Terms and Conditions May Apply: Consequences of Email-Provider Email Scanning

This guest blog post was written by Van Zimmerman, Esq. Van is currently the Privacy and Security Officer at Jersey Health Connect, a New Jersey health information exchange network. Van has over 18 years experience in health IT, privacy and security, and compliance.  

Yahoo’s recent trip to the courthouse regarding its email content scanning gives us a healthy reminder to think about what we send, how it is used, and how that impacts entities subject to HIPAA and their (or their recipients’) ability to use free hosted email services.  Spoiler - don’t, at least not for any patient-related communication.  Those terms and conditions do matter.

“Yahoo requires its subscribers to consent to the interception, scanning, analysis, and storage of email in exchange for Yahoo Mail Services” and requires users to notify non-Yahoo users with whom they communicate of such “feature”.  In re Yahoo Mail Litig., 2015 U.S. Dist LEXIS 68585 at 9 (N.D. Ca., May 26, 2015).  

 Yahoo’s privacy policy states:

“Yahoo! provides personally relevant product features, content, and advertising, and spam and malware detection by scanning and analyzing Mail, Messenger, and other communications content. Some of these features and advertising will be based on our understanding of the content and meaning of your communications.”  In re Yahoo Mail Litig., at 11.

While it is unclear if this sentence was removed in the court’s opinion or wasn’t present in Yahoo’s policy at the time, the current policy continues, “For instance, we scan and analyze email messages to identify key elements of meaning and then categorize this information for immediate and future use.” 

Other major email providers have “privacy” policies which permit substantial use of the contents of email sent through their systems.  For example, Google provides as of December 19, 2014:

“Our automated systems analyze your content (including emails) to provide you personally relevant product features, such as customized search results, tailored advertising, and spam and malware detection.”  

Google made that addition in their December 19, 2014 revisions to their Privacy Policy, although such practices appear to have gone back in time much farther.  See In re Google Inc. Gmail Litig., 2014 U.S. Dist LEXIS 36957 (N.D. Ca., March 18, 2014).  Compare those statements to the privacy policy of a paid-only service which provides a much more privacy-friendly policy.  Even Google makes an explicit distinction between free and paid email services:

“What kind of data scanning or indexing of end-user data is done?

Google for Work does not scan your data or email in Google Apps Services for advertising purposes. Our automated systems scan and index your data to provide you with your services and to protect your data, such as to perform spam and malware detection, to sort email for features like Priority Inbox and to return fast, powerful search results when users search for information in their accounts. The situation is different for our free offerings and the consumer space. For information on our free consumer products, be sure to check Google's Privacy and Terms page for more consumer tools and information relating to consumer privacy.”

In practice, this seems to go beyond just displaying advertisements, it goes farther than some would consider (Google Tracks Hotel Reservations).  

So why does this matter?  Putting aside the consequences of breaches an email provider may suffer (e.g. Midwest Orthopaedics), the email provider is receiving, maintaining, and possibly transmitting on behalf of the sender. If that sender is a covered entity or business associate, and the email contains PHI, the sender and the provider would need to have a business associate agreement in place.  45 C.F.R. §§ 164.308(b), 164.314, and 164.504(e). 

Even if there were a BAA in place (good luck getting one for free services, Yahoo appears to not under any circumstances, although Google will for paid services), knowing that the email provider is going to use the contents of messages for marketing purposes, possibly in violation of HIPAA at 45 C.F.R. 164.508(a)(3) (remuneration for marketing) or § 164.504(e)(2)(i) (BAA can’t permit BA to use PHI to violate Privacy Rule), may be problematic in light of the termination language in § 164.504(e)(1)(ii) or (iii).  That is, if a pattern or practice is known in advance, it is probably not reasonable to enter into such an arrangement in the first place, and in any event, continued use of such a service would be problematic.

