HIPAA, HITECH & HIT

UCLA Snooper's Conviction Upheld; HHS Publishes Guidance

William Maruca — Tue, 15 May 2012 13:16:43 -0500

Remember Huping Zhou, the UCLA researcher sentenced to prison for snooping through the health records of celebrities and co-workers? A federal appeals court has upheld his conviction and rejected his defense attorney's position that the prosecution had not alleged that he had known he was violating HIPAA when he accessed the records. The court determined that the only elements that were necessary to prove the violation were that he had knowingly accessed the records, and that such access was not permitted under HIPAA.

Zhou was charged with violating the HIPAA provision that imposes a misdemeanor penalty on "[a] person who knowingly and in violation of this part ... obtains individually identifiable health information relating to an individual[.]"

At trial, Zhou entered a conditional guilty plea, reserving his right to appeal the court’s denial of his motion to dismiss the information. Zhou was sentenced to four months in prison, followed by a year of supervised release, a $2,000 fine, and a $100 special assessment. Zhou filed a timely notice of appeal.

The U.S. Court of Appeals for the Ninth Circuit stated:

We reject Zhou’s argument because it contradicts the plain language of HIPAA. The statute’s misdemeanor criminal penalty applies to an individual who “knowingly and in violation of this part . . . obtains individually identifiable health information relating to an individual.” 42 U.S.C. § 320d-6(a)(2) (emphasis added). The word “and” unambiguously indicates that there are two elements of a Section 1320d-6(a)(2) violation: 1) knowingly obtaining individually identifiable health information relating to an individual; and 2) obtaining that information in violation of Title 42 United States Code Chapter 7, Subchapter XI, Part C. Thus, the term “knowingly” applies only to the act of obtaining the health information.

Little words count, and not just in political scandals . As the court noted, somewhat tongue-in-cheek,

If the statute did not contain “and,” then Zhou’s argument might be more persuasive. However, we cannot ignore “and” because its presence often dramatically alters the meaning of a phrase. Without “and,” the Second Amendment would guarantee “the right of the people to keep bear arms,” Leo Tolstoy would have published “War Peace,” and James Taylor would have confusingly crooned about “Fire Rain.

It is conceivable, but unlikely, that a person could unknowingly access PHI, for instance clicking on John W. Smith’s records instead of John P. Smith’s, or by opening an email with a cryptic subject heading only to discover it contained misdirected medical records, but if it is shown that the perpetrator knew he was accessing PHI, and if he had no legitimate reason to do so, game over, at least in the Ninth Circuit. No need to establish that the defendant had ever heard of HIPAA or knew he was breaking the law.

Zhou’s case was noteworthy as it was the first to result in severe sanctions against an individual even where the information was not further leaked, sold or used improperly. As we noted in this blog, it also resulted in a settlement under which UCLA agreed to pay a civil fine of $865,000 It now stands as further evidence of the longstanding maxim that “ignorance of the law is no excuse." (Ignorantia juris non excusat for you Latin aficionados).

As of this month, it may be slightly more difficult to claim ignorance of HIPAA now that HHS has published a 47-page plain-English Guide to Privacy and Security of Health Information. The Guide was developed in conjunction with the American Health Information Management Association (AHIMA) and is targeted at physicians and other healthcare providers. It was released with little fanfare and is not easy to find on the ONC web site, but has been noted by industry publications including Modern Healthcare and Healthcare IT News. The Guide contains a 10-step plan for covered entities to review their HIPAA compliance, including advice on performing a risk analysis, developing an action plan, staff education and training, managing and mitigating risks, and patient communication. The Guide is a helpful reference tool for nonlawyers in navigating the shark-filled HIPAA waters, but details are limited due to the length of the publication. As Mr. Zhou has learned the hard way, you are held responsible for knowing the rules, so when in doubt, consult knowledgeable counsel.

First Small Physician Practice Joins The Parade of HIPAA PHI Security Breaches

William Maruca — Fri, 20 Apr 2012 13:13:45 -0500

Do you think a two-physician cardiology group is too small for the feds to fine for alleged HIPAA violations? Phoenix Cardiac Surgery, P.C. (PCS) has learned otherwise the hard way, to the tune of $100,000. As this blog has noted, almost all enforcement to date has been against large insurers or major hospitals and not community hospitals or physician practice groups, and enforcement has largely been low-hanging fruit of failure to comply on a timely basis with notice requirements. The Resolution Agreement, announced by HHS in an April 17 press release, describes a very different participant in the Parade of HIPAA Breaches we have been following in this blog series. Among the unusual features of this settlement are:

The type of covered entity - a two-physician cardiology practice;
The alleged nature of the violation - not just a one-time negligent breach, but a systematic, multi-year failure to adopt and implement appropriate HIPAA safeguards; and
The size of the violation - as the breach has yet to appear on the OCR Wall of Shame, it may have involved fewer than 500 individuals.

Phoenix Cardiac Surgery first came to the attention of HHS’s Office of Civil Rights following a report that the physician practice was posting clinical and surgical appointments for its patients on an Internet-based calendar that was publicly accessible. That alone is not unique - other covered entities including SAIC and Stanford University Hospital have been embarrassed to discover their PHI had been inadvertently made available online to prying eyes. What OCR found upon further investigation was a startling indifference to health privacy concerns dating back to the earliest effective dates of HIPAA and continuing through 2009.

OCR determined that Phoenix Cardiac Surgery had implemented few policies and procedures to comply with the HIPAA Privacy and Security Rules, and had limited safeguards in place to protect patients' electronic protected health information (ePHI). The Resolution Agreement indicates that PCS was unusually lax about HIPAA training, policies and procedures, safeguards, and accountability. It is almost a textbook case of everything a covered entity can do wrong. OCR alleged that PCS:

did not provide and document training of each workforce member on required policies and procedures with respect to PHI as necessary and appropriate for each workforce member to carry out his/her function within the Covered Entity.
posted over 1,000 separate entries of ePHI on a publicly accessible, Internet-based calendar over a two year period;
transmitted ePHI daily from an Internet-based email account to workforce members’ personal Internet-based email accounts.
failed to appoint a security official until 2009.
failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of the ePHI held by PCS.
failed to obtain satisfactory assurances in business associate agreements from the Internet-based calendar vendor and from the Internet-based public email provider that these entities would appropriately safeguard the ePHI received from PCS.
permitted the entity providing the Internet-based calendar application to receive, store, and maintain ePHI on behalf of PCS without obtaining satisfactory assurances in a business associate agreement with the entity.

OCR imposed a $100,000 penalty and required PCS to adopt a Corrective Action Plan which appears as Appendix A to the Resolution Agreement. The plan requires PCS to

Develop, maintain and revise, as necessary, written policies and procedures that meet the requirements of the HIPAA Privacy and Security Rules, and submit them to OCR for review and approval within 60 days;
Make any changes required by OCR and implement the finalized policies and procedures within 30 days of approval.
Distribute the policies and procedures to all members of the workforce within 15 days of their joining PCS‘s workforce, and obtain certification from each member that they have read, understood and will abide by such policies and procedures;
Update its 2009 risk assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI when it is created, received, maintained, used or transmitted by the Covered Entity, including, but not limited to, when ePHI is a) posted to an Internet-based electronic calendaring system, b) transmitted over an Internet-based electronic communications system, c) accessed remotely, or d) transmitted to or from or stored on a portable device;
Develop and submit a risk management plan to OCR for approval.
Appoint a security official;
Produce satisfactory assurances that all business associates will comply with HIPAA;
Adopt technical safeguards for electronic information systems;
Implement technical security measures to guard against unauthorized access to ePHI transmitted over an electronic communications network, including a measure to encrypt or otherwise adequately safeguard ePHI;
Provide and document comprehensive privacy and security training to its workforce;
Report all violations of the policies and procedures by any member of the workforce to OCR within 30 days;

OCR also reserves the right to impose additional civil monetary penalties in the event of a breach of the Corrective Action Plan that is not cured within 30 days.

