Category Archives: Electronic Health Records

OCR’s latest expensive HIPAA lessons

On January 18, 2017, the Office for Civil Rights (OCR) announced a HIPAA settlement based on the disclosure of unsecured electronic protected health information (ePHI) by MAPFRE Life Insurance Company of Puerto Rico (MAPFRE) stored in a USB storage device.    Simply put, a thumb drive stolen in 2011 from MAPFRE’s IT department cost it an astounding $2.2 million as a “resolution amount” in addition to a fairly onerous corrective action plan.

Apparently, the fact that MAPFRE is the U.S. subsidiary of a large “global multinational insurance company headquartered in Spain” played some role in the harsh fine.  The USB data storage device included complete names, dates of birth and Social Security numbers and impacted 2,209 individuals.   Given that MAPFRE’s lack of encryption was an adverse mitigating factor for OCR, covered entities should bite the bullet and continue to encrypt all devices touching ePHI no matter what the budget constraints.

Another recent HIPAA settlement allowed OCR to shine a light on something else of concern to HHS, namely the need to report breaches within the 60-day reporting window applicable to breaches impacting 500 or more patients.  On January 9, 2017, OCR issued a press release that says it all:  “First HIPAA enforcement action for lack of timely breach notification settles for $475,000”.  Rather than report within 60 days, Presence Health – a large health care network serving Illinois, took 104 days to report the loss of “paper-based operating room schedules, which contained the PHI of 836 individuals.”  A spokesman from Presence Health said in a statement that contact and financial information were not even compromised.

As done in the past when it came to the need for properly-worded business associate agreements, undergoing a comprehensive risk analysis, and cooperating in investigations, covered entities should be appreciate the examples made of MAPFRE and Presence Health – encrypt and timely report after a breach.

OCR focuses on HIPAA business associate agreements with $750,000 settlement

On April 20, 2016, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) announced that provider group Raleigh Orthopaedic Clinic, P.A. of North Carolina (“Raleigh Orthopaedic”) agreed to pay $750,000 to settle charges that it potentially violated the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy Rule “by handing over protected health information (“PHI”) for approximately 17,300 patients to a potential business partner without first executing a business associate agreement.”

OCR initiated its investigation of Raleigh Orthopaedic following receipt of a “breach report” on April 30, 2013.  OCR’s investigation indicated that Raleigh Orthopaedic released x-ray films and related protected health information of 17,300 patients to an entity contracted to transfer the x-ray images to electronic media in exchange for harvesting the silver from the films.  Raleigh Orthopedic did not execute a business associate agreement with this entity prior to turning over the x-rays and PHI.

In addition to the $750,000 payment, Raleigh Orthopaedic ultimately agreed to revise its policies and procedures to: “establish a process for assessing whether entities are business associates; designate a responsible individual to ensure  business associate agreements are in place prior to disclosing PHI to a business associate; create a standard template business associate agreement; establish a standard process for maintaining documentation of a business associate agreements for at least six (6) years beyond the date of termination of a business associate relationship; and limit disclosures of PHI to any business associate to the minimum necessary to accomplish the purpose for which the business associate was hired.”

Raleigh Orthopaedic would have avoided a fine of $750,000, devoting time to a three-year investigation, and the stigma of a Corrective Action Plan if only someone on staff ensured that released PHI was subject to a properly worded business associate agreement. Given that HHS even offers model business associate agreement language there is really no excuse for any covered entity or business associate not to use this simply contractual safeguard — especially given that it is mandated.  Moreover, there really is no excuse for not having a standard process in place that documents the use and maintenance of business associate agreements — even the smallest of practice groups has an office manager who could implement this process.

OCR Privacy and Security Audits Round Two

On the heels of two recently announced settlements that should serve as wake up calls for covered entities, the Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) announced on March 21, 2016 that it will be conducting “Phase Two” of its audits of covered entities and their business associates.  According to the announcement, such audits “are an important compliance tool for OCR that supplements OCR’s other enforcement tools, such as complaint investigations and compliance reviews.”

