Data Privacy & Security

A U.S. Department of Health and Human Services (“HHS”) administrative law judge (“ALJ”) ordered the University of Texas MD Anderson Cancer Center (“MD Anderson”) last month to pay a $4,348,000 civil monetary penalty because of violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).  While the vast majority of enforcement actions taken against covered entities and business associates to date have been voluntary settlements, this action came in the form of summary judgment in favor of HHS.  MD Anderson has stated that it intends to appeal the ALJ’s decision.  If upheld, the civil monetary penalty would be the fourth-largest amount in HHS’s enforcement history.

The alleged HIPAA violations arose from three separate breaches reported by MD Anderson in 2012 and 2013, involving:  (1) the theft of an unencrypted laptop from the home of an MD Anderson physician and (2) the loss of two unencrypted thumb drives by MD Anderson personnel.  The lost devices in total contained the protected health information (“PHI”) of 34,883 patients, including information such as patient names, Social Security numbers, medical record numbers, and clinical and research information.

The ALJ’s sharp-tongued opinion provides several important reminders to covered entities and business associates with respect to HIPAA.

First, encryption is a strong mechanism for protecting organizations from breaches involving theft or loss of portable electronic devices.  Breach reports involving the loss or theft of portable electronic devices have triggered many of the HHS inquiries resulting in enforcement actions for HIPAA violations.  While the ALJ noted in his opinion that encryption is not specifically required by the HIPAA Security Rule, it is one way to help prevent reportable breaches involving the loss or theft of a portable electronic device containing PHI.

Second, the failure to implement approved security controls for the protection of PHI in a timely manner exposes organizations to significant risk.  The ALJ noted that MD Anderson first identified the need to encrypt its data in 2006—six years before the first breach reported in connection with the recent enforcement action occurred.  The ALJ stated that MD Anderson “delayed encryption of laptop devices for years, and then, proceeded with encryption at a snail’s pace.”  Indeed, MD Anderson had not encrypted all of its computers by January 2014.  Once MD Anderson decided to adopt encryption as its determined control for the protection of PHI on portable devices, according to the ALJ, “it was obligated to make it work.”  MD Anderson’s delay in fully implementing its encryption solution was ultimately found to be an aggravating factor supporting the reasonableness of the civil monetary penalty.

Third, establishing a HIPAA compliance program that exists solely on paper is not enough.  The 2006 edition of MD Anderson’s Information Resources Security Operations Manual required that data stored on laptops and other portable media be encrypted or protected with access controls.  In 2007, MD Anderson directed that confidential data should not be stored on portable devices, but that if it was, it must be encrypted using approved methods.  The ALJ was not persuaded by MD Anderson’s written commitments to encryption without follow-through on implementation and enforcement.

Fourth, organizations must consider how to sufficiently control PHI on portable electronic media purchased with technology stipends (sometimes called “Bring Your Own Devices” or “BYOD”).  One of the reported breaches that led to the recent enforcement action involved the theft of a laptop purchased by a physician with MD Anderson’s funds.  Because MD Anderson had not yet fully implemented its encryption plan in 2012 when the theft occurred, the laptop was not encrypted.  The laptop was not even password-protected.  Organization-issued laptops and other devices come standard with the organization’s access controls, including password protections, encryption, and other administrative controls preventing users from circumventing security efforts.  Organizations that offer technology stipends for the purchase of devices of the employees’ choosing should consider the mechanisms through which they should protect the security of the data accessed by such BYOD devices.  These could include, for example, mobile device management software or remote access controls that disallow storage of PHI on those devices, in addition to the policies and procedures governing the use of such devices.

Fifth, research data maintained by a covered entity must be protected in accordance with the HIPAA Privacy Rule and Security Rule.  MD Anderson argued that HIPAA did not apply to the data maintained on the lost and stolen devices because it was used in research, relying on preamble language that HIPAA does not apply to research records obtained by a researcher in its role as a researcher.  While MD Anderson attempted to read the pertinent preamble language broadly, the ALJ focused on the role of the institution conducting the research.  If the research was being conducted by a non-covered entity or non-business associate, that information would be subject to that narrow exception.  The ALJ suggested that a covered entity may be able to segregate its clinical functions from its research functions, which could be accomplished by a hybrid entity designation.  MD Anderson, however, did not argue that it segregated its clinical and research functions in this manner, resulting in the continued application of HIPAA to the data used for research.

HHS’s press release, the Notice of Proposed Determination, and the ALJ’s opinion are available here.

On April 4, 2018, the New Jersey Attorney General’s office announced a settlement with a large network of physicians affiliated with medical and surgical practices throughout New Jersey (the “Medical Group”) for health privacy and security violations related to a breach of more than 1,650 patient records.  The settlement for violations of the federal Health Insurance Portability and Accountability Act and its associated regulations (“HIPAA”) and New Jersey state law requires the Medical Group to pay $417,816 and implement a corrective action plan, including a comprehensive and thorough risk assessment, to improve its data privacy and security practices.

The breach occurred when its medical transcription company, an unrelated subcontractor with whom the Medical Group maintained a HIPAA business associate agreement, updated a file transfer protocol (“FTP”) site used for medical information storage.  In the process of implementing the update, the medical transcription company mistakenly removed password protection and allowed sensitive patient records to be accessed on the open internet.  Without the password protection in place, patient records could be accessed through Google searches for terms contained in the records themselves, as a web crawler from Google crawled and indexed the FTP site using an algorithmic process.

A patient discovered the breach when she found portions of her own medical records through a Google search.  The Medical Group then launched an internal investigation and notified state and federal law enforcement authorities.

