HIPAA, HITECH & HIT

Omnibus Rule Takes Effect Today - Or Does It?

William Maruca — Tue, 26 Mar 2013 14:27:12 -0500

The HIPAA/HITECH Omnibus Rule that appeared in the January 25, 2013 Federal Register contained this cryptic and apparently contradictory statement:

DATES: Effective date: This final rule is effective on March 26, 2013.

Compliance date: Covered entities and business associates must comply with the applicable requirements of this final rule by September 23, 2013.

What does it mean for the final rule to be effective today if covered entities and business associates are not required to comply for six more months?

Keep in mind that many of the provisions addressed in the Omnibus Rule were enacted by Congress in the HITECH Act and took effect on February 18, 2010, with some exceptions. The tiered and increased civil money penalty provisions of section 13410(d) were effective for violations occurring after the date HITECH was enacted, February 18, 2009. Accordingly, covered entities and business associates were obligated to comply in good faith with the statutory requirements except where the statute provided that it did not take effect until after publication of regulations.

HHS proposed a 180-day compliance period in its July 14, 2010 notice of proposed rulemaking, and has implemented that grace period in the final omnibus rule. The 180-day grace period was intended to give covered entities and business associates time to comply while best protecting the privacy and security of patient information, in accordance with the goals of the HITECH Act.

For breaches of unsecured protected health information discovered on or after September 23, 2009, the date of the publication of the interim final rule, through September 23, 2013, covered entities and business associates are still required to comply with the breach notification requirements under the HITECH Act and must continue to comply with the requirements of the interim final rule. A cautious approach during the interim would be to analyze any unauthorized disclosure under both the old “subjective” standard and the new “four part” process, and err on the side of concluding that a disclosure is a reportable breach unless it passes both tests.

The gap between the “effective date” and the compliance date leaves some open issues. For example, the definition of “business associate” has been expanded by the omnibus rule to include new entities who “maintain” PHI such as cloud-based data storage companies and warehouse service providers. When do they become BA’s – March 26 or September 23? It appears that covered entities will not be required to have written agreements in place with these newly-designated BA’s until September 23, but it is not clear that such a BA that causes a breach of unsecured PHI during the gap period would not still be directly liable.

These remaining uncertainties offer a valid reason for covered entities, existing business associates and newly-added BA’s to prioritize the process of evaluating and updating their HIPAA/HITECH compliance efforts, starting with new BAA’s, Notices of Privacy Practices and Breach Notification policies. Procrastination is rarely a good strategy, and waiting until the last minute to comply with the omnibus rule could have costly unanticipated consequences

The New and Improved HIPAA/HITECH Rules: What Employers Need to Know

Michael Kline — Sun, 17 Feb 2013 13:55:39 -0500

On February 7, 2013, our partner Keith McMurdy, Esq., posted an excellent entry on the Employee Benefits Blog of Fox Rothschild LLP that merits republishing for our readers as well. The post outlines some direct effects of the new HIPAA Omnibus Rule on employers and their health plans.

Keith McMurdy writes as follows:

On January 25, the new (final?) rules about HIPAA Privacy under the HITECH Act were issued in the Federal Register. While the effect of the new rules may not be to substantially change the way HIPAA privacy is viewed, there are a number of action items for employers as plan sponsors that have to be accomplished when these rules go into effect.

There are two pieces of good news. The first is that the general purpose of compliance remains the same. Plan sponsors have to ensure PHI is properly protected, refrain from impermissible disclosures and provide notices of security breaches. The second is that the earliest possible deadline for compliance with the new rules is September 23, 2013, so there is some time to prepare. But it is not a bad idea to start preparing now. So let's consider the key changes.

1. Tougher Security Breach Notification Standard

Under the old rule, the standard for notification to participants of a security breach was only necessary if the release of information "posed a significant risk of financial, reputational or other harm" to a covered person. Now, that standard is tightened to apply to ANY security breach unless the plan sponsor can prove "a low probability that the [PHI] has been compromised based on a risk assessment." This should encourage plan sponsors to tighten their security breach protections because any release, even things like accidental e-mails, can potentially become reportable events. So the first step in compliance would be to review security standards and document steps taken to avoid security breaches.

2. Tougher Standards for Business Associates Agreements

Because the new rule provides for penalties to a covered entity for breaches by business associates, the default position is that plan sponsors should be much more concerned about how compliant their business associates really are. Where in the past, plan sponsors may have felt comfortable simply handing off certain protection functions to service providers, the new rule makes it pretty clear that plan sponsors have to actually know that their business associates are HIPAA compliant and diligently seek to confirm that compliance.

3. New Privacy Notices for 2013 Open Enrollment

The new rule also requires that plan sponsors add or amend their privacy notices:

The notice must specifically state that the covered health plans are required to obtain plan participants' authorization to use or disclose psychotherapy notes, to use PHI for marketing purposes, to sell PHI, or to use or disclose PHI for any purpose not described in the notice as well as a statement explaining how plan participants may revoke an authorization.
The notices must state that the plans (other than a long-term care plan) are prohibited from using PHI that is genetic information for underwriting purposes
The notice must inform plan participants of their right to receive a notice when there is a breach of their unsecured PHI.

The new rules makes it clear that since this new language is a "material change," plan sponsors are required to distribute this revised notice, even if they had just recently sent the old notice.

4. Genetic Information and the GINA Notice

The Genetic Information Non-Discrimination Act of 2008 (GINA) prohibits discrimination based on genetic information. The HIPAA Privacy Rule now similarly prohibits HIPAA-covered plans from taking genetic information into consideration when offering incentives or discounts through a health risk assessment. Because this modification of the Privacy Rule materially affects how a plan may use PHI, the HIPAA Privacy Rule requires that plan participants be informed in the plan's privacy notice of the prohibition on the use of PHI for underwriting purposes. See the second item under Part 3, above.

So in the midst of our struggles to comply with PPACA, plan sponsors should not forget about HIPAA medical privacy concerns. Start pulling together privacy notices, business associates agreements and plan documents for review and amendment. Review your security practices to avoid even accidental breaches. And be prepared to issue new notices as necessary for your next open enrollment. For more detailed information about HIPAA and HITECH Compliance, please make sure to check out our HIPAA Blog as well. More information means better compliance, which is always a good thing.

Collateral Effects of the Omnibus Rule: Exercise Caution in Using Past OCR Summaries on Large PHI Breaches as a Roadmap for Future Guidance

Michael Kline — Fri, 01 Feb 2013 14:29:37 -0500

In the wake of the post-Omnibus Rule (the “Rule”) frenzy, it is necessary to consider some collateral effects that the Rule may have brought about with respect to compliance with HIPAA/HITECH. The Office of Civil Rights (“OCR”) summaries of closed investigations (the “Summaries”) posted on the U.S. Department of Health and Human Services (“HHS”) list (the “HHS List”) of breaches of unsecured PHI affecting 500 or more individuals (“List Breaches”) has been a source of meaningful guidance as discussed in previous posts on this blog. For example, the summary (the “Tennessee Summary”) for a State of Tennessee Sponsored Group Health Plan breach (the “Tennessee Breach”) continues to provide an excellent road map of pre-Omnibus Rule actions for covered entities (“CEs”) or business associates (“BAs”) that suffer List Breaches or PHI breaches of any size.

While the Tennessee Breach itself dealt with mishandling of paper PHI and not electronic health records, the Tennessee Summary does give direction for early intervention by affected CEs or BAs before HHS knocks on their door. However, while there was excellent compliance in the aftermath of the Tennessee Breach, advice from pre-Rule Summaries cannot be used without carefully taking into account the new requirements respecting PHI breaches under the Rule. As will be further discussed below, the most important new requirement in this regard is the necessity for a CE, BA or subcontractor to analyze the level of risk of compromise of the affected PHI.

