Cardiac Surgery MD Group Agrees to Pay $100,000 Settlement to HHS for Lack of HIPAA safeguards

Posted by Helen Oscislawski on April 17, 2012

Take our money.pngAnd the HIPAA money keeps rolling to the feds. The latest settlement (announced today) is with a cardiac surgery physician group in Phoenix, Arizona, which has agreed to pay a hefty sum after someone reported to HHS that the MD group was potentially compromising patients' PHI by posting appointments on an internet-based calendar, which prompted OCR to then investigate and find the physicians to be out of compliance with HIPAA's safeguards.  

The following April 17, 2012 Press Release is HOT off the presses on HHS' News Release website

Phoenix Cardiac Surgery, P.C., of Phoenix and Prescott, Arizona, has agreed to pay the U.S. Department of Health and Human Services (HHS) a $100,000 settlement and take corrective action to implement policies and procedures to safeguard the protected health information of its patients. 

The settlement with the physician practice follows an extensive investigation by the HHS Office for Civil Rights (OCR) for potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules.

The incident giving rise to OCR’s investigation was a report that the physician practice was posting clinical and surgical appointments for its patients on an Internet-based calendar that was publicly accessible. On further investigation, OCR found that Phoenix Cardiac Surgery had implemented few policies and procedures to comply with the HIPAA Privacy and Security Rules, and had limited safeguards in place to protect patients’ electronic protected health information (ePHI).

This case is significant because it highlights a multi-year, continuing failure on the part of this provider to comply with the requirements of the Privacy and Security Rules,” said Leon Rodriguez, director of OCR. “We hope that health care providers pay careful attention to this resolution agreement and understand that the HIPAA Privacy and Security Rules have been in place for many years, and OCR expects full compliance no matter the size of a covered entity.

The HHS Resolution Agreement can be found on HHS' website here.  OCR’s investigation  revealed the following specific issues with this group's HIPAA program:

  • Phoenix Cardiac Surgery failed to implement adequate policies and procedures to appropriately safeguard patient information;
  • Phoenix Cardiac Surgery failed to document that it trained any employees on its policies and procedures on the Privacy and Security Rules;
  • Phoenix Cardiac Surgery failed to identify a security official and conduct a risk analysis; and
  • Phoenix Cardiac Surgery failed to obtain business associate agreements with Internet-based email and calendar services where the provision of the service included storage of and access to its ePHI.  This last finding being a significant one, and underscores that HIPAA BA Agreements MUST be entered into with vendors who have access to ePHI to facilitate a service to covered entities!

With the HITECH Rules in OMB and due out by mid June (unless an extension is sought by OMB), it will be particularly interesting to see if the Final Rules address the HITECH Act's requirement for percentages being paid out to individuals "damaged" by breaches of their information. The HITECH Act required rules on that topic to be out by this summer. Since an individual's report to HHS triggered this particular investigation and subsequent settlement, some are suggesting that such percentage payouts to individuals for HIPAA violations could in effect become almost like a whistle-blower provision and incentivize patients and others to submit reports to HHS for potential investigation.  I think that might be the point.

But for now, this case just underscores once again that the best way for physician practices (and other covered entities) to protect themselves is to have a fully robust HIPAA compliance program developed and implemented (see, for example, our comprehensive HIPAA-HITECH Helpbook on www.ohcsolutions.com).  Don't forget to also conduct a Security Gap Audit (see www.myhic.net, a leading company that specializes in and has thousands of hours of experience under its belt with competing Security Audits for Physician Practices, or contact them here). Finally, don't forget to provide regular training to your employees. For live training sessions and video training options, visit our Workshops page. 

Peeling Back BCBS's $1.5 Million HIPAA Settlement Onion

Posted by Helen Oscislawski on March 20, 2012

Onion3.png

As many of our readers have already heard, on March 13, 2012 HHS announced that Blue Cross Blue Shield of Tennessee entered into a Resolution Agreement for $1.5 Million Dollars to settle potential violations of HIPAA. You can access a copy of the Resolution Agreement here

I find this new case both instructive and frightening, but one has to peel back the layers of this HIPAA-onion to really understand why the Resolution Agreement between BCBS of Tennessee (BCBSOTenn) and HHS/OCR creates an even greater nerve-racking precedent than may be immediately apparent.

First, it must be noted that OCR initiated its investigation of the Breach incident and BCBSOTenn only after BCBSOTenn submitted its HITECH Breach Report "in compliance with" 45 CFR §164.408.  Therefore, HHS/OCR appears to acknowledge that BCBOTenn's reporting of the Breach was timely, proper and otherwise in compliance with the Breach Notification Rule.  And, while BCBSOTenn did not seem to get much reprieve here for its diligent Breach reporting, it’s important to point out that just because a covered entity experiences a Breach does not in and of itself mean that the covered entity has violated the HIPAA Privacy or Security Rule.  A covered entity must actually fall short of or be non-compliant with a HIPAA Privacy Rule standard or Security Rule standard before an actual violation can be found.