A more interesting question arises when the sender maintains their own email system, but may from time to time send email to external addresses hosted by a provider which performs content analysis of emails for advertising.  Assuming some of those emails will have PHI, is it acceptable to send to those addresses?  An address might belong to another health care provider, or perhaps a patient. 

This is problematic for so many reasons. 

  • Is the destination email provider a BA of the sender, as it is receiving, maintaining, and transmitting PHI on the sender’s behalf?  
  • If the recipient is another BA or covered entity, is the destination email provider a BA of the intended recipient, since it is doing the same for them?  
  • Are all the necessary BAAs in place?  
  • Even if emailing a patient, are you disclosing PHI to them, or are you disclosing it to a third party for subsequent transmission to the patient? 

In any event, an email provider scanning email for advertising (or other) purposes isn’t treatment, payment, or operations, and isn’t otherwise listed as a HIPAA permitted use or disclosure. 45 CFR 164.512 (authorization or opportunity to agree or object not required).  Does an authorization (and NPP) cover such use?  Even if it did, is an email provider going to honor revocation of that authorization?

Is the data encrypted and hashed on the way to the destination email server (possibly, but not necessarily guaranteed)?  Is the data encrypted and hashed in storage once it gets there?  It almost certainly isn’t encrypted such that the email provider can’t scan it.

Does the email provider’s scanning of that email constitute a Breach?  What about email provider’s use of that information for subsequent aggregation and identity tracking or otherwise sharing with a third party? 

What about the Security Rule’s general requirement to “[p]rotect against any reasonably anticipated uses or disclosures…that are not permitted or required under [the Privacy Rule]”?

This isn’t just a healthcare issue.  What are the consequences for privilege, whether attorney-client, doctor-patient, etc., when those communications have no reasonable expectation of privacy?  Does the analysis in Stengart v. Loving Care Agency, Inc., 201 NJ 300 (2010) change if there is no reasonable expectation of privacy?  A number of email providers have adopted language similar to that suggested in United States v. Warshak, 631 F.3d 266, at 287 (6th Cir., 2010) [note-an interesting read for a discussion of the Stored Communication Act, marginalization of the 4th Amendment, and what actually happened to all those Enzyte commercials].  Does it change if those email providers actively engage in activities beyond using email content for directed advertising, such as actively parsing email for illegal content?  Would the privilege consequences be different in civil vs. criminal proceedings?

Perhaps we would be best serve to heed Elliot Spitzer’s advice, "Never write when you can talk. Never talk when you can nod. And never put anything in an e-mail." At least not where free services are involved.

Deciphering the HITECH Omnibus Rule: Business Associates

Since the HITECH Notice of Proposed Rulemaking (NPRM) was released in July of 2010, covered entities and business associates have been waiting (im)patiently for the Final HITECH Omnibus Rule to be released.  As of this past Thursday, we all finally have some guidance on how to implement provisions of the HITECH Act, including but not limited to provisions governing business associate and subcontractor liability, individual access rights, fundraising, marketing, breach standards, and much more. 

True to its name, the HITECH “Omnibus” Rule or Final Rule packs in a lot of changes to the HIPAA Privacy and Security Rules, enforcement provisions and breach notification requirements of the HITECH Act, as well as amendments to GINA and handling of genetic information.  To make dissecting this 500+ page rule manageable, the next few posts will focus on key aspects of the HITECH Final Rule, starting today with the provisions of the Final Rule which impact business associates and their subcontractors

A covered entity is and has been required by HIPAA to enter into a HIPAA Business Associate Agreement (HIPAA BAA) with any entity that would create, receive or transmit PHI for or on their behalf in connection with certain health care operations purposes.  However, before the implementation of the HITECH Act, business associates of covered entities were not directly liable for improper uses or disclosures of protected health information (PHI) in the performance of services or functions. 

Ultimately, only covered entities were responsible in the event a business associate failed to appropriately safeguard the PHI they were provided with or used/disclosed it improperly. However, as you know, HITECH made provisions of the Privacy and Security Rules directly applicable to business associates, with the NPRM proposing several modifications to the definition of a “business associate”, including adding Patient Safety Organizations and patient safety activities as well as certain health information exchange organization (HIOs) and personal health record (PHR) activities. 