The Tennessee Summary

The Tennessee Breach occurred on October 6, 2011 and involved approximately 1,770 enrollees with respect to names, addresses, birth dates and social security numbers. According to the Tennessee Summary, an equipment operator at the state’s postal facility set the machine to insert four (4) pages per envelope instead of one (1) page per envelope, which caused the PHI of four individuals to be sent to one address per envelope.

The Tennessee Summary states that the CE did the following (with some parenthetical observations from the blog author):

1. Retrained the equipment operator (suggesting that suspension and/or termination are not the only actions in appropriate cases with respect to dealing with employees involved with a PHI breach where rehabilitation is possible).

2. Submitted a breach report to HHS (resulting in the posting on the HHS List).

3. Provided notice to affected individuals.

4. Notified the media.

5. Created a toll-free number for information regarding the incident.

6. Posted notice on the CE’s website.

7. Modified policies to remove the social security number on templates for future mailings (a good policy whether paper or electronic PHI is involved).

8. Offered identity theft protection to the affected individuals (a common decision for CEs and BAs based on the type of information that may have been compromised).

9. Following the OCR investigation, reviewed its policies and procedures to ensure adequate safeguards are in place (with this disclosure in the Tennessee Summary, there is a suggestion that OCR continued to exercise some oversight or received reports after the investigation was finished).

The Tennessee Breach in Retrospect after the Omnibus Rule

There was no discussion in the Tennessee Summary of any analysis by the CE of the probable “risk of harm” from the Tennessee Breach under the proposed rule standards that prevailed prior to the Rule. However, it is clear that, in the post-Rule period, a risk analysis of the probability that the PHI “has been compromised” would be necessary for the CE; failure to do such an analysis may be a violation in itself. Under the Rule, there is a presumption that a breach of PHI has taken place unless there is a low probability that the PHI has been compromised. The four factor analysis that would have been required of the CE in the Tennessee Breach case had it happened after the effectiveness of the Rule encompasses the following (with parenthetical comments):

(i) Identifying the nature and extent of the PHI involved, including types of identifiers and risk of re-identification (i.e., names, addresses, birth dates and social security numbers);

(ii) Identifying the unauthorized person(s) who impermissibly used the PHI or to whom the disclosure was made (in the case of the Tennessee Breach, subscribers to the health plan who were not individuals that had an obligation of their own to comply with HIPAA/HITECH);

(iii) Determining whether the PHI was actually acquired or viewed or, alternatively, if only the opportunity existed for the PHI to be acquired or viewed (in the case of the Tennessee Breach, there is a likelihood that numerous recipients of the PHI or others without the right to view such PHI did in fact view it); and

(iv) The extent to which risk to the PHI was mitigated (items 3, 4, 5, 6 and 8 above appear to be potential mitigating factors).

As stated in an earlier postings here and here, no Summary has been posted by OCR for any List Breach that occurred later than October 6, 2011. Additionally, no Summary has been posted by OCR for any List Breach involving a BA that occurred later than February 1, 2011. While the Summaries continue to provide highly useful information for CEs, BAs and subcontractors relative to confronting PHI breaches, large and small, they must be analyzed with appropriate care and attention paid to changes brought about by the Rule. It may be that a concern of OCR about potential confusion which could be created by publishing pre-Rule Summaries has prevented OCR from making recent postings of Summaries on the HHS List.

HIPAA "Mega Rule", Meet "Super BAA": The CMS Data Use Agreement

Elizabeth Litten — Thu, 24 Jan 2013 11:17:21 -0500

The recent release of the HIPAA/HITECH “mega rule” or “omnibus rule” has given bloggers and lawyers like us plenty of topics for analysis and debate, as well as some tools with which to prod covered entities, business associates and subcontractors to put HIPAA/HITECH-compliant Business Associate Agreements (“BAAs”) in place. It’s also a reminder to read BAAs that are already in place, and to make sure the provisions accurately describe how and why protected health information (“PHI”) is to be created, received, maintained, and/or transmitted.

If you are an entity that participates in the Medicare Shared Savings Program as a Medicare Accountable Care Organization (“ACO”), your ability to access patient data from Medicare depends on your having signed the CMS Data Use Agreement (the “Data Use Agreement”). Just as covered entities, business associates, and subcontractors should read and fully understand their BAAs, Medicare ACOs should make sure they are aware of several Data Use Agreement provisions that are more stringent than provisions typically included in a BAA and that may come as a surprise. Here are ten provisions from the Data Use Agreement worth reviewing, whether you are a Medicare ACO or any other business associate or subcontractor, as these may very well resurface in some form in the “Super BAA” of the future:

1. CMS (the covered entity) retains ownership rights in the patient data furnished to the ACO.

2. The ACO may only use the patient data for the purposes enumerated in the Data Use Agreement.

3. The ACO may not grant access to the patient data except as authorized by CMS.

4. The ACO agrees that, within the ACO and its agents, access to patient data will be limited to the minimum amount of data and minimum number of individuals necessary to achieve the stated purposes.

5. The ACO will only retain the patient data (and any derivative data) for one year or until 30 days after the purpose specified in the Data Use Agreement is completed, whichever is earlier, and the ACO must destroy the data and send written certification of the destruction to CMS within 30 days.

6. The ACO must establish administrative, technical, and physical safeguards that meet or exceed standards established by the Office of Management and Budget and the National Institute of Standards and Technology.

7. The ACO acknowledges that it is prohibited from using unsecured telecommunications, including the Internet, to transmit individually identifiable, bidder identifiable or deducible information derived from the patient files.

8. The ACO agrees not to disclose any information derived from the patient data, even if the information does not include direct identifiers, if the information can, by itself or in combination with other data, be used to deduce an individual’s identity.

9. The ACO agrees to abide by CMS’s cell size suppression policy (which stipulates that no cell of 10 or less may be displayed).

And last, but certainly not least:

10. The ACO agrees to report to CMS any breach of personally identifiable information from the CMS data file(s), loss of these data, or disclosure to an unauthorized person by telephone or email within one hour.

While the undertakings of a Medicare ACO and the terminology in the Data Use Agreement for protection of patient data may differ from those of covered entities, business associates and subcontractors and their BAAs under the HIPAA/HITECH regulations, they have many striking similarities and purposes.

Urgent - Verify Your Business Associate and Subcontractor Agreements by This Friday 1/25/13 to Qualify for Extension

William Maruca — Wed, 23 Jan 2013 10:59:15 -0500

The September 23, 2013 deadline for updating Business Associate Agreements is extended for one year under the Omnibus Rule for covered entities who have compliant Business Associate Agreements in place by Friday, January 25, 2013. This also applies to agreements between Business Associates and their subcontractors.

Covered Entities and Business Associates (as well as Business Associates and their subcontractors) may continue to rely on those agreements for up to one year beyond the compliance date of the modifications, regardless of whether the contract meets the applicable contract requirements in the Omnibus Rule. This includes existing written agreements between business associates and subcontractors under which such subcontractors agree to the same restrictions and conditions that apply to the business associate. Such contracts are deemed to be compliant with the modifications to the Rules until either the covered entity or business associate has renewed or modified the contract following the compliance date of the modifications, or until September 23, 2014 (one year after the compliance date), whichever is sooner. "Evergreen" contracts which automatically renew also qualify for the extension.

Covered Entities (providers, health plans/insurers, and clearinghouses) should verify that they have current signed business associate agreements in place no later than this Friday in order to be grandfathered for an extra year.

Business Associates who have delegated functions to subcontractors involving PHI need to make sure they have signed written agreements in place that meet the standards of the existing rule under which the subcontractors agree to follow HIPAA. This is where there may be more gaps, since many Business Associates may have been unaware of their obligations to assure compliance by their subcontractors.

