Data Privacy & Security

A Pennsylvania resident (“Plaintiff”) has filed a class action complaint (the “Complaint”) in the United States District Court for the Central District of California against Sunshine Behavioral Health Group LLC (“Sunshine Behavioral”), which operates drug and alcohol addiction rehabilitation centers. The Complaint alleges, among other things, violations of the California Consumer Protection Act (Cal. Civ. Code § 1798.100, et seq.) (“CCPA”) in connection with a September 2019 data breach. The Complaint alleges that Sunshine Behavioral violated the CCPA by exposing class members’ personal and health information because of a failure to “implement and maintain reasonable security procedures and practices appropriate to the nature and protection of that information.” Plaintiff seeks injunctive relief enjoining further violation of the CCPA, as well as potential “actual, punitive, and statutory damages[.]” The Complaint further alleges that, although Sunshine Behavioral was made aware of the data breach in September 2019, it failed to provide affected individuals and the California Attorney General notice of the breach until January 21, 2020.

The CCPA offers a limited private right of action to consumers “whose nonencrypted or nonredacted personal information . . . is subject to an unauthorized access and exfiltration, theft, or disclosure” resulting from a failure to implement reasonable security measures. Except for specific pecuniary damages, however, plaintiffs may only seek damages after notifying defendant of the purported violation and allowing 30 days to cure the violation.

Continue Reading Former Patient Brings Class Action Against Rehab Center Under CCPA’s Private Right of Action

It has been a busy last few weeks at the U.S. Department of Health and Human Services Office for Civil Rights (OCR). OCR has announced four new enforcement actions, the most recent of which is rooted in a healthcare provider’s failure to properly identify and report a breach of protected health information (PHI), and the others in healthcare providers’ failure to conduct thorough, enterprise-wide HIPAA security risk analyses.

Interestingly, the actions involve a varied group of healthcare providers, from a state health services agency to a multi-hospital system—only two of which decided to enter into settlement agreements with OCR. Despite the differences in the healthcare providers and their approaches to reaching a resolution, the enforcement actions provide several key takeaways for other covered entities and business associates.
Continue Reading Spate of New OCR HIPAA Enforcement Actions Confirms the Importance of (No Surprise!) Conducting a Thorough Risk Assessment and Prompt Breach Reporting

The laws, rules, and regulations regarding privacy and data security are changing throughout the world. In the United States, California recently passed the California Consumer Privacy Act (CCPA), which is due to take effect in 2020. In May 2018, Europe enacted the General Data Protection Regulation (GDPR), which introduced sweeping changes to EU privacy law and contains specific requirements regarding data security and safeguarding information. Brazil and India have respectively passed and proposed privacy laws that borrow heavily from the GDPR. Other countries and states are also in the process of implementing or updating their privacy and security laws. These laws will require organizations to ensure that privacy and data security—beyond just HIPAA—are key considerations in the early stages of new product and service development and throughout the life cycle of these products and services. Venable has compiled a helpful summary of the high-level privacy and security considerations to keep in mind while designing products and services and during the entire life cycle of those products and services. The considerations outlined below are drawn from certain common principles in these laws and should be used to help plan and manage new or materially changed products and services.

Continue Reading Global Privacy and Security by Design Considerations

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) announced last week that it entered into a Resolution Agreement with a Florida medical center (“Medical Center”) following allegations that the Medical Center failed to respond to a patient’s request for medical records in a timely fashion and in violation of the patient’s right to access such records under HIPAA. While the $85,000 settlement amount is relatively small in comparison to the seven-figure settlements that OCR has entered into in recent years, this enforcement action is notable for being the first related to OCR’s Right of Access Initiative launched earlier this year. The OCR Right of Access Initiative seeks to enforce patients’ right to receive copies of their medical records promptly and without being overcharged.

The Settlement

OCR initiated an investigation into the Medical Center following its receipt of a complaint from a mother who requested access to her unborn baby’s medical records under the HIPAA right of access. The HIPAA right of access extends to personal representatives of the patient, such as parents of minor children. The mother first requested access to her baby’s medical records in October 2017, at which point the Medical Center informed the mother that the records could not be found. The mother’s attorney subsequently requested the records on her behalf in January 2018 and again in February 2018. The Medical Center did not provide the mother with a complete set of records until August 2018, after she had already submitted her complaint to OCR and OCR’s investigation had commenced.