The HITECH Final Rule modifies the definition of “business associate” to mean that a business associate is any person who “creates, receives, maintains, or transmits” PHI on behalf of a covered entity, in order to clarify that any entity that maintains PHI, such as a data storage organization, is a business associate even if it does not access or view the PHI.  PHRs vendors will also be considered business associates where they provide PHRs for or on behalf of a covered entity, rather than simply establishing a connection for the covered entity to send PHI to the individual’s PHR.  Rather than acting simply as a “conduit”, the PHR vendor is maintaining PHI on behalf of the covered entity for the benefit of the individual. 

For HIOs and other entities, they will be considered business associates where they (1) provide data transmission services with respect to PHI and (2) require routine access to the PHI.  The Preamble to the HITECH Final Rule clarifies “access on a routine basis” to mean circumstances where an entity requires access to PHI in order to perform services and functions on behalf of a covered entity, such as management of an exchange network through use of record locator and other services on behalf of its participants.  However, HHS recognizes that it will depend upon the circumstances and states its intention of issuing future guidance in this area. 

Most importantly, and perhaps a sore point for business associates and their subcontractors, the HITECH Final Rule makes subcontractors of a business associate that create, receive, maintain or transmit PHI on behalf of such business associate likewise HIPAA business associates.  Therefore, these downstream subcontractors will be subject to the same requirements that the first business associate is subject to.  Each business associate now also is required to have a HIPAA compliant BAA in place with its subcontractors, its subcontractor with its own subcontractors, and so forth down the chain of subcontractors no matter how long. 

HHS recognized that,

“The intent of the proposed extension of the Rules to subcontractors was to avoid having privacy and security protections for [PHI] lapse merely because a function is performed by an entity that is a subcontractor rather than an entity with a direct relationship with a covered entity.  Allowing such a lapse in privacy and security protections could allow business associates to avoid liability….”

Furthermore, the Preamble stated, “applying HIPAA privacy and security requirements directly to subcontractors also ensures that the privacy and security protections of the HIPAA Rules extend beyond covered entities to those entities that create or receive [PHI] in order for the covered entity to perform in health care functions.”

The HITECH Final Rule also provides some clarification as to when a business associate will be an “agent” of a covered entity.  Although generally determinations of whether a business associate will be acting as an agent of a covered entity are fact specific, the Preamble to the Final Rule makes it clear that federal common law agency principles will be applied, regardless of whether the parties consider or state themselves to be independent contractors.  If the covered entity has the right to control or direct any given service or function provided or performed by the business associate, then an agency relationship will likely be created (i.e., how a business associate will make available access to PHI by an individual).  

Liability for a business associate’s actions, however, will only extend to the scope of the agency. For example, if a business associate fails to limit PHI disclosed to the minimum necessary while performing services it was engaged by a covered entity to perform (as an agent), then the business associate is likely acting within the scope of agency.  However, a business associate’s conduct is outside the scope of agency where it acts for its own benefit or for that of a third party. 

Business associates are also subject to the HITECH marketing requirements, to be discussed in a future blog post.  And finally, the HITECH Final Rule applies certain other provisions of the Privacy Rule directly to business associates.  Business associates will have direct liability for impermissible uses or disclosures in violation of the HIPAA BAA or the Privacy Rule, as well as:

  • failure to disclose PHI where required by the Secretary;
  • failure to disclose PHI for access rights;
  • failure to limit PHI used/disclosed to the minimum necessary;
  • failure to obtain a HIPAA compliant BAA with subcontractors;
  • failure to provide breach notification;
  • failure to provide an accounting of disclosures (subject of a separate future rulemaking)