In essence, the Corrective Action Plan requires PCS to do what it should have done all along to comply with HIPAA, but with the added intrusion and inconvenience of government oversight analogous to the Corporate Integrity Agreements frequently required in settlements of Medicare fraud and other federal false claims allegations. For Phoenix Cardiac Surgery, this is one march that provides no aerobic benefits.

If OCR is trying to send a message that no covered entity is too small to be penalized, they picked a particularly clear and egregious first case. However, that is no assurance that less pervasive compliance failures will continue to fly under the OCR radar.

Utah Department of Health: A Bold Repeat Marcher in the Parade of Major PHI Security Breaches

Michael Kline — Wed, 11 Apr 2012 23:03:07 -0500

Postings on this blog series have been following the continuing parade of security and privacy breaches of Protected Health Information (“PHI”) that have been reported on the U.S. Department of Health and Human Services list (the “HHS List”) of breaches of unsecured PHI affecting 500 or more individuals. On March 30, 2012, a large data security breach (the “Utah Breach”) that has not yet been posted on the HHS List was experienced by the Utah Department of Technology Services (“DTS”) on a computer server (the “DTS Server”) that stores Medicaid and Children’s Health Insurance Program (“CHIP”) claims data.

DTS detected the Utah Breach on Monday, April 2, 2012 after the putative thieves began removing data from the DTS Server. Upon detection, DTS stated that it immediately shut down the DTS Server, has identified where the breakdown in security occurred and has implemented new processes to ensure this type of breach will not happen again.

DTS and the Utah Department of Health (“UDOH”) have established a separate Web page to provide “Latest Information” respecting the Utah Breach (the “Update Page”). The Update Page has turned out to be a useful reporting mechanism for what has become a continuously rising count of individuals affected by the Utah Breach. Currently the Update Page reports that “approximately 280,000 victims had their Social Security numbers stolen and approximately 500,000 other victims had less-sensitive personal information stolen.” Therefore, the total current number of identified affected individuals of the Utah Breach appears to be approximately 780,000. However, the various numbers of victims reflected on the Update Page are somewhat confusing, possibly due at least in part to the addition on a serial basis of newly discovered victims.

Information on the DTS Server included claims payment and eligibility inquiries regarding potential Medicaid and CHIP claimants. According to UDOH:

This could include sensitive, personal health information from individuals and health care providers such as Social Security numbers, names, dates of birth, addresses, diagnosis codes, national provider identification numbers, provider taxpayer identification numbers, and billing codes.

Interestingly, UDOH and DTS have made a clear distinction as to the assistance and support that they will provide to identified victims of the Utah Breach. Victims who had their Social Security numbers (“SSNs”) stolen will be offered one year of free credit monitoring services. Those victims of the Utah Breach who did not have SSNs stolen will not be offered free credit monitoring services, even though they have had other information compromised that has been characterized by UDOH as “less-sensitive.” Moreover, those who had SSNs stolen will receive priority in being alerted as to the Utah Breach over those victims who did not have stolen SSNs.

The Utah Breach is not the first large PHI breach experienced by UDOH. The HHS List reports that on March 1, 2010, UDOH had an "Unauthorized Access/Disclosure" affecting 1,298 individuals respecting "Computer, Paper." The HHS List also reflects that Utah Department of Workforce Services was involved as a Business Associate in the 2010 UDOH PHI breach.

It is possible that the current offering by UDOH of free credit monitoring services only to those Utah Breach victims who had stolen SSNs may be reevaluated or changed in the future. This blog series has previously reported the abrupt about-face by SAIC to offer credit monitoring services to the millions of victims of its large 2011 PHI breach after pressure by the Department of Defense to do so.

We will continue to monitor developments with regard to the Utah Breach.

The Parade of Major Reported PHI Breaches Hits 400 - A Closer Look at Victim 400 and its Actions in Response to the Breach - Part 2

Michael Kline — Wed, 21 Mar 2012 00:38:29 -0500

This blog series has been following breaches of Protected Health Information (“PHI”) that have been reported on the U.S. Department of Health and Human Services (“HHS”) list (the “HHS List”) of breaches of unsecured PHI affecting 500 or more individuals (the “List Breaches”). A recent posting in this blog series reported that, on February 24, 2012, HHS recorded number 400 in the ever-lengthening parade of List Breaches.

Such posting also noted that more than half (223) of the 400 List Breaches attributed the breach to “Theft.” Of the 223 thefts reported, 93 of them were characterized as theft of a laptop. Therefore, it is not surprising that the 400^th List Breach affecting Triumph, LLC (“Triumph”) was reported to be a theft on December 13, 2011 of a laptop affecting 2,000 individuals (the “Triumph Breach”) respecting several of its North Carolina behavioral and psychiatric facilities.

While the facts of the Triumph Breach were not remarkable in themselves, the event is worthy of review as being a typical List Breach involving a theft of a laptop that contained PHI of several thousand individuals. A closer look at the Triumph Breach reveals that it was an event as to which Triumph appears to have been a victim with little ability to avoid the loss.

To its credit, Triumph has placed a HIPAA Breach Notification (the “Notification”) on its Web site with a prominent notice on its Home page in red with a link to the Notification and the following advice: “Please click here to read the public notice which may affect consumers receiving services from our Winston-Salem, Mocksville and King facilities.” As this blog series has pointed out in previous postings, many covered entities do not detail List Breaches on their Web sites.

The Notification states that the Triumph Breach occurred on December 13, 2011 when three men entered the 2nd floor lobby. While two of them were distracting the receptionist, the third entered a hallway and stole a laptop computer from an office. Because the Notification says that the laptop was password protected, one can reasonably conclude that there was no encryption. The information on the computer was reported in the Notification to have included names, dates of birth, medical record numbers, insurance/Medicaid numbers, billing codes and authorization status for services, but not social security numbers, diagnostic codes or specific financial information.

Although the HHS List states that 2,000 individuals were affected by the Triumph Breach, no reference to the number of affected individuals was contained in the Notification. Additionally, while the Notification included contact information for questions about the Triumph Breach, no reference was made in the Notification as to the offering by Triumph of credit monitoring or other security services to affected individuals as has been done for many other List Breaches. Perhaps the explanation for the latter omission is the following statement by Triumph in the Notification:

We believe the motive for the theft was for the computer not for the information stored on the computer. In light of this theft, we are examining our policies, procedures and protocols to safeguard against any future incidents.

Nonetheless, it is unclear whether the PHI stored on the computer will be inappropriately accessed and used. Triumph was clearly an unfortunate victim of a theft of PHI as many other providers have been. Nonetheless, the Triumph Breach is a reminder that it does not matter how a List Breach is caused. It will be costly for the covered entity in every case on many levels, and the ultimate extent of the adverse impact cannot be known with certainty.

Patients' "Meaningful Use" of Electronic Health Information Proposed as Core Measure for Provider Incentive Payments from Feds

Elizabeth Litten — Mon, 19 Mar 2012 13:02:19 -0500

The Centers for Medicare & Medicaid Services (CMS) recently published proposed rules setting forth the “Stage 2” criteria that eligible providers (EPs), eligible hospitals (EHs), and critical access hospitals (CAHs) (referred to herein collectively as “providers”) would be required to meet in order to qualify for Medicare and/or Medicaid incentive payments for the use of electronic health records (EHRs) (“Stage 2 Proposal”). The Stage 2 Proposal is a small-font, acronym-laden, tediously-detailed 131-page document that modifies and expands upon the criteria included in the “Stage 1” final rule published on July 28, 2010 and is likely to be of interest primarily to providers concerned with receiving or continuing to receive added payments from CMS for adopting and “meaningfully using” EHR.

The Stage 2 Proposal is not, at first glance, particularly relevant reading for those of us generally interested in issues involving the privacy and security of personal information -- or even those of us more specifically interested in the privacy and security of protected health information (PHI). Still, two new provisions caught my attention because they measure the meaningful use required for provider incentive payments based not simply on the providers’ use of EHR, but on their patients’ use of it.

