Legal Health Information Exchange - Legal issues relating to electronic health information exchange

This April appears to have been designated "National Breach" month.  In what is the second massive breach of Medicaid data this month, over 200,000 South Carolina Medicaid beneficiaries have been notified of a breach of their health information.  The South Carolina Department of Health and Human Services discovered on April 10 that an employee had emailed 17 spreadsheets of beneficiary health information to his personal email account, including names, addresses, social security numbers and Medicaid ID numbers, but no medical information. 

The former employee and project manager, Christopher Lykes, has since then been fired and arrested, charged with five counts of confidentiality violations under the South Carolina Medically Indigent Assistance Act, and one count of disclosure of confidential information, according to ABC News, Charleston. According to Department of Health and Human Services Director, Anthony Keck, the records were transferred to at least one other person, although it is unknown yet why the information was accessed. 

Investigations showed that the information was available through normal reporting processes, however, Department policies and procedures did not require employees to justify needs for information, which has now been rectified by the Department.  An external IT consultant has also been hired to conduct a full risk assessment of all data and IT systems. 

As I posted earlier this month (see my previous blog, Utah Medicaid Claims Data Hacked), this is the second Medicaid breach this month.  Utah, at least, can blame European hackers for the breach, rather than its own policies and procedures, which has since skyrocketed from its original estimate of 24,000 to almost 800,000 Medicaid beneficiaries or individuals who received health services and whose Medicaid status may have been inquired about by their health care provider, as well as CHIP recipients. This makes it one of the top breaches reported over the past few years. The Utah Department of Health has updated its toll-free number for Medicaid clients to call and added additional information about the breach on its website.   

And finally, continuing the April breach theme, Emory Healthcare Systems reported this past week that 10 back-up discs went missing from storage at Emory University Hospital, containing data of 315,000 patients, including likely its own CEO's information.  Oops.  The data related to surgical patients treated at several Emory facilities from September 1990 through April 2007 and contained names, social security numbers, dates of surgery, diagnoses, and surgical codes, as well as names of surgeons and anesthesiologists. 

Patients were notified beginning April 17, although the discs went missing sometime in February.  Emory stated in its online notice that it does not believe any of the data was or will be misused, as the backup discs were for an obsolute software system long-deactivated by Emory.  However, Emory has offered one year of free credit monitoring and has implemented additional security data control measures. 

Along with the recent $100,000 settlement agreement between HHS and a Phoenix cardiac surgeons group, these breaches hammer home the need for a comprehensive HIPAA Compliance Program and periodic risk assessments.  See Helen's post last week for the significance of this settlement agreement and the steps covered entities can take to protect themselves against breaches and privacy and security violations. 

As many of our readers have already heard, on March 13, 2012 HHS announced that Blue Cross Blue Shield of Tennessee entered into a Resolution Agreement for $1.5 Million Dollars to settle potential violations of HIPAA. You can access a copy of the Resolution Agreement here. 

I find this new case both instructive and frightening, but one has to peel back the layers of this HIPAA-onion to really understand why the Resolution Agreement between BCBS of Tennessee (BCBSOTenn) and HHS/OCR creates an even greater nerve-racking precedent than may be immediately apparent.

First, it must be noted that OCR initiated its investigation of the Breach incident and BCBSOTenn only after BCBSOTenn submitted its HITECH Breach Report "in compliance with" 45 CFR §164.408.  Therefore, HHS/OCR appears to acknowledge that BCBOTenn's reporting of the Breach was timely, proper and otherwise in compliance with the Breach Notification Rule.  And, while BCBSOTenn did not seem to get much reprieve here for its diligent Breach reporting, it’s important to point out that just because a covered entity experiences a Breach does not in and of itself mean that the covered entity has violated the HIPAA Privacy or Security Rule.  A covered entity must actually fall short of or be non-compliant with a HIPAA Privacy Rule standard or Security Rule standard before an actual violation can be found.