This Phase Two will be quite comprehensive in scope — with a not-so-subtle threat to those who ignore the initial data gathering used to determine the “pool” of audit participants.  Specifically, the process begins with verification of an entity’s address and contact information by sending emails to covered entities and business associates with a request that full contact information be provided to OCR in a timely manner.   OCR will then transmit “a pre-audit questionnaire to gather data about the size, type, and operations of potential auditees; this data will be used with other information to create potential audit subject pools.”

If an entity does not respond to the initial request to verify contact information or the pre-audit questionnaire, OCR will simply use publicly available information about the entity to create its own audit subject pool.  As set forth in the announcement, “an entity that does not respond to OCR may still be selected for an audit or subject to a compliance review.”

According to OCR, information gleaned from the audits will be used to “develop tools and guidance to assist the industry in compliance self-evaluation and in preventing breaches.”   Dangling what it considers a carrot to participants, OCR further explains that it will “broadly identify best practices gleaned through the audit process and will provide guidance targeted to identified compliance challenges.”

Of significance to this entire audit process is the fact that HHS “is responsible for the on-site auditors.  Neither covered entities nor their business associates are responsible for the costs of the audit program.”    This may actually turn out to be a harbinger of bad things to come for certain covered entities and business associates.  Similar to those “fine-funded” EU Data Protection Agencies such as the Spanish agency that has gone after Google for the past several years, OCR will likely hit hard in order to justify its audit budget.   Ultimately, in the same way a good accountant can mitigate an IRS audit, covered entities and business associates must rely on seasoned counsel as early as possible in the audit process in order to ensure a good learning experience does not morph into a financial hardship.  Simply put, before one of these letters come in the mail, make sure you have your counsel lined up.

Recent HIPAA settlements are wake up calls

On March 16, 2016, the Office for Civil Rights (“OCR”) announced its $1.55 million Resolution Agreement and Corrective Action Plan with North Memorial Health Care of Minnesota.  North Memorial  agreed to settle charges that it potentially violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules by failing to implement a business associate agreement with a major contractor and failing to institute an organization-wide risk analysis to address the risks and vulnerabilities to its patient information.

OCR initiated its investigation of North Memorial following receipt of a report on September 27, 2011, which indicated that “an unencrypted, password-protected laptop was stolen from a business associate’s workforce member’s locked vehicle, impacting the electronic protected health information (ePHI) of 9,497 individuals.”

The investigation indicated that North Memorial gave its business associate, Accretive, access to North Memorial’s hospital database, which stored the ePHI of 289,904 patients. OCR further determined that North Memorial failed to complete a risk analysis to address all of the potential risks and vulnerabilities to the ePHI that it maintained, accessed, or transmitted across its entire IT infrastructure – “including but not limited to all applications, software, databases, servers, workstations, mobile devices and electronic media, network administration and security devices, and associated business processes.”

In addition to the $1,550,000 payment, North Memorial is required to develop “an organization-wide risk analysis and risk management plan, as required under the Security Rule.”  North Memorial will also train appropriate workforce members on “all policies and procedures newly developed or revised pursuant to this corrective action plan.”

In by now typical fashion, OCR announced another settlement right after the North Memorial settlement.

On March 17, 2016, the OCR announced its $3.9 million HIPAA settlement with the biomedical research institute, Feinstein Institute for Medical Research.  Feinstein settled potential HIPAA violations by agreeing to undertake a substantial corrective action plan.  OCR’s investigation began after Feinstein filed a report indicating that on September 2, 2012, a laptop computer containing ePHI of approximately 13,000 patients and research participants was stolen from an employee’s car. The ePHI stored in the laptop included “names of research participants, dates of birth, addresses, social security numbers, diagnoses, laboratory results, medications, and medical information relating to potential participation in a research study.”