One provision of the Stage 2 Proposal would require a provider to give at least 50% of its patients the ability to timely "view online, download, and transmit" their health information ("timely" meaning within 4 business days after the provider receives it) (and subject to the provider’s discretion to withhold certain information). Moreover, it would require that more than 10% of those patients (or their authorized representatives) actually view, download or transmit the information to a third party. There's an exception for providers that conduct a majority (more than 50%) of their patient encounters in a county that doesn't have 50% or more of "its housing units with 4Mbps broadband availability as per the most recent information available from the FCC” (whew!) for the applicable EHR reporting period.

Another provision would require a provider to use "secure electronic messaging to communicate with patients on relevant health information" and would require the provider to show that more than 10% of the provider's patients seen during the reporting period actually sent secure messages (presumably, to the provider, though the language is not precise) using the "electronic messaging function of Certified EHR Technology." According to CMS:

[O]ver 43,000 providers have received $3.1 billion to help make the transition to electronic health records; the number of hospitals using EHRs has more than doubled in the last two years from 16 to 35 percent between 2009 and 2011; and 85 percent of hospitals now report that by 2015 they intend to take advantage of the incentive payments.

The Stage 2 Proposal will incentivize providers to continue this trend toward meaningful use of EHRs, but is also likely to result in providers’ efforts to induce to their patients to become EHR users.

Perhaps patients are ready, willing and able to communicate with providers via email and to download and forward their PHI. According to AARP, the aging baby boomer generation appears to be embracing electronic media and social networking at an unprecedented rate, and it is this segment of the population that is most likely to require health care services.

The Parade of Major Reported PHI Breaches Hits 400 - Theft is the Primary Type of Breach

Michael Kline — Tue, 13 Mar 2012 23:15:33 -0500

This blog series has been following breaches of Protected Health Information (“PHI”) that have been reported on the U.S. Department of Health and Human Services (“HHS”) list (the “HHS List”) of breaches of unsecured PHI affecting 500 or more individuals (the “List Breaches”). On February 24, 2012, HHS posted number 400 in the ever-lengthening parade of List Breaches.

The first postings on the HHS List occurred on March 4, 2010. Therefore, it took almost exactly two years to reach the 400 level, which means that an average of 200 postings of List Breaches have been occurring each year.

A closer look at the 400 List Breaches reveals that there are an appreciable number of repeat entrants into the parade. This blog series has reported on a number of them, such as Henry Ford Health System with 3 List Breaches and University of Rochester Medical Center with 2 List Breaches. (In some cases assumptions had to be made as to repeat entrants because the names of some covered entities on the HHS List were similar but not identical to others or appeared to be different divisions of the same covered entity.)

Based on the assumptions and the review, there were 28 covered entities with 2 List Breaches, 16 covered entities with three List Breaches and 1 covered entity with four List Breaches (counting multiple divisions as one covered entity). Therefore, there were 337 separate covered entities that reported the total of 400 List Breaches.

Of the total of 400 List Breaches, 223 of them attributed the cause or partial cause of the breach to be “Theft.” As a matter of fact the 400^th List Breach was reported by Triumph, LLC as a theft on December 13, 2011 of a laptop affecting 2,000 individuals at several of its North Carolina behavioral and psychiatric facilities.

While the Parade of List Breaches continues to grow, there are many more PHI data breaches involving fewer than 500 individuals that are occurring as well. As this blog series has emphasized in the past, it is more a question of when a covered entity will suffer a PHI data breach and how severe the breach will be, rather than if it will suffer a breach.

Protected Health Information on HIT Super-Highways: If it's Secure, Do We Care Where it Travels and How it is Used When it Lands?

Elizabeth Litten — Tue, 14 Feb 2012 21:05:55 -0500

By: Elizabeth G. Litten and Michael J. Kline

Kaiser Health News reported today that a division of UnitedHealth, Optum, will be using cloud computing technology to allow centralized access to fragmented health information. The Philadelphia Business Journal (the “Journal”) also reported today that three large Blues plans in Pennsylvania and New Jersey (Highmark Inc., Independence Blue Cross, and Horizon Blue Cross and Blue Shield of New Jersey) and a health information technology company, Lumeris Corp. (“Lumeris”), will be joining together to purchase NaviNet, “the country’s largest real-time communication network for physicians, hospitals, and health insurers.”

According to the Journal article, Lumeris created an accountable-care delivery platform to support “new payment models that reward improved outcomes, enhanced patient safety, and increased physician and patient satisfaction, while lowering overall health-care costs.” The combination of the Lumeris accountable-care platform and NaviNet’s real-time communication network is designed to facilitate the sharing of information and the “administrative, clinical, and financial tasks” needed for high quality, less costly (i.e, “accountable”) care.

Clearly, the health care industry is racing to create information superhighways into which health information can be entered, consolidated, accessed, maintained and used in novel ways that will improve our health care delivery and payment system. If the protected health information (“PHI”) flowing through these information superhighways and into and out of clouds and other data bases is adequately secured and the increased use and sophistication of health information technology results in improved quality and reduced cost, can anyone reasonably object to this race? Even the Centers for Medicare and Medicaid Services encourages sharing and using PHI to improve quality and reduce costs (see discussions of privacy issues in the Final Rule on the “Medicare Shared Savings Program: Accountable Care Organizations”).

In his recent post to this blog, our law partner Bill Maruca made it clear that the Minnesota Attorney General (“MAG”) is not a fan of the manner in which at least one company, Accretive Health, Inc. (“Accretive”), accessed and used (and, incidentally, allegedly improperly disclosed) PHI. Although the PHI breach seems to have triggered the MAG’s lawsuit against Accretive, the complaint seems particularly critical of Accretive’s “Quality and Total Cost of Care” services, which allegedly used “data mining,” “consumer behavior modeling,” and “propensity to pay” algorithms. Accretive allegedly “amasses and has access to a high volume of sensitive and personal information,” which it uses to, among other things, create “per patient risk score” calculations.

The MAG claims that, “upon information and belief”, patients’ medical authorization forms did not “identify Accretive by name or disclose the scope and the breadth of the information” that the hospitals that engaged Accretive for these services shared with Accretive. The MAG does not claim that the hospitals involved violated HIPAA requirements related to notice of privacy practices and patient consents and authorizations. Rather, the complaint alleges violations by Accretive of the Minnesota Prevention of Consumer Fraud Act and the Minnesota Uniform Deceptive Trade Practices Act, related to the assertion that patients were “not aware of the extent of Accretive’s involvement in their health care or the extent to which it amasses data about them.”

We agree wholeheartedly with Bill’s closing comment, cautioning that regulators not chill legitimate uses of health information data and technology. We also wonder whether, and under what circumstances, patients should be informed of the myriad directions in which their health information might “legitimately” travel, be mined, and/or be analyzed, or whether that additional layer of patient notice will create unnecessary speed bumps in the race toward more affordable, high quality care.

Finally, query whether such notice to a patient about the use of PHI for development of modeling, data mining, risk scores, algorithms, etc., meaningfully adds to the patient’s knowledge and understanding of what is likely to matter most to the patient - the extent, if any, to which such uses may enhance, limit and/or alter his/her personal medical treatment by physicians and other providers.

The Hazards of Data Mining: Minnesota AG Sues Collection Agency for Breach, Improper Use of PHI

William Maruca — Fri, 10 Feb 2012 18:04:51 -0500

A Wall Street-based medical collection service has been sued by the Minnesota Attorney General after losing a laptop containing sensitive information about 23,500 patients treated by two hospitals which contracted with the company. More significantly, the AG’s complaint alleges that the company, Accretive Health, Inc., was mining, analyzing and using the data for purposes that were not disclosed to patients and which may adversely affect their access to care. The suit is being reported as the first HIPAA enforcement action by a state attorney general against a business associate.

Accretive Health’s parent company, Accretive, LLC, a private equity firm, has run into legal challenges in Minnesota before due to its vertical integration of the debt collection industry under which they took control of the nation’s largest debt collection enterprise, the largest national collection law firm, and the nation’s largest consumer debt collection arbitration company.