So, at least hypothetically, a covered entity could still be in full compliance with the HIPAA Privacy and Security Rules, even if it experienced a Breach involving or potentially compromising PHI.

In such a situation, as long as the covered entity properly and timely reports the Breach as required under the HITECH Breach Rule, and has a fully compliant, current and effective HIPAA compliance program implemented, then the covered entity should be able to assert that there were no violations of HIPAA or HITECH to give rise to HHS/OCR assessing penalties against it.  However, at least for BCBSOTenn, apparently the costs and burden of going through an investigation to prove that the Breach was not due to an underlying lapse its HIPAA compliance program was not worth it, at least not $1.5 Million.

What may be most chilling from a compliance perspective here, however, is that the Breach incident itself was allegedly caused by an intervening criminal act, and that BCBSOTenn had presumably paid Eastgate to provide security services to safeguard the data closet where the video and audio recordings were being temporarily stored until their scheduled relocation at the end of November 2009;  and, indeed, it seems that Eastgate did have a lot of appropriate physical safeguards in place, including biometric and keycard scan security with a magnetic lock, an additional door with a keyed lock, and basic security services.

So, if BCBSOTenn contracted, paid for and relied on Eastgate to provide security services, one would think that it would be reasonable for BCBSOTenn to believe that it had taken appropriate steps to attempt to safeguard the e-PHI while it was temporarily stored at the data closet.  What is not discussed in the Resolution Agreement, however, but would be interesting to know is whether BCBSOTenn’s contract with Eastgate included HIPAA BAA-type language to ensure that Eastgate was aware of the sensitive nature of what they were securing (i.e., e-PHI), and to contractually obligate Eastgate to have in place at least minimum administrative, technical and physical safeguards with regard to how it ensured the security of the data closet.  This illustrates a good lesson, which is while a security vendor or a building manager may not technically be a HIPAA BA, as historically defined by HHS (because such third parties are not required to access PHI to perform their function on behalf of the covered entity), in any instance where a covered entity relies on a third party to ensure the security of its PHI or e-PHI, including software vendors, data warehouses, cloud providers and other similar types of third parties, it is important to have such third party contractually agree to have in place HIPAA BA-type safeguards, and to agree to be responsible for any damages that may arise from a Breach that is due to their own negligence. In this case, Eastgate did not respond to evaluate an unresponsive gate for the entire weekend. While it is not clear whether this may or may not have been negligent on the part of Eastgate, hopefully BCBSOTenn had provisions in its agreement with Eastgate that required insurance coverage for such incidents and will allow BCBSOTenn to also potentially make a claim for indemnification if there was indeed fault on the part of Eastgate.

Finally, despite the fact that the theft of the e-PHI was the event that precipitated HHS/OCR to conduct an investigation here, it almost seems that its settlement with BCBSOTenn had less to do with the actual Breach incident itself and more to do with what HHS/OCR may have believed could be lacking with BCBSOTenn’s general HIPAA compliance program.  In fact, the corrective action plan (CAP) in the Resolution Agreement does not include any requirement to take any actions, like encryption, with regard to similarly stored data devices.  Instead, the CAP focuses on HHS/OCR having the opportunity to review BCBSOTenn’s written policies for conducting a risk assessment, conducting a risk management plan, addressing facility access controls and a facility security plan, and addressing physical safeguards governing the storage of e-PHI.  The CAP also requires such policies to be revised, IF HHS/OCR suggest “material changes” to the policies, and to be distributed to all BCBSOTenn workforce, who must then sign a certification of receipt, and be retrained. Now, while that is all well and good, I wonder about HHS/OCR focusing on BCBSOTenn workforce when wasn’t it the employees of Eastgate who were the ones that did not respond to the lapse in security?  At least in this instance, then, the real security gap seemed to be with BCBSOTenn’s contracted security vendor’s workforce, not its own.

