

  • Infosecurity.com reported on a striking increase in attempts to hack into healthcare organizations, while the rate of hacking in other economic sectors remained flat:  "the last quarter of [2009] saw an average of 13 400 attempts to hack healthcare organizations, compared to an average of 6,500 in the first nine months."  According to researchers at SecureWorks, which produced the graph above, healthcare organizations are particularly vulnerable to such attacks because they "have to provide access to many external networks and web applications so as to stay connected with their patients, employees, insurers and business partners. This increases their risk to cyber attacks."
  • Cnet News reported on similar findings by the Ponemon Institute, whose survey concluded that "Data breaches at U.S. companies attributed to malicious attacks and botnets doubled from 2008 to 2009 and cost substantially more than breaches caused by human negligence or system glitches."  The cost per compromised record involving a criminal act averaged $215, about 40% higher than breaches from negligence and 30% higher than those from glitches, the Ponemon survey found.


There are also a couple of examples of individual healthcare organizations suffering from increasing costs associated with data breaches:

  • According to Chattanooga Times Free Press (via iHealthBeat), BlueCross BlueShield of Tennessee announced that it has spent more than $7 million to respond to a security breach resulting from 57 hard drives having been stolen from its training facility, which may have compromised personal and health data of up to 500,000 members.  $7 million tab does not appear to be the end of it:

The insurer has notified 220,000 BlueCross members about the data theft. The company also is offering no-cost credit-monitoring services for affected members. In addition, BlueCross is working to notify attorneys general in 32 states about the breach [pursuant to the HITECH Act].   <...>

BlueCross officials said 20,500 members already have signed up for the no-cost credit-monitoring services. In addition, the company has hired more than 700 contract and BlueCross employees to help determine what data the hard drives contained. The insurer said it might need to spend significantly more money to evaluate the missing data and provide additional identity protection services.

  • Considering the experience of BCBS of Tennessee, the costs associated with HealthNet's infamous data breach must be even higher. On top of providing two years of free credit-monitoring for hundreds of thousands of affected members, HealthNet is being sued by the state of Connecticut for HIPAA violations and noncompliance with HealthNet's own security policies by failing to encrypt the sensitive data.  The missing hard drive contained "27.7 million scanned pages of more than 120 different types of documents, including insurance claim forms, membership forms, appeals and grievances, correspondence and medical records."  Further complicating HealthNet's situation is the fact that the company waited for six months to inform the affected customers of the possible breach.

"Healthcare hacks on the rise," Inforsecurity.com (January 26, 2010).

"Survey: Data breaches from malicious attacks doubled last year," cnet News (January 25, 2010).

"Tab for Response to Data Breach Hits $7 Million for BCBS of Tennessee," IHealthBeat (January 26, 2010).

"AG files suit in health data privacy breach," theday.com (January 13, 2010).



ONC names 17 members of the privacy and security workgroup

The Office of National Coordinator for Health IT named 17 members of the newly formed privacy and security workgroup of the HIT Policy Committee.  According to Government Health IT:

The work group will be co-chaired by Deven McGraw, director of the Health Privacy Project at the Center for Democracy and Technology, and Rachel Block, executive director of the New York eHealth Collaborative and deputy commissioner for health IT transformation at the New York State Department of Health.

Their team will advise the Policy Committee on such matters as how safeguards for the exchange of health information should fit into the “meaningful use” test for health IT incentives that ONC has been working on.

The ONC has previously announced the establishment of a separate workgroup devoted to creation of a national health information network, which, of course, will have to deal with its own set of privacy and security concerns.  There is also a privacy and security workgroup under the HIT Standards Committee.

Government Health IT provides a list of the other members of the workgroup:

Some of the privacy and security work group members named today already sit on its parent Policy Committee. They are: are Dixie Baker, SAIC; Paul Egerman, consultant; Judy Faulkner, Epic Inc.; Gayle Harrell, a consumer representative with the state of Florida; Dr. Mike Klag, Johns Hopkins University School of Public Health; Latanya Sweeney, Carnegie Mellon University; and Paul Tang, Palo Alto Medical Foundation and Policy Committee vice chairman.

New members who are not current members of the Policy Committee are: Dr. Peter Basch; a healthcare practitioner, Dr. A. John Blair, a practitioner; Marianna Bledsoe, the National Institutes for Health; Joyce DuBow, AARP; Justine Handelman, Blue Cross Blue Shield; John Houston, University of Pittsburgh Medical Center; Terri Shaw, Children’s Partnership; and Paul Uhrig, SureScripts. Jodi Daniel and Sarah Wattenberg will represent the Office of the National Coordinator for Health IT on the workgroup.

"ONC names privacy, security workgroup members," Government Health IT (December 8, 2009).

HIT Standards Committee endorses privacy and security standards

On September 15, 2009, the HIT Standards Committee endorsed a set of privacy and security standards for electronic health record systems. 
These standards will be recommended to Dr. David Blumenthal, the National Coordinator for Health Information Technology, as a basis for establishing the privacy and security criteria for, inter alia, "certified EHR technology" as defined under the HITECH Act.  Eligible healthcare providers must meet the criteria for "meaningful use" of "certified EHR technology" in order to qualify for significant incentives available under the HITECH Act.

The committee’s Privacy and Security Workgroup included access control, authentication, authorization and transmission of health data among the requirements that electronic health record systems must include by 2011 in order to meet the definition of "certified EHR technology."   Specifically for 2011, the Standards Committee approved the Workgroup's recommendation to require certified products to provide the capabilities necessary to support the HIPAA and ARRA security and privacy requirements and best practices for “meaningful use.”  The endorsed privacy and security standards will become more rigorous in 2013 and 2015.

You can find the spreadsheet of endorsed privacy and security standards here.

You can also view the presentation from the Workgroup here.

"Federal panel okays EHR security, privacy standards," Government Health IT (September 15, 2009).