Even grandfathered Business Associate Agreements and subcontractor agreements should be reviewed to see if the contracted party (business associate or subcontractor) is acting as an agent of the Covered Entity or Business Associate. If it is, the date on which a breach is discovered (or should have been discovered) is imputed up contractual chain and could mean that the Covered Entity is responsible for reporting breaches it knows nothing about.

If you need help determining whether you qualify for grandfathering, please contact your Fox Rothschild attorney immediately

This Just In: Guidance for Health Care Providers, and the Omnibus Rule

William Maruca — Fri, 18 Jan 2013 11:07:27 -0500

With gun violence and mental health concerns in the headlines, the Office of Civil Rights of the Department of Health and Human Services has published a letter to health care providers clarifying when it is permissible to reveal PHI when a patient is reasonably believed to present a serious danger to himself or others. The long-awaited HIPAA Omnibus Rule, finally released yesterday, also addresses concerns about how to balance patient privacy with public safety.

Long before HIPAA, court decisions have supported the right, and the duty, of health care providers to reveal a patient's health information where it may be necessary to protect the patient or the public from identifiable risks of harm. The seminal case is the 1974 decision of the California Supreme Court in Tarasoff v. the Regents of the University of California. In that case, the family of a murder victim brought suit based on the failure of the university psychologist who had treated her killer to warn her that he had threatened her life during therapy sessions. The psychologist had recommended that the patient be hospitalized and did inform campus police, but he was not deemed dangerous enough to detain involuntarily, and later carried out his plan. This landmark case established a duty of health care providers to warn potential victims and the authorities when an individual makes a credible threat of violence. Most states follow the Tarasoff rule, either by statute or case law.

As the recent OCR letter indicates, the HIPAA rule permits disclosures in similar situations.

When a health care provider believes in good faith that such a warning is necessary to prevent or lessen a serious and imminent threat to the health or safety of the patient or others, the Privacy Rule allows the provider, consistent with applicable law and standards of ethical conduct, to alert those persons whom the provider believes are reasonably able to prevent or lessen the threat. Further, the provider is presumed to have had a good faith belief when his or her belief is based upon the provider’s actual knowledge (i.e., based on the provider’s own interaction with the patient) or in reliance on a credible representation by a person with apparent knowledge or authority (i.e., based on a credible report from a family member of the patient or other person). These provisions may be found in the Privacy Rule at 45 CFR § 164.512(j).

Under these provisions, a health care provider may disclose patient information, including information from mental health records, if necessary, to law enforcement, family members of the patient, or any other persons who may reasonably be able to prevent or lessen the risk of harm. For example, if a mental health professional has a patient who has made a credible threat to inflict serious and imminent bodily harm on one or more persons, HIPAA permits the mental health professional to alert the police, a parent or other family member, school administrators or campus police, and others who may be able to intervene to avert harm from the threat.

In the spirit of the "imminent threat" exception, and recalling the famous Tarasoff decision quote, "The protective privilege ends where the public peril begins," the Omnibus rule resolves a controversy over when and how student immunization records may be shared with school officials. The rule simplifies the process to permit oral or written authorization to health care providers or other covered entities to supply this information to schools where required by state law for admission.

The final rule adopts the proposal to The final rule adopts the proposal to amend § 164.512(b)(1) by adding a new paragraph that permits a covered entity to disclose proof of immunization to a school where State or other law requires the school to have such information prior to admitting the student. While written authorization will no longer be required to permit this disclosure, covered entities will still be required to obtain agreement, which may be oral, from a parent, guardian or other person acting in loco parentis for the individual, or from the individual himself or herself, if the individual is an adult or emancipated minor. We believe that the option to provide oral agreement for the disclosure of student immunization records will relieve burden on parents, schools, and covered entities, and greatly facilitate the role that schools play in public health, while still giving parents the opportunity to consider whether to agree to the disclosure of this information.

Documentation of the parental permission is still required, but the form of that documentation is up to the covered entity. Note that once a school is in possession of a student's PHI, the school's handling of those records is governed by the Family Educational Rights and Privacy Act (FERPA), not HIPAA.

The Omnibus rule is described by OCR director Leon Rodriguez as making "the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented." Many of these changes appeared in the Notice of Proposed Rulemaking published on July 14, 2010. We will be analyzing these changes in forthcoming posts in the near future.

In light of the Obama Administration's initiatives following the Sandy Hook, CT and Aurora, CO tragedies, HHS appears to be responding to criticism of overly restrictive privacy rules that allegedly would have prevented disclosure of mental health information that may have saved lives. Clearly the current rules permit disclosure of imminent, concrete threats directed at specific targets, and there is no indication that either of the gunmen had expressed any such threats in advance to healthcare providers or otherwise. Nevertheless, the time may be right to dispel any misinformation about when such threats can be legally communicated to authorities and potential victims.

The Parade of Major Reported PHI Breaches Creeps Ahead to 525 - Theft Continues to Dominate the Numbers

Michael Kline — Tue, 08 Jan 2013 16:16:57 -0500

This blog series has been following breaches of Protected Health Information (“PHI”) that have been reported on the U.S. Department of Health and Human Services (“HHS”) ever-lengthening parade list (the “HHS List”) of breaches of unsecured PHI affecting 500 or more individuals (the “List Breaches”). As of January 1, 2013 (and as of today), there were 525 postings of List Breaches.

A previous blog post reported that, on February 24, 2012, HHS listed the 400th List Breach. As the first postings on the HHS List occurred on March 4, 2010, an average of about 200 postings of List Breaches were recorded in each of its first two years. However, in the 10-plus months between February 24, 2012 and January 1, 2013, 125 additional List Breaches were posted, which on an annualized twelve month period basis would translate into 150 List Breaches. It is not yet clear whether the lower volume of List Breaches since February 2012 is attributable to increased caution and better practices in protecting PHI on the part of covered entities (“CEs”) and business associates (“BAs”), greater use of encryption and other practices to protect PHI, slower postings of List Breaches by HHS, other factors or a combination thereof.

Of the total of 525 List Breaches posted through January 1, 2013, there were approximately 274 (52.2%) events shat attributed the type of breach to involve “theft” of all kinds, including laptops, other portable electronic devices, desktop computers, network servers, paper records and others. If the 60 additional List Breaches listing the category of “loss” of all types is added to the 274 “theft” events, the total for the two categories swells to approximately 334 or 63.6% of the 525 posted List Breaches. Combining the two categories appears to make some sense since it is likely that a number of the List Breaches categorized as a “loss” event may have involved some theft aspects.

Even more revealing may be the fact that approximately 193 (36.8%) of the 525 List Breaches listed the cause or partial cause of the breach to be “theft” or “loss” respecting laptops or other portable electronic devices. Theft or loss of laptops or other portable electronic devices thus constituted 51.6% of the 334 List Breaches that involved reported theft or loss.

Over the last 10 months since the number of List Breaches passed 400, it appears that the relative percentage of List Breaches attributable to theft and loss is trending mildly upward. Of the 125 additional reported List Breaches, approximately 86 or 68.8% listed theft or loss as the source of the PHI breach. The number of such 125 List Breaches that reported theft or loss of laptops or other portable electronic devices was 37 or 29.6%, a lower percentage than the 36.8% for all 525 List Breaches. The sample sizes are relatively small, so that further following of these numbers is warranted.

My partner, William Maruca, Esq., recently posted a blog entry highlighting the fact that the first breach settlement announcement by HHS in 2013 (the “2013 Settlement”) involved a $50,000 fine based on theft of a laptop containing 441 patients’ unencrypted data. It was the first fine by HHS for a PHI security breach that involved fewer than 500 individuals and, therefore, was below the threshold for a List Breach.