This case certainly raises questions and concerns with investigation and enforcement processes, but also offers some instruction.  First, it is important for covered entities to review their contracts with third parties that may have access to PHI, and most certainly if such third party may be directly or indirectly responsible for ensuring the security of its PHI.  Covered entities should include clear language regarding allocation of responsibility for security, and severe repercussions, including potential indemnity, if the vendor falls short. Contracts with technology vendors, cloud providers, facility security providers, and the like are all potential areas where security weaknesses and gaps may exist.

Finally, while the outcome of the BCBSOTenn situation may tempt many to be more hesitant with reporting Breaches to HHS, that is not advisable.  Not reporting a Breach incident when it is legally required to be reported under the law could just lead to additional potential penalties for violations of the HITECH Breach Rule.  Thus, while Breach reporting clearly can lead to an OCR investigation, as it did here, the best defense may be for covered entities and business associates to ensure that their HIPAA Policies and Procedures are well-developed, updated, and implemented so that they can all be handed to HHS/OCR as proof of full HIPAA compliance, despite any Breach incident having occurred.

In June of 2010, a large healthcare system was informed by its business associate that a breach had occurred, affecting thousands of patients at its hospital.  The breach had occurred the previous month when an employee of the business associate lost an unencrypted flash drive that may have contained patient information.  Although the breach was reported last year, news regarding the breach appears to have begun circulating this past week, most likely due to the new role of the business associate in question. 

The real kicker is that the business associate was none other than KPMG, the prominent auditing, advisory and tax company that was recently awarded $9.2M by the Office for Civil Rights (OCR) to conduct HIPAA privacy and security compliance audits.  Although the flash drive reportedly did not contain patient information such as social security numbers, addresses, personal identification numbers, dates of birth or financial information, the embarrassing fact remains that a KPMG employee used an unencrypted flash drive to carry around patient information. 

Not only was I surprised at KPMG's responsibility for the breach, but also the length of time that went between the discovery of the loss of the flash drive by KPMG (May 10, 2010) and the report that was sent to the covered entity regarding the loss (June 29, 2010).  Although KPMG just barely notified its customer within the HITECH sixty day notice requirement, one has to wonder why it took so long for KPMG to discover that the device was missing and/or report it.

Although I am also curious as to why a KPMG employee would need to carry around patient information on a flash drive to begin with (especially an unencrypted one), this shows that a breach can happen to the best of us.  It also highlights a big problem for hospitals and other health care providers when it comes to security of patient information.  All too often residents, nurses and other health care providers copy patient information onto flash drives, laptops or other unencrypted devices which are easily lost or stolen.  These risks must be identified and aggressively managed by health care organizations and their business associates to minimize the risk of breach to such organizations and the patients they serve. 

HealthLeadersMedia reports that Susan McAndrew, OCR deputy director for health information privacy, wrote in an email that the case was currently under investigation and as such, OCR could not address KPMG's involvement in the breach.  When asked whether KPMG's involvement in the breach had been considered prior to awarding it the HIPAA audit contract, McAndrew stated,

The award of the HIPAA audit contract was the result of HHS’ usual, rigorous, competitive process. Specific questions regarding the contract award are procurement sensitive.

The public notice made available by the hospital on its website stated that,

KPMG has told us the company is implementing measures to avoid similar incidents in the future, including additional training and the use of improved encryption for its flash drives.

Improved encryption? The flash drive that went missing reportedly did not have any encryption mechanisms.  One would hope though that KPMG has followed through and improved its security measures, given that it is now an ONC HIPAA auditor with the potential to access patient PHI and other information in the course of its auditing activities.

An Alabama woman has been slapped with criminal charges in connection with the theft of patient information from Trinity Medical Center in Birmingham, Alabama, as reported by The Birmingham News.  Section 1320d-6 imposes criminal penalties where any person knowingly uses a unique health identifier or obtains or discloses individually identifiable health information in violation of HIPAA. 