So, at least hypothetically, a covered entity could still be in full compliance with the HIPAA Privacy and Security Rules, even if it experienced a Breach involving or potentially compromising PHI.

In such a situation, as long as the covered entity properly and timely reports the Breach as required under the HITECH Breach Rule, and has a fully compliant, current and effective HIPAA compliance program implemented, then the covered entity should be able to assert that there were no violations of HIPAA or HITECH to give rise to HHS/OCR assessing penalties against it.  However, at least for BCBSOTenn, apparently the costs and burden of going through an investigation to prove that the Breach was not due to an underlying lapse its HIPAA compliance program was not worth it, at least not $1.5 Million.

What may be most chilling from a compliance perspective here, however, is that the Breach incident itself was allegedly caused by an intervening criminal act, and that BCBSOTenn had presumably paid Eastgate to provide security services to safeguard the data closet where the video and audio recordings were being temporarily stored until their scheduled relocation at the end of November 2009;  and, indeed, it seems that Eastgate did have a lot of appropriate physical safeguards in place, including biometric and keycard scan security with a magnetic lock, an additional door with a keyed lock, and basic security services.

So, if BCBSOTenn contracted, paid for and relied on Eastgate to provide security services, one would think that it would be reasonable for BCBSOTenn to believe that it had taken appropriate steps to attempt to safeguard the e-PHI while it was temporarily stored at the data closet.  What is not discussed in the Resolution Agreement, however, but would be interesting to know is whether BCBSOTenn’s contract with Eastgate included HIPAA BAA-type language to ensure that Eastgate was aware of the sensitive nature of what they were securing (i.e., e-PHI), and to contractually obligate Eastgate to have in place at least minimum administrative, technical and physical safeguards with regard to how it ensured the security of the data closet.  This illustrates a good lesson, which is while a security vendor or a building manager may not technically be a HIPAA BA, as historically defined by HHS (because such third parties are not required to access PHI to perform their function on behalf of the covered entity), in any instance where a covered entity relies on a third party to ensure the security of its PHI or e-PHI, including software vendors, data warehouses, cloud providers and other similar types of third parties, it is important to have such third party contractually agree to have in place HIPAA BA-type safeguards, and to agree to be responsible for any damages that may arise from a Breach that is due to their own negligence. In this case, Eastgate did not respond to evaluate an unresponsive gate for the entire weekend. While it is not clear whether this may or may not have been negligent on the part of Eastgate, hopefully BCBSOTenn had provisions in its agreement with Eastgate that required insurance coverage for such incidents and will allow BCBSOTenn to also potentially make a claim for indemnification if there was indeed fault on the part of Eastgate.

Finally, despite the fact that the theft of the e-PHI was the event that precipitated HHS/OCR to conduct an investigation here, it almost seems that its settlement with BCBSOTenn had less to do with the actual Breach incident itself and more to do with what HHS/OCR may have believed could be lacking with BCBSOTenn’s general HIPAA compliance program.  In fact, the corrective action plan (CAP) in the Resolution Agreement does not include any requirement to take any actions, like encryption, with regard to similarly stored data devices.  Instead, the CAP focuses on HHS/OCR having the opportunity to review BCBSOTenn’s written policies for conducting a risk assessment, conducting a risk management plan, addressing facility access controls and a facility security plan, and addressing physical safeguards governing the storage of e-PHI.  The CAP also requires such policies to be revised, IF HHS/OCR suggest “material changes” to the policies, and to be distributed to all BCBSOTenn workforce, who must then sign a certification of receipt, and be retrained. Now, while that is all well and good, I wonder about HHS/OCR focusing on BCBSOTenn workforce when wasn’t it the employees of Eastgate who were the ones that did not respond to the lapse in security?  At least in this instance, then, the real security gap seemed to be with BCBSOTenn’s contracted security vendor’s workforce, not its own.

This case certainly raises questions and concerns with investigation and enforcement processes, but also offers some instruction.  First, it is important for covered entities to review their contracts with third parties that may have access to PHI, and most certainly if such third party may be directly or indirectly responsible for ensuring the security of its PHI.  Covered entities should include clear language regarding allocation of responsibility for security, and severe repercussions, including potential indemnity, if the vendor falls short. Contracts with technology vendors, cloud providers, facility security providers, and the like are all potential areas where security weaknesses and gaps may exist.

Finally, while the outcome of the BCBSOTenn situation may tempt many to be more hesitant with reporting Breaches to HHS, that is not advisable.  Not reporting a Breach incident when it is legally required to be reported under the law could just lead to additional potential penalties for violations of the HITECH Breach Rule.  Thus, while Breach reporting clearly can lead to an OCR investigation, as it did here, the best defense may be for covered entities and business associates to ensure that their HIPAA Policies and Procedures are well-developed, updated, and implemented so that they can all be handed to HHS/OCR as proof of full HIPAA compliance, despite any Breach incident having occurred.