OCR’s investigation discovered that Feinstein’s security management process was “limited in scope, incomplete, and insufficient to address potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by the entity.” Further, Feinstein lacked “policies and procedures for authorizing access to ePHI by its workforce members, failed to implement safeguards to restrict access to unauthorized users, and lacked policies and procedures to govern the receipt and removal of laptops that contained ePHI into and out of its facilities.”

The Feinstein and North Memorial settlements are obvious wake-up calls.

First, OCR apparently has no problem whatsoever finding that research institutions are covered entities even though such organizations may not squarely fit into the provider, health plan or clearinghouse bucket for all their activities.  See 45 C.F.R. § 160.103.   As set forth by the OCR Director Jocelyn Samuels in the press release, “For individuals to trust in the research process and for patients to trust in those institutions, they must have some assurance that their information is kept private and secure.”

Second, it is much preferable to hire legal counsel and spend several thousand dollars on a good business associate agreement and perhaps $20,000 on a comprehensive risk analysis than it is to pay $1.55 million on an OCR settlement.

And finally, train employees on proper handling of laptops and make sure your laptops are encrypted just in case they are ever lost or stolen.  In both cases, the actual trigger leading to these seven figure settlements was a breach report sent to OCR because of a laptop stolen from a car.

OCR: Lost Records of 192 Patients = $1 million

On the heels of the Cignet Health CMP, the OCR has just announced a Resolution Agreement with Massachusetts General that includes a $1 million “resolution amount”.  Under this Resolution Agreement, Mass General is also required to develop and implement “a comprehensive set of policies and procedures to safeguard the privacy of its patients.”

According to the OCR’s Resolution Agreement dated February 14, 2011, the incident giving rise to the agreement involved the loss of protected health information of 192 patients of Mass General’s Infectious Disease Associates outpatient practice, including patients with HIV/AIDS.   Specifically, the facts (as recited in the Resolution Agreement) are as follows:

On March 6, 2009, an MGH employee removed from the MGH premises documents containing protected health information (“PHI”). The MGH employee removed the PHI from the MGH premises for the purpose of working on the documents from home. The documents consisted of billing encounter forms containing the name, date of birth, medical record number, health insurer and policy number, diagnosis and name of provider of 66 patients and the practice’s daily office schedules for three days containing the names and medical record numbers of 192 patients.

On March 9, 2009, while commuting to work on the subway, the MGH employee removed the documents containing PHI from her bag and placed them on the seat beside her. The documents were not in an envelope and were bound with a rubber band. Upon exiting the train, the MGH employee left the documents on the subway train and they were never recovered.  These documents contained the PHI of 192 individuals.

In other words, HHS has just determined that employee negligence of the most common variety is worth a cool $1 million.   Enough said.

OCR Gets Serious: $4.3 Million Penalty Under Privacy Rule

As shown by yesterday’s press release and this morning’s email blast, OCR is certainly eager to let the world know that it just issued a Notice of Final Determination and Notice of Proposed Determination finding that Cignet Health violated the HIPAA Privacy Rule to the tune of $4.3 million dollars.

According to yesterday’s Associated Press news feed that blanketed the news outlets as well as fed many privacy blogs, Cignet Health “is a Christian-influenced medical service, has four locations in Prince George’s County, in southern Maryland just outside Washington.”   And, according to its website, “[t]he focus of Cignet health center is to minister to the whole person, both spiritually and physically. Our desire is to help the sick and suffering people the best way we can to the glory of God.”   Cignet Health offers health plans in Nigeria as well as Ghana and acts as “a patient-Provider advocacy alternative to other healthcare presently available in the healthcare market today.”

It is unknown whether this apparently small-scale operation is equipped to pay a $4.3 million penalty.  Frankly, it is pretty surprising that such a small healthcare player has the honor of being the very first CE in which HHS has imposed a civil money penalty (CMP) for alleged  violations of the HIPAA Privacy Rule.  As well, this CMP is the first one based on the “violation categories and increased penalty amounts authorized under the Health Information Technology for Economic and Clinical Health (HITECH) Act.”  The HITECH Act has certainly seen noteworthy action given the Connecticut AG’s HITECH Act penalties against Health Net – the first time a state has used the HITECH Act to settle a data breach claim — as well as the enforcement of the HITECH Act’s public disclosure of data breaches.  Cignet Health, however, did not sustain a data breach so the huge penalty is curious to say the least.