The company’s laptop, which was stolen from a rental car, allegedly contained patient names, addresses, dates of birth, social security numbers, as well as risk factors developed by Accretive to sort patients by likelihood of inpatient admission, the presence of any of 22 costly health conditions, “frailty” and ability to pay.

According to Attorney General Lori Swanson’s press release,

“The debt collector found a way to essentially monetize portions of the revenue and health care delivery systems of some nonprofit hospitals for Wall Street investors, without the knowledge or consent of patients who have the right to know how their information is being used and to have it kept confidential.”

Accretive provided comprehensive revenue cycle services to its hospital clients, including patient intake and scheduling, billing and collections. In its contract with one of the hospitals, Fairview Health Services, Accretive offered what it called “Quality and Total Cost of Care” services, allegedly through using “data mining,” “consumer behavior modeling,” and “propensity to pay” algorithms. Under this model, Accretive was paid incentives for cost control and increased revenue.

The AG relied heavily on securities disclosure materials provided by Accretive to its investors, which described its business as including “development of risk scores on individual patients; automated care plans; case management; medical necessity reviews; pharmacy management; length of stay management; discharge planning; population based management; and analytics and reporting of utilization by patient, per patient profit and loss reports, and identification of patient ‘outliers.’” The AG characterizes Accretive’s business model using its own language, which boasted that the company provides risk scoring of patients; focuses on reducing avoidable hospital admissions; identifies the “sickest and most impactable patients” for “proactive management” and identifies “real-time interventions with significant revenue or cost impact.”

In addition to HIPAA violations, the suit alleges violation of state debt collection and consumer protection laws, and asks the court to order Accretive to fully disclose to patients the nature and purpose of the information gathered including to what extent data has been sent to the company’s “Shared Services Blended Shore Center of Excellence” in New Delhi, India. The suit also seeks injunctive relief and damages.

It may be tempting to see this lawsuit as an act of political grandstanding seeking to capitalize on current anti-Wall Street sentiments (and on the widespread resentment of outsourcing of American jobs). Accretive’s troubled history with Minnesota regulators and its use of impenetrable, Orwellian and vaguely threatening euphemisms for its data analysis services (“impactable patients,” “proactive management,” “real-time interventions”) doesn’t help its case.

However, the case may also validate the maxim “bad cases make bad law.” The type of data allegedly gathered and analyzed by Accretive could potentially be used for nefarious purposes including shunting poorer, sicker patients into a second-class care system, but it could also be used to identify those patients for whom special attention could most effectively improve outcomes. In fact, this is the very type of analytical capability that many providers will need to develop to effectively participate in the emerging post-fee-for-service reimbursement environment typified by Medicare’s ACO Shared Savings Program. The suit may signify a crackdown on shadowy organizations trafficking in secret health and financial scores for profit without the knowledge of the patients whose data is being bought and sold, but regulators should be cautious not to chill legitimate and transparent use of the multitude of electronic data currently available in ways that may advance cost-effective, high-quality care.

The Parade of PHI Security Breaches: UCLA Rejoins the March and Merits Mixed Reviews for the Quality of its Public Disclosures

Michael Kline — Sun, 05 Feb 2012 12:40:06 -0500

In a recent posting on this blog series, my partner William Maruca mentioned the multiple reported “snooping” intrusions from 2005 to 2009 by employees at UCLA Health System (“UCLA”) into medical records of celebrities “without a permissible reason.” Such snooping would constitute violations of the requirements under HIPAA/HITECH statutes and regulations. Ultimately, UCLA entered into a settlement agreement (the “Settlement Agreement”) with federal health regulators with respect to such incursions, which among other things, socked UCLA with a fine of $865,000.

Shortly after the Settlement Agreement was reported in July 2011, a new and different security breach was posted for UCLA (the “2011 Breach”) on the U.S. Department of Health and Human Services (“HHS”) Web site that lists breaches of unsecured PHI affecting 500 or more individuals (the “HHS List”). (Presumably the snooping intrusions were not on the HHS List because they affected fewer than 500 individuals.) The 2011 Breach was reported on the HHS List as a theft of an “Other Portable Electronic Device” on September 7, 2011, that affected the protected health information (“PHI”) of 2,761 individuals. UCLA has developed a mixed record of disclosure with respect to this most recent security breach.

UCLA is to be commended for having posted and maintained on its Web site (the “UCLA Web Site”) information on the 2011 Breach, as it has done with respect to the Settlement Agreement. This can be contrasted to a number of other covered entities previously identified in this blog series, such as Eisenhower Medical Center, that have not seen fit to post such security breaches on their Web sites. As a matter of fact, the posting on the UCLA Web Site about the 2011 Breach goes beyond the usual minimum level of disclosure to have a user-friendly, plain-language series of questions and answers to assist the site visitor.

The UCLA Web Site reported

The documents containing information did not include Social Security numbers or any financial information. They did include first and last names and may have included birth dates, medical record numbers, addresses and medical record information. . . . UCLA has engaged Kroll, a global leader in data security, to provide assistance to individuals affected by this incident.

Even though UCLA has retained a consultant to provide advice to potential victims of the 2011 Breach, to this point no credit monitoring has been offered, while other covered entities have done so in similar circumstances because some of the information that was included in theft could heighten identity theft risks.

There is also a perplexing discrepancy between the 2,761 individuals reported on the HHS List as having been affected in the 2011 Breach, as compared to 16,288 individual reported on the UCLA Web Site. The HHS Web site provides the following instructions regarding amendments to the number of affected individuals in a large PHI security breach:

If, at the time of submission of the form, it is unclear how many individuals are affected by a breach, please provide an estimate of the number of individuals affected. As this information becomes available, an additional breach report may be submitted as an addendum to the initial report.

While there can only be speculation as to the source of the discrepancy, best disclosure practices would appear to dictate that UCLA provide information to HHS to permit the HHS List to be corrected from the current number to the materially higher number of 16,288 individuals. If UCLA has reported the higher figure to HHS, which did not correct it on the HHS List, then there is a flaw in the HHS List posting process that does not update amended information received from covered entities.

More recently, an additional factor has surfaced to detract from the quality of UCLA disclosures respecting the 2011 Breach. Derek Hawkins of Law360 discusses the filing by a UCLA patient of a putative class action against UCLA in December 2011 relating to the 2011 Breach. The Hawkins posting criticizes UCLA for not commenting at all on the lawsuit.

Thus UCLA has been inconsistent in its post-2011 Breach disclosures. Prompt, decisive and compliant action by covered entities affected by PHI security breaches, including transparency and accurate and consistent disclosure, is necessary to maximize damage control, rehabilitate relations with clients and the public and reduce the likelihood of litigation and penalties for PHI security breaches.

When Will They Learn? Snooping Nurse Fired, Patients Notified

William Maruca — Fri, 20 Jan 2012 15:07:33 -0500

A nurse has been fired by a Texas hospital after accessing information on patients for whom she had no clinical responsibility, according to the Mt. Pleasant, TX Daily Tribune. The hospital, Titus Regional Medical Center, reportedly discovered the unauthorized access in the course of an audit in November. The nurse admitted to looking at the records out of curiosity but insisted that no records had been further disclosed.

The hospital decided to notify 108 patients in a letter which warned them of a slight risk of identity theft. The hospital administrator indicated that the notices may not be required under HIPAA but were being sent out of an abundance of caution, and emphasized that there was no evidence any data was printed nor disclosed to any third parties. Although most records accessed did not contain social security numbers, affected patients were nevertheless advised to contact the three major credit bureaus, Equifax, Experian and TransUnion.

This incident is reminiscent of the 2011 UCLA breach which resulted in a prison term for the snooping employee and similar incidents involving other California hospitals. A common element in these breach incidents is that the health information was not sold, distributed or otherwise further disclosed by the snooping employees. However, after an investigation, federal health regulators determined that UCLA employees reviewed patients' electronic medical records "repeatedly and without a permissible reason." Ultimately, UCLA entered into a settlement agreement with federal health regulators, which among other things, socked UCLA with a fine of $865,000.