 

State AG Brings First HIPAA Lawsuit Against Business Associate

Posted by Krystyna Monticello on February 08, 2012

Last month, I posted how treatment of business associates during HIPAA investigations remains unclear as well as assignment of liability for breaches of PHI.  A final "omnibus rule" is expected to clarify the HITECH business associate (and other) provisions this year, but in the meantime, much confusion remains. 

Despite the lack of final business associate rules, and confusion or not, Minnesota has dived head first into action against a business associate for HIPAA violations.  In the first HIPAA enforcement action directly against a business associate, Minnesota Attorney General Lori Swanson has brought an action against Accretive Health, Inc., pursuant to her authority under HITECH.  In addition, multiple violations of Minnesota law are alleged, including the Minnesota Health Records Act, debt collection statutes, and consumer protection laws.

Accretive functions in multiple capacities for covered entities in Minnesota, including as treatment coordinator, debt collector and quality cost control and management partner.  A breach last summer of data compiled by Accretive resulting from a stolen unencrypted laptop left in a rental car by an employee affected at least 23,531 patients.  Information that was on the laptop included personal identifying information (name, address, phone number, Social Security Number), "medical scores" predicting the frailty, complexity and likelihood a patient would be admitted to the hospital, and dollar amounts allocated to the patient's health care provider, as well as whether patients had certain conditions such as bipolar disorder, depression, high blood pressure, asthma and back pain.

The HIPAA violations are quite extensive, with the complaint alleging:

  • failure to implement policies and procedures to prevent, detect, contain and correct security violations;
  • failure to implement policies and procedures to ensure appropriate access to electronic PHI by members of its workforce and prevent those without authorized access from accessing such PHI in violation of HIPAA;
  • failure to effectively train all members of its workforce, agents and independent contractors, on the policies and procedures regarding PHI as necessary and appropriate to carry out their functions and maintain security of the PHI;
  • failure to identify and respond to suspected or known security incidents and mitigate to the extent practiable harmful effects known to them;
  • failure to implement policies and procedures to limit physical access;
  • faiilure to implement policies and procedures governing receipt and removal of hardware and electronic media containing electronic PHI within and without the facility;
  • failure to implement technical policies and procedures for electronic information systems to allow access only to those granted access rights; and
  • failure to implement policies and procedures as otherwise required by HIPAA.

Almost more interesting than the alleged HIPAA violations (and what could potentially have been one of the driving forces behind the Attorney General taking action rather than the HIPAA violations), the complaint also alleges deceptive and fraudulent practices in that Accretive failed to disclose how much health information it was collecting on patients and its involvement in their health care, detailing in great length the importance of transparency for patients and the doctor-patient relationship.  In the press release, Attorney General Swanson stated,

“Accretive showcases its activities to Wall Street investors but hides them from Minnesota patients.  Hospital patients should have at least the same amount of information about Accretive’s extensive role in their health care that Wall Street investors do.”

This action has the potential to set precedent in Minnesota as to just how much transparency and information should be viewed as "necessary" for patients to make informed choices regarding their health care and medical records and the extent to which health care entities must take affirmative action to notify patients of their role in their health care.   

Although the extensive HIPAA violations are merely one drop in the bucket of allegations against Accretive (e.g., fraud and deceptive practices, failure to notify of status as debt collector, release of health records in violation of the Minnesota Health Records Act), the enforcement action against Accretive makes it quite clear that covered entities aren't the only ones who need to be scrambling to get their ducks in a row.  While other state Attorney Generals have previously brought actions against covered entities (e.g., Vermont, Indiana, Connecticut), now that a state has gone after a business associate directly, it would not come as a surprise to see other states joining in, even despite the lack of business associate rules.

For more information regarding what covered entities and business associates can do to prepare for a HIPAA audit or ward off the potential for enforcement action against them, see our November 17 blog post with links to additional HIPAA resources.  A copy of the complaint against Accretive may also be found here.

OCR Director Reaffirms Commitment to Strengthening Privacy and Security of EHRs

Posted by Krystyna Monticello on December 16, 2011

It's no secret that since the days of its enactment, HIPAA enforcement has been lacking on both civil and criminal fronts from the Office of Civil Rights (OCR) and the Department of Justice (DOJ).  However, with increased penalties under HITECH and a renewed committment by OCR and DOJ towards cracking down on HIPAA violations, Covered Entities and Business Associates have even more reason now to dot their i's and cross their t's, especially with HIPAA audits kicking off this past November.

As providers and hospitals increasingly adopt and utilize EHR systems as part of the Medicare and Medicaid EHR Incentive Programs, the security of these systems (and authority over the system vendors) becomes a critical focus.  The new Director of OCR, Leon Rodriguez, in a recent interview with the Boston Globe said that his office would take a tougher stance on HIPAA with the goal of improving public acceptance of EHRs and that his office was ready to work with EHR providers on security.