Covered entities and business associates are permitted under the Final Rule transition provisions to continue operating under existing HIPAA BAAs for up to one year beyond the compliance date of the Final Rule, or initial renewal/modification, whichever earlier.  The minimum requirements of a HIPAA BAA were slightly modified by the Final Rule, and now:

  1. Must include the requirement that a business associate report any Breach of which it becomes aware to the covered entity, in addition to security incidents;
  2. Must include the requirement that a business associate, to the extent the business associate is to carry out a covered entity's obligation under the Privacy Rule, comply with the requirements that apply to the covered entity in the performance of such obligation; and
  3. Need not include the requirement that the covered entity report a business associate to the Secretary for patterns or practices which constitute a material breach or violation of the HIPAA BAA.

Stay tuned for a discussion of the new Breach Presumption and Risk Assessment requirements implemented by the Final Rule...

Kaiser Permanente Faces Investigation Over Inappropriate Storage of Patient Records by Contractor

Kaiser Permanente is facing investigation over the handling of approximately 300,000 patient records by a contract storage firm.  According to an article in the LA Times, Kaiser contracted with small business Sure File Filing System ("Sure File") to organize and clear out older patient records on its behalf.  As it turns out, the storage firm kept those patient records in a warehouse shared with an individual's party rental business and Ford Mustang, then in the storage firm's owner's personal garage and home.

Although Kaiser retrieved the paper records Sure File possessed upon termination of the contract in 2010, Kaiser recently filed suit, allerging that all of the patient records had not been returned or destroyed when its contract with Sure File was terminated. Patient records, according to Kaiser, were still maintained on hard drives that Stephan and Liza Dean, the couple who own and run Sure File, allegedly kept in their garage with the door open. When Kaiser sued for breach of contract and to recover the files, the hard drives were apparently relocated from the garage to the couples' home, and the patient records only deleted as of this past New Year's Eve.

The LA Times article states that HHS officials were notified last year when the Deans filed a complaint.  You read that right. The individuals responsible for storing the data in an unsecured warehouse, their garage and their house apparently were the ones who filed the complaint that patient records had not been handled appropriately by Kaiser. 

In addition, Stephan Dean reportedly threatened to contact patients directly to inform them of how Kaiser had mishandled their health information.  According to the article, Dean claims Kaiser employees repeatedly failed to maintain the privacy of patient information, citing multiple emails sent by hospital employees to him requesting and including patient-specific information such as social security numbers in an insecure manner.

Kaiser was confident that patient information was not disclosed or accessed inappropriately, although employees were disciplined for failing to follow policies.  Kaiser spokesman John Nelson stated,

 "Kaiser Permanente is committed to protecting the medical and personal privacy of its patients. In retrospect, we certainly wish we'd never done business with Mr. Dean."

It is not likely that Kaiser is squeaky clean in this mess, given it appears Kaiser failed at a minimum to have a proper HIPAA business associate agreement (HIPAA BAA) in place prior to releasing patient records to the contractor.  However, a bigger question is, if OCR is indeed investigating the mishandling of Kaiser's patient records, what liability may exist for the contractor?

Business associates are independently liable as a result of the HITECH Act for certain of the HIPAA Security Rule requirements, in particular, administrative, physical and technical safeguards for electronic PHI.  However, given the uncertainty surrounding business associate liability in the absence of a HITECH final rule, and because the majority of the activities associated with the contract took place prior to 2010, the contractor might only be on the hook contractually for failing to safeguard, return and/or destroy the patient records. Although enacted in 2009, many provisions of HITECH did not take effect until February of 2010.

Assuming Kaiser had obtained an appropriate HIPAA BAA from Sure File, at a minimum, the contractor would have agreed to implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of electronic protected health information and/or appropriate safeguards to prevent use or disclosure of PHI other than as provided for by its contractI think we would all agree that storing hard drives with hundreds of thousands of patient records in your garage or home, or records in an unsecured shared warehouse space, is a far cry from implementing reasonable and appropriate safeguards, however reckless the other party may also have acted with regard to the information. 