These cases illustrate the seriousness of HIPAA’s still poorly-defined “minimum necessary” standard which, at the least, requires workers at covered entities and business associates to have a valid reason beyond mere curiosity before they access PHI. The ease with which employees can call up any record in a health system’s database can present an overpowering temptation, and it is incumbent on employers to educate their workforce about the need to resist the urge to snoop.

Two Wrongs Don't Make a Right: How Not to Defend Against Fraud Allegations

William Maruca — Mon, 09 Jan 2012 20:54:59 -0500

If your hospital is being raked over the coals in the media for alleged fraudulent billing, it’s understandable to want to set the record straight. However, releasing patient information without consent is not the wisest approach.

California’s Shasta Regional Medical Center and its parent company Prime Healthcare Services have come under fire for aggressive Medicare billing practices, arising out of the unusual frequency of claims for a rare third-world malnutrition condition known as kwashiorkor, which they reported at a rate over 70 times the state average. The story was reported by the Center for Investigative Reporting’sCalifornia Watch, who quoted a patient and her daughter who came forward upon learning that she had been assigned this diagnosis during a hospital stay. The patient signed a waiver allowing California Watch to review her hospital records, which indicated she was treated for kidney failure, but her doctors made no mention of kwashiorkor or malnutrition. The kwashiorkor diagnosis resulted in an estimated $6,755 increase in the hospital’s Medicare DRG payment.

Faced with embarrassing publicity, a lawsuit and potential federal and/or state regulatory action, Prime Healthcare went into damage control mode. The Los Angeles Times reports that when the local newspaper, the Redding Record Searchlight, contacted Shasta Regional for comment prior to publishing California Watch’s allegations, the hospital’s CEO and Chief Medical Officer paid a visit to the paper’s editor with the patient’s chart, which they discussed with him in detail. They also divulged information about her treatment to the LA Times reporter, who reports that the patient and her daughter never authorized these disclosures.

The Times reports that the hospital CEO Randall Hempling defended his decision by stating: "As far as we're concerned, the patient gave that permission when she gave her records to California Watch and was quoted on the record. . . . That waived her privacy."

As the Times accurately noted, a patient who discloses PHI to a media representative or any other recipient does not waive his or her rights to additional disclosures. California Watch reports that the FBI is now looking into the unauthorized disclosure of the patient’s records along with the billing irregularities.

Moral for covered entities: Resist the temptation to reveal patient information without proper authorization, even to defend your reputation in the face of disputed allegations. HIPAA protection is not like the attorney-client privilege which can easily be waived by a single disclosure -- patients still control their PHI and can choose to whom, and for what purpose, they disclose that information.

A New Year's Resolution: Review and Analyze Potentially Applicable State Laws Whenever Examining HIPAA Compliance Issues

Michael Kline — Sun, 01 Jan 2012 18:14:32 -0500

The Order of Judge Richard Smoak in a recent Federal District Court case (Opis Management, LLC, et. al. v. Dudek, No. 4:11-cv-400/RS-WCS (N.D. Fla., Tallahassee Division)) (the “Opis Order”) reminds us of the attention that must be paid to the interaction and potential conflicts or dual applicability of state law with HIPAA compliance. While the Opis Order dealt with a relatively narrow issue that did not involve a data security breach, as will be hereinafter discussed, its focus highlights the broader concern about conflicts or dual law coverage involving HIPAA and state law.

The Opis Order itself dealt with the concern of plaintiffs that compliance with a Florida law would violate federal law under HIPAA, and compliance with federal law under HIPAA would violate state law.As a result, plaintiffs argued that the Florida law was invalid. More specifically they argued that

Florida law requires nursing homes to “furnish to the spouse, guardian, surrogate, proxy, or attorney in fact . . . of a former resident . . . a copy of that resident’s records which are in the possession of the facility.” Further, the law provides that “copies of such records shall not be considered part of the deceased resident’s estate and may be made available prior to the administration of an estate, upon request, to the spouse, guardian, surrogate, proxy, or attorney in fact.” FLA. STAT. § 400.145 . . . Plaintiffs claim that their non-compliance is excusable because Section 400.145 is preempted by the Health Insurance Portability and Accountability Act of 1996 (“HIPPA”). They seek a declaratory judgment that Section 400.145 is invalid and injunctive relief prohibiting its enforcement. [For whatever reason, the Opus Order uses the definition “HIPPA” rather than the much more widely-used acronym “HIPAA.” Except in quotations taken directly from the OPIS Order, this posting will use the more prevalent “HIPAA.”]

Under HIPAA, a more stringent state law preempts HIPAA as to a particular matter. HIPAA defines more stringent as meaning “with respect to a use or disclosure, the [state] law prohibits or restricts a use or disclosure in circumstances under which such use or disclosure otherwise would be permitted.” In granting plaintiff’s declaratory judgment petition, the Court found that, rather than being more stringent than HIPAA, Florida provision Section 400.145 actually afforded less protection of protected health information (“PHI”) than HIPAA. The Opis Order concluded as follows:

Section 400.145 is preempted because it is contrary to HIPPA. It affords a patient far less protection than the heightened privacy requirements imposed by the federal requirement and is, therefore, not more stringent than HIPPA. For this reason, Section 400.145 “stands as an obstacle to the accomplishment and execution of the full purposes and objectives of [HIPPA].” 45 C.F.R. § 160.202.

The Opis Order serves as a case in point of the need to analyze state law whenever considering compliance issues involving HIPAA. However, the Opis Order is only one example of potential conflicts, overlapping or inconsistencies that can exist between HIPAA and state law relative to the same or similar subject matter. A proper analysis requires a comparison of HIPAA and state law definitions of terms, scope of applicability and procedural requirements. Moreover, it must be remembered that, to the extent a HIPAA item is not “contrary to” a state law provision, both HIPAA and state law provisions must be followed. For example, some areas where differences between HIPAA and state law may surface in connection with notification of security breaches include the following:

• To what persons does the law apply? - HIPAA applies to covered entities and business associates/state law may apply to different persons, e.g., all businesses and/or public entities.

• What type of information is covered? – HIPAA applies to PHI, a very broad range of information/state law may apply to more limited information primarily associated with potential identity theft, such as credit card numbers, social security numbers and dates of birth.

• In what medium is the information contained? - HIPAA covers PHI in electronic, paper and oral format/state law may only cover one or two of these formats.

• What constitutes a security breach? – HIPAA and state law may diverge greatly.

• In what cases, who, how and when must regulatory authorities be notified of a data security breach? – HIPAA and state law may have provisions that differ greatly and may conflict with each other, overlap or have dual applicability, while not conflicting.

In summary, while HIPAA requires careful compliance in the event of a security breach, state law provisions must also be considered and analyzed as well.

Happy New Year and thank you to each of our readers.

Personal Information Data Breaches - Not If, but When?

Elizabeth Litten — Wed, 28 Dec 2011 18:43:58 -0500

The widely publicized pre-Christmas breach of confidential data held by Stratfor Global Intelligence Service (“Stratfor”), a company specializing in data security, reminded me that very little (if any) electronic information is truly secure. If Stratfor’s data can be hacked into, and the health information of nearly 5 million military health plan (TRICARE) members maintained by multi-billion dollar Department of Defense contractor Science Applications International Corporation (SAIC) (the subject of a five-part series of blog postings) can be accessed, can we trust that any electronically transmitted or stored information is really safe?

I had the pleasure of having lunch with my friend Al yesterday, an IT guru who has worked in hospitals for years. Al understands and appreciates the need for privacy and security of information, and has the technological expertise to know where and how data can be hacked into or leaked out. Perhaps not surprisingly, Al does not do his banking on-line, and tries to avoid making on-line credit card purchases.