Critical to the security of EHRs are the privacy and security responsibilities of Business Associates (and their contractors and subcontractors).  Although HITECH imposed certain HIPAA requirements directly on Business Associates, the Business Associate regulations and a model Business Associate Agreement incorporating the new requirements have yet to be released.  The Notice of Proposed Rulemaking, however, is expected to be forthcoming "soon", according to Director Rodriguez in a presentation given on November 17 at the ONC Grantee and Stakeholder Summit.  In addition, for the time being, the HIPAA Privacy and Security audits will not be conducted directly on Business Associates, but rather, only on those Business Associates connected with a covered entity being audited.

This leaves significant room for confusion in how Business Associates, and in particular, their contractors and subcontractors, will be dealt with by OCR during the course of a HIPAA investigation and who ultimately will be held responsible for a breach of EHR and other patient data.  A great example of this can be found in a recent blog by the President and CEO of the Massachusetts eHealth Collaborative, which as a result of a theft of an employee laptop last year experienced a security breach affecting over 14,000 patients.  

As Deven McGraw, director of the Health Policy Project at the Center for Democracy and Technology, stated, stronger enforcement of HIPAA is critical to the success of EHRs, noting,

"We're just on the back side of the curve of adoption of more robust security.  I'm hoping that in another year, we'll have a little bit of a different picture, but it's not pretty right now."

For a more in-depth look at the issues concerning Business Associates and HIPAA, see the Center for Democracy and Technology's December 15, 2011 post examining the need for clarification in the Business Associate rules.  And, in the words of Director Rodriguez, "stay tuned" for these proposed rules to come "soon". 

HIPAA Audits Begin November 2011, How Can Covered Entities and Business Associates Prepare?

Posted by Helen Oscislawski on November 17, 2011

The United States Department of Health and Human Services (HHS) has announced that it will begin HIPAA audits of covered entities and business associates this November 2011, and its contracted auditor, KPMG, is required to audit up to 150 entities by the end of 2012!  HHS’s website provides detailed information regarding when the audits will begin, who may be audited, how the audit program will work, what the general timeline will be for an audit, and, generally, what will happen after an audit is completed. In addition, HHS's sample Audit Letter indicates that KPMG will focus on discovering vulnerabilities in privacy and security compliance programs, and that certain “information” and “documents” will be requested in connection with the audit. However, no additional details are given regarding what covered entities and business associates may be asked to produce. 

Presumably, KPMG will not be letting the HIPAA audit cat out of the bag too soon by telling organizations exactly what information and documents they may ask for in connection with such audits, especially where one of their objectives is to identify gaps in HIPAA compliance. Nevertheless, covered entities and business associates may gain valuable insight into what to expect by looking to past guidance regarding HIPAA audits issued by HSS’s Office of e-Health Standards and Services (the “HIPAA Audit Checklist”), as well as by reviewing HIPAA audits and investigations that have taken place over the last few years. 

In its formerly-released HIPAA Audit Checklist, the Office of e-Health lists out the types of personnel that may be interviewed, and the the types of policies, procedures and other documentation and evidence that may be requested.  In addition, the audit of Atlanta, Georgia’s Piedmont Hospital is informative. In February of 2007, HHS through the Office of Inspector General conducted a random HIPAA audit of Piedmont hospital.  The letter to Piedmont’s CIO announced that the focus of the audit would be on the organization’s compliance with the Security Rule and indicated that the audit would begin with an “entrance conference” 10 days after Piedmont’s receipt of the audit letter from the Regional Inspector General for Audit Services (note that the proposed timeframe for coming KPMG audits is 30-90 calendar days from the date on the applicable HHS Audit Letter).  The Piedmont audit letter also included an enclosure asking for a list of documents and information to be provided, which overlapped significantly with the Office of e-Health’s HIPAA Audit Checklist!   

Covered entities and business associates may also glean additional insight from what HHS/OCR has asked for in connection with complaint-driven HIPAA investigations. HHS/OCR has posted on its website several Resolution Agreements with covered entities who have been through a HIPAA investigation.  These agreements also contain hints as to what covered entities and business associates may be asked for during a HIPAA Audit.

Until news of organizations starting to receive HIPAA audit letters starts to trickle out and KPMG begins its work, it is not possible to know exactly what KPMG will ask for and focus on.  Nevertheless, covered entities and business associates should not sit back and take a “wait and see” approach.  Rather, organizations should prepare now by completing an internal review of their HIPAA compliance program to ensure that their policies are current and are being followed by their workforce, and all other required HIPAA documentation is in place and ready to be produced in case a HIPAA Audit letter arrives in the mailbox tomorrow.