The State of New Jersey has made it clear that it holds the Medical Group responsible for the breach, even though it was caused by a subcontractor.  The Acting Director of the New Jersey Division of Consumer Affairs stated:

Although it was a third-party vendor that caused this data breach, [Medical Group] is being held accountable because it was their patient data and it was their responsibility to protect it…. This enforcement action sends a message to medical practices that having a good handle on your own cybersecurity is not enough.  You must fully vet your vendors for their security as well.

It is no longer sufficient, if it ever was, for a covered entity (or upstream business associate) to rely solely on “satisfactory assurances” obtained pursuant to a written HIPAA business associate agreement that the business associate (or downstream business associate) will appropriately safeguard the health information shared with it.  This settlement clearly signals the need to vet a new vendor’s security practices and to continue ongoing vendor management and oversight during the course of the business relationship.

Venable’s healthcare practice group is continuously monitoring these issues and tracking the latest developments.  Please contact your Venable attorneys with any questions.

Under the HIPAA Breach Notification Rule, Covered Entities must report to the Secretary of the U.S. Department of Health and Human Services (HHS) breaches of unsecured protected health information affecting fewer than 500 individuals (“small breaches”) no later than 60 days after the end of the calendar year in which the breaches were discovered. This year’s small breach reporting deadline is Thursday, March 1, 2018. Covered Entities must submit their reports of small breaches discovered in 2017 electronically on the HHS Office for Civil Rights website (located here) if they have not done so already.

Recent enforcement actions highlight the importance of the timely reporting of small breaches to HHS and impacted individuals. For example, in a resolution agreement announced in 2017, a large healthcare system agreed to settle potential violations of the HIPAA Breach Notification Rule by paying $475,000 and implementing a two-year corrective action plan following one large breach and several small breaches. Moreover, earlier this month, a large kidney dialysis provider entered into a $3.5 million resolution agreement and a two-year corrective action plan with HHS to settle potential HIPAA violations stemming from five separate small breaches. (For more information regarding the settlement with the large dialysis provider, click here.)

Covered Entities should take note of the significance HHS places on timely breach reporting—even for breaches that are “small.”

Late last week, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) announced a $3.5 million settlement with a large provider of kidney dialysis services (the “Provider”) for multiple violations of the Health Insurance Portability and Accountability Act and its associated regulations (HIPAA).  In early 2013, the Provider filed five separate breach reports for incidents that occurred in 2012 and involved several of its facilities.  These breaches involved, among other things, theft of desktop computers from a medical office, theft of a USB drive from a workforce member’s car, loss of a computer hard drive, and theft of a laptop from a parked car.

As part of its settlement with OCR, the Provider entered into a corrective action plan (CAP) that requires the company to improve its policies and procedures for the protection of patient health information.  The CAP specifically requires the Provider to conduct a thorough, system-wide risk analysis of potential risks to and vulnerabilities of the confidentiality, integrity, and availability of its ePHI; review and revise its policies and procedures, including those concerning device and media controls and facility access controls; and revise and enhance its health privacy training program.

This settlement once again emphasizes the importance of a comprehensive, up-to-date risk analysis.  It also highlights the fact that mobile device privacy and security continue to be important issues for a range of healthcare providers.  Moreover, it is a reminder that OCR can, and does, take interest in smaller breaches.  Each of the five reported breaches affected fewer than 500 individuals.  Contact a member of Venable’s health law team to discuss how your organization can stay ahead of the curve in today’s enforcement environment.

Please find the OCR press release here.

Roughly seven months after the last announced settlement, the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services has announced a settlement of alleged violations of the Health Insurance Portability and Accountability Act (HIPAA). The first OCR settlement of 2018 concerns a HIPAA security breach of electronic data. At the same time, a recently announced settlement of a private class action against Aetna highlights the importance of HIPAA privacy and the continuing relevance of paper records.

The settlement concerns 21st Century Oncology, Inc. (21CO), a large oncology practice with treatment centers in 17 states and overseas. In 2015, 21CO was notified by the Federal Bureau of Investigation that its patient records had been compromised and were being sold illegally. In total, the records of 2,213,597 patients were affected. The information breached included names, social security numbers, diagnoses, treatments, and insurance information.


Last week, the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) released new guidance related to the sharing of mental health, behavioral health, and substance abuse disorder treatment information. The guidance focuses on how such information may be shared with the patient’s family and other caregivers under the Health Insurance Portability and Accountability Act (HIPAA) and 42 C.F.R. Part 2 (the regulations governing the use and disclosure of substance abuse treatment records) in various scenarios.

The guidance includes both fact sheets and decision trees and highlights several scenarios related to caregiver relationships, such as parents of teenage or adult children with mental health or substance abuse issues, parents serving as “personal representatives,” when parents can access minor children’s mental health information, and how to access treatment information about a loved one. The guidance additionally touches on opioid addiction, which is a key focus under the Trump Administration. In its corresponding press release, HHS reported that it will work to develop model training programs and materials for healthcare providers, patients, and their families pertaining to permitted uses and disclosures of mental and behavioral health information.

Venable’s Healthcare team has significant experience in health information privacy and security and will address any additional questions pertaining to the above. Please contact any of the authors if you have any questions.

No two health care companies are alike, but many face similar challenges when managing their data risk. Many of these challenges arise due to the competing desires with which every modern organization now struggles—one between innovation and growth on the one hand and compliance and legal risk on the other.

Specifically, the following five issues are top of mind:

  1. The tension between data growth and analytics and data minimization;
  2. Handling connected devices and mobile apps;
  3. Creating effective cross-functional privacy and security teams;
  4. The data implications of acquisitions; and
  5. Effective and tiered vendor management.

We discuss these issues and offer practical guidance on each.