What exactly did Cignet Health do?  For starters, it did NOT breach the privacy rights of its patients in any traditional sense.  Unlike with the Health Net breach or the HITECH publications of breaches, this incident involved a more vanilla HIPAA violation.  According to the OCR:

In a Notice of Proposed Determination issued Oct. 20, 2010, OCR found that Cignet violated 41 patients’ rights by denying them access to their medical records when requested between September 2008 and October 2009.  These patients individually filed complaints with OCR, initiating investigations of each complaint.  The HIPAA Privacy Rule requires that a covered entity provide a patient with a copy of their medical records within 30 (and no later than 60) days of the patient’s request. The CMP for these violations is $1.3 million.

During the investigations, Cignet refused to respond to OCR’s demands to produce the records.  Additionally, Cignet failed to cooperate with OCR’s investigations of the complaints and produce the records in response to OCR’s subpoena.  OCR filed a petition to enforce its subpoena in United States District Court and obtained a default judgment against Cignet on March 30, 2010.  On April 7, 2010, Cignet produced the medical records to OCR, but otherwise made no efforts to resolve the complaints through informal means.

OCR also found that Cignet failed to cooperate with OCR’s investigations on a continuing daily basis from March 17, 2009, to April 7, 2010, and that the failure to cooperate was due to Cignet’s willful neglect to comply with the Privacy Rule.  Covered entities are required under law to cooperate with the Department’s investigations.  The CMP for these violations is $3 million.

In other words, Cignet Health failed to give 41 patients copies of their records on a timely basis and then “failed to cooperate with OCR’s investigations” after complaints were filed by these patients.   Although OCR points out in its Notice of Proposed Determination that the boxes provided to OCR by Cignet Health “also contained the medical records of approximately 4,500 individuals for whom OCR made no request or demand and for whom Cignet had no basis for the disclosure of their protected health information to OCR” this inadvertent disclosure was not the basis of the CMP.

This Cignet Health result is in contrast to the non-CMP “resolution amount” of $100,000 issued to Providence Health in 2008 for alleged HIPAA privacy violations involving unprotected backup tapes, optical disks and laptops that compromised the protected health information of more than 386,000 patients.  HHS publicly stated there was no need for a CMP given the level of cooperation given during the investigation.  Providence Health did, however, sustain significant defense costs and a corrective action plan that brought that $100,000 fee into the millions.

The lesson here is that if called upon to respond to an investigation, do it.  Based on the Cignet Health result and public statements made by OCR personnel at various privacy seminars, OCR certainly places a significant premium on what it perceives to be good faith during an investigation.  As well, be ready to smile into the camera because the OCR is obviously launching into an aggressive enforcement campaign in 2011 and beyond.   For example, the OCR email missive of February 23, 2011 includes the following appeal to potential claimants and whistleblowers:

If you believe that a person or organization covered by the Privacy and Security Rules (a “covered entity”) violated your health information privacy rights or otherwise violated the Privacy or Security Rules, you may file a complaint with OCR.  For additional information about how to file a complaint, visit OCR’s web page on filing complaints at http://www.hhs.gov/ocr/privacy/hipaa/complaints/index.html.

Make no mistake about it:  The OCR is HHS’s enforcement arm and is looking to knock some heads together and make some money for the boss.  And, the tools, i.e., the HITECH Act and accompanying regs, are now in place to make that Supranos moment a reality.