Click here to download a copy of our November edition of "Health Law Diagnosis" which includes a list of HIPAA compliance items that all covered entities and business associates should have in order to be prepared for a HIPAA Audit.

HIPAA Auditor Responsible for Breach in 2010

Posted by Krystyna Monticello on August 16, 2011

In June of 2010, a large healthcare system was informed by its business associate that a breach had occurred, affecting thousands of patients at its hospital.  The breach had occurred the previous month when an employee of the business associate lost an unencrypted flash drive that may have contained patient information.  Although the breach was reported last year, news regarding the breach appears to have begun circulating this past week, most likely due to the new role of the business associate in question. 

The real kicker is that the business associate was none other than KPMG, the prominent auditing, advisory and tax company that was recently awarded $9.2M by the Office for Civil Rights (OCR) to conduct HIPAA privacy and security compliance audits.  Although the flash drive reportedly did not contain patient information such as social security numbers, addresses, personal identification numbers, dates of birth or financial information, the embarrassing fact remains that a KPMG employee used an unencrypted flash drive to carry around patient information. 

Not only was I surprised at KPMG's responsibility for the breach, but also the length of time that went between the discovery of the loss of the flash drive by KPMG (May 10, 2010) and the report that was sent to the covered entity regarding the loss (June 29, 2010).  Although KPMG just barely notified its customer within the HITECH sixty day notice requirement, one has to wonder why it took so long for KPMG to discover that the device was missing and/or report it.

Although I am also curious as to why a KPMG employee would need to carry around patient information on a flash drive to begin with (especially an unencrypted one), this shows that a breach can happen to the best of us.  It also highlights a big problem for hospitals and other health care providers when it comes to security of patient information.  All too often residents, nurses and other health care providers copy patient information onto flash drives, laptops or other unencrypted devices which are easily lost or stolen.  These risks must be identified and aggressively managed by health care organizations and their business associates to minimize the risk of breach to such organizations and the patients they serve. 

HealthLeadersMedia reports that Susan McAndrew, OCR deputy director for health information privacy, wrote in an email that the case was currently under investigation and as such, OCR could not address KPMG's involvement in the breach.  When asked whether KPMG's involvement in the breach had been considered prior to awarding it the HIPAA audit contract, McAndrew stated,

The award of the HIPAA audit contract was the result of HHS’ usual, rigorous, competitive process. Specific questions regarding the contract award are procurement sensitive.

The public notice made available by the hospital on its website stated that,

KPMG has told us the company is implementing measures to avoid similar incidents in the future, including additional training and the use of improved encryption for its flash drives.

Improved encryption? The flash drive that went missing reportedly did not have any encryption mechanisms.  One would hope though that KPMG has followed through and improved its security measures, given that it is now an ONC HIPAA auditor with the potential to access patient PHI and other information in the course of its auditing activities.

UCLAHS Settles Potential HIPAA Violations

Posted by Krystyna Monticello on July 07, 2011

The HHS OCR has announced its settlement with the University of California Los Angeles Health System (UCLAHS) for potential violations of the HIPAA Privacy and Security Rules. The settlement and resulting Resolution Agreement resolved two separate complaints alleging UCLAHS employees repeatedly accessed the electronic protected health information (PHI) of two celebrity patients out of curiosity. 

The OCR investigations which began in June of 2009 found that throughout 2005-2008, employees of UCLAHS accessed the PHI of patients without reason.  OCR also found that UCLAHS had failed to provide and/or document appropriate HIPAA training for its employees, implement appropriate security measures and assess and/or apply sanctions against employees who accessed PHI without reason. 

UCLAHS is required under the Resolution Agreement to pay $865,500 and implement a corrective action plan that includes putting into place HIPAA privacy and security policies approved by OCR to address permissible and impermissible uses and disclosures of PHI as well as training and appropriate sanctions against employees for non-compliance.  UCLAHS is also required by the Resolution Agreement to designate an independent monitor to assess UCLAHS's compliance with the plan over the next three (3) years.

The Director of OCR, Georgina Verdugo, stated:

Covered entities need to realize that HIPAA privacy protections are real and OCR vigorously enforces those protections.  Entities will be held accountable for employees who access protected health informaiton to satisfy their own personal curiosity.

You can read the full Resolution Agreement here and the HHS press release here

Doctor Faces Criminal Charges for Wrongful Disclosures under "False Pretenses"

Posted by Krystyna Monticello on June 29, 2011

Tripping on the heels of the HIPAA criminal charges against Chelsea Catherine Stewart for theft of patient information, (see my previous post on June 14, 2011), a physician was indicted June 21, 2011 on three counts of HIPAA violations in the U.S. District Court for the Eastern District of Virginia.  Dr. Richard Alan Kaye, a licensed osteopath and board certified in psychiatry, was formerly the medical director of the Psychiatric Care Center at the Sentara Obici Hospital in Suffolk, Virginia, and had treated the patient whose individually identifiable health information was allegedly disclosed without authorization.