While the parade of List Breaches continues to lengthen, the 2013 Settlement underscores the fact that there are many more PHI security breaches involving fewer than 500 individuals. The PHI security breaches that are not List Breaches are receiving increased scrutiny by HHS. As this blog series has emphasized in the past, it may become more a question of when a CE or BA will suffer a PHI security breach and how severe the breach will be, rather than if it will suffer a breach. All CEs and BAs must exercise vigilance and use recommended protection procedures to avoid all PHI security breaches, not just large List Breaches. The continuing proliferation of the use of portable electronic devices to receive, access and store PHI should be monitored, as it can be expected that this type of security breach will continue to expand.

OCR Announces First "Under 500" Breach Settlement

William Maruca — Fri, 04 Jan 2013 13:36:29 -0500

The first breach settlement announcement of the new year breaks new ground - a $50,000 fine based on theft of a laptop containing 441 patients' unencrypted data. It's the first settlement of a breach involving fewer than 500 individuals. There was no indication that any PHI was improperly viewed or accessed.

In a press release issued January 2, 2013, OCR announced the negotiated resolution of a breach by the Hospice of North Idaho (HONI), which began when HONI reported the June 2010 laptop theft. The investigation revealed that HONI had not conducted a risk analysis to safeguard ePHI and had not adopted policies or procedures to address mobile device security.

“This action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients’ health information.” said OCR Director Leon Rodriguez. “Encryption is an easy method for making lost information unusable, unreadable and undecipherable.”

The Resolution Agreement, which appears here, emphasized the hospice agency's failure to anticipate the risk of loss of unprotected data on mobile devices which were commonly used by its staff in field work:

"In particular, HONI did not evaluate the likelihood and impact of potential risks to the confidentiality of electronic PHI maintained in and transmitted using portable devices, implement appropriate security measures to address such potential risks, document the chosen security measures and the rationale for adopting those measures, and maintain on an on-going basis reasonable and appropriate security measures."

The emphasis on a small covered entity's lack of analysis and risk assessment is reminiscent of OCR's settlement with two-physician Phoenix Cardiac Surgery, P.C. announced in April 2012, another case widely considered to be a warning to similarly situated entities. Note that HONI disputes the allegations in its own press release.

OCR also required HONI to enter into a two-year corrective action plan, which requires HONI to investigate any information indicating that any workforce member may have failed to comply with its Privacy and Security policies and procedures, and report the details of any such failure including sanctions imposed and steps taken to prevent recurrence.

Some lessons can be taken away from the HONI settlement.

First, encryption of ePHI is critical! Given the prevalance of breaches associated with lost and stolen laptops, it is often forgotten that the loss of unreadable encrypted data is generally not a HIPAA breach.

Next, all organizations but especially those like hospices, home health agencies and other entities with mobile workforces must prioritize securing mobile devices. For starters, refer to OCR's guidance entitled Your Mobile Device and Health Information Privacy and Security, which is definitely worth reading. Some of the advice seems to be common sense (password protection, remote wiping or disabiling, firewall and security software, avoiding file-sharing applications) but needs to be enforced organization-wide, particularly in today's "bring your own device" environment. OCR has even created a handy one-page Fact Sheet with useful mobile device security tips.

Loss and theft of mobile devices may be inevitable, but protection of the data those devices contain is not as challenging as many think, and effectively implementing such protection should be a priority for 2013.

Countdown to 2013 and the HITECH "Mega Rule": Ten New Year's Resolutions to Protect Health Information

Elizabeth Litten — Thu, 27 Dec 2012 16:13:19 -0500

We have written several times in this blog series about the long-awaited (some would assert long overdue) HIPAA “Mega Rule.” What was highly anticipated for the summer of 2012 has become the winter of discontent and a new year for eager HIPAA professionals. Below are ten HIPAA resolutions worth making for 2013 for anyone who has contact with protected health information (PHI), even without the benefit of the Mega Rule.

10. I will ask for a copy of my employer’s HIPAA Policies and Procedures.

9. I will read them.

8. I will compare what they say with what I do with PHI and will identify and correct discrepancies.

7. I will not snoop through PHI of others or access or use any PHI I do not need in order to do my job.

6. If I get PHI from or send PHI to a third party (outside my employer) as part of my job, I will find out whether my employer has a Business Associate Agreement (“BAA”) in place with that third party (or has decided one is not needed).

5. I will learn how to encrypt (as per National Institute of Standards and Technology) PHI before I save it or send it.

4. I will check my laptop, smartphone, or other portable device for encryption capability and make sure it is activated. I will also check for any unencrypted PHI that may be lurking on my portable device(s). I will encrypt or remove such PHI (if consistent with the HIPAA Policies and Procedures of my employer and any BAAs).

3. I will investigate the “chain of control” of PHI before I send it to make sure it will not end up outside the jurisdiction of the United States.

2. I will educate myself as to whether and how PHI might be de-identified and will recommend that my employer consider a policy of de-identification in accordance with guidance published by the Office of Civil Rights of the Department of Health and Human Services.

1. Even if I’ve accomplished resolution # 4, I will not leave my laptop, smartphone or other portable device containing PHI in plain sight inside my parked car, especially while at lunch.

If everyone were to make and follow these resolutions, we all will have a Happy HIPAA New Year.

Back to the SAIC Breach and a Look Across the Chasm Between Significant Risk and Actual Harm Resulting from a HIPAA Breach

Elizabeth Litten — Thu, 06 Dec 2012 22:33:10 -0500

Elizabeth Litten and Michael Kline write:

We have posted several blogs, including those here and here, tracking the reported 2011 theft of computer tapes from the car of an employee of Science Applications International Corporation (“SAIC”) that contained the protected health information (“PHI”) affecting approximately 5 million military clinic and hospital patients (the “SAIC Breach”). SAIC’s recent Motion to Dismiss (the “Motion”) the Consolidated Amended Complaint filed in federal court in Florida as a putative class action (the “SAIC Class Action”) highlights the gaps between an incident (like a theft) involving PHI, a determination that a breach of PHI has occurred, and the realization of harm resulting from the breach. SAIC’s Motion emphasizes this gap between the incident and the realization of harm, making it appear like a chasm so wide it practically swallows the breach into oblivion.

SAIC, a giant publicly-held government contractor that provides information technology (“IT”) management and, ironically, cyber security services, was engaged to provide IT management services to TRICARE Management Activity, a component of TRICARE, the military health plan (“TRICARE”) for active duty service members working for the U.S. Department of Defense (“DoD”). SAIC employees had been contracted to transport backup tapes containing TRICARE members’ PHI from one location to another.

According to the original statement published in late September of 2011 ( the “TRICARE/SAIC Statement”) the PHI “may include Social Security numbers, addresses and phone numbers, and some personal health data such as clinical notes, laboratory tests and prescriptions.” However, the TRICARE/SAIC Statement said that there was no financial data, such as credit card or bank account information, on the backup tapes. Note 17 to the audited financial statements (“Note 17”) contained in the SAIC Annual Report on Form 10-K for the fiscal year ended January 31, 2012, dated March 27, 2012 (the “2012 Form 10-K”), filed with the Securities and Exchange Commission (the “SEC”) includes the following:

There is no evidence that any of the data on the backup tapes has actually been accessed or viewed by an unauthorized person. In order for an unauthorized person to access or view the data on the backup tapes, it would require knowledge of and access to specific hardware and software and knowledge of the system and data structure. The Company [SAIC] has notified potentially impacted persons by letter and is offering one year of credit monitoring services to those who request these services and in certain circumstances, one year of identity restoration services.

While the TRICARE/SAIC Statement contained similar language to that quoted above from Note 17, the earlier TRICARE/SAIC Statement also said, “The risk of harm to patients is judged to be low despite the data elements . . . .” Because Note 17 does not contain such “risk of harm” language, it would appear that (i) there may have been a change in the assessment of risk by SAIC six months after the SAIC Breach or (ii) SAIC did not want to state such a judgment in an SEC filing.

Note 17 also discloses that SAIC has reflected a $10 million loss provision in its financial statements relating to the SAIC Class Action and various other putative class actions respecting the SAIC Breach filed between October 2011 and March 2012 (for a total of seven such actions filed in four different federal District Courts). In Note 17 SAIC states that the $10 million loss provision represents the “low end” of SAIC’s estimated loss and is the amount of SAIC’s deductible under insurance covering judgments or settlements and defense costs of litigation respecting the SAIC Breach. SAIC expresses the belief in Note 17 that any loss experienced in excess of the $10 million loss provision would not exceed the insurance coverage.

Such insurance coverage would, however, likely not be available for any civil monetary penalties or counsel fees that may result from the current investigation of the SAIC Breach being conducted by the Office of Civil Rights of the Department of Health and Human Services (“HHS”) as described in Note 17.

Initially, SAIC did not deem it necessary to offer credit monitoring to the almost 5 million reportedly affected individuals. However, SAIC urged anyone suspecting they had been affected to contact the Federal Trade Commission’s identity theft website. Approximately 6 weeks later, the DoD issued a press release stating that TRICARE had “directed” SAIC to take a “proactive” response by covering a year of free credit monitoring and restoration services for any patients expressing “concern about their credit as a result of the data breach.” The cost of such a proactive response easily can run into millions of dollars in the SAIC Breach. It is unclear the extent, if any, to which insurance coverage would be available to cover the cost of the proactive response mandated by the DoD, even if the credit monitoring, restoration services and other remedial activities of SAIC were to become part of a judgment or settlement in the putative class actions.

We have blogged about what constitutes an impermissible acquisition, access, use or disclosure of unsecured PHI that poses a “significant risk” of “financial, reputational, or other harm to the individual” amounting to a reportable HIPAA breach, and when that “significant risk” develops into harm that may create claims for damages by affected individuals. Our partner William Maruca, Esq., artfully borrows a phrase from former Defense Secretary Donald Rumsfeld in discussing a recent disappearance of unencrypted backup tapes reported by Women and Infants Hospital in Rhode Island. If one knows PHI has disappeared, but doubts it can be accessed or used (due to the specialized equipment and expertise required to access or use the PHI), there is a “known unknown” that complicates the analysis as to whether a breach has occurred.

As we await publication of the “mega” HIPAA/HITECH regulations, continued tracking of the SAIC Breach and ensuing class action litigation (as well as SAIC’s SEC filings and other government filings and reports on the HHS list of large PHI security breaches) provides some insights as to how covered entities and business associates respond to incidents involving the loss or theft of, or possible access to, PHI. If a covered entity or business associate concludes that the incident poses a “significant risk” of harm, but no harm actually materializes, perhaps (as the SAIC Motion repeatedly asserts) claims for damages are inappropriate. When the covered entity or business associate takes a “proactive” approach in responding to what it has determined to be a “significant risk” (such as by offering credit monitoring and restoration services), perhaps the risk becomes less significant. But once the incident (a/k/a, the ubiquitous laptop or computer tape theft from an employee’s car) has been deemed a breach, the chasm between incident and harm seems to open wide enough to encompass a mind-boggling number of privacy and security violation claims and issues.

OIG Reports Shortcomings In EHR Incentive Oversight

William Maruca — Fri, 30 Nov 2012 11:33:10 -0500

CMS should improve its oversight of its electronic health record incentive program, according to a report by the Office of Inspector General released this month. The government watchdog agency faults CMS for both inadequate prepayment safeguards and insufficient postpayment monitoring of recipients of federal funding intended to help cover the costs of adoption and implementation of EHR.

As this blog noted earlier this month, some concerns have been raised in a Congressional hearing about how the approximately $7.7 billion in taxpayer funds have been spent to date under the HITECH Act’s incentive program. In its report, the OIG recommended that CMS:

Obtain and review supporting documentation from selected professionals and hospitals prior to payment to verify the accuracy of their self-reported information;

Issue guidance with specific examples of documentation that professionals and hospitals should maintain to support their compliance; and

Conduct prepayment reviews to improve program oversight.

OIG reported resistance from CMS regarding its recommendation to implement prepayment reviews, which CMS believes would increase the burden on practitioners and hospitals and could delay incentive payments. CMS agreed to take steps to improve program oversight. CMS’s response appears as an exhibit to the OIG report at page 30.

Next, the OIG turned to the Office of the National Coordinator for Health Information Technology (ONC), the government agency that establishes EHR standards and certifies EHR technology. OIG recommended that the ONC:

Require that certified EHR technology be capable of producing reports for yes/no meaningful use measures where possible; and

Improve the certification process for EHR technology to ensure accurate EHR reports.

ONC concurred with both recommendations, as noted in the letter from Dr. Farhad Mostashari appearing at page 32.

The report noted that CMS currently conducts prepayment validation of professionals’ and hospitals’ self-reported meaningful use information to ensure that it meets program requirements, mostly by checking the math in the reports and verifying EHR certification codes. OIG also noted that CMS plans to audit selected professionals and hospitals after payment using a similar method to select audit targets based on inconsistencies in their reported data. At the time of the OIG review, CMS had not yet completed any postpayment audits.

Among OIG’s findings were:

CMS’s prepayment validation functions correctly but does not verify the accuracy of self-reported information.
Sufficient data are not available to verify self-reported information through automated system edits.
CMS does not collect supporting documentation to verify self-reported information prior to payment.
CMS’s planned postpayment audits may not conclusively verify the accuracy of professionals’ and hospitals’ self-reported meaningful use information.
Reports from certified EHR technology are not sufficient for CMS to verify self-reported information and may not always be accurate.
CMS may not be able to obtain sufficient supporting documentation to verify self-reported information during audits.

Given budgetary pressure and ongoing Congressional oversight, it is likely that CMS and ONC will be looking more closely at how HITECH incentive funds are being applied in the coming year.

Another Case of Snooping Prosecuted

William Maruca — Tue, 27 Nov 2012 16:52:31 -0500

Once again, a healthcare worker’s inability to resist the temptation to snoop in her employer's medical records has resulted in criminal prosecution. In the latest incident, a Vermont ultrasound technologist improperly accessed the electronic medical records of her husband’s former wife and her children, allegedly over a period of 12 years. The victim, also employed by the same hospital, was frustrated by the hospital administration’s delays in responding to her complaints and notified others including the FBI, her state senator and the American Civil Liberties Union before action was taken.

The Rutland, VT Herald reports that Kathy Tatro of Bennington, VT pleaded guilty to four counts of unauthorized access to computer records in a plea bargain that imposed probation and required her to serve 160 hours of community service, which will include talking to medical employees about the importance of privacy regarding patient records. The Bennington Banner reports that Ms. Tatro was given a 6-12 month suspended sentence, 2 years probation and a $2,000 fine.

This blog has noted other instances of snooping leading to serious consequences, including the case of a UCLA researcher sentenced to prison time for reading records of celebrities and co-workers, a Texas nurse fired for unauthorized access, a California hospital fined after employees accessed Michael Jackson’s records, a New York hospital that suspended employees for accessing George Clooney's records after a motorcycle accident, and the termination of 16 hospital employees for accessing the records of an injured first-year resident.

The Vermont ACLU claims that this incident is “believed to be the most extensive breach of personal electronic medical records ever reported in Vermont.” The ACLU noted that the victim had explained in court how the system let her down.

“No investigation was begun nor any remedial action taken until she spoke up, complained, and dogged doctors, hospital administrators and trustees, state officials, federal officials, police officers, and the state’s attorney to do something. The privacy protections in place don’t work on their own; you have to fight to protect your rights.”

Based on reports, it appears this case was brought solely under state privacy laws, not HIPAA. It is not clear whether the Vermont Attorney General was involved, even though it seems that the victim alerted a variety of authorities.

This case is yet another cautionary tale that should be considered by anyone in a position to access health records without a legitimate purpose, as well as by hospitals and other covered entities who should reevaluate the safeguards they have in place to track and prevent or at least discourage unauthorized access.

OIG EHR Questionnaire Focuses on Fraud Safeguards

William Maruca — Mon, 19 Nov 2012 09:03:44 -0500

The OIG is conducting a survey of hospitals who have certified the meaningful use of Electronic Health Record (EHR) Technology, with an emphasis on safeguards that protect the EHR systems from fraudulent access or alteration. A generous hospital compliance officer who has asked to remain nameless has provided me with a copy of the survey tool which can be accessed here.

Topics addressed in the survey include:

Coding capabilities
User authentication and access
Access to EHR by outside entities
Audit log and metadata features
Methods for entering physician and nursing notes
Capabilities for exporting and transmitting EHR documents
Patient access
Patient identity management
Additional features and safeguards.

The underlying thread of the questionnaire looks to determine what each hospital is doing to ensure the integrity of the EHR data gathered, and to identify the barriers to more effective implementation of electronic records.

Meanwhile, back on Capitol Hill, a hearing was held on November 14, 2012 before the House Subcommittee on Technology and Innovation Committee on Science and Technology. The hearing topic was titled: Is ‘Meaningful Use’ Delivering Meaningful Results? An Examination of Health Information Technology Standards and Interoperability. Witnesses were asked to address in their testimony:

What is the goal for health information interoperability under the HITECH Act?

How are Stage 1 and 2 meaningful use requirements and supporting standards advancing us towards this goal?

How have the lessons learned from the implementation of Stage 1 meaningful use requirements and supporting standards been applied in drafting Stage 2 requirements and Stage 3 proposals?

How does the ONC engage Federal agencies and other stakeholders (National Institute of Standards and Technology (NIST), vendors, and providers) in developing the meaningful use requirements and technical standards?

How does the HIT Standards Committee balance the need for common IT standards with the diversity of the healthcare industry? How does the Committee account for technology development and innovation in its standards recommendations?

How effective have HHS and the ONC been in establishing long-term goals and benchmarks for HIT adoption, interoperability, and provision of care?

What recommendations would you make for Federal policy makers as we consider futureHIT policies?

Dr. Farzad Mostashari, HHS National Coordinator for Health Information Technology, presented prepared remarks which can be found here. Dr. Mostashari was cautiously optimistic about the pace of adoption of EHR and the progress being made toward interoperability. He noted that as of September 2012, more than 300,000, more than half of the nation’s eligible professionals, as well as over 75 percent of eligible hospitals have registered to participate in the Medicare or Medicaid Incentive Programs.

Summarizing the lessons learned by HHS to date, Dr. Mostashari stated “By creating standards-based methods for the electronic submission, receipt and processing of health IT, Federal agencies can improve the quality of the data they receive while also reducing the number of expensive, one-off solutions for addressing the varied needs of the stakeholders they serve.” He praised his agency’s collaborations with NIST and recognized the over 6,400 comments received from stakeholders regarding the meaningful use process. He emphasized the efforts to provide new flexibility in definitions, exclusions, a shorter reporting period for the first year of Stage 2, and additional quality measures that account for the needs of many medical specialties to measure and improve the care they provide. He also called attention to the Standards and Interoperability Framework, a Wikipedia-style site for EHR developers, which he described as an example of “government as a platform” - enabled by integrated functions, processes, and tools – for the open community of implementers and experts to work together to develop and harmonize health information exchange standards.

Other witnesses appearing before the committee included Dr. Charles H. Romine, Director, Information Technology Laboratory, National Institute of Standards and Technology; Marc Probst, Chief Information Officer and Vice President, Information Systems, Intermountain Healthcare; Ms. Rebecca Little, Senior Vice President, Medicity; and Dr. Willa Fields, DNSc, RN, FHIMSS, Professor, School of Nursing, San Diego State University.

In his introductory remarks, subcommittee chairman Ben Quayle (R-AZ) noted :

Given our current budget situation, it is vital that these taxpayer dollars are spent effectively in ways that lead to reduced costs and better health care down the road. Nearly four years after the HITECH Act, taxpayers should know what we have to show for it.

The recent survey suggests that the OIG intends to supply Rep. Quayle's subcommittee with a detailed answer to that question.

Known Unknowns and Data Losses

William Maruca — Wed, 07 Nov 2012 11:52:15 -0500

A New England hospital has reported the disappearance of backup tapes containing ultrasound images and personal data of 14,000 patients. How do you handle a data loss when you don’t have any way of determining where the data went or who may have seen it? Is it still a “breach” in the technical sense?

These questions call to mind former Defense Secretary Donald Rumsfeld’s famous observation about assessing knowledge gaps:

“There are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns -- the ones we don't know we don't know.”

And a less-famous Rumsfeld quote from the same press briefing, “The absence of evidence is not evidence of absence, or vice versa” may also be applicable.

What is known, according to the press release issued by Women and Infants Hospital of Rhode Island, is that on September 13, 2012, the institution learned that unencrypted backup tapes containing ultrasound images went missing from two ambulatory sites in Providence, Rhode Island and New Bedford, Massachusetts. The backup tapes contained ultrasound images and included patient names, dates of birth, dates of exams, physicians’ names, patient ultrasound images, and, in some instances, Social Security numbers.

The hospital has concluded that they have no reason to believe that the information has been accessed or used improperly, because doing so would require specialized equipment and technical expertise. The fact pattern and analysis recalls the 2011 breaches involving SAIC/Tricare and Nemours discussed on this blog in October 2011 by my partner Elizabeth Litten. As she noted,

When is the mere “ability” to read PHI, without evidence that the PHI was actually read or was likely to have been read, enough to trigger the notice requirement under the Breach Notification Rule? Will covered entities provide notice out of an abundance of caution to report every unlocked or unencrypted data file, possibly flooding the HHS website that lists large PHI breaches (the “HHS List”) with potential breaches that have minimal or no likelihood of access and unduly alarming notified individuals? Could such reporting have the unintended effect of diluting the impact of reports involving actual theft and snooping?

At this time, Women & Infants has notified affected patients and established a hotline but is not yet offering credit monitoring or identity theft protection. Further, there is no indication of a report having been filed with HHS, but once again “absence of evidence is not evidence of absence.”

Applying the Rumsfeld test, I believe Women & Infants is facing both “known unknowns” and “unknown unknowns.” They know that they don’t and cannot be certain whether the data has been accessed, but if it has been, they cannot know the extent of the potential damage to the affected individuals. The long-overdue “mega-regulation,” which may finally see the light of day now that the election is over, may provide some useful guidance.

In the meantime, enjoy some of former Secretary Rumsfeld's greatest hits.

A Reader's Comment about a Third Potential Posting on the HHS Breach Parade for Massachusetts Eye and Ear Infirmary

Michael Kline — Fri, 02 Nov 2012 13:29:54 -0500

A thoughtful reader commented on the recent blog post in this series that asked whether the 2012 Breach of Massachusetts Eye and Ear Infirmary (“MEEI”) should have by now been reflected in a third posting respecting MEEI on the HHS List. (Capitalized terms not otherwise defined herein shall have the meanings assigned to them in the earlier blog post.)

The reader’s comments included the following:

I have been wondering—and this article [the blog post] continues to make me wonder—whether covered entities will be less likely to “err on the side of caution” in making breach reports, now that they see the potentially draconian consequences of making such a report. I think it’s pretty clear (and I think OCR [the Office of Civil Rights] has even said publicly) that large breach reports will trigger investigations and, as we have seen, investigations are likely to open to scrutiny all aspects of the covered entity’s HIPAA policies, practices and procedures. Seeing million dollar resolution agreements may give covered entities pause about blowing the whistle on themselves, particularly where there is room to argue whether the disclosure creates a significant risk of harm. . . .

The reader’s comments point out the importance of evaluating the risk of harm by any covered entity that experiences a PHI security breach, even if it appears not to rise to the level of a potential List Breach. I concur with the reader that more attention may be given by a covered entity in the future to make a risk analysis of the probable harm of a potential List Breach. One of the purposes will be to determine the number of involved individuals and whether the entity can reasonably conclude that a List Breach has not occurred, and, therefore, there may be no need for a List Breach report to HHS.

The covered entity may so conclude even if it publicizes the PHI security breach, notifies “potentially affected individuals,” posts information about the breach on its Web site, engages in some “voluntary” remedial action for such potentially affected individuals, disciplines involved employees and makes improvements to its policies and procedures. Repeat marchers in the Breach Parade may be especially motivated to conclude that a List Breach has not occurred.

However, the stakes may be high for a covered entity to conclude that a List Breach has not occurred. The penalties that can flow from the potentially “draconian consequences of making such a report” to HHS can be greatly amplified if the conclusion not to report the security breach as a List Breach turns out to be erroneous. The failure to report a List Breach is a separate violation and can give rise to significant penalties. Moreover, the covered entity must consider that most states have adopted their own requirements to make timely reports to state regulators about a PHI security breach, often with different standards for reporting, and state Attorneys General can seek to enforce a failure to make a mandatory report under both state law and HIPAA.

To some observers, elements of the risk analysis of a covered entity for reporting a possible List Breach may be somewhat analogous to the considerations that exist for self-reporting by healthcare providers of potential false claims to the HHS Office of Inspector General under its voluntary disclosure program. The important difference is that voluntary disclosure is optional; reporting a PHI security breach that is a List Breach to HHS is mandatory, with potential materially adverse consequences for failure to comply.

As the Breach Parade Passes 500 Marchers: Should There be a Posting on the HHS List for a Third Massachusetts Eye and Ear Infirmary Breach?

Michael Kline — Sun, 28 Oct 2012 20:05:06 -0500

Much has been written about the circumstances surrounding the agreement of Massachusetts Eye and Ear Infirmary (“MEEI”) to pay the U.S. Department of Health and Human Services (“HHS”) the sum of $1.5 million to settle potential violations involving an alleged security breach (the “2010 Breach”) of Protected Health Information (“PHI”) under HIPAA. However, relatively little has been written that the 2010 Breach was the second of what may be three significant PHI breaches experienced by MEEI within the last three years.

This blog series has been following breaches of PHI that have been reported on the HHS list (the “HHS List”) of breaches of unsecured PHI affecting 500 or more individuals (the “List Breaches”). Currently HHS has posted 502 List Breaches. The first List Breach posted for MEEI on the HHS List (the “2009 Breach”) was reported to have occurred by reason of a theft on November 10, 2009 that was said to have affected 1,076 individuals.

The 2010 Breach was reported to have occurred on February 19, 2010, only slightly more than three months after the 2009 Breach. According to the HHS List, it affected 3,621 individuals. A statement from MEEI on its Web site reports that HHS review of the 2010 Breach was “triggered by the hospital’s proactive self-reporting of a doctor’s unencrypted laptop being stolen while he was traveling abroad in 2010.” MEEI further stated that it “has no indication that any patients were harmed by this isolated incident.” Query: How “isolated” was the incident in view of the fact that the 2010 Breach occurred soon after the 2009 Breach?

Potential entries in the PHI Breach Parade did not end for MEEI, however, with the 2010 Breach. On April 16, 2012, during a time that MEEI was likely to have been heavily negotiating with HHS about the $1.5 million payment, MEEI posted the following statement on its Web site (the “2012 Statement”), about which relatively little was reported in the media:

On March 5, 2012, the Quincy, Massachusetts, Police Department informed [MEEI] that they were investigating a [MEEI] employee for inappropriately using the names, Social Security numbers and dates of birth of certain individuals, some of whom were believed to be MEEI patients. . . .

While [MEEI] is only aware of four individuals whose personal information was actually misused, as a precaution we are notifying, by mail, approximately 3,600 patients whose Social Security numbers were available to the former employee in the course of performing her assigned duties.

The 2012 Statement went on to say that MEEI will “provide one year of free credit monitoring to potentially affected individuals to protect them against possible harm resulting from this incident.” [Emphasis supplied.]

It is perplexing that nothing about the 2012 Breach has been posted on the HHS List to this point, although

(i) the MEEI Web site reported the event more than six months ago,

(ii) the number of “potentially” affected individuals far exceeded the 500 minimum threshold for placement on the HHS List, and

(iii) the period during which MEEI was dealing with HHS after the 2010 Breach overlapped with the occurrence and aftermath of the 2012 Breach.

Queries: Did MEEI not report the 2012 Breach to the HHS List because it ultimately concluded that the 2012 Breach did not involve more than 500 individuals even though it does offer credit monitoring to more than 3,600 individuals? (As a potential third time marcher in the Breach Parade, MEEI was certainly aware of its reporting obligations to HHS.) In other words, did MEEI determine by a reasonable risk assessment that the potential access by the former employee to PHI of 3,600 individuals was not sufficient to require a report for the HHS List, absent more substantial proof that the PHI of 500 or more individuals was actually accessed and/or that 500 or more individuals were actually harmed by such access?

Alternatively, is it simply possible that HHS has been slow in reporting additional List Breaches on the HHS List, similar to a suggestion in an earlier post in this blog series that HHS may be slow in posting Summaries of cases that it has investigated and closed?

This blog series will continue to monitor developments in this area.

As the Parade of Major PHI Breaches Marches Ever Onward, Where Have All the OCR Summaries Gone?

Michael Kline — Fri, 05 Oct 2012 16:08:32 -0500

This blog series has been following breaches of Protected Health Information (“PHI”) that have been reported on the U.S. Department of Health and Human Services (“HHS”) list (the “HHS List”) of breaches of unsecured PHI affecting 500 or more individuals (the “List Breaches”). Currently HHS has posted 498 List Breaches reported by covered entities (“CEs”), of which approximately 102 (20.5%) have been reported as also involving business associates (“BAs”).

As stated in an earlier posting in this blog series, the HHS List includes valuable guidance for CEs and BAs in the form of “brief summaries of the breach cases that OCR [the federal Office of Civil Rights] has investigated and closed. . . .” To date, the HHS List has posted approximately 96 summaries (“Summaries”) respecting the 498 current postings for CE marchers in the Breach Parade (which include some multiple postings of List Breaches where a single alleged breach by a BA caused a number of CEs to have List Breaches). Of the 96 List Breaches for which Summaries have been posted by OCR, 19 (19.8%) were reported as involving BAs.

Unfortunately, since May 10, 2012, it would appear that only one new Summary has been posted by OCR, which relates to List Breach number 337 reported by Indiana University School of Optometry as CE. According to the OCR Summary, that List Breach affected 757 individuals and resulted in accessibility over the Internet of patient names, birth dates, medical history, diagnoses and treatment plans for the period from August 8, 2011 through September 9, 2011.

No Summary has been posted by OCR for any List Breach that occurred later than October 6, 2011, already a year ago. Additionally, no Summary has been posted by OCR for any List Breach involving a BA that occurred later than February 1, 2011, as discussed in an earlier posting in this blog series.

Moreover, the substantial majority of Summaries posted by OCR relate to List Breaches affecting fewer than 10,000 persons. While this Summary history may be reflective of the population of List Breaches as discussed in an earlier post in this blog series, the largest number of affected individuals for which a Summary has been posted to date is 83,000. That List Breach, which occurred on November 12, 2009 and was number 21 on the HHS List, related to unauthorized access/disclosure of paper information and was reported by Universal American in New York as the CE with Democracy Data & Communications, LLC as an involved BA. In light of the existence of complex List Breaches that reportedly affect hundreds of thousands or even millions of individuals, Summaries respecting larger List Breaches may be helpful in providing new and different insights for CEs and BAs.

There is great value in the guidance provided by the posted Summaries for educating CEs and BAs as to what OCR may deem to be significant with respect to List Breaches. OCR Summaries may provide analysis not only of the List Breaches themselves but also subsequent actions taken by the affected CEs and BAs. However, because the paucity of recent postings of Summaries can dampen their overall educational benefit, OCR is encouraged to increase the frequency, number, currentness and diversity of the Summaries posted.

PHI Breach Involving Health Plan Leads to Lawsuit by Identity Theft Victims Who Were Plan Members

Elizabeth Litten — Tue, 18 Sep 2012 10:26:27 -0500

A previous post to this blog by Patricia McManus pointed out that individuals whose protected health information (“PHI”) is stolen, lost, or otherwise inappropriately used, accessed, or left unsecured have no private right of action against the person or entity responsible for the breach under the HIPAA/HITECH laws. That may change for victims of identity theft who can show the theft was caused by a HIPAA breach, at least if the action is brought in the 11^th Circuit.

The 11^th Circuit District Court (Southern District of Florida) decision that came out on September 5, 2012 involved stolen unencrypted laptops containing PHI of approximately 1.2 million AvMed (health plan) patients. The lower court had dismissed the originally-filed class action because plaintiffs sought "to predicate recovery upon a mere specter of injury: a heightened likelihood of identity theft." The case was re-filed, naming as plaintiffs a subset of patients whose identities had been actually stolen since the laptop theft, alleging negligence by AvMed in protecting the sensitive information, breach of contract, unjust enrichment, breach of the implied covenant of good faith and fair dealing, and breach of fiduciary duty.

The District Court's decision to deny AvMed's motion to dismiss plaintiffs' claim that AvMed's data breach caused plaintiffs' identity theft was based on its finding that plaintiffs "sufficiently alleged a nexus between the data theft and the identify theft and therefore meet the federal pleading standards... ," even though the computers were stolen 10 and 14 months prior to the identity thefts of the two specific plaintiffs named in the action. The court pointed out that both individuals were very protective of their personal data and did not transmit sensitive data electronically or store it on computers. One plaintiff's sensitive information was used to open a Bank of America account and change her address with the US Post Office, while the other plaintiff's sensitive information was used to open an E*Trade Financial account. Neither had experienced identify theft before the theft of the AvMed laptops.

The court also refused to dismiss the plaintiffs' unjust enrichment claim, which was based on the fact that AvMed received premiums that were payments, at least in part, to protect sensitive information with "data management and security measures that are mandated by industry standards." Plaintiffs alleged AvMed failed to implement or inadequately implemented these policies.

If plaintiffs are ultimately successful in obtaining refunds of premiums and/or payments from AvMed for damages incurred as a result of the identity thefts, it could set an interesting precedent for future HIPAA breach victims, particularly if the court’s decision relies (as it seemed to rely in this decision) on the fact that the victims could show they were extremely careful not to store or transmit personal information via electronic means. In this age of intensive use of computers and the Internet for financial transactions, such plaintiffs are probably highly unusual. An individual who makes frequent or even occasional on-line purchases or pays bills electronically and who becomes the victim of a HIPAA breach might have difficulty demonstrating that a subsequent identity theft was the direct result of the breach.

As We All Continue to Anticipate the HIPAA/HITECH "Mega Rule" from HHS, We Can Test Our Prognosticating Skills

Michael Kline — Wed, 29 Aug 2012 10:36:16 -0500

We have seen substantial delay in publication of the long-awaited HIPAA/HITECH Omnibus Final Rule, sometimes affectionately referred to as the “Mega Rule.” Health Data Management reported on June 6 of this year that Farzad Mostashari, national coordinator for health information technology, had said that the HIPAA Mega rule, which will include modifications to the privacy and security rule, breach notification and enforcement, “should’ be published by “the end of summer.” After previous disappointments and delays in regulations in other contexts from the U.S. Department of Health and Human Services, however, it may be noteworthy that Mr. Mostashari was said to have used the word “should,” and did not specify the summer of what year, e.g., 2012, 2013, 2014, etc.

Now there has been some scuttlebutt that the Mega Rule may not surface until after Election Day, November 6, 2012, perhaps because of concerns about potential political implications. Even as we wait, there is some justifiable trepidation as to the number of pages of regulations that will be published. The recently-issued CMS final requirements that hospitals and other providers must meet to receive funding under the second phase of the federal electronic health-record incentive program, which is a relatively narrow topic, constituted 672 pages.

What can we expect from HHS on the Mega Rule? Well, we can register our own speculations. Marla Durben Hirsch, Editor of Medical Practice Compliance Alert published by DecisionHealth, Inc., informed me of a clever contest that is being conducted on line by idexperts as to the Mega Rule. Any household can put in a single entry as to the month, day and year that the Mega Rule will be published in the Federal Register. In the event of a tie, the number of pages in the Mega Rule will serve as a first tie breaker. The prize for first place is a contribution of $2,500 in the name of the winner to the Wounded Warrior Project, a $200 Amazon gift card, a year’s subscription to RADAR published by idexperts and, of course, internet bragging rights.

So, with the approach of Labor Day and the waning days of summer, join the contest and make the Mega Rule wait more enjoyable!

Employers: Beware of PHI "Minimum Necessary" Standards Lurking Under Statutes Other Than HIPAA and State PHI Statutes

Michael Kline — Sun, 12 Aug 2012 21:29:32 -0500

A recent posting by our partner Christina Stoneburner, Esq., on the Fox Rothschild Employment Discrimination blog discussed the need by employers to limit protected health information (“PHI”) that they provide with respect to medical examinations of employees and job applicants to the least amount of medical information necessary for evaluation. Interestingly, the focus of her posting was not disclosure under HIPAA/HITECH, or even state statutes regulating the use of PHI; it dealt with allegations that employees and job applicants had been sent for unnecessary medical examinations in violation of the Americans with Disabilities Act and the Genetic Information Nondisclosure Act.

Christina summarizes her posting with the following:

In short, the least amount of medical information necessary to evaluate an employee is what should be provided to examiners. For example, if you have an employee being evaluated to see if he can perform the essential functions of his job after a shoulder injury, the examining doctor should not be given the medical records relating to his planter's wart being removed.

In her discussion, Christina noted our blog series respecting large breaches and a particular recent posting by Elizabeth Litten, Esq. Christina also mentioned that the complaint on which her posting focused had alleged, "the employer often turned over Workers' Compensation records . . . , even where those records were not relevant to the examination.”

Workers’ compensation is an area where Christina’s posting comes full circle to our blog’s focus on HIPAA; as HIPAA directly confronts such area by making it clear that only the “minimum necessary” disclosure of PHI is permitted by covered entities without patient authorization pursuant to 45 CFR 164.512(l):

A covered entity may disclose protected health information as authorized by and to the extent necessary to comply with laws relating to workers' compensation or other similar programs, established by law, that provide benefits for work-related injuries or illness without regard to fault.

The Office of Civil Rights of the U.S. Department of Health and Human Services (“HHS”) has published further advice on how the workers’ compensation Regulation works:

Covered entities are required reasonably to limit the amount of protected health information disclosed . . . to the minimum necessary to accomplish the worker’s compensation purpose. Under this requirement, protected health information may be shared for such purposes to the full extent authorized by State or other law.

In summary, to avoid needless and costly violations, employers and other covered entities must be constantly aware of the need to comply with multiple regulatory schemes that may govern PHI, beyond those of HIPAA and State laws governing PHI; there is not unlimited flexibility to disclose PHI even within the context of State-governed workers’ compensation matters. When the long-anticipated “mega-regulation” regarding HIPAA/HITECH is finally published by HHS, special attention must be given to potential changes that may further tighten the “minimum necessary" standards.