Continue Reading New HIPAA Settlement Is the First under OCR’s Right of Access Initiative

The Department of Health and Human Services Office for Civil Rights (OCR) has shown once again that it is willing to enforce HIPAA against business associates, as seen in a recent settlement. The settlement highlights the importance of thorough risk analysis conducted by business associates and covered entities, as required by the HIPAA Security Rule, and serves as an indication that OCR remains ready to exercise its authority to enforce HIPAA’s requirements for business associates. Following the settlement, OCR released a fact sheet that provides guidance for HIPAA compliance and direct liability for business associates.

Recent Settlement

On May 23, 2019, OCR announced a settlement with a business associate relating to a 2015 data breach. The business associate provides software to healthcare providers that allows patients to access and manage their electronic health records through a patient portal. The company has agreed to pay OCR $100,000 to settle potential violations of HIPAA.

In July 2015, the company filed a breach report with OCR following discovery that hackers had used a compromised user ID and password to access the electronic protected health information (ePHI) of approximately 3.5 million individuals. The hackers gained access to a server containing names, addresses, usernames, passwords, and health insurance information. An investigation by OCR revealed that the company did not conduct a comprehensive risk analysis prior to the breach. In addition to a $100,000 settlement with OCR, the company will also undergo a two-year corrective action plan that includes a complete, enterprise-wide risk analysis. As part of the corrective action plan, the company has agreed to:

Continue Reading Recent Settlement with OCR and New OCR Fact Sheet Serve as Reminders That Business Associates Have Direct Liability under HIPAA

A private practice (Practice) comprising three physicians has agreed to pay the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) $125,000 to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA). While the fine is small compared with OCR’s October announcement of the $16 million settlement with Anthem, it confirms OCR’s ongoing commitment to enforcing HIPAA compliance, regardless of an organization’s size or the number of impacted individuals. Additionally noteworthy is that this enforcement action originated with a civil rights complaint filed by the Connecticut Office of Protection and Advocacy for Persons with Disabilities with the U.S. Attorney’s Office for the District of Connecticut, which initiated a joint investigation into the matter with OCR.

In February 2015, a patient of the Practice contacted a local television station to inform a reporter of a dispute with one of the Practice’s physicians related to the patient’s service animal. When the reporter contacted the physician for comment, the physician responded to the inquiry and, in the process, released the patient’s PHI to the public, even though the Practice’s privacy officer counseled the physician not to respond to the reporter or to respond with “no comment.” OCR determined that the physician’s conversation with the media demonstrated reckless disregard for the patient’s privacy rights, and further found that the Practice failed to take corrective actions or sanction the physician following the impermissible disclosure.

Continue Reading Small Physician Practice Settles with OCR: Yet Another Reminder of the Perils of Responding to Patient Complaints in a Public Forum

After a relatively quiet start to 2018, the Office for Civil Rights within the U.S. Department of Health and Human Services (OCR) has had an incredibly busy week, with the announcement of a blockbuster settlement, an updated security risk assessment tool, and new priorities for the agency.

Anthem Settlement

In a record-breaking settlement, Anthem, one of the nation’s largest health benefits companies, has agreed to pay OCR $16 million and take substantial corrective actions to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) after self-reporting a series of cyberattacks that resulted in the largest health information data breach in U.S. history. Notably, the breach included electronic protected health information (ePHI) that Anthem maintained as a business associate acting on behalf of its affiliated health plans, making this week’s enforcement action by OCR one of the few involving a business associate.

In March of 2015, Anthem filed a breach report with OCR informing the agency of its discovery that cyberattackers had gained access to its information and technology (IT) systems through an undetected continuous and targeted cyberattack for the alleged purpose of extracting data. After filing the report, Anthem later discovered that the cyberattackers had infiltrated its IT systems through a phishing scam sent to one of its subsidiaries that was initiated by at least one employee responding to a malicious e-mail.

Continue Reading A Busy Week at OCR: The Anthem Settlement, an Updated Security Risk Assessment Tool, and New Priorities for OCR

A U.S. Department of Health and Human Services (“HHS”) administrative law judge (“ALJ”) ordered the University of Texas MD Anderson Cancer Center (“MD Anderson”) last month to pay a $4,348,000 civil monetary penalty because of violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). While the vast majority of enforcement actions taken

On April 4, 2018, the New Jersey Attorney General’s office announced a settlement with a large network of physicians affiliated with medical and surgical practices throughout New Jersey (the “Medical Group”) for health privacy and security violations related to a breach of more than 1,650 patient records. The settlement for violations of the federal Health

Under the HIPAA Breach Notification Rule, Covered Entities must report to the Secretary of the U.S. Department of Health and Human Services (HHS) breaches of unsecured protected health information affecting fewer than 500 individuals (“small breaches”) no later than 60 days after the end of the calendar year in which the breaches were discovered. This