According to the U.S. Attorney's Office for the Eastern District of Virginia, Dr. Kaye had provided in-patient mental health treatment to a patient and upon the patient's discharge in September of 2007, he had indicated in the discharge summary that the patient was not a danger to others.  Despite this, in February of 2008, Dr. Kaye disclosed information on three occasions to an agent of the patient's employer under "false pretenses" that the patient was a serious and imminent threat to the safety of the public.

According to the Virginia Board of Medicine, the Board had already investigated the incidents and fined Dr. Kaye $5,000 for "one patient case of releasing confidential information and breach of confidentiality" in May 2010.  He was placed on probation until he completed eight hours in professional ethics.  Dr. Kaye's license was restored by the Board on October 4, 2010 after compliance with the terms of his probation.

What makes this indictment against Dr. Kaye unique among previous HIPAA criminal prosecutions, however, is that it alleges false pretenses for wrongful disclosures made to an employer.  As it is unclear what the motive for Dr. Kaye's actions was in disclosing the information to the employer, one has to wonder what the "trigger" was that led to the FBI's involvement and U.S. Attorney's criminal charges.  Criminal prosecution under HIPAA is still a rare, albeit increasing occurrence, especially in comparison to the number of HIPAA violations investigated by OCR each year.

Under § 1320d-6(b)(2), Dr. Kaye could face a fine of up to $100,000 and up to five years in jail if convicted of disclosing the information under "false pretenses."  Dr. Kaye is scheduled to be arraigned on July 13.  A copy of the press release can be found here.  

CVS in the HIPAA Spotlight...Again.

Posted by Helen Oscislawski on March 18, 2011

On March 7, CVS Caremark (CVS) hit the HIPAA spotlight again, and not in a good way.  Back in 2009, CVS was the target of a joint U.S. Department of Health and Human Services (HHS) Offices for Civil Rights (OCR) and Federal Trade Commission (FTC) investigation after media reports alleged that certain CVS locations were disposing of pill bottles containing patient information in unsecured dumpsters.  Although CVS denied the allegations, CVS shelled out a $2.25 million settlement as well as took corrective action to settle both potential HIPAA and FTC violations.  As a result, CVS is being actively monitored by HHS until 2012 and by the FTC for the next 20 years.  Then this past October, CVS was sued by six Texas pharmacies for trade secret misappropriation and Racketeer and Influenced and Corrupt Organizations Act (RICO) violations as a result of certain CVS data-mining practices. The plaintiffs, who are board members of the American Pharmacies, alleged that CVS denied patients choice of pharmacies and smothered business competition as well as used patient PHI in violation of HIPAA. 

Now, Strike 3.  Bloomberg News reported recently that CVS has been sued by a Pennsylvania resident, Arthur Steinberg, and the Philadelphia Federation of Teachers Health and Welfare Fund, for selling patient prescription information to pharmaceutical manufacturers such as Merck & Co, AstraZeneca and Bayer.  Allegedly, CVS was paid by pharmaceutical manufacturers to encourage physicians to prescribe their drugs to patients. "CVS encouraged physicians to do so through letters which included patient names, dates of birth and what medications patients were currently prescribed, allegedly obtained from CVS pharmacy services." The lawsuit accuses CVS of unfair trade practices, unjust enrichment and violating consumer protection laws. 

As Cignet Health and Mass General know all too well from the combined $5.3 million in civil penalties imposed recently by OCR, OCR is pursuing HIPAA violations with a vengeance as a result of HITECH's increased enforcement and CVS could potentially face a HIPAA investigation in addition to the pending lawsuits.  HIPAA as amended by HITECH generally prohibits Covered Entities and their Business Associates from marketing and selling PHI without first obtaining patient authorization.  Only under very limited circumstances may patient information be "sold" or released without authorization for such purposes.  Investigation by OCR is even more likely given that CVS has been under OCR's watchful eye since 2009.  In addition, CVS's actions could also potentially violate its 2009 settlement agreement with OCR, placing it in even more hot water. 

One, Two HIPAA Penalty Punch from HHS and OCR

Posted by Helen Oscislawski on February 25, 2011

Just as gasps from the 4.3 million dollar penalty OCR assessed against Cignet Health of Maryland started to subside, OCR delivers a whopping 1 million dollar penalty to another hospital -- this time to the The General Hospital Corporation and Massachusetts General Physicians Organization Inc. (aka, "Mass General"). 