Al and I discussed the proliferation of the use of iPhones and other mobile technology by physicians and staff in hospitals and other settings, a topic recently discussed in a newsletter published by the American Medical Association. Quick access to a patient’s electronic health record (EHR) is convenient and may even be life-saving in some circumstances, but use of these mobile devices creates additional portals for access to personal information that should be protected and secured. Encryption technology and, perhaps most significantly, use of this technology, barely keeps pace with the exponential rate at which we are creating and/or transmitting data electronically.

On the other hand, trying to reverse the exponential growth of electronic communications and transactions would be futile and probably counter-productive. The horse is out of the gate, and expecting it to stop mid-stride and retreat back with a false-start call is irrational. The horse will race ahead just as surely as my daughter will text and check her Facebook page, my son will recharge his iPad, and I will turn around and head back to my office if I forget my iPhone. We want and need technology, but seem to forget or fail to fully understand the vast, unprotected and ever-expanding universe into which we send information when we use this technology.

If we expect breaches or, at least, question our assumptions that personal information will be protected, perhaps we will get better at discerning how and when we disclose our personal information. An in-person conversation or transaction (for example, when Al goes to his bank in person or when a physician speaks directly to another physician about a patient’s care) is less likely to be accessed and used inappropriately than an electronic one. We can better assess the risks and benefits of communicating information electronically when we appreciate the security frailties inherent in electronic communication and storage.

Perhaps Congress should take the lead in enacting laws that will help protect against data breaches that could compromise “critical infrastructure systems” (as proposed in the “PRECISE Act” introduced by Rep. Daniel E. Lungren (R-CA)), but more comprehensive, potentially expensive, and/or use-impeding cybersecurity laws might have the effect of tripping the racehorse mid-lap rather than controlling its pace or keeping it safely on course.

HIPAA Holidays - 5010 Enforcement and Stage 2 HITECH Compliance Extensions

William Maruca — Thu, 22 Dec 2011 16:14:02 -0500

We all know how those year-end deadlines sneak up on us and how there never seems to be enough time to get everything done. Well, here’s some welcome news – The feds have decided to play Santa and give us a little more breathing room this season.

HIPAA 5010 Transition

CMS is transitioning its electronic transaction standards from Accredited Standards Committee (ASC) X12 version 4010A1 to ASC X12 version 5010. These standards regulate the transmission of certain health care transactions among covered entities including hospitals, physician practices, health plans and clearinghouses. Although this description may sound like impenetrable technobabble, CMS considers the upgrade necessary to increase transaction uniformity, support pay-for-performance methods and streamline reimbursement transactions, particularly with the coming exponential expansion of diagnosis codes under ICD-10. CMS summarizes the improvements as follows:

“Version 5010 of the HIPAA standards includes improvements in structural, front matter, technical, and data content (such as improved eligibility responses and better search options). It is more specific in requiring the data that is needed, collected, and transmitted in a transaction (such as tightened, clear situational rules, and in misunderstood areas such as corrections and reversals, refund processing, and recoupments). Further, the new claims transaction standard contains significant improvements for the reporting of clinical data, enabling the reporting of ICD–10–CM diagnosis codes and ICD–10–PCS procedure codes, and distinguishes between principal diagnosis, admitting diagnosis, external cause of injury and patient reason for visit codes. These distinctions will improve the understanding of clinical data and enable better monitoring of mortality rates for certain illnesses, outcomes for specific treatment options, and hospital length of stay for certain conditions, as well as the clinical reasons for why the patient sought hospital care.

Finally, Version 5010 also addresses a variety of currently unmet business needs, including an indicator on institutional claims for conditions that were “present on admission,” and accommodating the use of the ICD-10 code sets, which are not supported by Version 4010/4010A1.”

Level I Compliance was required by December 31, 2010, meaning that a covered entity can demonstrably create and receive compliant transactions, resulting from the compliance of all design/build activities and internal testing. Level II Compliance is due by: December 31, 2011, and all covered entities must be fully compliant on January 1, 2012. Level II compliance means that a covered entity has completed end-to-end testing with each of its trading partners, and is able to operate in production mode with the new versions of the standards.

In a notice posted on December 14 on Medicare Learning Network as MLN Matters® Number: SE1137, CMS' Office of E-Health Standards and Services (OESS) announced that it would not initiate enforcement with respect to any HIPAA covered entity that is not in compliance on January 1, 2012 with the Version 5010 standards until March 31, 2012. Importantly, this is only a 90-day delay on the enforcement of the transition, including fines. Claims not submitted under the 5010 standards on or after January 1, 2012 may not be paid, unless CMS has accepted a transition plan. Modern Healthcare reports that most physician practices are relying on their clearinghouses to convert claims into the new format, or assuming that an updgrade in software will meet all the new standards.

If you don’t know your practice’s status regarding 5010 compliance, contact your clearinghouse or practice management system vendor as soon as possible to avoid an unanticipated interruption in your revenue stream.

Extension of HITECH Meaningful Use Stage 2 Deadline

Physicians who met the Stage 1 Meaningful Use criteria to qualify for the HITECH Act’s subsidies in 2011 will get another year to meet the Stage 2 criteria, according to a HHS notice . Under the current requirements, eligible doctors and hospitals that begin participating in the Medicare EHR (electronic health record) Incentive Programs this year would have to meet new standards for the program in 2013. If they did not participate in the program until 2012, they could wait to meet these new standards until 2014 and still be eligible for the same incentive payment. To encourage faster adoption, HHS Secretary Sebilius announced that HHS intends to allow eligible providers to adopt health IT in 2011, without meeting the new standards until 2014. The final Stage 2 meaningful use criteria will appear in a Notice of Proposed Rulemaking scheduled to be published in February 2012.

The HHS press release also linked to a CDC survey that indicated that physician use of electronic records had doubled in the past two years. The reprt shows that in 2011, 57% of office-based physicians used EMR/EHR systems, ranging from 40% in Louisiana to 84% in North Dakota. Over half intended to apply for the HITECH incentives. In Pennsylvania, CDC reports that 50% of office-based practice use some EHR, and that 47.5% planned to apply for HITECH funds.

Congressional Inquiry or Autopsy for SAIC Breach Disaster? - Part 5

Elizabeth Litten — Tue, 06 Dec 2011 23:45:38 -0500

Five members of Congress (two Republicans and three Democrats) representing districts from far-flung states (Colorado, Florida, Massachusetts, New Jersey and Texas) are co-signers of a bipartisan letter dated December 2, 2011 (the “December 2 Letter”), addressed to the Director of the TRICARE Management Authority. The December 2 Letter was written to express the Congress members’ “deep concerns about a major breach of personally identifiable and protected health information” by TRICARE contractor Science Applications International Corporation (SAIC).”

Michael Kline and I have previously blogged about the SAIC PHI breach in four previous postings on this blog series, the most recent posting of which was on November 9, 2011, shortly after TRICARE did an about-face and announced that it was directing SAIC to offer the 4.9 million affected individuals credit monitoring services and assistance.

The December 2 Letter requests “timely and thorough responses” by no later than February 2, 2012 to seventeen startlingly direct and often blame-loaded questions. The questions make it very clear that the authors believe SAIC (and/or TRICARE) should have done more to prevent the SAIC breach and should be doing more to protect affected individuals. Question 9 notes that SAIC offered to provide “victims” (note the word choice) credit monitoring services for a year, but goes on to point out that “such services are useless in protecting against medical identity theft and fraudulent health insurance claims.” It then asks whether victims will also be provided with “newly available medical identity theft monitoring,” and, if not, to explain why such monitoring would not be provided.

The December 2 Letter closes with a brief and scathing chronology of recent SAIC misconduct, after noting that “SAIC has received more than $20 billion in federal contracts over the previous three fiscal years,” and asks: “Why does [TRICARE] continue to contract with SAIC for its data handling and IT needs despite these major performance problems?”

The members of Congress who authored the December 2 Letter hail from both sides of the aisle and from various parts of the country, but a common link seems to be a strong interest in information privacy and security. For example, Edward Markey (D-Mass) and Joe Barton (R-Texas) co-chair the Bi-Partisan Privacy Caucus and recently focused on Facebook privacy issues. Cliff Stearns (R-Florida) introduced an online privacy bill last spring. Diana DeGette (D-Colorado) has commented publicly on the importance of online privacy.

While Rob Andrews (D-New Jersey) has no apparent recent history with respect to information privacy and security, he was the sponsor in 2003 of a bill, which was not ultimately enacted, designed to afford students and parents with private civil remedies for the violation of their privacy rights under the General Education Provisions Act. Moreover, in his continuing role as a member of the House Committee on Armed Services and its Subcommittee on Oversight and Investigation, he has a deep interest and abiding concern regarding large scale threats to the privacy and security of protected health information of millions of service individuals and their families.

The Silent Brigade in the Parade of Major Reported PHI Breaches of Security and Privacy: Business Associates - An Update

Michael Kline — Mon, 05 Dec 2011 14:51:54 -0500

This blog series has been following breaches of Protected Health Information (“PHI”) that have been reported on the list (the “HHS List”) posted by the U.S. Department of Health and Human Services (“HHS”) that reports breaches of unsecured PHI affecting 500 or more individuals (the “List Breaches”). Four months ago a blog posting in this series did some analysis as to the extent to which such List Breaches are being reported by covered entities (“CEs”) as attributable to events involving business associates (“BAs”).

A December 2, 2011 article in MedPage Today by Cole Petrochko reported on a survey conducted by the Ponemon Institute (the “Survey”) that was conducted based on "interviews with senior-level staff at 72 healthcare organizations regarding data loss and theft experiences at their facilities. Sites included parent holding companies of healthcare organizations, parts of a healthcare network, and individual hospitals or clinics."

This interesting Survey acknowledged that it had a number of limiting factors, including self-reporting from only 14% of the organizations, mostly larger-sized groups, that were contacted by the Ponemon Institute to participate in the interview process. It is therefore likely that data derived from the HHS List is more reliable in light of the adverse consequences and penalties that can be incurred by a CE from inaccurately reporting in writing to HHS. Nonetheless, according to the Survey, "two out of five respondents (41%) blamed data breaches on employee negligence -- not following data-handling procedures, sloppy mistakes, and using unsecure electronic devices -- and 49% reported lost or stolen devices. Third-party errors were responsible for 46% of breaches." [Emphasis supplied.]

It is not clear that the incidents involving “third-party errors” in the Survey are coincident with events that would have been reportable as involving BAs had they been on the HHS List. Moreover, the Survey covered institutional healthcare providers only and not other types of CEs such as insurers, government agencies and individual physicians and physician practice groups. However, the Survey results as to third party errors mirror to some extent the proportion of reported BA involvement with respect to the largest of the List Breaches on the HHS List as of December 2, 2011.

As of that date, only 83 of the total of 372 List Breaches (22.3%) reportedly involved BAs of the reporting CEs.

This overall amount is far lower than the 46% of breaches that was attributable to third-party errors in the Survey. However, further analysis of the HHS List as of December 2, 2011 reveals the following information that more closely parallels the Survey at higher numbers of involved individuals:

• 3 of the 6 List Breaches (50%) that affected 1,000,000 or more individuals reportedly involved BAs of the reporting CEs.

• 13 of the 29 List Breaches (44.8%) that affected between 30,000 and 999,999 individuals reportedly involved BAs of the reporting CEs.

• 14 of the 47 List Breaches (29.8%) that affected between 10,000 and 29,999 individuals reportedly involved BAs of the reporting CEs.

• 53 of the 290 List Breaches (18.3%) that affected between 500 and 9,999 individuals reportedly involved BAs of the reporting CEs.

While the foregoing review is only a snapshot of the HHS List as of a given date, the review would indicate that, as the size of a List Breach increases, it is more likely that involvement of a BA will be reported. However, the overwhelming proportion of List Breaches (77.7%) on the HHS List that affected fewer than 10,000 individuals have reported no involvement of a BA.

More data will be required before the impact of BA involvement in smaller and larger List Breaches becomes clearer. However, there are indications that the larger the List Breach that is reported by a CE, the greater the likelihood that it will involve an alleged BA.

HHS/OCR Audits Are Almost Here - OCR Issues "Sample" Audit Letter

Michael Kline — Thu, 01 Dec 2011 11:49:41 -0500

Contributed by David Restaino, Esq.

Last month a posting was made on this blog series regarding action being taken by the Office for Civil Rights (“OCR”) of the U.S. Department of Health and Human Services (“HHS”) relating to the fact that government audits for HIPAA compliance with privacy and security standards are finally beginning. In this regard, OCR recently released a “sample” letter (the “Sample Letter”) that will be used as the template for the actual letters that OCR will issue to those covered entities that are selected for audit in 2012. As OCR noted in the Sample Letter, recipients of actual letters will find that the audit process will begin within 30 to 90 calendar days from the date of the letter.

OCR has hired KPMG LLP (“KPMG”), one of the “Big Four” certified public accounting firms, to conduct the audits in accordance with government auditing standards. OCR's release of the Sample Letter likely represents its way of communicating to all regulated facilities that KPMG's actions will have the same force and effect as actions by OCR itself. As a result, when KPMG requests detailed information at the beginning of and during the audit process, the covered entity under audit should assume that the KPMG request carries with it the full weight of the United States government.

Release of the Sample Letter can also be viewed as OCR's effort to prepare the regulated community for the seriousness of the upcoming audits. Perhaps more importantly, recipients of actual letters should use the 30 to 90 calendar day period to get prepared -- although facilities would be well advised to take appropriate steps to ensure compliance now rather than risk the adverse results that can occur from last-minute efforts to organize for an audit. Those facilities that are unprepared will have a difficult time getting ready if KPMG comes knocking.

(David Restaino, a partner at Fox Rothschild LLP in its Princeton, NJ office, has more than 20 years of experience representing clients in regulatory compliance and complex commercial litigation matters, including environmental and health care disputes, before multiple federal and state courts and agencies.)

HHS/OCR Audits are Coming: What are Covered Entities Doing to Prepare?

Michael Kline — Thu, 10 Nov 2011 17:23:01 -0500

Contributed by David Restaino, Esq.

Those entities subject to both the HIPAA privacy and security rules should pay close attention to recent action taken by the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”), which will increase the frequency and depth of government audits for HIPAA/HITECH compliance over the next year. This initiative may be in direct response to some critics that OCR was not doing sufficient monitoring of compliance with HIPAA/HITECH.

Preliminary Audit Procedures. Specifically, OCR awarded a contract worth over $9 million to KPMG, LLP for administration of the audits, which will begin shortly. The audits are required by the American Recovery and Reinvestment Act of 2009 (ARRA), which states at Section 13411, “The Secretary shall provide for periodic audits to ensure that covered entities and business associates that are subject to the requirements … comply with such requirements.” Details are sketchy regarding the process to identify the entities that will be audited. However, this much is known:

● The first step will be creation of audit protocols, followed by an undertaking of the actual audits.

● OCR will base its decision to audit upon risk.

● Audits will not be based upon complaints or actual reported privacy or security breaches.

● KPMG will assist OCR in establishing the program to audit covered entities and business associates, and their compliance with the privacy and security rules.

● HHS staff will guide KPMG’s conduct during the audits.

● The audits will include site visits, interviews with leadership, documentation, an examination of operations, and an assessment of the consistency with which process is married to policy.

● Each audit will be followed by a report that will, among other things, address compliance efforts and corrective actions taken.

Who Will Be Audited? HHS reports that every covered entity and business associate is eligible to be audited. The initial round of recipients is expected to provide a broad assessment of a complex and diverse health care industry. Thus, the audit process is designed to have OCR audit as wide a range of types and sizes of covered entities as possible; covered individual and organizational providers of health services, health plans of all sizes and functions, and health care clearinghouses may all be considered. OCR has also made it explicitly clear that covered entities must fully cooperate with the auditors – as obligated under the HIPAA “enforcement rule.” Finally, HHS reports that business associates will be included in future audits.

