WellPoint hit with $1.7 million for Security Weaknesses in Online Application

The increasingly heavy-handed OCR announced news yesterday of yet another resolution agreement for HIPAA violations; this time hitting WellPoint Inc., a managed care company, with $1.7 million for an Internet breach that occurred between 2009 and 2010 affecting over 600,000.  HHS stated in the press release,

This case sends an important message to HIPAA-covered entities to take caution when implementing changes to their information systems, especially when those changes involve updates to Web-based applications or portals that are used to provide access to consumers’ health data using the Internet.

Data (including names, birth dates, social security numbers and health information) was unsecured in a web-based application database after an upgrade.  The resolution agreement alleges that the Data was disclosed improperly over a five month period.  HHS indicated that,

  • WellPoint failed to implement policies for authorizing access to ePHI;
  • WellPoint failed to perform an "adequate" technical evaluation after a software upgrade affected authentication controls; and
  • WellPoint failed to implement technology to verify (authenticate) access to ePHI by authorized individuals.

Covered Entities affiliated with WellPoint include certain Anthem, Blue Cross and Blue Shield, and UNICARE health plans, among others.  There was no Corrective Action Plan accompanying the resolution agreement, which seems to indicate OCR was happy with the mitigative action taken by WellPoint after the fact. However, the Indiana attorney general's office had filed suit against WellPoint back in 2010 for failing to provide notification as required under state breach laws, and the Connecticut attorney general's office opened an investigation as well. 

For entities planning software and other upgrades and modifications (all you "Meaningful Users", to start), you can retrieve a copy of the news release and resolution agreement to give to and hammer home with your Security Officer and IT Departments here.

Lessons from the Idaho State University CAP

Back in 2011, Idaho State University (Idaho State) experienced a breach of PHI affecting approximately 17,500 individuals after firewalls on its servers were disabled at one of its outpatient clinics. It appropriately notified HHS in August of that year whereafter (surprise, surprise) HHS informed Idaho State that it would be investigating Idaho State's compliance with HIPAA.

HHS released news of its settlement with Idaho State on May 21, 2013, with Idaho State agreeing to pay $400,000 as part of the Corrective Action Plan (CAP) to resolve allegations that:

  • It did not conduct a risk analysis for over 5 (five) years;
  • It did not implement security measures sufficient to reduce risks and vulnerabilities to ePHI for that same period;
  • It did not implement procedures to regularly review information systems activity for that same period.

As part of the CAP, Idaho State, which operates as a hybrid entity with several covered entity components, must beef up its documentation and specifically designate its covered entity components (i.e., its outpatient clinics). Unsurprisingly, Idaho State is also required to provide HHS with its most recent risk management plan and information systems activity policies for "review and approval" by HHS.  Idaho State must also complete and submit a compliance gap analysis indicating all changes to compliance status with the required provisions of the Security Rule. 

Although Idaho State experienced a breach of PHI AND was informed in November of 2011 that HHS was investigating its compliance with HIPAA, according to HHS, Idaho State did not get around to performing a risk assessment, reviewing information systems activity or identifying gaps in security measures until the summer of 2012 and post-Thanksgiving, November 26, 2012. It is baffling that, after experiencing a breach which was caused by firewall protections being physically disabled for over 10 months, Idaho State appears to have not done much to assess and safeguard against future problems. 

Or did it? Maybe it was just too little, too late. But part of Idaho State's problem could simply have been that it couldn't prove what steps it had taken towards HIPAA security compliance.  Although Idaho State clearly dropped the ball in failing to realize firewall protections were disabled for almost a year at its Pocatello Family Medicine Clinic, it may have been more compliant than the CAP suggests and simply had nothing to show.

Increasingly, covered entities are realizing that saying and believing they are HIPAA compliant is about as effective with OCR as your teenager telling you he cleaned his room as he runs out the door to the movies.  It's like high school all over again - if you can't "show your work" and prove your HIPAA compliance through documentation, regular reports and reviews, and clearly defined privacy and security policies and procedures, OCR simply isn't going to buy it when they show up at your door. 

To be sure, many covered entities have been completely lax about security until now.  Conducting a comprehensive risk assessment (documenting that it was done and periodically reviewed) and having processes in place for ongoing risk management are some of the biggest things OCR has repeatedly been driving home.  Too often, as Idaho State's CAP illustrates, security risk assessments are inadequate and fail to properly identify security risks and vulnerabilities to ePHI. 

On the other hand, many covered entities think that they are compliant with the Security Rule, but really aren't.  A covered entity may conduct a risk assessment of its EHR or EMR, for example, but fail to assess the security risks and vulnerabilities associated with other systems that feed into it or maintain PHI, or with workflow processes, resulting in PHI accidentally being made available online (think Phoenix Cardiac Surgery or Stanford Hospital). Furthermore, where risks and vulnerabilities are identified, appropriate security measures are not always evaluated and action taken as needed to correct them.

As we can see from Idaho State, performing a comprehensive risk assessment now isn't necessarily going to cure your failure to do so before and an overwhelming number of covered entities could still be in the hotseat even if they are actively beefing up their HIPAA privacy and security. And there's still the risk that what has and is being done is simply too little to satisfy OCR. 

However, good faith efforts and diligence to bring your organization into compliance with the Security Rule implementation standards and specifications will go a long way toward lessening the likelihood and impact of an unwanted OCR investigation, not to mention minimizing the risk of breach and harm to your patients and organization.  It is far easier to seek forgiveness for past transgressions from OCR with a robust updated HIPAA security management program in hand. 

Kaiser Permanente Faces Investigation Over Inappropriate Storage of Patient Records by Contractor

Kaiser Permanente is facing investigation over the handling of approximately 300,000 patient records by a contract storage firm.  According to an article in the LA Times, Kaiser contracted with small business Sure File Filing System ("Sure File") to organize and clear out older patient records on its behalf.  As it turns out, the storage firm kept those patient records in a warehouse shared with an individual's party rental business and Ford Mustang, then in the storage firm's owner's personal garage and home.

Although Kaiser retrieved the paper records Sure File possessed upon termination of the contract in 2010, Kaiser recently filed suit, alleging that not all of the patient records had been returned or destroyed when its contract with Sure File was terminated. Patient records, according to Kaiser, were still maintained on hard drives that Stephan and Liza Dean, the couple who own and run Sure File, allegedly kept in their garage with the door open. When Kaiser sued for breach of contract and to recover the files, the hard drives were apparently relocated from the garage to the couple's home, and the patient records only deleted as of this past New Year's Eve.

The LA Times article states that HHS officials were notified last year when the Deans filed a complaint.  You read that right. The individuals responsible for storing the data in an unsecured warehouse, their garage and their house apparently were the ones who filed the complaint that patient records had not been handled appropriately by Kaiser. 

In addition, Stephan Dean reportedly threatened to contact patients directly to inform them of how Kaiser had mishandled their health information.  According to the article, Dean claims Kaiser employees repeatedly failed to maintain the privacy of patient information, citing multiple emails sent by hospital employees to him requesting and including patient-specific information such as social security numbers in an insecure manner.

Kaiser was confident that patient information was not disclosed or accessed inappropriately, although employees were disciplined for failing to follow policies.  Kaiser spokesman John Nelson stated,

 "Kaiser Permanente is committed to protecting the medical and personal privacy of its patients. In retrospect, we certainly wish we'd never done business with Mr. Dean."

It is not likely that Kaiser is squeaky clean in this mess, given it appears Kaiser failed at a minimum to have a proper HIPAA business associate agreement (HIPAA BAA) in place prior to releasing patient records to the contractor.  However, a bigger question is, if OCR is indeed investigating the mishandling of Kaiser's patient records, what liability may exist for the contractor?

Business associates are independently liable as a result of the HITECH Act for certain of the HIPAA Security Rule requirements, in particular, administrative, physical and technical safeguards for electronic PHI.  However, given the uncertainty surrounding business associate liability in the absence of a HITECH final rule, and because the majority of the activities associated with the contract took place prior to 2010, the contractor might only be on the hook contractually for failing to safeguard, return and/or destroy the patient records. Although enacted in 2009, many provisions of HITECH did not take effect until February of 2010.

Assuming Kaiser had obtained an appropriate HIPAA BAA from Sure File, at a minimum, the contractor would have agreed to implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of electronic protected health information and/or appropriate safeguards to prevent use or disclosure of PHI other than as provided for by its contract. I think we would all agree that storing hard drives with hundreds of thousands of patient records in your garage or home, or records in an unsecured shared warehouse space, is a far cry from implementing reasonable and appropriate safeguards, however recklessly the other party may also have acted with regard to the information. 

HHS Rings in 2013 with News of Settlement for Small Breach

We hope all of our readers had a happy and relaxing holiday season, and we wish you all the best for this New Year!

It seems fitting for the first post of the year to revolve around HHS's announcement of its first breach settlement of 2013.  In what may quickly become a "trend" for HHS and OCR, the $50,000 settlement with the Hospice of North Idaho (HONI) is the first of its kind.  Coming after OCR investigated a reported breach involving 441 patients and theft of an unencrypted laptop in the summer of 2010, it is a far cry from the breach tallies we have seen in the past numbering in the hundreds of thousands of affected individuals and over a million dollars in fines.

Yet again OCR has called out a covered entity for failing to conduct a risk analysis as required by the HIPAA Security Rule and cracked down on yet another breach involving an unencrypted device (see, for example, the Alaska DHHS Resolution Agreement which resulted from theft of a flashdrive containing PHI).  Not only did OCR state that HONI had failed to implement policies and procedures to address mobile device security despite regular and routine use of laptops in the field, but that HONI also failed to conduct a risk analysis to safeguard electronic PHI, stating,

HONI did not conduct an accurate and thorough analysis of the risk to the confidentiality of ePHI on an on-going basis...from the compliance date of the Security Rule to January 17, 2012.  In particular, HONI did not evaluate the likelihood and impact of potential risks to the confidentiality of electronic PHI maintained in and transmitted using portable devices, implement appropriate security measures to address such potential risks, document the chosen security measures and the rationale for adopting those measures, and maintain on an on-going basis reasonable and appropriate security measures. (emphasis added)

The risk analysis is too often abandoned to the wind by many covered entities, despite being a "Required" implementation specification for the security management process needed to prevent, detect, contain, and correct security violations.

Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.  

This breach settlement, combined with the fact that the risk analysis is also an independent core measure required for Meaningful Use participants in the Medicare and Medicaid EHR Incentive Programs, suggests all covered entities, whether big or small, should make it their New Year's Resolution to be more proactive about their risk analyses and throw out bad portable device habits. If your organization doesn't have policies and procedures regarding use of laptops, flashdrives, and other devices which can store or access ePHI, and a good reason for not encrypting them where their use is necessary, it may be in for a rude awakening in the event of loss, theft, or OCR or CMS knocking at the door to conduct an audit. Remember, even though not required per se by the HIPAA Security Rule, encryption of data at rest and in transmission is an implementation specification that must be addressed by all covered entities.    

OCR and ONC have made available several resources and tools to help covered entities of all sizes in conducting and reviewing a risk analysis.  The majority of these are now readily available in one location on the Health IT website under the National Learning Consortium Resources section. The NIST 800-30 Special Publication has also consistently been referred to by OCR as a resource to use in preparing for and conducting risk analyses. In addition, ONC recently released a new initiative aimed at increasing the security of mobile devices, Mobile Devices: Know the RISKS. Take the STEPS. PROTECT and SECURE Health Information.

Whatever the reasons or excuses in the past, make 2013 the year your organization resolves to be more proactive about its risk analysis and security management processes, managing mobile devices and the overall security of ePHI. 

The $1.7 Million Flashdrive...Alaska Medicaid Settles HIPAA Violations

Even state agencies are not invisible to the all-seeing eye of OCR.  The use, and subsequent theft of, an unencrypted flashdrive cost the Alaska Medicaid agency $1.7 million, according to the Office of Civil Rights (OCR) in a news release issued yesterday. According to OCR, an employee of the Alaska Department of Health and Human Services (ADHHS), the state's Medicaid agency, had an unencrypted flashdrive possibly containing PHI stolen from his car back in October 2009.  ADHHS reported the breach promptly to OCR, which began an investigation in the beginning of 2010. 

In the Resolution Agreement, OCR stated that ADHHS had failed to:

  • Complete a HIPAA risk analysis;
  • Implement sufficient risk management measures;
  • Complete security training for ADHHS workforce members;
  • Implement device and media controls; and
  • Address device and media encryption.

The Resolution Agreement requires ADHHS to revise and submit to OCR its policies and procedures relating to access to e-PHI, specifically with regard to tracking and safeguarding devices containing e-PHI, encryption, disposal and re-use of such devices, responding to security incidents, and appropriately applying sanctions for violations. In addition, ADHHS is required to conduct a risk assessment of the confidentiality, integrity and availability of e-PHI, and implement security measures sufficient to reduce the risks and vulnerabilities identified.  The Resolution Agreement also requires ADHHS to provide specific training on the new policies.   

We all know the considerable security risks that are accompanied by use of unencrypted flashdrives, laptops and other portable devices and media by employees, residents and other workforce members -- now with a hefty price tag of $1.7 million.  Even for entities that have policies and procedures in place prohibiting use of such unencrypted devices, or that implement software that automatically encrypts any information saved to such devices, clearly communicating and enforcing these and the entity's other security policies and procedures is critical to avoiding security breaches and defending against potential OCR audits. 

While encryption isn't per se required to be implemented by HIPAA, it is an "addressable" implementation specification of the Security Rule.  This means that you must assess whether encryption would be "reasonable and appropriate" for ePHI "at rest" and in transmission, and if not appropriate, clearly have in place alternative safeguards and mechanisms to secure electronic PHI.  It has become all too clear that not encrypting flashdrives, laptops, hard drives and other devices and media that can potentially leave the safety of your facility can not only result in a reportable security breach, but also some serious explaining to OCR when it comes knocking on your door. And remember, if a security incident occurs and the information that was stored or transmitted was encrypted, you are likely not required to notify patients that a security breach has occurred.  

To help assess whether your security management process will stand up to OCR review, keep an eye out for our next post reviewing the newly released OCR Audit Protocol for the HIPAA performance audits. 

Mass. AG Levies 750k Judgment on Hospital for Data Breach

Massachusetts Attorney General Martha Coakley announced on May 24, 2012 having reached a settlement agreement with South Shore Hospital for failure to protect personal and confidential health information of over 800,000 patients. 

“Hospitals and other entities that handle personal and protected health information have an obligation to properly protect this sensitive data, whether it is in paper or electronic form,” AG Coakley said. “It is their responsibility to understand and comply with the laws of our Commonwealth and to take the necessary actions to ensure that all affected consumers are aware of a data breach.”

The consent judgment requires South Shore Hospital to pay a total of $750,000, including $250,000 in civil penalties and $220,000 towards an education fund for protection of PHI and personal information.  However, South Shore Hospital did receive a "credit" for security measures it implemented after the breach occurred of $275,000, leaving only $475,000 payable. 

The consent judgment also requires South Shore Hospital to undergo audit and report results of certain security measures, as well as take steps to ensure compliance with HIPAA business associate provisions and other federal and state security requirements.  In addition to failure to comply with HIPAA business associate obligations, South Shore Hospital also failed to comply with HIPAA and state obligations to implement appropriate safeguards, policies, and procedures to protect patient information, and appropriately train its workforce in safeguarding the privacy of PHI. It also neglected to ensure that the contractor itself had procedures in place to protect such PHI, according to the AG. 

Three boxes full of unencrypted computer backup tapes had been sent to a subcontractor of Archive Data Solutions in 2010 to be erased and resold; however, the subcontractor only received one of the boxes and the remaining two were never recovered.  According to the AG's office, South Shore Hospital did not have a business associate agreement in place with the contractor nor had it informed Archive Data that the backup tapes contained PHI.

The backup tapes contained Social Security Numbers, names, financial account numbers, and medical diagnoses.  As reported by HealthDataManagement, South Shore Hospital had determined in July 2010 that the missing backup tapes were not a breach requiring individual notice to affected and potentially affected individuals.  Rather, it posted a prominent notice on its website, citing state law provisions permitting alternative notifications where costs would exceed $250,000 or where over 500,000 residents are affected. 

It is unclear whether this breach was reportable and therefore actually reported to the Department of Health and Human Services (HHS) under the HITECH Breach Notification Rule.  Although the PHI here was unencrypted and therefore "unsecured" within the meaning of the HITECH Breach Notification Rule, covered entities are also required to conduct an assessment to determine whether an incident poses a "significant risk of harm" to the individual(s) that would give rise to a reportable breach.  Most importantly, a breach in and of itself does not automatically mean a HIPAA violation has occurred.

If a covered entity determines that there was a breach, all affected individuals and individuals reasonably believed to be affected are required to receive written notice of the breach, as well as HHS where over 500 individuals have been affected.  HITECH also permits alternative notification, but only where the contact information of an individual is incomplete or where written notice has been returned undeliverable to the covered entity attempting to notify such individual of a reportable breach. 

Aside from South Shore Hospital's obvious failure to obtain a business associate agreement and apparently even to inform Archive Data that it was a business associate subject to certain HIPAA provisions, it is unclear what else South Shore Hospital did or failed to do that contributed to the 750k settlement agreement and other alleged HIPAA and state law violations.  The AG's office noted that multiple shipping companies had handled the backup tapes, but did not otherwise indicate whether it was the lack of policies and procedures for safeguarding PHI and training workforce in such safeguards that resulted in the missing backup tapes (again, a breach itself does not automatically mean a HIPAA violation has occurred) or whether the focus was on the hospital's overall HIPAA and state law compliance program.

What is even more noteworthy is that the AG stated South Shore Hospital failed to determine whether Archive Data had sufficient safeguards in place to protect the PHI it would receive on the backup tapes prior to destruction.  This clearly places an obligation upon covered entities to go beyond ensuring that the business associate agreement itself is in compliance with HIPAA by requiring the business associate to implement reasonable safeguards to protect PHI.

While covered entities have always been, and should be, responsible for appropriate oversight and monitoring of their business associates, just how far is a covered entity responsible for going?  Does a hospital need to request that the business associate provide copies of its policies and procedures for safeguarding PHI? Policies and procedures for data destruction or erasing data?  Information on how its staff is trained on the business associate's obligations under HIPAA and the business associate agreement? 

And if a hospital is not satisfied with a business associate's policies and procedures, can it require additional safeguards and processes be implemented? Should a hospital also require notification by a business associate of potential breaches and security incidents to safeguard against bad calls? With business associates frequently resisting the inclusion of any provisions in a business associate agreement beyond the bare minimum required by HIPAA, covered entities may find it increasingly difficult to provide the required levels of oversight, safeguards and assigned responsibility.

With over 22% of reported breaches since 2009 involving business associates, as reported by HealthcareInfoSecurity, and with only one case (see Minnesota AG case against Accretive Health) so far targeting business associates directly for HIPAA violations, covered entities remain liable for the actions of their business associates, despite the fact that business associates are now directly subject to certain HIPAA provisions. Covered entities also bear the brunt of a breach, as it is their patients who may be seriously harmed.  As determining liability for breaches and other security incidents between a covered entity and a business associate involved remains quite uncertain for now, the business associate regulations (expected "soon" ever since last year) will be a welcome ray of clarity for covered entities and business associates alike. 

Will HIPAA Conviction Appeal Loss Open the "Zhou" Gates?


This post is prepared by Christopher Dodson. 

Readers of this blog are probably familiar with the case of Dr. Huping Zhou, who was successfully prosecuted for violating HIPAA's privacy protections.  Zhou accessed the patient records of celebrities and coworkers more than three hundred (300) times over the course of several months, including four times after he was fired. The case is notable, in part, because Zhou's actions were not part of a broader criminal conspiracy. He was not defrauding the government or engaging in identity theft but was merely reading patient records as a matter of curiosity. When he appealed his conviction, the Ninth Circuit ruled that HIPAA's wrongful disclosure provision does not require intent to break the law.

One of the interesting details of the case was that while Zhou accessed several hundred records, he was only charged for the four records he accessed after he was fired. Why did the Department of Justice not charge him for accessing the other records while he was employed?

§ 1320d-6 of HIPAA prohibits anyone from knowingly accessing individually identifiable health information from a covered entity without authorization.

The answer to why Zhou was only charged with four counts may lie in the phrase "without authorization." It is possible that since DOJ was already breaking new ground by prosecuting him for accessing records without criminal intent, they did not want to add a second novel issue in whether he had sufficient authorization while he was employed. 

But now that DOJ has established that criminal intent is not required to violate HIPAA's wrongful disclosure provision, is it possible that the next person in Zhou's position could be charged for inappropriately accessing records while employed?

There is an interesting parallel with the Computer Fraud and Abuse Act. As with HIPAA, the CFAA prohibits certain actions when they occur "without authorization," a phrase which is undefined. There is ongoing debate over what qualifies as authorization for purposes of the CFAA and a split has developed among the circuit courts over a theory relating to authorization for employees. The theory holds that when an employee violates the duty of loyalty, her authorization is canceled as a matter of law even while she is still employed. Under this theory, if an employee has authorization to access a computer system then violates the duty of loyalty and engages in actions prohibited under the CFAA, a court may rule that her authorization to use the computer system was terminated as a matter of law at the time of the offense. In other words, as far as the employee and her employer are concerned she is an authorized user. But sometime later the legal system determines otherwise, leaving her liable under the CFAA.

Because there is a split among the circuit courts, many observers think the issue will wind up before the Supreme Court. If the Supreme Court affirms canceling authorization retroactively based on an employee's actions, it is not a stretch to imagine DOJ developing an argument that the authorization of someone like Zhou was terminated as a matter of law prior to being fired. This would enable DOJ to charge the defendant with all of the record views that occur after the authorization-terminating event.

Christopher is a former software developer and current J.D. candidate at the Earle Mack School of Law of Drexel University.  He is working with the Attorneys at Oscislawski LLC as a summer intern.

Cardiac Surgery MD Group Agrees to Pay $100,000 Settlement to HHS for Lack of HIPAA safeguards

And the HIPAA money keeps rolling to the feds. The latest settlement (announced today) is with a cardiac surgery physician group in Phoenix, Arizona, which has agreed to pay a hefty sum after someone reported to HHS that the MD group was potentially compromising patients' PHI by posting appointments on an internet-based calendar, which prompted OCR to investigate and find the physicians to be out of compliance with HIPAA's safeguards.  

The following April 17, 2012 Press Release is HOT off the presses on HHS' News Release website:

Phoenix Cardiac Surgery, P.C., of Phoenix and Prescott, Arizona, has agreed to pay the U.S. Department of Health and Human Services (HHS) a $100,000 settlement and take corrective action to implement policies and procedures to safeguard the protected health information of its patients. 

The settlement with the physician practice follows an extensive investigation by the HHS Office for Civil Rights (OCR) for potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules.

The incident giving rise to OCR’s investigation was a report that the physician practice was posting clinical and surgical appointments for its patients on an Internet-based calendar that was publicly accessible. On further investigation, OCR found that Phoenix Cardiac Surgery had implemented few policies and procedures to comply with the HIPAA Privacy and Security Rules, and had limited safeguards in place to protect patients’ electronic protected health information (ePHI).

“This case is significant because it highlights a multi-year, continuing failure on the part of this provider to comply with the requirements of the Privacy and Security Rules,” said Leon Rodriguez, director of OCR. “We hope that health care providers pay careful attention to this resolution agreement and understand that the HIPAA Privacy and Security Rules have been in place for many years, and OCR expects full compliance no matter the size of a covered entity.”

The HHS Resolution Agreement can be found on HHS' website here.  OCR’s investigation revealed the following specific issues with this group's HIPAA program:

  • Phoenix Cardiac Surgery failed to implement adequate policies and procedures to appropriately safeguard patient information;
  • Phoenix Cardiac Surgery failed to document that it trained any employees on its policies and procedures on the Privacy and Security Rules;
  • Phoenix Cardiac Surgery failed to identify a security official and conduct a risk analysis; and
  • Phoenix Cardiac Surgery failed to obtain business associate agreements with Internet-based email and calendar services where the provision of the service included storage of and access to its ePHI.  This last finding is a significant one, and it underscores that HIPAA BA Agreements MUST be entered into with vendors who have access to ePHI in order to provide a service to a covered entity!

With the HITECH Rules in OMB and due out by mid June (unless an extension is sought by OMB), it will be particularly interesting to see if the Final Rules address the HITECH Act's requirement for percentages being paid out to individuals "damaged" by breaches of their information. The HITECH Act required rules on that topic to be out by this summer. Since an individual's report to HHS triggered this particular investigation and subsequent settlement, some are suggesting that such percentage payouts to individuals for HIPAA violations could in effect become almost like a whistle-blower provision and incentivize patients and others to submit reports to HHS for potential investigation.  I think that might be the point.

But for now, this case just underscores once again that the best way for physician practices (and other covered entities) to protect themselves is to have a fully robust HIPAA compliance program developed and implemented (see, for example, our comprehensive HIPAA-HITECH Helpbook on www.ohcsolutions.com).  Don't forget to also conduct a Security Gap Audit (see www.myhic.net, a leading company that specializes in and has thousands of hours of experience completing Security Audits for Physician Practices, or contact them here). Finally, don't forget to provide regular training to your employees. For live training sessions and video training options, visit our Workshops page. 

Peeling Back BCBS's $1.5 Million HIPAA Settlement Onion


As many of our readers have already heard, on March 13, 2012 HHS announced that Blue Cross Blue Shield of Tennessee entered into a Resolution Agreement for $1.5 million to settle potential violations of HIPAA. You can access a copy of the Resolution Agreement here.

I find this new case both instructive and frightening, but one has to peel back the layers of this HIPAA-onion to really understand why the Resolution Agreement between BCBS of Tennessee (BCBSOTenn) and HHS/OCR creates an even greater nerve-racking precedent than may be immediately apparent.

First, it must be noted that OCR initiated its investigation of the Breach incident and BCBSOTenn only after BCBSOTenn submitted its HITECH Breach Report "in compliance with" 45 CFR §164.408.  Therefore, HHS/OCR appears to acknowledge that BCBSOTenn's reporting of the Breach was timely, proper and otherwise in compliance with the Breach Notification Rule.  And, while BCBSOTenn did not seem to get much reprieve here for its diligent Breach reporting, it’s important to point out that just because a covered entity experiences a Breach does not in and of itself mean that the covered entity has violated the HIPAA Privacy or Security Rule.  A covered entity must actually fall short of or be non-compliant with a HIPAA Privacy Rule standard or Security Rule standard before an actual violation can be found.

So, at least hypothetically, a covered entity could still be in full compliance with the HIPAA Privacy and Security Rules, even if it experienced a Breach involving or potentially compromising PHI.

In such a situation, as long as the covered entity properly and timely reports the Breach as required under the HITECH Breach Rule, and has a fully compliant, current and effective HIPAA compliance program implemented, then the covered entity should be able to assert that there were no violations of HIPAA or HITECH to give rise to HHS/OCR assessing penalties against it.  However, at least for BCBSOTenn, apparently the cost and burden of going through an investigation to prove that the Breach was not due to an underlying lapse in its HIPAA compliance program was not worth it, at least not $1.5 million.

What may be most chilling from a compliance perspective here, however, is that the Breach incident itself was allegedly caused by an intervening criminal act, and that BCBSOTenn had presumably paid Eastgate to provide security services to safeguard the data closet where the video and audio recordings were being temporarily stored until their scheduled relocation at the end of November 2009;  and, indeed, it seems that Eastgate did have a lot of appropriate physical safeguards in place, including biometric and keycard scan security with a magnetic lock, an additional door with a keyed lock, and basic security services.

So, if BCBSOTenn contracted, paid for and relied on Eastgate to provide security services, one would think that it would be reasonable for BCBSOTenn to believe that it had taken appropriate steps to safeguard the e-PHI while it was temporarily stored at the data closet.  What is not discussed in the Resolution Agreement, but would be interesting to know, is whether BCBSOTenn’s contract with Eastgate included HIPAA BAA-type language to ensure that Eastgate was aware of the sensitive nature of what it was securing (i.e., e-PHI), and to contractually obligate Eastgate to have in place at least minimum administrative, technical and physical safeguards with regard to how it ensured the security of the data closet.

This illustrates a good lesson: while a security vendor or a building manager may not technically be a HIPAA BA, as historically defined by HHS (because such third parties are not required to access PHI to perform their function on behalf of the covered entity), in any instance where a covered entity relies on a third party to ensure the security of its PHI or e-PHI, including software vendors, data warehouses, cloud providers and other similar third parties, it is important to have that third party contractually agree to have HIPAA BA-type safeguards in place, and to agree to be responsible for any damages that may arise from a Breach that is due to its own negligence. In this case, Eastgate did not respond to evaluate an unresponsive gate for the entire weekend. While it is not clear whether this was negligent on the part of Eastgate, hopefully BCBSOTenn had provisions in its agreement with Eastgate that required insurance coverage for such incidents and that will allow BCBSOTenn to make a claim for indemnification if there was indeed fault on the part of Eastgate.

Finally, despite the fact that the theft of the e-PHI was the event that precipitated HHS/OCR's investigation here, it almost seems that the settlement with BCBSOTenn had less to do with the actual Breach incident itself and more to do with what HHS/OCR may have believed could be lacking in BCBSOTenn’s general HIPAA compliance program.  In fact, the corrective action plan (CAP) in the Resolution Agreement does not include any requirement to take any action, such as encryption, with regard to similarly stored data devices.  Instead, the CAP focuses on HHS/OCR having the opportunity to review BCBSOTenn’s written policies for conducting a risk assessment, conducting a risk management plan, addressing facility access controls and a facility security plan, and addressing physical safeguards governing the storage of e-PHI.  The CAP also requires such policies to be revised, IF HHS/OCR suggests “material changes” to the policies, and to be distributed to the entire BCBSOTenn workforce, who must then sign a certification of receipt and be retrained. Now, while that is all well and good, I wonder why HHS/OCR focused on BCBSOTenn's workforce when it was the employees of Eastgate who did not respond to the lapse in security.  At least in this instance, then, the real security gap seemed to be with BCBSOTenn’s contracted security vendor’s workforce, not its own.

This case certainly raises questions and concerns with investigation and enforcement processes, but also offers some instruction.  First, it is important for covered entities to review their contracts with third parties that may have access to PHI, and most certainly if such third party may be directly or indirectly responsible for ensuring the security of its PHI.  Covered entities should include clear language regarding allocation of responsibility for security, and severe repercussions, including potential indemnity, if the vendor falls short. Contracts with technology vendors, cloud providers, facility security providers, and the like are all potential areas where security weaknesses and gaps may exist.

Finally, while the outcome of the BCBSOTenn situation may tempt many to be more hesitant with reporting Breaches to HHS, that is not advisable.  Not reporting a Breach incident when it is legally required to be reported under the law could just lead to additional potential penalties for violations of the HITECH Breach Rule.  Thus, while Breach reporting clearly can lead to an OCR investigation, as it did here, the best defense may be for covered entities and business associates to ensure that their HIPAA Policies and Procedures are well-developed, updated, and implemented so that they can all be handed to HHS/OCR as proof of full HIPAA compliance, despite any Breach incident having occurred.


State AG Brings First HIPAA Lawsuit Against Business Associate

Last month, I posted how treatment of business associates during HIPAA investigations remains unclear as well as assignment of liability for breaches of PHI.  A final "omnibus rule" is expected to clarify the HITECH business associate (and other) provisions this year, but in the meantime, much confusion remains. 

Despite the lack of final business associate rules, and confusion or not, Minnesota has dived head first into action against a business associate for HIPAA violations.  In the first HIPAA enforcement action directly against a business associate, Minnesota Attorney General Lori Swanson has brought an action against Accretive Health, Inc., pursuant to her authority under HITECH.  In addition, multiple violations of Minnesota law are alleged, including the Minnesota Health Records Act, debt collection statutes, and consumer protection laws.

Accretive functions in multiple capacities for covered entities in Minnesota, including as treatment coordinator, debt collector and quality cost control and management partner.  A breach last summer of data compiled by Accretive, which resulted from an unencrypted laptop being stolen from a rental car where an employee had left it, affected at least 23,531 patients.  Information that was on the laptop included personal identifying information (name, address, phone number, Social Security Number), "medical scores" predicting the frailty, complexity and likelihood a patient would be admitted to the hospital, and dollar amounts allocated to the patient's health care provider, as well as whether patients had certain conditions such as bipolar disorder, depression, high blood pressure, asthma and back pain.

The HIPAA violations are quite extensive, with the complaint alleging:

  • failure to implement policies and procedures to prevent, detect, contain and correct security violations;
  • failure to implement policies and procedures to ensure appropriate access to electronic PHI by members of its workforce and prevent those without authorized access from accessing such PHI in violation of HIPAA;
  • failure to effectively train all members of its workforce, agents and independent contractors, on the policies and procedures regarding PHI as necessary and appropriate to carry out their functions and maintain security of the PHI;
  • failure to identify and respond to suspected or known security incidents and mitigate, to the extent practicable, harmful effects known to them;
  • failure to implement policies and procedures to limit physical access;
  • failure to implement policies and procedures governing receipt and removal of hardware and electronic media containing electronic PHI within and without the facility;
  • failure to implement technical policies and procedures for electronic information systems to allow access only to those granted access rights; and
  • failure to implement policies and procedures as otherwise required by HIPAA.

Almost more interesting than the alleged HIPAA violations (and what could potentially have been one of the driving forces behind the Attorney General taking action rather than the HIPAA violations), the complaint also alleges deceptive and fraudulent practices in that Accretive failed to disclose how much health information it was collecting on patients and its involvement in their health care, detailing in great length the importance of transparency for patients and the doctor-patient relationship.  In the press release, Attorney General Swanson stated,

“Accretive showcases its activities to Wall Street investors but hides them from Minnesota patients.  Hospital patients should have at least the same amount of information about Accretive’s extensive role in their health care that Wall Street investors do.”

This action has the potential to set precedent in Minnesota as to just how much transparency and information should be viewed as "necessary" for patients to make informed choices regarding their health care and medical records and the extent to which health care entities must take affirmative action to notify patients of their role in their health care.   

Although the extensive HIPAA violations are merely one drop in the bucket of allegations against Accretive (e.g., fraud and deceptive practices, failure to notify of status as debt collector, release of health records in violation of the Minnesota Health Records Act), the enforcement action against Accretive makes it quite clear that covered entities aren't the only ones who need to be scrambling to get their ducks in a row.  While other state Attorneys General have previously brought actions against covered entities (e.g., Vermont, Indiana, Connecticut), now that a state has gone after a business associate directly, it would not come as a surprise to see other states joining in, despite the lack of final business associate rules.

For more information regarding what covered entities and business associates can do to prepare for a HIPAA audit or ward off the potential for enforcement action against them, see our November 17 blog post with links to additional HIPAA resources.  A copy of the complaint against Accretive may also be found here.

OCR Director Reaffirms Commitment to Strengthening Privacy and Security of EHRs

It's no secret that since the days of its enactment, HIPAA enforcement has been lacking on both civil and criminal fronts from the Office for Civil Rights (OCR) and the Department of Justice (DOJ).  However, with increased penalties under HITECH and a renewed commitment by OCR and DOJ towards cracking down on HIPAA violations, Covered Entities and Business Associates have even more reason now to dot their i's and cross their t's, especially with HIPAA audits kicking off this past November.

As providers and hospitals increasingly adopt and utilize EHR systems as part of the Medicare and Medicaid EHR Incentive Programs, the security of these systems (and authority over the system vendors) becomes a critical focus.  The new Director of OCR, Leon Rodriguez, in a recent interview with the Boston Globe said that his office would take a tougher stance on HIPAA with the goal of improving public acceptance of EHRs and that his office was ready to work with EHR providers on security.

Critical to the security of EHRs are the privacy and security responsibilities of Business Associates (and their contractors and subcontractors).  Although HITECH imposed certain HIPAA requirements directly on Business Associates, the Business Associate regulations and a model Business Associate Agreement incorporating the new requirements have yet to be released.  The Notice of Proposed Rulemaking, however, is expected to be forthcoming "soon", according to Director Rodriguez in a presentation given on November 17 at the ONC Grantee and Stakeholder Summit.  In addition, for the time being, the HIPAA Privacy and Security audits will not be conducted directly on Business Associates, but rather, only on those Business Associates connected with a covered entity being audited.

This leaves significant room for confusion in how Business Associates, and in particular, their contractors and subcontractors, will be dealt with by OCR during the course of a HIPAA investigation and who ultimately will be held responsible for a breach of EHR and other patient data.  A great example of this can be found in a recent blog by the President and CEO of the Massachusetts eHealth Collaborative, which as a result of a theft of an employee laptop last year experienced a security breach affecting over 14,000 patients.  

As Deven McGraw, director of the Health Policy Project at the Center for Democracy and Technology, stated, stronger enforcement of HIPAA is critical to the success of EHRs, noting,

"We're just on the back side of the curve of adoption of more robust security.  I'm hoping that in another year, we'll have a little bit of a different picture, but it's not pretty right now."

For a more in-depth look at the issues concerning Business Associates and HIPAA, see the Center for Democracy and Technology's December 15, 2011 post examining the need for clarification in the Business Associate rules.  And, in the words of Director Rodriguez, "stay tuned" for these proposed rules to come "soon". 

HIPAA Audits Begin November 2011, How Can Covered Entities and Business Associates Prepare?

The United States Department of Health and Human Services (HHS) has announced that it will begin HIPAA audits of covered entities and business associates this November 2011, and its contracted auditor, KPMG, is required to audit up to 150 entities by the end of 2012!  HHS’s website provides detailed information regarding when the audits will begin, who may be audited, how the audit program will work, what the general timeline will be for an audit, and, generally, what will happen after an audit is completed. In addition, HHS's sample Audit Letter indicates that KPMG will focus on discovering vulnerabilities in privacy and security compliance programs, and that certain “information” and “documents” will be requested in connection with the audit. However, no additional details are given regarding what covered entities and business associates may be asked to produce. 

Presumably, KPMG will not be letting the HIPAA audit cat out of the bag too soon by telling organizations exactly what information and documents they may ask for in connection with such audits, especially where one of their objectives is to identify gaps in HIPAA compliance. Nevertheless, covered entities and business associates may gain valuable insight into what to expect by looking to past guidance regarding HIPAA audits issued by HHS’s Office of e-Health Standards and Services (the “HIPAA Audit Checklist”), as well as by reviewing HIPAA audits and investigations that have taken place over the last few years. 

In its formerly-released HIPAA Audit Checklist, the Office of e-Health lists out the types of personnel that may be interviewed, and the types of policies, procedures and other documentation and evidence that may be requested.  In addition, the audit of Atlanta, Georgia’s Piedmont Hospital is informative. In February of 2007, HHS through the Office of Inspector General conducted a random HIPAA audit of Piedmont hospital.  The letter to Piedmont’s CIO announced that the focus of the audit would be on the organization’s compliance with the Security Rule and indicated that the audit would begin with an “entrance conference” 10 days after Piedmont’s receipt of the audit letter from the Regional Inspector General for Audit Services (note that the proposed timeframe for coming KPMG audits is 30-90 calendar days from the date on the applicable HHS Audit Letter).  The Piedmont audit letter also included an enclosure asking for a list of documents and information to be provided, which overlapped significantly with the Office of e-Health’s HIPAA Audit Checklist!   

Covered entities and business associates may also glean additional insight from what HHS/OCR has asked for in connection with complaint-driven HIPAA investigations. HHS/OCR has posted on its website several Resolution Agreements with covered entities who have been through a HIPAA investigation.  These agreements also contain hints as to what covered entities and business associates may be asked for during a HIPAA Audit.

Until news of organizations starting to receive HIPAA audit letters starts to trickle out and KPMG begins its work, it is not possible to know exactly what KPMG will ask for and focus on.  Nevertheless, covered entities and business associates should not sit back and take a “wait and see” approach.  Rather, organizations should prepare now by completing an internal review of their HIPAA compliance program to ensure that their policies are current and are being followed by their workforce, and all other required HIPAA documentation is in place and ready to be produced in case a HIPAA Audit letter arrives in the mailbox tomorrow.

Click here to download a copy of our November edition of "Health Law Diagnosis" which includes a list of HIPAA compliance items that all covered entities and business associates should have in order to be prepared for a HIPAA Audit.

HIPAA Auditor Responsible for Breach in 2010

In June of 2010, a large healthcare system was informed by its business associate that a breach had occurred, affecting thousands of patients at its hospital.  The breach had occurred the previous month when an employee of the business associate lost an unencrypted flash drive that may have contained patient information.  Although the breach was reported last year, news regarding the breach appears to have begun circulating this past week, most likely due to the new role of the business associate in question. 

The real kicker is that the business associate was none other than KPMG, the prominent auditing, advisory and tax company that was recently awarded $9.2M by the Office for Civil Rights (OCR) to conduct HIPAA privacy and security compliance audits.  Although the flash drive reportedly did not contain patient information such as social security numbers, addresses, personal identification numbers, dates of birth or financial information, the embarrassing fact remains that a KPMG employee used an unencrypted flash drive to carry around patient information. 

Not only was I surprised at KPMG's responsibility for the breach, but also the length of time that went between the discovery of the loss of the flash drive by KPMG (May 10, 2010) and the report that was sent to the covered entity regarding the loss (June 29, 2010).  Although KPMG just barely notified its customer within the HITECH sixty day notice requirement, one has to wonder why it took so long for KPMG to discover that the device was missing and/or report it.

Although I am also curious as to why a KPMG employee would need to carry around patient information on a flash drive to begin with (especially an unencrypted one), this shows that a breach can happen to the best of us.  It also highlights a big problem for hospitals and other health care providers when it comes to security of patient information.  All too often residents, nurses and other health care providers copy patient information onto flash drives, laptops or other unencrypted devices which are easily lost or stolen.  These risks must be identified and aggressively managed by health care organizations and their business associates to minimize the risk of breach to such organizations and the patients they serve. 

HealthLeadersMedia reports that Susan McAndrew, OCR deputy director for health information privacy, wrote in an email that the case was currently under investigation and as such, OCR could not address KPMG's involvement in the breach.  When asked whether KPMG's involvement in the breach had been considered prior to awarding it the HIPAA audit contract, McAndrew stated,

The award of the HIPAA audit contract was the result of HHS’ usual, rigorous, competitive process. Specific questions regarding the contract award are procurement sensitive.

The public notice made available by the hospital on its website stated that,

KPMG has told us the company is implementing measures to avoid similar incidents in the future, including additional training and the use of improved encryption for its flash drives.

Improved encryption? The flash drive that went missing reportedly did not have any encryption mechanism at all.  One would hope, though, that KPMG has followed through and improved its security measures, given that it is now OCR's contracted HIPAA auditor with the potential to access patient PHI and other information in the course of its auditing activities.

UCLAHS Settles Potential HIPAA Violations

The HHS OCR has announced its settlement with the University of California Los Angeles Health System (UCLAHS) for potential violations of the HIPAA Privacy and Security Rules. The settlement and resulting Resolution Agreement resolved two separate complaints alleging UCLAHS employees repeatedly accessed the electronic protected health information (PHI) of two celebrity patients out of curiosity. 

The OCR investigations, which began in June of 2009, found that from 2005 through 2008, employees of UCLAHS accessed the PHI of patients without any legitimate reason.  OCR also found that UCLAHS had failed to provide and/or document appropriate HIPAA training for its employees, implement appropriate security measures, and assess and/or apply sanctions against employees who accessed PHI without reason. 

UCLAHS is required under the Resolution Agreement to pay $865,500 and implement a corrective action plan that includes putting into place HIPAA privacy and security policies approved by OCR to address permissible and impermissible uses and disclosures of PHI as well as training and appropriate sanctions against employees for non-compliance.  UCLAHS is also required by the Resolution Agreement to designate an independent monitor to assess UCLAHS's compliance with the plan over the next three (3) years.

The Director of OCR, Georgina Verdugo, stated:

Covered entities need to realize that HIPAA privacy protections are real and OCR vigorously enforces those protections.  Entities will be held accountable for employees who access protected health information to satisfy their own personal curiosity.

You can read the full Resolution Agreement here and the HHS press release here
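The UCLAHS findings describe the classic "snooping" pattern: workforce members with legitimate system access repeatedly opening the records of patients they have no treatment or business relationship with, and no sanctions following because nobody reviewed the audit trail. The check a privacy or security officer actually wants is a periodic review of the EHR access log against documented care relationships. The following is an added example (not code from the UCLAHS case, the Resolution Agreement, or any EHR vendor); the log columns, the care-team roster and the sample rows are constructed for illustration, and the threshold of two accesses is an assumption to tune to the organization.

```python
"""Flag workforce access to patient records with no documented care relationship.

Added example with constructed data; the audit-log format and the care-team
roster are assumptions, not the layout of any real EHR system.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
import csv
import io

# Constructed sample audit trail (assumed CSV export of an EHR access log).
SAMPLE_AUDIT_LOG = """\
timestamp,user_id,role,patient_id,action
2008-03-01T08:02:11,u101,rn,p5001,view_chart
2008-03-01T08:05:40,u101,rn,p5001,view_notes
2008-03-01T09:10:02,u205,billing,p5001,view_demographics
2008-03-01T12:31:55,u340,rn,p5001,view_chart
2008-03-01T12:33:10,u340,rn,p5001,view_notes
2008-03-02T07:58:03,u340,rn,p5001,view_chart
2008-03-02T18:45:21,u340,rn,p5001,view_labs
2008-03-02T19:00:00,u512,md,p5002,view_chart
2008-03-03T09:15:30,u340,rn,p5002,view_chart
2008-03-03T21:02:47,u777,clerk,p5001,view_chart
"""

# Constructed sample of documented relationships (assumed to come from
# encounter, assignment and billing records). Listed users are authorized.
SAMPLE_CARE_TEAM = {
    "p5001": {"u101", "u205"},   # treating RN and a billing user with a work need
    "p5002": {"u512"},           # treating physician
}


@dataclass(frozen=True)
class AccessEvent:
    timestamp: str
    user_id: str
    role: str
    patient_id: str
    action: str


def parse_audit_log(text):
    """Parse the CSV export into AccessEvent records."""
    reader = csv.DictReader(io.StringIO(text))
    return [AccessEvent(r["timestamp"], r["user_id"], r["role"],
                        r["patient_id"], r["action"]) for r in reader]


def unauthorized_accesses(events, care_team):
    """Events whose user has no documented relationship to the patient."""
    return [e for e in events
            if e.user_id not in care_team.get(e.patient_id, set())]


def repeated_snooping(events, care_team, threshold=2):
    """Return (user, patient) pairs accessed out-of-team at least `threshold` times.

    A single out-of-team lookup may be a legitimate emergency ("break the glass")
    access that still needs review; the same user returning to the same record
    repeatedly, with no relationship, is the curiosity pattern OCR described.
    """
    counts = Counter((e.user_id, e.patient_id)
                     for e in unauthorized_accesses(events, care_team))
    return {pair: n for pair, n in counts.items() if n >= threshold}


def sanction_report(events, care_team, threshold=2):
    """Group flagged pairs per user so each case can be routed for sanctions review."""
    per_user = defaultdict(list)
    flagged = repeated_snooping(events, care_team, threshold)
    for (user, patient), n in sorted(flagged.items()):
        per_user[user].append((patient, n))
    return dict(per_user)


if __name__ == "__main__":
    events = parse_audit_log(SAMPLE_AUDIT_LOG)
    for user, hits in sanction_report(events, SAMPLE_CARE_TEAM).items():
        for patient, n in hits:
            print(f"REVIEW: {user} accessed {patient} {n} times with no care relationship")
```

In the constructed sample, user u340 opens p5001's chart four times over two days while never appearing on that patient's care team, and is the only pair that crosses the threshold; the single lookups by u340 (p5002) and u777 (p5001) are still surfaced by `unauthorized_accesses` for a lighter-touch review. Running this against a real export requires the roster to be complete (covering consults, on-call coverage and billing staff), otherwise legitimate users are flagged and the review loses credibility; the roster is the hard part, not the counting.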

Doctor Faces Criminal Charges for Wrongful Disclosures under "False Pretenses"

Hot on the heels of the HIPAA criminal charges against Chelsea Catherine Stewart for theft of patient information (see my previous post on June 14, 2011), a physician was indicted June 21, 2011 on three counts of HIPAA violations in the U.S. District Court for the Eastern District of Virginia.  Dr. Richard Alan Kaye, a licensed osteopath board certified in psychiatry, was formerly the medical director of the Psychiatric Care Center at Sentara Obici Hospital in Suffolk, Virginia, and had treated the patient whose individually identifiable health information was allegedly disclosed without authorization.

According to the U.S. Attorney's Office for the Eastern District of Virginia, Dr. Kaye had provided in-patient mental health treatment to a patient and upon the patient's discharge in September of 2007, he had indicated in the discharge summary that the patient was not a danger to others.  Despite this, in February of 2008, Dr. Kaye disclosed information on three occasions to an agent of the patient's employer under "false pretenses" that the patient was a serious and imminent threat to the safety of the public.

According to the Virginia Board of Medicine, the Board had already investigated the incidents and fined Dr. Kaye $5,000 for "one patient case of releasing confidential information and breach of confidentiality" in May 2010.  He was placed on probation until he completed eight hours in professional ethics.  Dr. Kaye's license was restored by the Board on October 4, 2010 after compliance with the terms of his probation.

What makes this indictment against Dr. Kaye unique among previous HIPAA criminal prosecutions, however, is that it alleges false pretenses for wrongful disclosures made to an employer.  As it is unclear what the motive for Dr. Kaye's actions was in disclosing the information to the employer, one has to wonder what the "trigger" was that led to the FBI's involvement and U.S. Attorney's criminal charges.  Criminal prosecution under HIPAA is still a rare, albeit increasing occurrence, especially in comparison to the number of HIPAA violations investigated by OCR each year.

Under § 1320d-6(b)(2), Dr. Kaye could face a fine of up to $100,000 and up to five years in jail if convicted of disclosing the information under "false pretenses."  Dr. Kaye is scheduled to be arraigned on July 13.  A copy of the press release can be found here.  

CVS in the HIPAA Spotlight...Again.

On March 7, CVS Caremark (CVS) hit the HIPAA spotlight again, and not in a good way.  Back in 2009, CVS was the target of a joint U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) and Federal Trade Commission (FTC) investigation after media reports alleged that certain CVS locations were disposing of pill bottles containing patient information in unsecured dumpsters.  Although CVS denied the allegations, CVS shelled out a $2.25 million settlement and took corrective action to settle both potential HIPAA and FTC violations.  As a result, CVS is being actively monitored by HHS until 2012 and by the FTC for the next 20 years.  Then this past October, CVS was sued by six Texas pharmacies for trade secret misappropriation and Racketeer Influenced and Corrupt Organizations Act (RICO) violations as a result of certain CVS data-mining practices. The plaintiffs, who are board members of American Pharmacies, alleged that CVS denied patients their choice of pharmacy and smothered business competition, as well as used patient PHI in violation of HIPAA. 

Now, Strike 3.  Bloomberg News reported recently that CVS has been sued by a Pennsylvania resident, Arthur Steinberg, and the Philadelphia Federation of Teachers Health and Welfare Fund, for selling patient prescription information to pharmaceutical manufacturers such as Merck & Co, AstraZeneca and Bayer.  Allegedly, CVS was paid by pharmaceutical manufacturers to encourage physicians to prescribe their drugs to patients. "CVS encouraged physicians to do so through letters which included patient names, dates of birth and what medications patients were currently prescribed, allegedly obtained from CVS pharmacy services." The lawsuit accuses CVS of unfair trade practices, unjust enrichment and violating consumer protection laws. 

As Cignet Health and Mass General know all too well from the combined $5.3 million in civil penalties imposed recently by OCR, OCR is pursuing HIPAA violations with a vengeance as a result of HITECH's increased enforcement and CVS could potentially face a HIPAA investigation in addition to the pending lawsuits.  HIPAA as amended by HITECH generally prohibits Covered Entities and their Business Associates from marketing and selling PHI without first obtaining patient authorization.  Only under very limited circumstances may patient information be "sold" or released without authorization for such purposes.  Investigation by OCR is even more likely given that CVS has been under OCR's watchful eye since 2009.  In addition, CVS's actions could also potentially violate its 2009 settlement agreement with OCR, placing it in even more hot water. 

One, Two HIPAA Penalty Punch from HHS and OCR

Just as the gasps from the $4.3 million penalty OCR assessed against Cignet Health of Maryland started to subside, OCR delivered a whopping $1 million penalty to another hospital -- this time to The General Hospital Corporation and Massachusetts General Physicians Organization Inc. (aka "Mass General"). 

The HHS press release indicates that Mass General has agreed to pay the U.S. government $1,000,000 to settle potential violations of the HIPAA Privacy Rule.  Mass General signed a Resolution Agreement with HHS on February 14, 2011, which you can review here.  After announcing the Resolution Agreement, OCR Director Georgina Verdugo made this official statement:

We hope the health care industry will take a close look at this agreement and recognize that OCR is serious about HIPAA enforcement. It is a covered entity’s responsibility to protect its patients’ health information.

The issue came to OCR's attention when a patient filed a complaint after the PHI of 192 patients of Mass General’s Infectious Disease Associates outpatient practice, including patients with HIV/AIDS, was lost on March 9, 2009. The impermissible disclosures involved the loss of a patient schedule containing names and medical record numbers for the 192 patients, and billing encounter forms containing the name, date of birth, medical record number, health insurer and policy number, diagnosis and provider names for 66 of those patients. The documents were lost when a Mass General employee left them on a subway train; they were never recovered.

The Corrective Action Plan (CAP) requires that the hospital:

  • Develop and implement a comprehensive set of policies and procedures that ensure PHI is protected when removed from Mass General’s premises;
  • Train workforce members on these policies and procedures; and
  • Designate the Director of Internal Audit Services to serve as an internal monitor who will conduct assessments of Mass General’s compliance with the CAP and render semi-annual reports to HHS for a 3-year period.

The OCR Director also added:

To avoid enforcement penalties, covered entities must ensure they are always in compliance with the HIPAA Privacy and Security Rules . . . A robust compliance program includes employee training, vigilant implementation of policies and procedures, regular internal audits, and a prompt action plan to respond to incidents.

$4.3 Million Penalty Assessed Under HITECH for HIPAA Violations

One might say that HHS and OCR are making up for all those years people have complained about a lack of HIPAA enforcement -- $4.3 million worth of "making up for lost time" in just one shot....

HHS and OCR held nothing back in assessing the first civil money penalty under the new violation categories and increased penalty amounts created by HITECH.  The $4.3 million penalty was imposed against Cignet Health in Prince George's County, Maryland, for violating HIPAA patient access rights.  Between September 2008 and October 2009, Cignet denied 41 patients access to their medical records upon request, and each patient filed an individual complaint with OCR. HIPAA requires Covered Entities to provide patients with copies of their medical records on request within 30 days and, with a permitted extension, in no case later than 60 days from the date of the request. HITECH created new categories of violations, ranging from "did not know" to "willful neglect", and established a corresponding tiered monetary penalty system.

Had this been the end of the story, Cignet would have walked away with a $1.3 million penalty for violating HIPAA patient access rights.  However, Cignet not only failed to honor those rights but also refused to produce the records when OCR demanded them.  Even after OCR served Cignet with a subpoena, it still did not produce the records.  Only after OCR filed a petition to enforce the subpoena and obtained a default judgment against Cignet in United States District Court did Cignet finally turn over the records.  Throughout the investigation Cignet made no effort to cooperate or to resolve the complaints informally.  OCR found this failure to cooperate to be willful neglect of the HIPAA Privacy Rule, which requires all Covered Entities to cooperate with OCR investigations, and imposed an additional $3 million against Cignet.

The penalties imposed against Cignet dispel any remaining doubt about HHS' ramped-up enforcement of HIPAA.  OCR Director Georgina Verdugo stated, "The U.S. Department of Health and Human Services will continue to investigate and take action against those organizations that knowingly disregard their obligations under these rules." With a hefty $4.3 million penalty as HHS' "first shot", Covered Entities will certainly take notice and act to avoid coming under fire themselves.

The Spirit of Holiday Giving, er, Penalties...

The California Department of Public Health (CDPH) will be collecting a whopping $667,000 in administrative fines and penalties from six hospitals charged with privacy violations.  The CDPH imposed penalties ranging from $5,000 to $250,000 on the hospitals under new privacy and confidentiality legislation enacted in 2008 and aimed at cracking down on widespread patient privacy violations.  Under the new legislation, penalties may be assessed of up to $25,000 per patient whose information was accessed, used or disclosed improperly, and up to $17,500 for each subsequent violation. 

By far the most astounding violation was at Kern Medical Center, which was hit with a $250,000 penalty after laboratory reports were stolen from storage lockers used to distribute the reports.  A staff member had been placing daily laboratory reports in storage lockers located outside the hospital premises and accessible to the general public.  He was aware that the locks were not functioning and that the locker door was broken, a condition the lockers had been in for several months.  Although the Privacy Officer stated that keeping the reports in the outside lockers was not a permitted hospital practice, it appeared to have been going on for some time.  Another hospital was assessed a $225,000 penalty for failing to prevent unauthorized access to and use of patient information by an employee who memorized patient details while purging older hospital records and used them to help other individuals open fake Verizon accounts.

The imposition of these fines and penalties should impress on even out-of-state hospitals the importance of securing both paper and electronic health information.  From safeguarding computer printouts such as laboratory reports to preventing unauthorized access to or use of electronic health information, hospitals must be vigilant and proactive in safeguarding patient information.  Not only must hospitals monitor access to and use of patient information, but they must also educate and re-educate staff on confidentiality and security policies, conduct periodic audits and physical security sweeps, and strictly enforce all policies by imposing sanctions where appropriate.

The full CDPH press release may be found at http://www.cdph.ca.gov/Pages/NR10-92.aspx

HHS Thinks Rite Aid Disposal Policies Are "In the Dumps"

Prepared by Krystyna Nowik. 

In a recent settlement agreement, Rite Aid Corporation and its affiliated entities agreed to shell out $1 million to settle potential HIPAA violations. The Office for Civil Rights (OCR) and the Federal Trade Commission (FTC) launched an investigation of Rite Aid and its affiliates after media reports showed Rite Aid pharmacies across the country had disposed of prescriptions and pill bottles containing protected health information (PHI) in publicly accessible dumpsters.  The investigation indicated that the Rite Aid entities failed to implement appropriate policies and procedures to safeguard PHI during disposal.  It also found that they did not provide and document appropriate training for their employees on disposing of PHI.  Finally, the investigation indicated that the Rite Aid entities had not implemented a sanction policy for employees who violated the disposal policies and procedures.   

The Rite Aid Resolution Agreement is an important tool for other covered entities in assessing and developing policies and procedures for disposing of PHI.  Covered entities should ask themselves:

  1. Is there an up-to-date policy for the disposal of PHI? Are employees aware of it?
  2. Are employees properly trained on how to dispose of PHI? How is training documented?
  3. What sanctions are in place? Are employees re-educated, reprimanded or otherwise appropriately sanctioned after a violation?
  4. How is off-site destruction/disposal dealt with? Are business associate contracts HIPAA compliant?
  5. Is there an internal and/or third-party auditing system in place to ensure employees are complying with the disposal and other HIPAA policies?

Read the full Rite Aid Resolution Agreement posted on HHS's website.  For additional guidance and best practices for disposal of PHI, see the helpful joint FAQ posted by HHS and CMS on the topic.  The FAQ also describes how to properly dispose of computers and other electronic media that store electronic PHI, which is of particular relevance for Health Information Exchanges.

Krystyna is a graduate of Seton Hall Law School, with a concentration in Health Law.  She works with Oscislawski LLC on various Health Information Exchange matters and is a guest contributor to Legal HIE. 

Oh where, Oh where has the Security Breach Rule gone?

Today, I was going to draft a follow up article to my previous post to address whether notification was required under the Security Breach Notification Rule. However, when I sat down to begin typing, I discovered that the Breach Rule was gone! Well, maybe not exactly gone, but at least “withdrawn”.

HHS recently posted on its website the following:

At this time, however, HHS is withdrawing the breach notification final rule from OMB review to allow for further consideration, given the Department’s experience to date in administering the regulations. This is a complex issue and the Administration is committed to ensuring that individuals’ health information is secured to the extent possible to avoid unauthorized uses and disclosures, and that individuals are appropriately notified when incidents do occur. We intend to publish a final rule in the Federal Register in the coming months. Until such time as a new final rule is issued, the Interim Final Rule that became effective on September 23, 2009, remains in effect.

So now what?

For starters, HHS made clear in its last statement that the Interim Final Rule that went into effect in September remains in effect. Therefore, whatever “difficulties” HHS/OMB/OCR may be having in administering or enforcing compliance, this does not automatically give covered entities or business associates a “free pass” to skip reporting Breaches – to patients, OCR or otherwise – where an incident warrants notification under the Interim Final Rule. As of today, OCR’s website for receiving breach notifications is still up and running, and covered entities should continue to make any required breach reports through that website. Entities should also be mindful that if their state has enacted a breach notification statute (as many have), that state law must still be complied with. To see if your state has such a law, visit NCSL's website.  

As for what HHS will do to the Breach Rule … it’s not clear. It has been suggested that the withdrawal may have been prompted by certain privacy groups’ concerns regarding the “Harm” threshold. In particular, the Harm threshold has been heavily criticized by some as creating a loophole for Business Associates, who are required ONLY to notify the Covered Entity of a Breach (which then triggers the Covered Entity’s obligation to notify HHS and patients of the Breach caused by the BA). Specifically, as the Breach Rule currently reads, a Business Associate is entitled to perform the same Harm analysis in deciding whether or not to report the Breach to the Covered Entity. Some have compared this to the “fox guarding the chicken coop”. Nevertheless, I don’t believe this warrants complete removal of the Harm balancing from the Breach Rule, and here is why:
