The laws, rules, and regulations regarding privacy and data security are changing throughout the world. In the United States, California recently passed the California Consumer Privacy Act (CCPA), which is due to take effect in 2020. In May 2018, Europe enacted the General Data Protection Regulation (GDPR), which introduced sweeping changes to EU privacy law and contains specific requirements regarding data security and safeguarding information. Brazil and India have respectively passed and proposed privacy laws that borrow heavily from the GDPR. Other countries and states are also in the process of implementing or updating their privacy and security laws. These laws will require organizations to ensure that privacy and data security—beyond just HIPAA—are key considerations in the early stages of new product and service development and throughout the life cycle of these products and services. Venable has compiled a helpful summary of the high-level privacy and security considerations to keep in mind while designing products and services and during the entire life cycle of those products and services. The considerations outlined below are drawn from certain common principles in these laws and should be used to help plan and manage new or materially changed products and services.
The U.S. Department of Health and Human Services Office for Civil Rights (OCR) announced last week that it entered into a Resolution Agreement with a Florida medical center (“Medical Center”) following allegations that the Medical Center failed to respond to a patient’s request for medical records in a timely fashion and in violation of the patient’s right to access such records under HIPAA. While the $85,000 settlement amount is relatively small in comparison to the seven-figure settlements that OCR has entered into in recent years, this enforcement action is notable for being the first related to OCR’s Right of Access Initiative launched earlier this year. The OCR Right of Access Initiative seeks to enforce patients’ right to receive copies of their medical records promptly and without being overcharged.
OCR initiated an investigation into the Medical Center following its receipt of a complaint from a mother who requested access to her unborn baby’s medical records under the HIPAA right of access. The HIPAA right of access extends to personal representatives of the patient, such as parents of minor children. The mother first requested access to her baby’s medical records in October 2017, at which point the Medical Center informed the mother that the records could not be found. The mother’s attorney subsequently requested the records on her behalf in January 2018 and again in February 2018. The Medical Center did not provide the mother with a complete set of records until August 2018, after she had already submitted her complaint to OCR and OCR’s investigation had commenced.
The Department of Health and Human Services Office for Civil Rights (OCR) has shown once again that it is willing to enforce HIPAA against business associates, as seen in a recent settlement. The settlement highlights the importance of thorough risk analysis conducted by business associates and covered entities, as required by the HIPAA Security Rule, and serves as an indication that OCR remains ready to exercise its authority to enforce HIPAA’s requirements for business associates. Following the settlement, OCR released a fact sheet that provides guidance for HIPAA compliance and direct liability for business associates.
On May 23, 2019, OCR announced a settlement with a business associate relating to a 2015 data breach. The business associate provides software to healthcare providers that allows patients to access and manage their electronic health records through a patient portal. The company has agreed to pay OCR $100,000 to settle potential violations of HIPAA.
In July 2015, the company filed a breach report with OCR following discovery that hackers had used a compromised user ID and password to access the electronic protected health information (ePHI) of approximately 3.5 million individuals. The hackers gained access to a server containing names, addresses, usernames, passwords, and health insurance information. An investigation by OCR revealed that the company did not conduct a comprehensive risk analysis prior to the breach. In addition to a $100,000 settlement with OCR, the company will also undergo a two-year corrective action plan that includes a complete, enterprise-wide risk analysis. As part of the corrective action plan, the company has agreed to:
Despite the announcement made last week by the Department of Health and Human Services Office for Civil Rights (OCR) about certain reduced penalty caps under the Health Insurance Portability and Accountability Act (HIPAA), OCR has shown in this week’s settlement that it still plans to vigorously enforce HIPAA.
New Maximum Annual Penalty Caps
On April 30, 2019, OCR announced in a Notification of Enforcement Discretion new annual penalty caps for identical violations of a requirement or prohibition under HIPAA. Specifically, under HIPAA, the penalty tiers are based on four levels of culpability. Until the announcement, the annual cap for identical violations was $1.5 million for every level of culpability. Now, after the announcement, only the last tier (willful neglect, not corrected) is subject to that higher cap of $1.5 million. The lower three tiers of culpability have lesser annual caps for identical violations—specifically, willful neglect, corrected: $250,000; reasonable cause: $100,000; and no knowledge: $25,000. The settlement announced this week signals that OCR is still willing to pursue enforcement of HIPAA violations and to seek big settlements for those violations.
A private practice (Practice) comprising three physicians has agreed to pay the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) $125,000 to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA). While the fine is small compared with OCR’s October announcement of the $16 million settlement with Anthem, it confirms OCR’s ongoing commitment to enforcing HIPAA compliance, regardless of an organization’s size or the number of impacted individuals. Additionally noteworthy is that this enforcement action originated with a civil rights complaint filed by the Connecticut Office of Protection and Advocacy for Persons with Disabilities with the U.S. Attorney’s Office for the District of Connecticut, which initiated a joint investigation into the matter with OCR.
In February 2015, a patient of the Practice contacted a local television station to inform a reporter of a dispute with one of the Practice’s physicians related to the patient’s service animal. When the reporter contacted the physician for comment, the physician responded to the inquiry and, in the process, released the patient’s PHI to the public, even though the Practice’s privacy officer counseled the physician not to respond to the reporter or to respond with “no comment.” OCR determined that the physician’s conversation with the media demonstrated reckless disregard for the patient’s privacy rights, and further found that the Practice failed to take corrective actions or sanction the physician following the impermissible disclosure.
After a relatively quiet start to 2018, the Office for Civil Rights within the U.S. Department of Health and Human Services (OCR) has had an incredibly busy week, with the announcement of a blockbuster settlement, an updated security risk assessment tool, and new priorities for the agency.
In a record-breaking settlement, Anthem, one of the nation’s largest health benefits companies, has agreed to pay OCR $16 million and take substantial corrective actions to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) after self-reporting a series of cyberattacks that resulted in the largest health information data breach in U.S. history. Notably, the breach included electronic protected health information (ePHI) that Anthem maintained as a business associate acting on behalf of its affiliated health plans, making this week’s enforcement action by OCR one of the few involving a business associate.
In March of 2015, Anthem filed a breach report with OCR informing the agency of its discovery that cyberattackers had gained access to its information technology (IT) systems through an undetected, continuous, and targeted cyberattack for the alleged purpose of extracting data. After filing the report, Anthem later discovered that the cyberattackers had infiltrated its IT systems through a phishing scam sent to one of its subsidiaries, initiated when at least one employee responded to a malicious e-mail.
Recently, the attorneys general of eleven states and the District of Columbia filed suit to challenge the Department of Labor’s (DOL) new association health plan (AHP) regulations (the “AG Litigation”). Although it is unclear at this time whether the AG Litigation will be successful in invalidating the regulations, it creates a potential impediment for a key aspect of the Trump administration’s effort to change the health insurance marketplace.
The AHP Regulations
An AHP is a group health plan that is sponsored by an association of employers and is treated as a single employee benefit plan for regulatory purposes. According to the DOL, AHPs offer small employers (and now self-employed individuals) the following key advantages over sponsoring a group health plan at the individual employer level (or procuring individual coverage):
- Because AHPs can negotiate with insurers or healthcare providers on behalf of the entire group (instead of each employer negotiating individually), the AHP will theoretically obtain lower premium rates; and
- Because AHPs typically have enough participants to qualify as a “large group” plan, an AHP is not subject to the more stringent Affordable Care Act (ACA) requirements imposed on plans in the “small group” and individual markets.
Although the concept of AHPs predates the DOL’s new regulations, associations had difficulty forming AHPs under prior law. Before the new regulations, an association could form an AHP only if it satisfied stringent “commonality of interest” standards. Those standards require that the association be formed for a purpose unrelated to the provision of benefits, and that it have a common economic or representational interest in a narrow sense. As a practical matter, few employers could satisfy these requirements, and AHPs have not been commonplace.
Last week, the Departments of Treasury, Labor, and Health and Human Services (the “Departments”) issued final regulations to redefine the meaning of “short-term, limited duration insurance” (“short-term insurance”). The controversial regulations are likely to expand the use of this limited form of health insurance among consumers who do not receive coverage through their employers.
The Affordable Care Act (“ACA”) imposes strict requirements on most individual health insurance coverage. Short-term insurance is exempt from most of those requirements. Significantly, short-term insurance (unlike other forms of individual insurance) is: (1) allowed to exclude or limit coverage for preexisting conditions; (2) not required to provide coverage for essential health benefits (such as coverage for emergency care, inpatient care, prescription drugs, and mental health services); and (3) permitted to impose annual and lifetime maximums to limit the amount that the insurance company pays.
A U.S. Department of Health and Human Services (“HHS”) administrative law judge (“ALJ”) ordered the University of Texas MD Anderson Cancer Center (“MD Anderson”) last month to pay a $4,348,000 civil monetary penalty because of violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). While the vast majority of enforcement actions taken against covered entities and business associates to date have been voluntary settlements, this action came in the form of summary judgment in favor of HHS. MD Anderson has stated that it intends to appeal the ALJ’s decision. If upheld, the civil monetary penalty would be the fourth-largest amount in HHS’s enforcement history.
The alleged HIPAA violations arose from three separate breaches reported by MD Anderson in 2012 and 2013, involving: (1) the theft of an unencrypted laptop from the home of an MD Anderson physician and (2) the loss of two unencrypted thumb drives by MD Anderson personnel. The lost devices in total contained the protected health information (“PHI”) of 34,883 patients, including information such as patient names, Social Security numbers, medical record numbers, and clinical and research information.
The ALJ’s sharp-tongued opinion provides several important reminders to covered entities and business associates with respect to HIPAA.
First, encryption is a strong mechanism for protecting organizations from breaches involving theft or loss of portable electronic devices. Breach reports involving the loss or theft of portable electronic devices have triggered many of the HHS inquiries resulting in enforcement actions for HIPAA violations. While the ALJ noted in his opinion that encryption is not specifically required by the HIPAA Security Rule, it is one way to help prevent reportable breaches involving the loss or theft of a portable electronic device containing PHI.
Second, the failure to implement approved security controls for the protection of PHI in a timely manner exposes organizations to significant risk. The ALJ noted that MD Anderson first identified the need to encrypt its data in 2006—six years before the first breach reported in connection with the recent enforcement action occurred. The ALJ stated that MD Anderson “delayed encryption of laptop devices for years, and then, proceeded with encryption at a snail’s pace.” Indeed, MD Anderson had not encrypted all of its computers by January 2014. Once MD Anderson decided to adopt encryption as its determined control for the protection of PHI on portable devices, according to the ALJ, “it was obligated to make it work.” MD Anderson’s delay in fully implementing its encryption solution was ultimately found to be an aggravating factor supporting the reasonableness of the civil monetary penalty.
Third, establishing a HIPAA compliance program that exists solely on paper is not enough. The 2006 edition of MD Anderson’s Information Resources Security Operations Manual required that data stored on laptops and other portable media be encrypted or protected with access controls. In 2007, MD Anderson directed that confidential data should not be stored on portable devices, but that if it was, it must be encrypted using approved methods. The ALJ was not persuaded by MD Anderson’s written commitments to encryption without follow-through on implementation and enforcement.
Fourth, organizations must consider how to sufficiently control PHI on portable electronic media purchased with technology stipends (sometimes called “Bring Your Own Devices” or “BYOD”). One of the reported breaches that led to the recent enforcement action involved the theft of a laptop purchased by a physician with MD Anderson’s funds. Because MD Anderson had not yet fully implemented its encryption plan in 2012 when the theft occurred, the laptop was not encrypted. The laptop was not even password-protected. Organization-issued laptops and other devices come standard with the organization’s access controls, including password protections, encryption, and other administrative controls preventing users from circumventing security efforts. Organizations that offer technology stipends for the purchase of devices of the employees’ choosing should consider the mechanisms through which they should protect the security of the data accessed by such BYOD devices. These could include, for example, mobile device management software or remote access controls that disallow storage of PHI on those devices, in addition to the policies and procedures governing the use of such devices.
Fifth, research data maintained by a covered entity must be protected in accordance with the HIPAA Privacy Rule and Security Rule. MD Anderson argued that HIPAA did not apply to the data maintained on the lost and stolen devices because it was used in research, relying on preamble language that HIPAA does not apply to research records obtained by a researcher in its role as a researcher. While MD Anderson attempted to read the pertinent preamble language broadly, the ALJ focused on the role of the institution conducting the research. If the research was being conducted by a non-covered entity or non-business associate, that information would be subject to that narrow exception. The ALJ suggested that a covered entity may be able to segregate its clinical functions from its research functions, which could be accomplished by a hybrid entity designation. MD Anderson, however, did not argue that it segregated its clinical and research functions in this manner, resulting in the continued application of HIPAA to the data used for research.
HHS’s press release, the Notice of Proposed Determination, and the ALJ’s opinion are available here.
Commissioner Scott Gottlieb of the U.S. Food and Drug Administration (“FDA”) stole the spotlight this past month when he delivered a speech discussing big promises from the agency regarding artificial intelligence (“AI”) in healthcare. “One of the most promising digital health tools is artificial intelligence, particularly efforts that use machine learning,” said Gottlieb when explaining that the FDA was “actively developing a new regulatory framework to promote innovation in this space.”
Indeed, this year the FDA has shown a lot of support for AI in healthcare by authorizing the marketing of several cutting-edge AI technologies—one of which was even permitted to be marketed without the requirement for additional clinician oversight.
In February, the FDA permitted marketing of clinical decision support software that uses algorithms to help neurovascular specialists arrive at answers more quickly and speed time to treatment for potential stroke patients.
Then in April, the FDA permitted marketing of the first device to use AI to detect a medical condition. Called IDx-DR, the device utilizes an AI algorithm to screen for diabetic retinopathy. This device is unique in that its results do not require additional review by a specialized clinician, which allows the test to be performed in a primary care setting. Like many devices in the digital health space, IDx-DR was reviewed through the FDA’s De Novo premarket review pathway, which is a way for new medical devices that present “a low to moderate risk to patients” and have no legally marketed predicate device on which to base a determination of substantial equivalence to be reclassified into Class I or Class II and avoid the need for a full Premarket Approval (“PMA”) application.
IDx-DR was also granted Breakthrough Device designation, which expedites the review of medical devices that provide for more effective treatment or diagnosis of life-threatening or irreversibly debilitating diseases or conditions. The FDA has consistently shared its intention to be flexible with digital health product developers whose software and devices do not fall neatly into the FDA’s well-established “product types.” Most recently, in May, the FDA permitted the marketing of OsteoDetect, an AI algorithm for aiding providers in the detection of wrist fractures by analysis of two-dimensional X-ray images.
These examples of successful utilization of the De Novo pathway and Breakthrough Devices program are likely to continue to encourage AI innovation by medical device and digital health companies, which can use these pathways as an FDA roadmap for obtaining marketing authorization of their own products.