The young woman, identified as Chelsea Catherine Stewart, allegedly stole paper surgery schedules from a closed patient registration area at the hospital while visiting a patient.  Stewart was arrested the beginning of June after hundreds of pages of the schedules were found in the house where she was staying by police in connection with an ongoing investigation for mail theft and credit card fraud.   

The schedules contained the names, dates of birth, social security numbers and certain medical information of approximately 4,500 patients of the hospital.  In addition to the patient information, an affidavit by postal inspector John Bailey stated there were handwritten notes with information of other individuals which could be used for identity theft and a "to-do" list of sorts for fraud.  Notes allegedly read, "Get hospital records together and run credit reports on people to get info."  

The notice of the theft on Trinity Medical Center's website states,

"All stolen information has been recovered....The hospital has no reason to believe this information has been or will be used in a way that would cause harm." 

However, Trinity Medical Center will be offering free credit monitoring for those affected patients.  In addition to the notice on its website, the hospital also notified affected individuals of the theft by mail.

If convicted, Stewart could face the maximum criminal penalties under §1320d-6 for "intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm" and up to 10 years in jail and $250,000 in penalties.  Stewart also faces unrelated charges of credit card fraud and breaking into a vehicle.  

Patients affected by a West Virginia hospital breach that went undetected for several months are seeking certification as a class action as reported by Health Data Management.  Five of the approximately 3,655 affected patients have filed suit against the Charleston Area Medical Center in circuit court seeking damages based on four counts:

• breach of confidentiality
• negligence
• invasion of privacy by intrusion on seclusion
• invasion of privacy by unreasonable publicity of private life

The lawsuit, Tabata v. Charleston Area Medical Center, stems from the availability of a database containing patient names, social security numbers, medical information and demographic information on the Internet.  A family member of a patient had found the information while searching the web.

Although the database was created in September of 2010 by a third party for patient case management in a research subsidiary of the hospital, the fact that it had inadvertently been made publically available went unnoticed until February 2011.  However, the hospital acted quickly upon being made aware of the breach and promptly notified all potentially affected patients within 8 days.

The hospital had originally offered to pay for one year of credit monitoring as well as an immediate credit freeze at the three credit bureaus for all affected patients.  Free credit reports were also made available to affected patients through the West Virginia Attorney General's Office.  In addition, after discussion with the Attorney General's Office, the hospital hired a risk management group to conduct a security assessment and undertook a number of other measures to protect against further breaches.

The patients seek as part of the damages for the hospital to extend additional credit and identify protection and monitoring services.  They also ask the court to require that the hospital establish a specific security program as well as award monetary damages for annoyance, embarrassment and emotional distress, and for the lack of security and violation of their privacy.

Although it is unclear yet what repercussions the hospital may face from the Department of Health and Human Services for the breach, the breach and accompanying lawsuit highlight the importance of monitoring business associates who have access to PHI and the resulting work product.  In addition, frequent and periodic security assessments are crucial to identifying issues before an incident or breach occurs.  A robust and proactive security assessment coupled with a strong information security program will go a long way towards effectively safeguarding patient electronic PHI as well as cutting costs associated with incident-response. 

On November 16th, a class of plaintiffs sued AvMed for a massive breach that resulted in their personal information being put at risk.  In December of 2009, unencrypted laptop computers were stolen from an AvMed facility in Gainesville, Fla.  AvMed initially believed information on about 208,000 members was at risk, but by June 2009 it became apparent that the information of over 1.22 million members was at risk.  Information contained on the laptops included a mixture of name, address, date of birth, Social Security number, phone number, and diagnosis, procedure and prescription information. The attorneys representing the class of plaintiffs maintain that had AvMed taken time to encrypt their laptops, this simple step would have obviated any harm done by the theft.  

Like other breaches under HITECH involving PHI of 500 or more individuals, the AvMed breach is posted on HHS's Web site. However, although the federal government has enforcement jurisdiction over HITECH, there is still no private right that would allow one to sue under HITECH for breaches (although in the future individual may be eligible to collect a percentage of any Civil Monetary Penalties collected and resulting from violation of HIPAA and/or HITECh that result in "harm" to such individual). 

Attorneys attempting to sue for damages resulting from a breach are often hard-pressed to keep their complaint from being tossed, unless they can demonstrate the plaintiff suffered actual harm caused by the breach. However, the attorneys representing the class of plaintiffs in the AvMedcase are commercial litigators, and so it will be interesting to see if they come up with more unique causes of action under consumer protection or other laws, and how this will be tested in court.  Stay tuned...

A reminder to all covered entities out there that may be considering selling their business – don’t forget your file cabinet!! (or computers .. or disks ... or seemingly “empty” boxes where PHI may be lurking…..well, you get the picture).

NJ Times reports today that Aetna is notifying 7,250 people after paper files containing their PHI was accidentally left in a file cabinet that was being sold after an office move. The press release indicates that over 2,346 New Jersey residents were affected and over 4,013 in Pennsylvania, as well as a few in Connecticut and Delaware. Apparently, the files were voluntarily returned to Aetna after the individual who purchased the file cabinet discovered them. Aetna issued a press release indicating that it “has no reason to believe the information will be misused in any manner." Nevertheless, Aetna is notifying affected individuals and offering them a credit-monitoring service. Aetna also indicates that it has many privacy policies and processes in place, but corrective action will be taken to ensure that such a “mistake” does not happen again.

The Aetna “breach” raises a number of interesting questions, many which I often am asked about in similar contexts. Specifically: 1) Can PHI be disclosed in connection with a sale of a business? 2) Must a seller purge or maintain PHI that is not transferred in connection with the sale of such business? and, 3) Who do I have to notify in the event of a breach?

I’ll tackle Questions #1 & #2 in today’s post, and save #3 for follow-up.

HIPAA actually does not require a patient’s written authorization to use or disclose PHI in connection with the sale of a business, in certain limited circumstances. A sale of a business is considered a “health care operation,” which is defined in the HIPAA Privacy Rule to include:

“the business management and general administrative activities of the covered entity including, but not limited to … (iv) the sale, transfer, merger, or consolidation of all or part of such entity with another covered entity, or an entity that following such activity [or completed purchase] will become a covered entity, and the due diligence related to such activity.” See §164.501.

Therefore, if Aetna had sold its filing cabinet to an entity that was acquiring its health plan business, then there would have been no breach under the federal standards. However, in this situation, it appears that the patients’ files were simply inadvertently left in Aetna’s file cabinet after furniture was sold to a random buyer in connection with an office move.  As such, there appears to have been a lapse in either following or implementing adequate safeguards.

The HIPAA Privacy Rule requires covered entities to implement appropriate administrative, technical, and physical safeguards to protect PHI from intentional and unintentional use or disclosure that is in violation of the Privacy Rule (see § 164.530(c)(1)-(2). However, it is the Security Rule that provides more detailed guidance on the types of safeguards that may be useful. Specifically, the Security Rule requires covered entities to:

“implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within a facility.” (see §164.310(d)(1).

The Rule goes on then to require covered entities to implement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored (see §164.310(d)(2)(i)-Disposal). The Security Rule also requires covered entities to maintain a record of the movements of hardware and electronic media and any person responsible therefore. (see §164.310(d)(2)(iii)–Accountability).

Although the Security Rule technically applies only to electronic PHI, the Aetna situation illustrates why it makes sense to implement similar sorts of controls for paper PHI. After all, if it makes sense to keep track of computers that store electronic PHI so that such information does not inadvertently end up in the hands of someone who should not have it, would it not make sense to implement similar safeguard controls for a file cabinet that “houses” paper PHI?

It would seem so.