Mass. AG Levies 750k Judgment on Hospital for Data Breach

Massachusetts Attorney General Martha Coakley announced on May 24, 2012 having reached a settlement agreement with South Shore Hospital for failure to protect personal and confidential health information of over 800,000 patients. 

“Hospitals and other entities that handle personal and protected health information have an obligation to properly protect this sensitive data, whether it is in paper or electronic form,” AG Coakley said. “It is their responsibility to understand and comply with the laws of our Commonwealth and to take the necessary actions to ensure that all affected consumers are aware of a data breach.”

The consent judgment requires South Shore Hospital to pay a total of $750,000, including $250,000 in civil penalties and $220,000 towards an education fund for protection of PHI and personal information.  However, South Shore Hospital did receive a "credit" for security measures it implemented after the breach occurred of $275,000, leaving only $475,000 payable. 

The consent judgment also requires South Shore Hospital to undergo audit and report results of certain security measures, as well as take steps to ensure compliance with HIPAA business associate provisions and other federal and state security requirements.  In addition to failure to comply with HIPAA business associate obligations, South Shore Hospital also failed to comply with HIPAA and state obligations to implement appropriate safeguards, policies, and procedures to protect patient information, and appropriately train its workforce in safeguarding the privacy of PHI. It also neglected to ensure that the contractor itself had procedures in place to protect such PHI, according to the AG. 

Three boxes full of unencrypted computer backup tapes had been sent to a subcontractor of Archive Data Solutions in 2010 to be erased and resold; however, the subcontractor only received one of the boxes and the remaining two were never recovered.  According to the AG's office, South Shore Hospital did not have a business associate agreement in place with the contractor nor had it informed Archive Data that the backup tapes contained PHI.

The backup tapes contained Social Security Numbers, names, financial account numbers, and medical diagnoses.  As reported by HealthDataManagement, South Shore Hospital had determined in July 2010 that the missing backup tapes was not a breach requiring individual notice to affected and potentially affected individuals.  Rather, it posted a prominent notice on its website, citing state law provisions permitting alternative notifications where costs would exceed $250,000 or where over 500,000 residents are affected. 

It is unclear whether this breach was reportable and therefore actually reported to the Department of Health and Human Services (HHS) under the HITECH Breach Notification Rule.  Although the PHI here was unencrypted and therefore "unsecured" within the meaning of the HITECH Breach Notification Rule, covered entities are also required to conduct an assessment to determine whether an incident poses a "significant risk of harm" to the individual(s) that would give rise to a reportable breach.  Most importantly, a breach in and of itself does not automatically mean a HIPAA violation has occurred.

If a covered entity determines that there was a breach, all affected individuals and individuals reasonably believed to be affected are required to receive written notice of the breach, as well as HHS where over 500 individuals have been affected.  HITECH also permit alternative notification but only where the contact information of an individual is incomplete or where written notice has been returned undeliverable to the covered entity attempting to notify such individual of a reportable breach. 

Aside from South Shore Hospital's obvious failure to obtain a business associate agreement and apparently even inform Archive Data that it was a business associate subject to certain HIPAA provisions, it is unclear what else it was South Shore Hospital did or failed to do that contributed to the 750k settlement agreement and other alleged HIPAA and state law violations.  The AG's office noted that multiple shipping companies had handled the backup tapes, but did not otherwise indicate whether it was the lack of policies and procedures for safeguarding PHI and training workforce in such safeguards that resulted in the missing backup tapes (again, a breach itself does not automatically mean a HIPAA violation has occurred) or whether the focus was on the hospital's overall HIPAA and state law compliance program.

What is even more noteworthy is that the AG stated South Shore Hospital failed to determine whether Archive Data had sufficient safeguards in place to protect the PHI it would receive on the backup tapes prior to destruction.  This clearly places an obligation upon covered entities to go beyond ensuring that the business associate agreement itself is in compliance with HIPAA by requiring the business associate to implement reasonable safeguards to protect PHI.