The HHS Press Release indicates that Mass General has agreed to pay the U.S. government $1,000,000 to settle potential violations of the HIPAA Privacy Rule.  Mass General signed a Resolution Agreement with HHS on February 14, 2011, which you can review here.  After announcing the Settlement Agreement, OCR Director Georgina Verdugo made this official statement:

We hope the health care industry will take a close look at this agreement and recognize that OCR is serious about HIPAA enforcement. It is a covered entity’s responsibility to protect its patients’ health information

The issue came to the attention of OCR when a patient filed a complaint after PHI involving 192 patients of Mass General’s Infectious Disease Associates outpatient practice, including patients with HIV/AIDS, was lost on March 9, 2009. The impermissible disclosures of PHI involved the loss of documents consisting of a patient schedule containing names and medical record numbers for a group of 192 patients, and billing encounter forms containing the name, date of birth, medical record number, health insurer and policy number, diagnosis and name of providers for 66 of those patients. Documents containing the PHI were lost when Mass General employee left the documents on the subway train that were never recovered.

The Corrective Action Plan (CAP) requires that the hospital:

  • Develop and implement a comprehensive set of policies and procedures that ensure PHI is protected when removed from Mass General’s premises;
  • Train workforce members on these policies and procedures; and
  • Designate the Director of Internal Audit Services to serve as an internal monitor who will conduct assessments of Mass General’s compliance with the CAP and render semi-annual reports to HHS for a 3-year period.

The OCR Director also added:

To avoid enforcement penalties, covered entities must ensure they are always in compliance with the HIPAA Privacy and Security Rules . . . A robust compliance program includes employee training, vigilant implementation of policies and procedures, regular internal audits, and a prompt action plan to respond to incidents.

4.3 Million Penalty Assessed Under HITECH for HIPAA violations

Posted by Helen Oscislawski on February 23, 2011

One might say that it looks like HHS and OCR are making up for all those years people have said there has been a lack of enforcement of HIPAA -- 4.3 million dollars worth of "making up for lost time" in just one shot....

HHS and OCR held nothing back as the first civil money penalty was assessed under the new categories and increased penalty amounts created by HITECH.  The 4.3 million penalty was imposed against Cignet Health in Prince George County, Maryland, for violating HIPAA patient access rights.  Cignet had denied access to the medical records of 41 patients upon their request between September 2008 and October 2009 and each patient had filed complaints individually with OCR. HIPAA requires Covered Entities to provide patients with copies of their medical records on request within 30 days and in no case later than 60 days from the date of the request. HITECH created new categories of violations, ranging from "did not know" to "willful neglect" to comply with HIPAA, and established a corresponding tiered monetary penalty system.

Had this been the end of the story, Cignet would have walked away with only a 1.3 million penalty for violating HIPAA.  However, not only did Cignet fail to comply with HIPAA patient access rights, but it refused to produce the records when OCR demanded it do so.  Even after OCR presented Cignet with a subpoena, it continued to not produce the records.  Only after OCR filed a petition to enforce the subpoena and subsequently obtained a default judgment in United States District Court against Cignet did Cignet finally turn over the records.  Cignet also made no efforts throughout the entire investigation to cooperate or resolve the complaints informally.  OCR found Cignet's failure to cooperate a willful neglect of the HIPAA Privacy Rule, which requires all Covered Entities to cooperate with investigations by OCR, and an extra 3 million was imposed against Cignet.

The penalties imposed against Cignet dispel any doubt that may have remained concerning HHS' ramped up enforcement of HIPAA.  OCR Director Georgina Verdugo stated, "The U.S. Department of Health and Human Services will continue to investigate and take action against those organizations that knowingly disregard their obligations under these rules." With a hefty 4.3 million penalty as HHS' "first shot", Covered Entities will certainly take notice and action to avoid coming under fire themselves.

The Spirit of Holiday Giving, er, Penalties...

Posted by Helen Oscislawski on November 24, 2010

The California Department of Public Health (CDPH) will be collecting a whopping $667,000 in administrative fines and penalties from six hospitals charged with privacy violations.  The CDPH imposed penalties ranging from $5,000 to $250,000 on the hospitals under new privacy and confidentiality regulations enacted in 2008 aimed at cracking down on widespread patient privacy violations.  Under the new legislation, penalties may be assessed for violations up to $25,00 per patient whose information was accessed, used or disclosed improperly and up to $17,500 for subsequent violations. 

By far the most astounding of violations was Kern Medical Center which was hit with a $250,000 penalty after the theft of laboratory reports from storage lockers used for distribution of the reports.  A staff member had placed daily laboratory reports in storage lockers that were no longer on the premises of the hospital but outside and accessible to the general public.  He was aware that the locks were not functioning and that the locker door was broken, a condition that the storage locker had been in for several months.  Although the Privacy Officer alleged that keeping the reports in the outside lockers was not a hospital permitted practice, it appeared to have been occurring for some time.  Another hospital was assessed a $225,000 penalty for failing to prevent unauthorized access and use of patient information by a hospital employee who had memorized the information while purging older hospital records in order to help other individuals open fake Verizon accounts.