What can covered entities do now to be ready? For starters, they can make sure that all policies and procedures are in place now. For example, the HHS website states that covered entities will have only ten (10) days to produce documents; this is not much time if policies and procedures are not already in good order.

Based on the above, the best way to get prepared is to make sure that compliance protocols are in place, and being followed, today. Stated differently, all covered entities and business associates should assess their compliance efforts, ensure that timely corrective actions are taken when necessary, and remain on their guard. Documentation of the proactive assessment and corrective measures should also assist in demonstrating that the compliance efforts are effective.

Did Tricare/DoD Make a "Proactive Response" or a Preemptive Strike with SAIC in the PHI Breach Matter? Whose Risk is it Anyway? - Part 4

Elizabeth Litten — Wed, 09 Nov 2011 23:22:07 -0500

By: Elizabeth Litten and Michael Kline

[Capitalized terms not otherwise defined in this Part 4 shall have the meanings assigned to them in Part 3 or earlier Parts.]

As reported in Part 3 of this blog series, Tricare and SAIC did not initially offer credit monitoring services to patients affected by the 2011 Breach made public on September 29, 2011, due to what was then judged to be the low “risk of harm” to those affected. The Public Statement specifically answered the question “Will credit monitoring and restoration services be provided to protect affected individuals against possible identity theft?” as follows:

No. The risk of harm to patients is judged to be low despite the data elements involved. Retrieving the data on the tapes would require knowledge of and access to specific hardware and software and knowledge of the system and data structure. To date, we have no conclusive evidence that indicates beneficiaries are at risk of identify theft, but all are encouraged to monitor their credit and place a free fraud alert of their credit for a period of 90 days using the Federal Trade Commission (FTC) web site.

Now, less than 6 weeks later, Tricare has directed SAIC to provide one year of credit monitoring and restoration services to patients “who express concern about their credit” as a result of the 2011 Breach. In a press release issued by the DoD on November 4, 2011, entitled "Proactive Response to Recent Data Breach Announced" (the “DoD Press Release”), Tricare Management Activity's deputy director explains,

These additional proactive security measures exceed the industry standard to protect against the risk of identity theft. We take very seriously our responsibility to offer patients peace of mind that their credit and quality of life will be unaffected by this breach.

It is unclear that the new security measure exceeds the “industry standard,” as evidenced by numerous past postings respecting PHI security breaches in this blog series. In some cases as long as two years of credit monitoring was offered to affected individuals. However, given the assurances in the Public Statement to the “approximately 4.9 million patients treated at military hospitals and clinics during the past 20 years” that the risk of harm was low and there was no conclusive evidence that patients were at risk of identity theft, one can speculate as to whether Tricare’s abrupt about-face relates to new evidence, a revised judgment as to the risk of harm to affected patients and/or simply an abundance of caution as to its own exposure to risk.

Then again, Tricare's new position could have less to do with new concerns related to patient identity theft risk, and more to do with a “proactive response” or even a preemptive strike by Tricare and DoD to combat certain of the allegations in the putative class action lawsuit filed against them in the U.S. District Court for the District of Columbia on October 11, 2011 (Gaffney v. Tricare Management Activity, et. al., Case No. 1:2011cv01800) (the “Class Action Complaint”). Each of Virginia Gaffney and Adrienne Taylor, two of the plaintiffs named in the Class Action Complaint, has alleged that she had “incurred an economic loss as a result of having to purchase a credit monitoring service to alert her to potential misappropriation of her identity.”

By offering the credit monitoring services to all of the 4.9 million affected individuals, Tricare and DoD may be endeavoring to render moot or at least mitigate the risk from those allegations in the Class Action Complaint. [Note: The recent posting of the 2011 Breach in the HHS List, which did not provide any information beyond that reflected in the Public Statement, earlier reported “5,117,799” as the approximate number of individuals affected, but the current number reported is “4,901,432.”]

The Class Action Complaint seeks judgment against Tricare and DoD for damages in an amount of $1,000 for each affected individual. Perhaps Tricare and DoD did the quick math and realized that the cost of credit monitoring and restoration for a subset (those “expressing concern”) of the roughly 4.9 million affected patients would be far less than the almost $5 billion aggregate damages award sought in the Class Action Complaint. Tricare may have reversed its stance as a result of this “risk of harm” analysis, and not because of new information or a revised evaluation related to a heightened risk of harm to affected individuals.

SAIC and Its Military Millions March - Flooding the Parade with Possible PHI Breaches - Part 3

Michael Kline — Thu, 27 Oct 2011 16:04:27 -0500

By Michael Kline and Elizabeth Litten

[Capitalized terms not otherwise defined in this Part 3 shall have the meanings assigned to them in Parts 1 and 2.]

The Public Statement reports that SAIC and Tricare are cooperating in the notification process but that no credit monitoring or restoration services will be provided in light of the “low risk of harm.” This was in contrast to the decision of Nemours in the Nemours Report to provide such services.

Since the release by SAIC of the Public Statement, Law 360 has reported that

(i) According to Tricare, SAIC was “on the hook for the cost of notifying nearly 5 million program beneficiaries that computer tapes containing their personal data had been stolen”;

(ii) A putative class action lawsuit was filed against Tricare and DoD (but not SAIC) respecting the 2011 Breach; and

(iii) Another putative class action lawsuit was filed against SAIC (but not Tricare and DoD) respecting the 2011 Breach.

Further review of SAIC and its incidents regarding PHI reveals that the 2011 Breach was not the first such event for SAIC. However, it appears to the first such breach since the adoption of the Breach Notification Rule in August of 2009.

On July 21, 2007 The Washington Post reported that SAIC had acknowledged the previous day that “some of its employees sent unencrypted data -- such as medical appointments, treatments and diagnoses -- across the Internet” that related to 867,000 U.S. service members and their families. The Post article continues:

So far, there is no evidence that personal data have been compromised, but ‘the possibility cannot be ruled out,’ SAIC said in a press release. The firm has fixed the security breach, the release said.

Embedded later in the Post article is the following:

The [2007] disclosure comes less than two years after a break-in at SAIC's headquarters that put Social Security numbers and other personal information about tens of thousands of employees at risk. Among those affected were former SAIC executive David A. Kay, who was the chief U.N. weapons inspector in Iraq, and a former director who was a top CIA official.

It is not clear whether the earlier 2005 breach reported in the Post involved PHI or other personal information.

On January 20, 2009, SPAMfighter reported that SAIC had informed the Attorney General of New Hampshire of a data breach that had occurred involving malware. The SPAMfighter report continues that SAIC wrote a letter to many affected users to inform them about the potential compromise of personal information. (A portion of such personal information would have been deemed PHI had it been part of health-related material.)

The SPAMfighter report also discloses the following:

Furthermore, the current [2009] breach at SAIC is not the only one. There was one other last year (2008), when keylogging software managed to bypass SAIC's malware detection system. That breach had exposed mainly business account information.

As of the date of this blog post, the “News Releases” section on the SAIC Web site has no reference to the 2011 Breach. Nor does the “SEC Filings” section under “Investor Relations” on the SAIC Web site indicate any recent SEC filing that discloses the 2011 Breach.

Coincidentally, the SEC issued a release on October 13, 2011 containing guidelines for public companies regarding disclosure obligations relating to cybersecurity risks and cyber incidents. In the context of SAIC, an $11 billion company, while the actual costs of notification and remediation of the 2011 Breach may run into millions of dollars, the 2011 Breach may not be deemed a “material” reportable event for SEC purposes by its management.

It is likely that much more will be heard in the future about the mammoth 2011 Breach and its aftermath that may give covered entities and their business associates valuable information and guidance to consider in identifying and confronting a future large PHI security breach. The 2011 Breach has not even yet appeared on the HHS List. The regulatory barriers preventing private actions under HIPAA/HITECH may be tested by the putative class action lawsuits. It will also be interesting to see whether the cooperation of SAIC with Tricare and DoD may wither in the face of the pressures of the lawsuits and potential controversy regarding the decision of SAIC not to provide credit monitoring and identity theft protection to affected individuals.