While covered entities have always been, and should be, responsible for appropriate oversight and monitoring of their business associates, just how far is a covered entity responsible for going?  Does a hospital need to request that the business associate provide copies of its policies and procedures for safeguarding PHI? Policies and procedures for data destruction or erasing data?  Information on how its staff is trained on the business associate's obligations under HIPAA and the business associate agreement? 

And if a hospital is not satisfied with a business associate's policies and procedures, can it require additional safeguards and processes be implemented? Should a hospital also require notification by a business associate of potential breaches and security incidents to safeguard against bad calls? With business associates frequently resisting the inclusion of any provisions in a business associate agreement beyond the bare minimum required by HIPAA, covered entities may find it increasingly difficult to provide the required levels of oversight, safeguards and assigned responsibility.

With over 22% of reported breaches since 2009 involving business associates, as reported by HealthcareInfoSecurity, and with only one case (see Minnesota AG case against Accretive Health) so far targeting business associates directly for HIPAA violations, covered entities remain liable for the actions of their business associates, despite that business associates are now directly subject to certain HIPAA provisions. Covered entities also bear the brunt of a breach, as it is their patients who may be seriously harmed.  As determining liability for breaches and other security incidents between a covered entity and a business associate involved remains quite uncertain for now, the business associate regulations (expected "soon" ever since last year) will be a welcomed ray of clarity for covered entities and business associates alike. 

OCR Director Reaffirms Commitment to Strengthening Privacy and Security of EHRs

It's no secret that since the days of its enactment, HIPAA enforcement has been lacking on both civil and criminal fronts from the Office of Civil Rights (OCR) and the Department of Justice (DOJ).  However, with increased penalties under HITECH and a renewed committment by OCR and DOJ towards cracking down on HIPAA violations, Covered Entities and Business Associates have even more reason now to dot their i's and cross their t's, especially with HIPAA audits kicking off this past November.

As providers and hospitals increasingly adopt and utilize EHR systems as part of the Medicare and Medicaid EHR Incentive Programs, the security of these systems (and authority over the system vendors) becomes a critical focus.  The new Director of OCR, Leon Rodriguez, in a recent interview with the Boston Globe said that his office would take a tougher stance on HIPAA with the goal of improving public acceptance of EHRs and that his office was ready to work with EHR providers on security.

Critical to the security of EHRs are the privacy and security responsibilities of Business Associates (and their contractors and subcontractors).  Although HITECH imposed certain HIPAA requirements directly on Business Associates, the Business Associate regulations and a model Business Associate Agreement incorporating the new requirements have yet to be released.  The Notice of Proposed Rulemaking, however, is expected to be forthcoming "soon", according to Director Rodriguez in a presentation given on November 17 at the ONC Grantee and Stakeholder Summit.  In addition, for the time being, the HIPAA Privacy and Security audits will not be conducted directly on Business Associates, but rather, only on those Business Associates connected with a covered entity being audited.

This leaves significant room for confusion in how Business Associates, and in particular, their contractors and subcontractors, will be dealt with by OCR during the course of a HIPAA investigation and who ultimately will be held responsible for a breach of EHR and other patient data.  A great example of this can be found in a recent blog by the President and CEO of the Massachusetts eHealth Collaborative, which as a result of a theft of an employee laptop last year experienced a security breach affecting over 14,000 patients.  

As Deven McGraw, director of the Health Policy Project at the Center for Democracy and Technology, stated, stronger enforcement of HIPAA is critical to the success of EHRs, noting,

"We're just on the back side of the curve of adoption of more robust security.  I'm hoping that in another year, we'll have a little bit of a different picture, but it's not pretty right now."

For a more in-depth look at the issues concerning Business Associates and HIPAA, see the Center for Democracy and Technology's December 15, 2011 post examining the need for clarification in the Business Associate rules.  And, in the words of Director Rodriguez, "stay tuned" for these proposed rules to come "soon".