The imposition of these fines and penalties impress even out-of-state hospitals with the importance of securing both paper and electronic health information.  From safeguarding computer printouts such as laboratory reports to preventing unauthorized access to or uses of electronic health information, hospitals must be vigilant and proactive in safeguarding patient information.  Not only must hospitals monitor access to and uses of patient information, but they must also continue to educate and re-educate staff on confidentiality and security policies, conduct periodic audits and physical security sweeps, and strictly enforce all policies by imposing sanctions where appropriate.

The full CDPH press release may be found at http://www.cdph.ca.gov/Pages/NR10-92.aspx

HHS Thinks Rite Aid Disposal Policies Are "In the Dumps"

Posted by Helen Oscislawski on August 18, 2010

Prepared by Krystyna Nowik. 

In a recent settlement agreement, Rite Aid Corporation and its affiliated entities have agreed to shell out $1 million in order to settle potential HIPAA violations. The Office of Civil Rights (OCR) and the Federal Trade Commission (FTC) launched an investigation against Rite Aid and its affiliates after media reports showed Rite Aid pharmacies across the country had disposed of prescription and pill bottles containing protected health information (PHI) in publically accessible dumpsters.  The investigation indicated that Rite Aid entities failed to implement appropriate policies and procedures to safeguard PHI during the disposal process.  It also found that Rite Aid entities did not provide and document appropriate training for their employees in disposing PHI.  Finally, the investigation indicated that Rite Aid entities had not implemented a sanction policy to deal with employees who violated the disposal policies and procedures.   

The Rite Aid Resolution Agreement is an important tool for other covered entities in assessing and developing policies and procedures for disposing of PHI.  Covered entities should ask themselves:

  1. Is there an up-to-date policy for the disposal of PHI? Are employees aware of it?
  2. Are employees properly trained on how to dispose of PHI? How is training documented?
  3. What sanctions are in place? Are employees reeducated, reprimanded or otherwise appropriately sanctioned after a violation?
  4. How is off-site destruction/disposal dealt with? Are business associate contracts HIPAA compliant?
  5. Is there an internal and/or third-party auditing system in place to ensure employees are complying with the disposal and other HIPAA policies?

Read the full Rite Aid Resolution Agreement posted on HHS's website.  For additional guidance and best practices for disposal of PHI, see the joint FAQ posted by HHS and CMS on the topic that is helpful.  The FAQ even describes how to properly dispose of computers and other electronic media that store electronic PHI, which is of particular relevance for Health Information Exchanges.

Krystyna is a graduate of Seton Hall Law School, with a concentration in Health Law.  She works with Oscislawski LLC on various Health Information Exchange matters and is a guest contributor to Legal HIE. 

Oh where, Oh where has the Security Breach Rule gone?

Posted by Helen Oscislawski on August 05, 2010

Today, I was going to draft a follow up article to my previous post to address whether notification was required under the Security Breach Notification Rule. However, when I sat down to begin typing, I discovered that the Breach Rule was gone! Well, maybe not exactly gone, but at least “withdrawn”.

HHS recently posted on its website the following:

At this time, however, HHS is withdrawing the breach notification final rule from OMB review to allow for further consideration, given the Department’s experience to date in administering the regulations. This is a complex issue and the Administration is committed to ensuring that individuals’ health information is secured to the extent possible to avoid unauthorized uses and disclosures, and that individuals are appropriately notified when incidents do occur. We intend to publish a final rule in the Federal Register in the coming months. Until such time as a new final rule is issued, the Interim Final Rule that became effective on September 23, 2009, remains in effect.

So now what?

For starters, HHS made clear in its last statement that the Interim Final Rule that went into effect in September remains in effect. Therefore, whatever “difficulties” HHS/OMB/OCR may be having with regard to administering or enforcing compliance, this does not automatically give covered entities or business associates a “free pass” to not report Breaches if an incident warrants such notification –to patients, OCR or otherwise – under the Interim Final Rule. As of today, OCR’s website set up to receive breach notifications is still up and running, and so covered entities should continue make any required reports of breaches though that website. Also, entities should be mindful that if their state has implemented a breach notification statute (as many have), then such state law must still be complied with. To see if your state has such a law, visit NCSL's website.  

As for what HHS will be doing to the Breach Rule? … it’s not clear. It has been suggested that the withdrawal may have been prompted to address certain privacy groups’ concerns regarding the “Harm” threshold. Particularly, the Harm threshold has been heavily criticized by some as creating a loophole to avoid reporting by Business Associates who are required ONLY to notify the Covered Entity regarding a Breach (which then triggers the Covered Entity’s obligation to notify HHS and patients of the Breach caused by the BA). Specifically, as the Breach Rule currently reads, a Business Associate is entitled to go through the same Harm analysis in order to decide whether or not to report the Breach to the Covered Entity. Some have compared this to the “fox guarding the chicken coop”. Nevertheless, I don’t believe that this warrants complete removal of the Harm balancing from the Breach Rule, and here is why:

Continue Reading