HHS Publishes Ransomware Guidance

HHS has published guidance for hospitals and other covered entities in light of recent prominent ransom attacks on hospital data.  The Q&As address Security Rule safeguards which can prevent ransomware and other malware, and also assist in identifying, investigating, responding to and mitigating ransomware attacks. Specifically, HHS notes that the presence of ransomware or any malware on a covered entity's or its business associate's systems is a "security incident" as defined under HIPAA.  HHS also notes that, although a breach determination is a fact-specific inquiry,

When [ePHI] is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information), and thus is a "disclosure" not permitted under the HIPAA Privacy Rule.

Unless the covered entity or business associate can demonstrate that there is a "...low probability that the PHI has been compromised," based on the factors set forth in the Breach Notification Rule, a breach of PHI is presumed to have occurred.

HHS provides the following examples for consideration as part of the risk assessment which must be conducted to determine whether there is a low probability that the ePHI was compromised:

  • the exact type and variant of malware discovered;
  • algorithmic steps undertaken by the malware;
  • communications, including exfiltration attempts, between the malware and attackers' command and control servers;
  • whether the malware propagated to other systems, potentially affecting additional sources of ePHI.

HHS further states,

Correctly identifying the malware involved can assist an entity to determine what algorithmic steps the malware is programmed to perform.  Understanding what a particular strain of malware is programmed to do can help determine how or if a particular malware variant may laterally propagate throughout an entity's enterprise, what types of data the malware is searching for, whether or not the malware may attempt to exfiltrate data, or whether or not the malware deposits hidden malicious software or exploits vulnerabilities to provide future unauthorized access, among other factors.

The full ransomware guidance can be found here.  

Terms and Conditions May Apply: Consequences of Email-Provider Email Scanning

This guest blog post was written by Van Zimmerman, Esq. Van is currently the Privacy and Security Officer at Jersey Health Connect, a New Jersey health information exchange network. Van has over 18 years' experience in health IT, privacy and security, and compliance.

Yahoo’s recent trip to the courthouse regarding its email content scanning gives us a healthy reminder to think about what we send, how it is used, and how that impacts entities subject to HIPAA and their (or their recipients’) ability to use free hosted email services.  Spoiler - don’t, at least not for any patient-related communication.  Those terms and conditions do matter.

“Yahoo requires its subscribers to consent to the interception, scanning, analysis, and storage of email in exchange for Yahoo Mail Services” and requires users to notify non-Yahoo users with whom they communicate of such “feature”.  In re Yahoo Mail Litig., 2015 U.S. Dist LEXIS 68585 at 9 (N.D. Ca., May 26, 2015).  

Yahoo’s privacy policy states:

“Yahoo! provides personally relevant product features, content, and advertising, and spam and malware detection by scanning and analyzing Mail, Messenger, and other communications content. Some of these features and advertising will be based on our understanding of the content and meaning of your communications.”  In re Yahoo Mail Litig., at 11.

While it is unclear if this sentence was removed in the court’s opinion or wasn’t present in Yahoo’s policy at the time, the current policy continues, “For instance, we scan and analyze email messages to identify key elements of meaning and then categorize this information for immediate and future use.” 

Other major email providers have “privacy” policies which permit substantial use of the contents of email sent through their systems.  For example, Google provides as of December 19, 2014:

“Our automated systems analyze your content (including emails) to provide you personally relevant product features, such as customized search results, tailored advertising, and spam and malware detection.”  

Google made that addition in their December 19, 2014 revisions to their Privacy Policy, although such practices appear to have gone back in time much farther.  See In re Google Inc. Gmail Litig., 2014 U.S. Dist LEXIS 36957 (N.D. Ca., March 18, 2014).  Compare those statements to the privacy policy of a paid-only service which provides a much more privacy-friendly policy.  Even Google makes an explicit distinction between free and paid email services:

“What kind of data scanning or indexing of end-user data is done?

Google for Work does not scan your data or email in Google Apps Services for advertising purposes. Our automated systems scan and index your data to provide you with your services and to protect your data, such as to perform spam and malware detection, to sort email for features like Priority Inbox and to return fast, powerful search results when users search for information in their accounts. The situation is different for our free offerings and the consumer space. For information on our free consumer products, be sure to check Google's Privacy and Terms page for more consumer tools and information relating to consumer privacy.”

In practice, this seems to go beyond merely displaying advertisements; it goes farther than some would consider acceptable (see Google Tracks Hotel Reservations).

So why does this matter?  Putting aside the consequences of breaches an email provider may suffer (e.g. Midwest Orthopaedics), the email provider is receiving, maintaining, and possibly transmitting on behalf of the sender. If that sender is a covered entity or business associate, and the email contains PHI, the sender and the provider would need to have a business associate agreement in place.  45 C.F.R. §§ 164.308(b), 164.314, and 164.504(e). 

Even if there were a BAA in place (good luck getting one for free services; Yahoo appears not to sign one under any circumstances, although Google will for paid services), knowing that the email provider is going to use the contents of messages for marketing purposes, possibly in violation of HIPAA at 45 C.F.R. 164.508(a)(3) (remuneration for marketing) or § 164.504(e)(2)(i) (BAA can’t permit BA to use PHI to violate Privacy Rule), may be problematic in light of the termination language in § 164.504(e)(1)(ii) or (iii).  That is, if a pattern or practice is known in advance, it is probably not reasonable to enter into such an arrangement in the first place, and in any event, continued use of such a service would be problematic.

A more interesting question arises when the sender maintains their own email system, but may from time to time send email to external addresses hosted by a provider which performs content analysis of emails for advertising.  Assuming some of those emails will have PHI, is it acceptable to send to those addresses?  An address might belong to another health care provider, or perhaps a patient. 

This is problematic for so many reasons. 

  • Is the destination email provider a BA of the sender, as it is receiving, maintaining, and transmitting PHI on the sender’s behalf?
  • If the recipient is another BA or covered entity, is the destination email provider a BA of the intended recipient, since it is doing the same for them?
  • Are all the necessary BAAs in place?
  • Even if emailing a patient, are you disclosing PHI to them, or are you disclosing it to a third party for subsequent transmission to the patient?

In any event, an email provider scanning email for advertising (or other) purposes isn’t treatment, payment, or operations, and isn’t otherwise listed as a HIPAA permitted use or disclosure. 45 CFR 164.512 (authorization or opportunity to agree or object not required).  Does an authorization (and NPP) cover such use?  Even if it did, is an email provider going to honor revocation of that authorization?

Is the data encrypted and hashed on the way to the destination email server (possibly, but not necessarily guaranteed)?  Is the data encrypted and hashed in storage once it gets there?  It almost certainly isn’t encrypted such that the email provider can’t scan it.

Does the email provider’s scanning of that email constitute a Breach?  What about email provider’s use of that information for subsequent aggregation and identity tracking or otherwise sharing with a third party? 

What about the Security Rule’s general requirement to “[p]rotect against any reasonably anticipated uses or disclosures…that are not permitted or required under [the Privacy Rule]”?

This isn’t just a healthcare issue.  What are the consequences for privilege, whether attorney-client, doctor-patient, etc., when those communications have no reasonable expectation of privacy?  Does the analysis in Stengart v. Loving Care Agency, Inc., 201 NJ 300 (2010) change if there is no reasonable expectation of privacy?  A number of email providers have adopted language similar to that suggested in United States v. Warshak, 631 F.3d 266, at 287 (6th Cir., 2010) [note-an interesting read for a discussion of the Stored Communication Act, marginalization of the 4th Amendment, and what actually happened to all those Enzyte commercials].  Does it change if those email providers actively engage in activities beyond using email content for directed advertising, such as actively parsing email for illegal content?  Would the privilege consequences be different in civil vs. criminal proceedings?

Perhaps we would be best served to heed Eliot Spitzer’s advice, "Never write when you can talk. Never talk when you can nod. And never put anything in an e-mail." At least not where free services are involved.

Doctor Sued for Posting Pictures of Drunk Model on Facebook

A Chicago physician is being sued by former Northwestern University student and freelance model Elena Chernyakova after the physician allegedly posted pictures of her drunk on Instagram and Facebook. Ms. Chernyakova has filed suit for invasion of privacy and infliction of emotional distress, seeking compensation over $1.5 million, and claims her career has been damaged.

The physician, Dr. Vinaya Puppala, allegedly knew Ms. Chernyakova through a mutual friend and took pictures of her "while she was on the hospital bed, crying and attached to an IV" in the emergency department at Northwestern Memorial Hospital, according to the complaint as reported by ABC News. He reportedly refused to take the pictures down when requested to by hospital security. 

Despite HIPAA having been in effect for over a decade, it is amazing how many health care professionals still seem not to "get" HIPAA and patient privacy, or how many do, and just don't care. Hospitals are increasingly implementing zero tolerance policies for nurses, physicians, students and employees who fail to follow hospital policy and act in utter disregard for patient privacy.  Many have strict policies in place governing use of social media while on the hospital premises and explicitly prohibit the posting of any patient information, even descriptions of patient encounters which would seem to be de-identified, on Facebook, Twitter and other social media platforms.

Does your organization have social media policies in place? Do your employees and other health care professionals understand the problems social media creates for patient privacy?  Is it clearly communicated that posting impermissible pictures or information about patients on social media will result in disciplinary action? And finally, is your organization consistent in enforcing its social media policies?

Lessons from the Idaho State University CAP

Back in 2011, Idaho State University (Idaho State) experienced a breach of PHI affecting approximately 17,500 individuals after firewalls on its servers were disabled at one of its outpatient clinics. It appropriately notified HHS in August of that year whereafter (surprise, surprise) HHS informed Idaho State that it would be investigating Idaho State's compliance with HIPAA.

HHS released news of its settlement with Idaho State on May 21, 2013, with Idaho State agreeing to pay $400,000 as part of the Corrective Action Plan (CAP) to resolve allegations that:

  • It did not conduct a risk analysis for over 5 (five) years;
  • It did not implement security measures sufficient to reduce risks and vulnerabilities to ePHI for that same period;
  • It did not implement procedures to regularly review information systems activity for that same period.

As part of the CAP, Idaho State, which operates as a hybrid entity with several covered entity components, must beef up its documentation and specifically designate its covered entity components (i.e., its outpatient clinics). Unsurprisingly, Idaho State is also required to provide HHS with its most recent risk management plan and information systems activity policies for "review and approval" by HHS.  Idaho State must also complete and submit a compliance gap analysis indicating all changes to compliance status with the required provisions of the Security Rule. 

Although Idaho State experienced a breach of PHI AND was informed in November of 2011 that HHS was investigating its compliance with HIPAA, according to HHS, Idaho State did not get around to performing a risk assessment, reviewing information systems activity or identifying gaps in security measures until the summer of 2012 and post-Thanksgiving, November 26, 2012. It is baffling that, after experiencing a breach which was caused by firewall protections being physically disabled for over 10 months, Idaho State appears to have not done much to assess and safeguard against future problems. 

Or did it? Maybe it was just too little, too late. But part of Idaho State's problem could simply have been that it couldn't prove what steps it had taken towards HIPAA security compliance.  Although Idaho State clearly dropped the ball in failing to realize firewall protections were disabled for almost a year at its Pocatello Family Medicine Clinic, it may have been more compliant than the CAP suggests and simply had nothing to show.

Increasingly, covered entities are realizing that saying and believing they are HIPAA compliant is about as effective with OCR as your teenager telling you he cleaned his room as he runs out the door to the movies.  It's like high school all over again - if you can't "show your work" and prove your HIPAA compliance through documentation, regular reports and reviews, and clearly defined privacy and security policies and procedures, OCR simply isn't going to buy it when they show up at your door.

To be sure, many covered entities have been completely lax about security until now.  Conducting a comprehensive risk assessment (documenting that it was done and periodically reviewed) and having processes in place for ongoing risk management are some of the biggest things OCR has repeatedly been driving home.  Too often, as Idaho State's CAP illustrates, security risk assessments are inadequate and fail to properly identify security risks and vulnerabilities to ePHI. 

On the other hand, many covered entities think that they are compliant with the Security Rule, but really aren't.  A covered entity may conduct a risk assessment of its EHR or EMR, for example, but fail to assess the security risks and vulnerabilities associated with other systems that feed into it or maintain PHI, or with workflow processes, resulting in PHI accidentally being made available online (think Phoenix Cardiac Surgery or Stanford Hospital). Furthermore, where risks and vulnerabilities are identified, appropriate security measures are not always evaluated and action taken as needed to correct them.

As we can see from Idaho State, performing a comprehensive risk assessment now isn't necessarily going to cure your failure to do so before, and an overwhelming number of covered entities could still be in the hotseat even if they are actively beefing up their HIPAA privacy and security. And there's still the risk that what has been and is being done is simply too little to satisfy OCR.

However, good faith efforts and diligence to bring your organization into compliance with the Security Rule implementation standards and specifications will go a long way toward lessening the likelihood and impact of an unwanted OCR investigation, not to mention minimizing the risk of breach and harm to your patients and organization.  It is far easier to seek forgiveness for past transgressions from OCR with a robust updated HIPAA security management program in hand. 

Kaiser Permanente Faces Investigation Over Inappropriate Storage of Patient Records by Contractor

Kaiser Permanente is facing investigation over the handling of approximately 300,000 patient records by a contract storage firm.  According to an article in the LA Times, Kaiser contracted with small business Sure File Filing System ("Sure File") to organize and clear out older patient records on its behalf.  As it turns out, the storage firm kept those patient records in a warehouse shared with an individual's party rental business and Ford Mustang, then in the storage firm's owner's personal garage and home.

Although Kaiser retrieved the paper records Sure File possessed upon termination of the contract in 2010, Kaiser recently filed suit, alleging that not all of the patient records had been returned or destroyed when its contract with Sure File was terminated. Patient records, according to Kaiser, were still maintained on hard drives that Stephan and Liza Dean, the couple who own and run Sure File, allegedly kept in their garage with the door open. When Kaiser sued for breach of contract and to recover the files, the hard drives were apparently relocated from the garage to the couple's home, and the patient records were only deleted as of this past New Year's Eve.

The LA Times article states that HHS officials were notified last year when the Deans filed a complaint.  You read that right. The individuals responsible for storing the data in an unsecured warehouse, their garage and their house apparently were the ones who filed the complaint that patient records had not been handled appropriately by Kaiser. 

In addition, Stephan Dean reportedly threatened to contact patients directly to inform them of how Kaiser had mishandled their health information.  According to the article, Dean claims Kaiser employees repeatedly failed to maintain the privacy of patient information, citing multiple emails sent by hospital employees to him requesting and including patient-specific information such as social security numbers in an insecure manner.

Kaiser was confident that patient information was not disclosed or accessed inappropriately, although employees were disciplined for failing to follow policies.  Kaiser spokesman John Nelson stated,

 "Kaiser Permanente is committed to protecting the medical and personal privacy of its patients. In retrospect, we certainly wish we'd never done business with Mr. Dean."

It is not likely that Kaiser is squeaky clean in this mess, given it appears Kaiser failed at a minimum to have a proper HIPAA business associate agreement (HIPAA BAA) in place prior to releasing patient records to the contractor.  However, a bigger question is, if OCR is indeed investigating the mishandling of Kaiser's patient records, what liability may exist for the contractor?

Business associates are independently liable as a result of the HITECH Act for certain of the HIPAA Security Rule requirements, in particular, administrative, physical and technical safeguards for electronic PHI.  However, given the uncertainty surrounding business associate liability in the absence of a HITECH final rule, and because the majority of the activities associated with the contract took place prior to 2010, the contractor might only be on the hook contractually for failing to safeguard, return and/or destroy the patient records. Although enacted in 2009, many provisions of HITECH did not take effect until February of 2010.

Assuming Kaiser had obtained an appropriate HIPAA BAA from Sure File, at a minimum, the contractor would have agreed to implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of electronic protected health information and/or appropriate safeguards to prevent use or disclosure of PHI other than as provided for by its contract. I think we would all agree that storing hard drives with hundreds of thousands of patient records in your garage or home, or records in an unsecured shared warehouse space, is a far cry from implementing reasonable and appropriate safeguards, however recklessly the other party may also have acted with regard to the information.

HHS Rings in 2013 with News of Settlement for Small Breach

We hope all of our readers had a happy and relaxing holiday season, and we wish you all the best for this New Year!

It seems fitting for the first post of the year to revolve around HHS's announcement of its first breach settlement of 2013.  In what may quickly become a "trend" for HHS and OCR, the $50,000 settlement with the Hospice of North Idaho (HONI) is the first of its kind.  Coming after OCR investigated a reported breach involving 441 patients and theft of an unencrypted laptop in the summer of 2010, it is a far cry from the breach tallies we have seen in the past numbering in the hundreds of thousands of affected individuals and over a million dollars in fines.

Yet again OCR has called out a covered entity for failing to conduct a risk analysis as required by the HIPAA Security Rule and cracked down on yet another breach involving an unencrypted device (see, for example, the Alaska DHHS Resolution Agreement which resulted from theft of a flashdrive containing PHI).  Not only did OCR state that HONI had failed to implement policies and procedures to address mobile device security despite regular and routine use of laptops in the field, but that HONI also failed to conduct a risk analysis to safeguard electronic PHI, stating,

HONI did not conduct an accurate and thorough analysis of the risk to the confidentiality of ePHI on an on-going basis...from the compliance date of the Security Rule to January 17, 2012.  In particular, HONI did not evaluate the likelihood and impact of potential risks to the confidentiality of electronic PHI maintained in and transmitted using portable devices, implement appropriate security measures to address such potential risks, document the chosen security measures and the rationale for adopting those measures, and maintain on an on-going basis reasonable and appropriate security measures. (emphasis added)

The risk analysis is too often abandoned to the wind by many covered entities, despite being a "Required" implementation specification for the security management process needed to prevent, detect, contain, and correct security violations.

Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.  

This breach settlement, combined with the fact that the risk analysis is also an independent core measure required for Meaningful Use participants in the Medicare and Medicaid EHR Incentive Programs, suggests all covered entities, whether big or small, should make it their New Year's Resolution to be more proactive about their risk analyses and throw out bad portable device habits. If your organization doesn't have policies and procedures regarding use of laptops, flashdrives, and other devices which can store or access ePHI, and a good reason for not encrypting them where their use is necessary, it may be in for a rude awakening in the event of loss, theft, or OCR or CMS knocking at the door to conduct an audit. Remember, even though not required per se by the HIPAA Security Rule, encryption of data at rest and in transmission is an implementation specification that must be addressed by all covered entities.

OCR and ONC have made available several resources and tools to help covered entities of all sizes in conducting and reviewing a risk analysis.  The majority of these are now readily available in one location on the Health IT website under the National Learning Consortium Resources section. The NIST 800-30 Special Publication has also consistently been referred to by OCR as a resource to use in preparing for and conducting risk analyses. In addition, ONC recently released a new initiative aimed at increasing the security of mobile devices, Mobile Devices: Know the RISKS. Take the STEPS. PROTECT and SECURE Health Information.

Whatever the reasons or excuses in the past, make 2013 the year your organization resolves to be more proactive about its risk analysis and security management processes, managing mobile devices and the overall security of ePHI. 

OCR Releases HIPAA Audit Protocol as Audits Continue

Without pomp and circumstance, OCR made available its protocol for the HIPAA performance audits conducted pursuant to the HITECH audit requirement.  The Audit Protocol covers the Privacy, Security and Breach Notification Rules, delineating over 150 areas of performance evaluation.  OCR has completed the first set of 20 audits as of March 2012, with the next set of organizations being notified and audited on a rolling basis. 

With clear-cut references to each applicable standard and implementation specification, and the key performance criteria, activities and procedures for each, the Audit Protocol revolves largely around whether policies and procedures are in place to address each standard/implementation specification and the extent to which processes within the covered entity actually conform to these policies and procedures.  For example, one area of performance evaluation for assessing compliance with the Privacy Rule covers uses and disclosures for treatment, payment and health care operations, requiring the auditor to:

Inquire of management as to whether a process exists for the use or disclosure of PHI for treatment, payment or health care operations provided and whether such use or disclosure is consistent with other applicable requirements.  Obtain and review the process and evaluate the content relative to the specified criteria used for use or disclosure of PHI for treatment, payment, or health care operations provided to determine whether such use or disclosure is consistent with other applicable requirements.  Obtain and review a sample of training programs and evaluate the content relative to the specified criteria to determine the use or disclosure of PHI for treatment, payment, or health care operations provided is consistent with other applicable requirements.

Another critical set of audit procedures inquires about the policies and practices for accurate assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI, stating

Obtain and review relevant documentation and evaluate the content relative to the specified criteria for an assessment of potential risks and vulnerabilities of ePHI.  Evidence of covered entity risk assessment process or methodology considers the elements in the criteria and has been updated or maintained to reflect changes in the covered entity's environment.  Determine if the covered entity risk assessment has been conducted on a periodic basis.  Determine if the covered entity has identified all systems that contain, process or transmit ePHI. (emphasis added)

The Audit Protocol can easily be used by covered entities to self-assess their levels of compliance with all aspects of HIPAA and should be a light in the darkness for many organizations.  Although the Audit Protocol does NOT tell covered entities exactly how often they need to be conducting a risk assessment, conducting internal audits or reviewing their policies and procedures, how many patient records they should be self-auditing, and other "guarantees" for complying with HIPAA, it still provides a basic roadmap for covered entities to understand what they will be called upon to provide.  The Audit Protocol can and should be used to identify what policies, procedures and practices will be carefully scrutinized by OCR and whether the organization's existing policies and procedures would reasonably pass muster in the event of an audit.  It should also be used to assess the level of compliance by the organization's workforce with such policies and procedures, and the training materials used to educate new-hires and current employees. 

Some key areas that OCR has highlighted as problematic include HIPAA risk assessments and user activity monitoring (e.g., audit logs, access reports and security incident reports).  OCR has previously provided guidance on conducting risk assessments (see HIPAA Security Standards: Guidance on Risk Analysis); however, as we continually see and as the audits have underscored, this remains a source of confusion and an area in which covered entities are frequently deficient. With Meaningful Use also requiring completion of a HIPAA risk assessment for each applicable reporting period, it is even more critical for providers and hospitals to ensure that they are periodically conducting comprehensive risk assessments. It remains to be seen whether CMS and State Medicaid EHR Incentive Program audits will result in recoupment of payments to eligible professionals and hospitals based on a failure to properly perform these risk assessments.

For more information on the OCR Audit Program, visit OCR's Audit page.  HHS and OCR have also made available substantial resources for compliance with the Privacy Rule, as well as the Security Rule that includes the Security Rule Educational Paper Series and links to various NIST Special Publications, all which can be used to assess compliance with HIPAA. You can also check out live and video training workshops and other options on our Workshops page for workforce compliance, as well as our November "Health Law Diagnosis," which contains additional tips for preparing for an audit.    

Mass. AG Levies 750k Judgment on Hospital for Data Breach

Massachusetts Attorney General Martha Coakley announced on May 24, 2012 having reached a settlement agreement with South Shore Hospital for failure to protect personal and confidential health information of over 800,000 patients. 

“Hospitals and other entities that handle personal and protected health information have an obligation to properly protect this sensitive data, whether it is in paper or electronic form,” AG Coakley said. “It is their responsibility to understand and comply with the laws of our Commonwealth and to take the necessary actions to ensure that all affected consumers are aware of a data breach.”

The consent judgment requires South Shore Hospital to pay a total of $750,000, including $250,000 in civil penalties and $220,000 towards an education fund for protection of PHI and personal information.  However, South Shore Hospital did receive a "credit" for security measures it implemented after the breach occurred of $275,000, leaving only $475,000 payable. 

The consent judgment also requires South Shore Hospital to undergo audit and report results of certain security measures, as well as take steps to ensure compliance with HIPAA business associate provisions and other federal and state security requirements.  In addition to failure to comply with HIPAA business associate obligations, South Shore Hospital also failed to comply with HIPAA and state obligations to implement appropriate safeguards, policies, and procedures to protect patient information, and appropriately train its workforce in safeguarding the privacy of PHI. It also neglected to ensure that the contractor itself had procedures in place to protect such PHI, according to the AG. 

Three boxes of unencrypted computer backup tapes had been sent in 2010 to a subcontractor of Archive Data Solutions to be erased and resold; however, the subcontractor received only one of the boxes, and the remaining two were never recovered.  According to the AG's office, South Shore Hospital did not have a business associate agreement in place with the contractor, nor had it informed Archive Data that the backup tapes contained PHI.

The backup tapes contained Social Security Numbers, names, financial account numbers, and medical diagnoses.  As reported by HealthDataManagement, South Shore Hospital had determined in July 2010 that the missing backup tapes were not a breach requiring individual notice to affected and potentially affected individuals.  Rather, it posted a prominent notice on its website, citing state law provisions that permit alternative notification where the cost of notice would exceed $250,000 or where over 500,000 residents are affected.

It is unclear whether this breach was reportable, and therefore actually reported, to the Department of Health and Human Services (HHS) under the HITECH Breach Notification Rule.  Although the PHI here was unencrypted and therefore "unsecured" within the meaning of that rule, covered entities are also required to assess whether an incident poses a "significant risk of harm" to the individual(s) before it rises to a reportable breach.  Most importantly, a breach in and of itself does not automatically mean a HIPAA violation has occurred.

If a covered entity determines that there was a breach, all affected individuals and individuals reasonably believed to be affected must receive written notice of the breach, as must HHS where 500 or more individuals have been affected.  HITECH also permits alternative notification, but only where the contact information for an individual is incomplete or where written notice has been returned as undeliverable to the covered entity attempting to notify that individual of a reportable breach.

Aside from South Shore Hospital's obvious failure to obtain a business associate agreement, and apparently even to inform Archive Data that it was a business associate subject to certain HIPAA provisions, it is unclear what else South Shore Hospital did or failed to do that contributed to the 750k settlement agreement and the other alleged HIPAA and state law violations.  The AG's office noted that multiple shipping companies had handled the backup tapes, but did not otherwise indicate whether it was the lack of policies and procedures for safeguarding PHI, and of workforce training in those safeguards, that resulted in the missing backup tapes (again, a breach itself does not automatically mean a HIPAA violation has occurred), or whether the focus was on the hospital's overall HIPAA and state law compliance program.

What is even more noteworthy is that the AG stated that South Shore Hospital failed to determine whether Archive Data had sufficient safeguards in place to protect the PHI it would receive on the backup tapes prior to destruction.  This clearly places an obligation on covered entities to go beyond ensuring that the business associate agreement itself complies with HIPAA: they must also require the business associate to implement reasonable safeguards to protect PHI.

While covered entities have always been, and should be, responsible for appropriate oversight and monitoring of their business associates, just how far must a covered entity go?  Does a hospital need to request copies of the business associate's policies and procedures for safeguarding PHI? Its policies and procedures for data destruction or erasure? Information on how its staff is trained on the business associate's obligations under HIPAA and the business associate agreement?

And if a hospital is not satisfied with a business associate's policies and procedures, can it require that additional safeguards and processes be implemented? Should a hospital also require a business associate to notify it of potential breaches and security incidents, to guard against bad calls? With business associates frequently resisting the inclusion of any provisions in a business associate agreement beyond the bare minimum HIPAA requires, covered entities may find it increasingly difficult to provide the required levels of oversight, safeguards and assigned responsibility.

With over 22% of reported breaches since 2009 involving business associates, as reported by HealthcareInfoSecurity, and with only one case so far (see the Minnesota AG's case against Accretive Health) targeting a business associate directly for HIPAA violations, covered entities remain liable for the actions of their business associates, even though business associates are now directly subject to certain HIPAA provisions. Covered entities also bear the brunt of a breach, as it is their patients who may be seriously harmed.  As the allocation of liability for breaches and other security incidents between a covered entity and the business associate involved remains quite uncertain for now, the business associate regulations (expected "soon" ever since last year) will be a welcome ray of clarity for covered entities and business associates alike.

Cardiac Surgery MD Group Agrees to Pay $100,000 Settlement to HHS for Lack of HIPAA safeguards

And the HIPAA money keeps rolling in to the feds. The latest settlement (announced today) is with a cardiac surgery physician group in Phoenix, Arizona, which has agreed to pay a hefty sum.  Someone reported to HHS that the MD group was potentially compromising patients' PHI by posting appointments on an Internet-based calendar; that report prompted OCR to investigate, and it found the physicians to be out of compliance with HIPAA's safeguards.

The following April 17, 2012 Press Release is HOT off the presses on HHS' News Release website:

Phoenix Cardiac Surgery, P.C., of Phoenix and Prescott, Arizona, has agreed to pay the U.S. Department of Health and Human Services (HHS) a $100,000 settlement and take corrective action to implement policies and procedures to safeguard the protected health information of its patients. 

The settlement with the physician practice follows an extensive investigation by the HHS Office for Civil Rights (OCR) for potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules.

The incident giving rise to OCR’s investigation was a report that the physician practice was posting clinical and surgical appointments for its patients on an Internet-based calendar that was publicly accessible. On further investigation, OCR found that Phoenix Cardiac Surgery had implemented few policies and procedures to comply with the HIPAA Privacy and Security Rules, and had limited safeguards in place to protect patients’ electronic protected health information (ePHI).

“This case is significant because it highlights a multi-year, continuing failure on the part of this provider to comply with the requirements of the Privacy and Security Rules,” said Leon Rodriguez, director of OCR. “We hope that health care providers pay careful attention to this resolution agreement and understand that the HIPAA Privacy and Security Rules have been in place for many years, and OCR expects full compliance no matter the size of a covered entity.”

The HHS Resolution Agreement can be found on HHS' website here.  OCR’s investigation revealed the following specific issues with this group's HIPAA program:

  • Phoenix Cardiac Surgery failed to implement adequate policies and procedures to appropriately safeguard patient information;
  • Phoenix Cardiac Surgery failed to document that it trained any employees on its policies and procedures on the Privacy and Security Rules;
  • Phoenix Cardiac Surgery failed to identify a security official and conduct a risk analysis; and
  • Phoenix Cardiac Surgery failed to obtain business associate agreements with Internet-based email and calendar services where the provision of the service included storage of and access to its ePHI.  This last finding is a significant one, and underscores that HIPAA BA Agreements MUST be entered into with vendors who have access to ePHI in order to provide a service to covered entities!

With the HITECH Rules at OMB and due out by mid-June (unless OMB seeks an extension), it will be particularly interesting to see whether the Final Rules address the HITECH Act's requirement that a percentage of penalties be paid out to individuals "damaged" by breaches of their information. The HITECH Act required rules on that topic to be out by this summer. Since an individual's report to HHS triggered this particular investigation and subsequent settlement, some are suggesting that such percentage payouts to individuals for HIPAA violations could in effect become something like a whistle-blower provision and incentivize patients and others to submit reports to HHS for potential investigation.  I think that might be the point.

But for now, this case just underscores once again that the best way for physician practices (and other covered entities) to protect themselves is to have a fully robust HIPAA compliance program developed and implemented (see, for example, our comprehensive HIPAA-HITECH Helpbook on www.ohcsolutions.com).  Don't forget to also conduct a Security Gap Audit (see www.myhic.net, a leading company that specializes in Security Audits for Physician Practices and has thousands of hours of experience completing them, or contact them here). Finally, don't forget to provide regular training to your employees. For live training sessions and video training options, visit our Workshops page.

Feb 29th is Last Day to Report Breaches of <500 to HHS!

For those who have been logging their "small" breaches (i.e., fewer than 500 individuals affected) and waiting to report them to HHS at the end of the year, next Wednesday, February 29th, is the LAST day to get your information entered on HHS' breach reporting website.  While covered entities may opt to report each small breach to HHS throughout the year (i.e., including the onesies and twosies), the other option is to log each small breach during the calendar year and report all such small breaches to HHS within 60 days of the end of that calendar year.

A couple of important points to note about reporting small breaches to HHS:  

First, the HHS-reporting "buck" stops with the covered entity, not the business associate. Even if a breach was caused by a business associate (BA), under the current HITECH Breach Rule the BA's only reporting obligation is to the covered entity; the covered entity is solely responsible for reporting all reportable breaches to HHS.

Second, follow a 'GOLDILOCKS rule' of 'not too much, not too little -- just right'. Covered entities must report all relevant information requested on HHS' online reporting form. However, several fields ask for a typed response.  For example, HHS asks for a "brief description of the breach," including how it happened, any additional information about the breach, and the type of media and PHI involved. HHS similarly asks the covered entity to describe "other actions taken" in response to the breach. But while a covered entity must report what it is required by law to report, offering too much information (including impermissibly disclosing patients' PHI, among other things) could land the covered entity in hot water.

Finally, you had better have remembered to collect ALL the required information on your breach log!  A covered entity that plans to report small breaches at the end of the calendar year must plan ahead and know what information to collect and document, and hint: it's a lot of information that you might not be able to recall at the end of the year unless you documented it as you went along.  The information that covered entities should be collecting about each "small" breach includes:

  • Date of the Breach? 
  • Date the Breach was Discovered?
  • Approximate number of individuals affected?
  • What "type" of breach was it? (select: theft, loss, improper disposal, unauthorized access, hacking/IT incident, other, or unknown)
  • Location of the Breach? (select: laptop, desktop computer, network server, e-mail, portable electronic devices, electronic medical record, paper, other)
  • What type of information was involved? (select : demographic info, financial info, clinical info, other) 
  • What safeguards were in place prior to the Breach? (select: firewalls, packet filtering, secure browser sessions, strong authentication, encrypted wireless, physical security, logical access control, antivirus software, intrusion detection, biometrics) 
  • Date individuals were notified? (note: this date should never be more than 60 days after the Date of Discovery entered, and in any case any "unreasonable delay" in notifying individuals (even if less than 60 days) could trigger a closer look by HHS).
  • Actions taken in response (select : privacy & security safeguards, mitigation, sanctions, policies and procedures, or other) 
Even though HHS withdrew the final Breach Notification Rule it had submitted for review during the summer of 2010 (and even though we continue to wait for a final revised version of that rule to be published), covered entities are still required to report all breaches (where there is a positive "harm" determination) to HHS. HHS specifically points out on its website that "[u]ntil such time as a new final rule is issued, the Interim Final Rule that became effective on September 23, 2009, remains in effect."
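A breach-log record that captures the fields listed above and applies the two 60-day windows the post describes (individual notice within 60 days of discovery, and the year-end log due 60 days after the calendar year closes), as an added example that is not part of the original post. The field choices are copied from the list above; the class and function names, the constants, and the three sample incidents in SAMPLE_LOG are constructed for illustration and do not describe real breaches.

```python
# Added example (not from the original post): a breach-log record with the
# fields HHS's small-breach form asks for, plus the two 60-day checks the
# post describes. Field choices are copied from the post; the sample entries
# are constructed data, not real incidents.
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Set

# Choice lists as the post gives them for the HHS online reporting form.
BREACH_TYPES = {"theft", "loss", "improper disposal", "unauthorized access",
                "hacking/IT incident", "other", "unknown"}
LOCATIONS = {"laptop", "desktop computer", "network server", "e-mail",
             "portable electronic devices", "electronic medical record",
             "paper", "other"}
INFO_TYPES = {"demographic info", "financial info", "clinical info", "other"}
SAFEGUARDS = {"firewalls", "packet filtering", "secure browser sessions",
              "strong authentication", "encrypted wireless",
              "physical security", "logical access control",
              "antivirus software", "intrusion detection", "biometrics"}
ACTIONS = {"privacy & security safeguards", "mitigation", "sanctions",
           "policies and procedures", "other"}

NOTICE_WINDOW_DAYS = 60   # individual notice: no later than 60 days after discovery
ANNUAL_WINDOW_DAYS = 60   # year-end log: due 60 days after the calendar year ends
SMALL_BREACH_LIMIT = 500  # fewer than 500 affected counts as "small"


@dataclass
class BreachLogEntry:
    """One row of the breach log, mirroring the fields the post lists."""
    breach_date: date
    discovery_date: date
    individuals_affected: int
    breach_type: str
    location: str
    info_types: Set[str]
    safeguards: Set[str]              # safeguards in place before the breach
    notified_date: Optional[date] = None
    actions: Set[str] = field(default_factory=set)


def annual_report_deadline(year: int) -> date:
    """Last day to enter that year's small breaches on the HHS site."""
    return date(year, 12, 31) + timedelta(days=ANNUAL_WINDOW_DAYS)


def validate_entry(e: BreachLogEntry) -> List[str]:
    """Return the problems with one entry; an empty list means it is complete and in-window."""
    problems = []
    if e.discovery_date < e.breach_date:
        problems.append("discovery date precedes breach date")
    if e.individuals_affected >= SMALL_BREACH_LIMIT:
        problems.append("500 or more individuals: report to HHS now, not on the year-end log")
    # Single-choice fields must be one of the form's options.
    for label, value, allowed in (("breach type", e.breach_type, BREACH_TYPES),
                                  ("location", e.location, LOCATIONS)):
        if value not in allowed:
            problems.append(f"{label} {value!r} is not a form choice")
    # Multi-choice fields: every selected value must be an option.
    for label, values, allowed in (("information type", e.info_types, INFO_TYPES),
                                   ("safeguard", e.safeguards, SAFEGUARDS),
                                   ("action taken", e.actions, ACTIONS)):
        for bad in sorted(values - allowed):
            problems.append(f"{label} {bad!r} is not a form choice")
    if not e.info_types:
        problems.append("type of information involved not recorded")
    if e.notified_date is None:
        problems.append("individuals not yet notified")
    else:
        delay = (e.notified_date - e.discovery_date).days
        if delay > NOTICE_WINDOW_DAYS:
            problems.append(f"individual notice sent {delay} days after discovery (limit {NOTICE_WINDOW_DAYS})")
    return problems


def review_log(entries: List[BreachLogEntry]) -> List[List[str]]:
    """Validate every entry; the i-th result is the problem list for entries[i]."""
    return [validate_entry(e) for e in entries]


# Constructed sample log (hypothetical incidents, not taken from the post).
SAMPLE_LOG = [
    BreachLogEntry(date(2011, 3, 2), date(2011, 3, 4), 12, "loss", "laptop",
                   {"demographic info", "clinical info"}, {"physical security"},
                   notified_date=date(2011, 4, 1), actions={"mitigation"}),
    BreachLogEntry(date(2011, 9, 10), date(2011, 9, 12), 40, "theft",
                   "portable electronic devices", {"financial info"}, set(),
                   notified_date=date(2011, 11, 30), actions={"sanctions"}),
    BreachLogEntry(date(2011, 12, 1), date(2011, 12, 1), 650, "hacking/IT incident",
                   "network server", {"clinical info"}, {"firewalls", "antivirus software"}),
]

if __name__ == "__main__":
    print("year-end deadline for the 2011 log:", annual_report_deadline(2011))
    for entry, problems in zip(SAMPLE_LOG, review_log(SAMPLE_LOG)):
        print(entry.discovery_date, problems or "ok")
```

Run as a script, the block prints the deadline for a 2011 log (February 29, 2012, as the post says) and flags the second sample entry, whose individual notice went out 79 days after discovery, and the third, which affected 650 individuals and so belongs in an immediate report rather than on the year-end log.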

For Breach Notification training & education, click our Workshops button.

State AG Brings First HIPAA Lawsuit Against Business Associate

Last month, I posted about how the treatment of business associates during HIPAA investigations remains unclear, as does the assignment of liability for breaches of PHI.  A final "omnibus rule" is expected to clarify the HITECH business associate (and other) provisions this year, but in the meantime, much confusion remains.

Despite the lack of final business associate rules, and confusion or not, Minnesota has dived head first into action against a business associate for HIPAA violations.  In the first HIPAA enforcement action brought directly against a business associate, Minnesota Attorney General Lori Swanson has sued Accretive Health, Inc., pursuant to her authority under HITECH.  The complaint also alleges multiple violations of Minnesota law, including the Minnesota Health Records Act, debt collection statutes, and consumer protection laws.

Accretive functions in multiple capacities for covered entities in Minnesota, including as treatment coordinator, debt collector, and quality, cost control and management partner.  A breach last summer of data compiled by Accretive, resulting from an unencrypted laptop stolen from a rental car in which an employee had left it, affected at least 23,531 patients.  The laptop held personal identifying information (name, address, phone number, Social Security Number), "medical scores" predicting a patient's frailty, complexity and likelihood of being admitted to the hospital, dollar amounts allocated to the patient's health care provider, and whether patients had certain conditions such as bipolar disorder, depression, high blood pressure, asthma and back pain.

The alleged HIPAA violations are quite extensive, with the complaint alleging:

  • failure to implement policies and procedures to prevent, detect, contain and correct security violations;
  • failure to implement policies and procedures to ensure appropriate access to electronic PHI by members of its workforce and to prevent those without authorized access from accessing such PHI in violation of HIPAA;
  • failure to effectively train all members of its workforce, agents and independent contractors on the policies and procedures regarding PHI, as necessary and appropriate for them to carry out their functions and maintain the security of the PHI;
  • failure to identify and respond to suspected or known security incidents and to mitigate, to the extent practicable, harmful effects known to them;
  • failure to implement policies and procedures to limit physical access;
  • failure to implement policies and procedures governing the receipt and removal of hardware and electronic media containing electronic PHI into and out of the facility;
  • failure to implement technical policies and procedures for electronic information systems to allow access only to those granted access rights; and
  • failure to implement policies and procedures as otherwise required by HIPAA.

Almost more interesting than the alleged HIPAA violations (and potentially one of the driving forces behind the Attorney General taking action, rather than the HIPAA violations themselves), the complaint also alleges deceptive and fraudulent practices: Accretive failed to disclose how much health information it was collecting on patients and the extent of its involvement in their health care.  The complaint details at great length the importance of transparency for patients and for the doctor-patient relationship.  In the press release, Attorney General Swanson stated,

“Accretive showcases its activities to Wall Street investors but hides them from Minnesota patients.  Hospital patients should have at least the same amount of information about Accretive’s extensive role in their health care that Wall Street investors do.”

This action has the potential to set a precedent in Minnesota as to how much transparency and information should be viewed as "necessary" for patients to make informed choices regarding their health care and medical records, and the extent to which health care entities must take affirmative steps to notify patients of their role in their care.

Although the extensive HIPAA violations are merely one drop in the bucket of allegations against Accretive (e.g., fraud and deceptive practices, failure to give notice of its status as a debt collector, release of health records in violation of the Minnesota Health Records Act), the enforcement action against Accretive makes it quite clear that covered entities aren't the only ones who need to scramble to get their ducks in a row.  Other state Attorneys General have previously brought actions against covered entities (e.g., Vermont, Indiana, Connecticut); now that a state has gone after a business associate directly, it would not come as a surprise to see other states join in, even without final business associate rules.

For more information on what covered entities and business associates can do to prepare for a HIPAA audit or ward off a potential enforcement action, see our November 17 blog post with links to additional HIPAA resources.  A copy of the complaint against Accretive may also be found here.

HIPAA Audits Begin November 2011, How Can Covered Entities and Business Associates Prepare?

The United States Department of Health and Human Services (HHS) has announced that it will begin HIPAA audits of covered entities and business associates in November 2011, and its contracted auditor, KPMG, is required to audit up to 150 entities by the end of 2012!  HHS’s website provides detailed information on when the audits will begin, who may be audited, how the audit program will work, the general timeline for an audit, and, in general terms, what will happen after an audit is completed. In addition, HHS's sample Audit Letter indicates that KPMG will focus on discovering vulnerabilities in privacy and security compliance programs, and that certain “information” and “documents” will be requested in connection with the audit. However, no additional details are given regarding what covered entities and business associates may be asked to produce.

Presumably, KPMG will not let the HIPAA audit cat out of the bag too soon by telling organizations exactly what information and documents it will ask for in connection with such audits, especially where one of its objectives is to identify gaps in HIPAA compliance. Nevertheless, covered entities and business associates may gain valuable insight into what to expect by looking to past guidance on HIPAA audits issued by HHS’s Office of e-Health Standards and Services (the “HIPAA Audit Checklist”), and by reviewing the HIPAA audits and investigations that have taken place over the last few years.

In its previously released HIPAA Audit Checklist, the Office of e-Health lists the types of personnel that may be interviewed and the types of policies, procedures and other documentation and evidence that may be requested.  The audit of Atlanta, Georgia’s Piedmont Hospital is also informative. In February 2007, HHS, through the Office of Inspector General, conducted a random HIPAA audit of Piedmont Hospital.  The letter to Piedmont’s CIO announced that the audit would focus on the organization’s compliance with the Security Rule and would begin with an “entrance conference” 10 days after Piedmont’s receipt of the audit letter from the Regional Inspector General for Audit Services (note that the proposed timeframe for the coming KPMG audits is 30 to 90 calendar days from the date on the applicable HHS Audit Letter).  The Piedmont audit letter also included an enclosure listing the documents and information to be provided, which overlapped significantly with the Office of e-Health’s HIPAA Audit Checklist!

Covered entities and business associates may also glean additional insight from what HHS/OCR has asked for in complaint-driven HIPAA investigations. HHS/OCR has posted on its website several Resolution Agreements with covered entities that have been through a HIPAA investigation.  These agreements also contain hints as to what covered entities and business associates may be asked for during a HIPAA audit.

Until news of organizations receiving HIPAA audit letters starts to trickle out and KPMG begins its work, it is not possible to know exactly what KPMG will ask for and focus on.  Nevertheless, covered entities and business associates should not sit back and take a “wait and see” approach.  Rather, organizations should prepare now by completing an internal review of their HIPAA compliance program to ensure that their policies are current and are being followed by their workforce, and that all other required HIPAA documentation is in place and ready to be produced in case a HIPAA audit letter arrives in the mailbox tomorrow.

Click here to download a copy of our November edition of "Health Law Diagnosis," which includes a list of HIPAA compliance items that all covered entities and business associates should have in order to be prepared for a HIPAA audit.

HIPAA Auditor Responsible for Breach in 2010

In June 2010, a large healthcare system was informed by its business associate that a breach had occurred, affecting thousands of patients at its hospital.  The breach had occurred the previous month when an employee of the business associate lost an unencrypted flash drive that may have contained patient information.  Although the breach was reported last year, news of it appears to have begun circulating only this past week, most likely because of the new role of the business associate in question.

The real kicker is that the business associate was none other than KPMG, the prominent auditing, advisory and tax firm that was recently awarded a $9.2M contract by the Office for Civil Rights (OCR) to conduct HIPAA privacy and security compliance audits.  Although the flash drive reportedly did not contain patient information such as Social Security numbers, addresses, personal identification numbers, dates of birth or financial information, the embarrassing fact remains that a KPMG employee used an unencrypted flash drive to carry patient information around.

I was surprised not only by KPMG's responsibility for the breach, but also by the length of time between KPMG's discovery of the loss of the flash drive (May 10, 2010) and its report of the loss to the covered entity (June 29, 2010).  Although KPMG just barely notified its customer within the HITECH sixty-day notice requirement, one has to wonder why it took so long for KPMG to discover that the device was missing and/or to report it.

I am also curious as to why a KPMG employee would need to carry patient information around on a flash drive to begin with (especially an unencrypted one), but this shows that a breach can happen to the best of us.  It also highlights a big problem for hospitals and other health care providers when it comes to securing patient information.  All too often residents, nurses and other health care providers copy patient information onto flash drives, laptops or other unencrypted devices that are easily lost or stolen.  These risks must be identified and aggressively managed by health care organizations and their business associates to minimize the risk of breach to those organizations and the patients they serve.

HealthLeadersMedia reports that Susan McAndrew, OCR deputy director for health information privacy, wrote in an email that the case was currently under investigation and that, as such, OCR could not address KPMG's involvement in the breach.  When asked whether KPMG's involvement in the breach had been considered before it was awarded the HIPAA audit contract, McAndrew stated,

The award of the HIPAA audit contract was the result of HHS’ usual, rigorous, competitive process. Specific questions regarding the contract award are procurement sensitive.

The public notice made available by the hospital on its website stated that,

KPMG has told us the company is implementing measures to avoid similar incidents in the future, including additional training and the use of improved encryption for its flash drives.

Improved encryption? The flash drive that went missing reportedly had no encryption mechanism at all.  One would hope, though, that KPMG has followed through and improved its security measures, given that it is now OCR's HIPAA auditor, with the potential to access patient PHI and other information in the course of its auditing activities.

HITPC Releases Tiger Team EHR Amendment/Correction Recommendations

The ONC Health Information Technology Policy Committee (HITPC) released the Privacy & Security Tiger Team's (Tiger Team) recommendations concerning amendments and corrections to electronic medical records (EMRs) in a letter to HHS dated July 25, 2011 (the HITPC Letter).  The Tiger Team's two recommendations are:

  • Certified electronic health record (EHR) technology for Meaningful Use Stage 2 should have the capability to support amendments to health information as well as to support compliance with HIPAA obligations to respond to patient requests for amendments, specifically (i) to make it technologically possible for providers to make amendments consistent with their obligations with respect to the legal medical record (e.g., access/view the original data and identify changes made); and (ii) to attach any information from the patient and any rebuttal from the entity regarding disputed data.
  • Certified EHR technology for Meaningful Use Stage 2 should have the ability to transmit amendments, updates or appended information to other providers to whom the data in question had previously been transmitted.

The recommendations address stakeholders' concerns about the technological capabilities of EHR systems to assist covered entities in complying with HIPAA amendment and correction procedures for their EMRs.  They also address data integrity and quality issues that arise when correcting errors in patient information other than at the patient's request, or when communicating updates to patient information.

HIPAA requires covered entities to follow specific procedures for correcting or amending protected health information (PHI) in their records when a patient requests such a correction or amendment.  In addition, the principle of "correction" was adopted by the Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information, which requires that individuals be provided timely means to dispute the accuracy or integrity of their health information.

The Tiger Team recommends that the HIT Standards Committee develop standards, specifications and criteria for certified EHR technology, and that any technological capabilities be kept as simple as possible to start.  Capabilities could evolve over time and become more complex, including "potentially greater standardization and automation."  Most notably, the Tiger Team rejected placing affirmative obligations on providers to inform other providers and entities about errors that were not identified in response to a patient's request, citing the "range of different errors that could occur" and the potential difficulty in distinguishing a difference in medical opinion from an actual error, deciding that

...Providers' existing ethical and legal obligations were sufficient to motivate them to use appropriate professional judgment regarding when to inform any known or potential recipients of amendments to health data.

Finally, the HITPC Letter notes that the Tiger Team considered whether health information exchange organizations (HIOs) should be obligated to correct errors and transmit amendments or updates to affected providers where the HIO may be responsible for the errors.  The Tiger Team has specifically sought input from the HITPC and will continue to research existing HIO policies before developing future recommendations on this issue.

The full HITPC Letter may be found here: HITPC Privacy & Security Tiger Team Amendment Recommendations

HHS Thinks Rite Aid Disposal Policies Are "In the Dumps"

Prepared by Krystyna Nowik.

In a recent settlement agreement, Rite Aid Corporation and its affiliated entities agreed to shell out $1 million to settle potential HIPAA violations. The Office for Civil Rights (OCR) and the Federal Trade Commission (FTC) launched an investigation of Rite Aid and its affiliates after media reports showed that Rite Aid pharmacies across the country had disposed of prescriptions and pill bottles containing protected health information (PHI) in publicly accessible dumpsters.  The investigation indicated that the Rite Aid entities had failed to implement appropriate policies and procedures to safeguard PHI during the disposal process.  It also found that the Rite Aid entities did not provide and document appropriate training for their employees in disposing of PHI.  Finally, the investigation indicated that the Rite Aid entities had not implemented a sanction policy for employees who violated the disposal policies and procedures.

The Rite Aid Resolution Agreement is an important tool for other covered entities in assessing and developing policies and procedures for disposing of PHI.  Covered entities should ask themselves:

1. Is there an up-to-date policy for the disposal of PHI? Are employees aware of it?
2. Are employees properly trained on how to dispose of PHI? How is training documented?
3. What sanctions are in place? Are employees re-educated, reprimanded or otherwise appropriately sanctioned after a violation?
4. How is off-site destruction/disposal handled? Are business associate contracts HIPAA compliant?
5. Is there an internal and/or third-party auditing system in place to ensure employees are complying with the disposal and other HIPAA policies?

Read the full Rite Aid Resolution Agreement posted on HHS's website.  For additional guidance and best practices for the disposal of PHI, see the helpful joint FAQ posted by HHS and CMS on the topic.  The FAQ even describes how to properly dispose of computers and other electronic media that store electronic PHI, which is of particular relevance for Health Information Exchanges.

Krystyna is a graduate of Seton Hall Law School, with a concentration in Health Law.  She works with Oscislawski LLC on various Health Information Exchange matters and is a guest contributor to Legal HIE.