A Data Security Trend For 2011: The Data Threat Hype Continues

The new year appears to be continuing a trend begun in 2008 — ever increasing hype concerning the level of data security threats faced by public and private entities.  This hype is not just about increasing public breach disclosures (which have primarily been driven by the increase in breach notification laws) given it also manifests in:   the perceived threat of involuntary corporate transparency brought into public view by the “Wikileaks Effect”, the fact that papers such as the LA Times are able to report as true the powerful Stuxnet worm was able to trim years off of the Iranian nuclear program, and the fact that the Organisation for Economic Co-operation and Development (OECD), in a recent report, paints a picture of a world where “[p]reventative and detective security technologies will not provide protection against all the threats [so] considerable effort will be needed to mitigate and recover from losses.”  OECD Report (dated 14 January 2011) at 82.

For example, in the LA Times article, the Stuxnet worm was removed from its unique Iranian context and given broad scare appeal:  “Now that Stuxnet is in the public domain, experts are deeply concerned that hackers, criminals or terrorist groups could use some of the vulnerabilities it reveals to attack systems that control power grids, chemical plants and air traffic control.”

Third-party threats have indeed shifted but that shift took place over five years ago – when organized crime realized that stealing data could be more lucrative — and much safer — than traditional criminal activity.  The ego-driven hackers of yesterday may still exist in the form of the hackavists of today but they remain a minor threat compared to the threats driven by organized crime.  But that is not something new.

On the other hand, the hype that has filled the data security landscape has only risen to a fever pitch these past several years.  Not exactly sure why this is happening.  It may be the fact that more big business has entered the data security consulting/technology space – well equipped with PR firms in tow.  It may be because news organizations have found a new bogeyman that can help drive sales.  It may just be the case reporters and pundits truly feel the hype is justified.

No matter what the cause, one thing is for certain.  This hype does not help companies or governments better protect themselves.  Employees faced with this barrage of hype may be just a bit more lax — thinking there is little they can really do to prevent a theft.  This would be a grave mistake given that a significant source of data loss incidents is directly tied to employee negligence.   As well, if hype causes a CFO to think that state-sponsored incidents such as Stuxnet may be an imminent threat, he or she may suggest diverting resources from more important initiatives like employee training.

There are obviously ongoing data security threats faced by companies that are very real and not going away any time soon.  Marching into 2011, focused companies will weed the hype and address these many challenges utilizing a cost-effective risk management approach.   And, should they need legal or consultative advice, they will choose seasoned partners with the lowest volume setting.  Smart companies realize that succumbing to the hype is a zero-sum endeavor that will only benefit those who feed off the hype.

PC World: Self-Encrypted Drives Set to Become Standard Fare

Although they have been out now for a few years, it is only recently that manufacturers have decided to mass market self-encrypting hard drives, i.e., drives that have integrated keys within their chip set.  According to standards experts quoted in a recent PC World article, in a few years, companies will be relying on self-encrypting drives “and you won’t even realize it-because it will be so pervasive. The encryption just works, it doesn’t impact you.”

Companies looking to better navigate notification breach safe harbors and any recently enacted security standards should take an immediate hard look at deploying laptops, desktops, and storage devices using this relatively painless way of encrypting sensitive data.  That hard look should especially be taken by firms looking to comply with state laws such as the Massachusetts Data Protection Law or steer clear of possible penalties available under the HITECH Act.

Ponemon Institute: Lost Laptops Cost Billions

The Ponemon Institute’s latest report, “The Billion Dollar Laptop Study,” shows that 329 organizations surveyed lost more than 86,000 laptops over the course of a year.  Based on these findings and an earlier survey that put the average cost of lost laptop data at $49,246, the total cost amounts to more than $2.1 billion or $6.4 million per organization.

Some other key findings of the report:  (1)  while 46 percent of the lost systems contained confidential data, only 30 percent of those systems were encrypted; (2) only 10 percent had any other anti-theft technologies; and (3) 71 percent of laptops lost were not backed up so all work in progress was lost.

At the release media event reported on by InformationWeek, Larry Ponemon explained that most of the cost “is linked to the value of intellectual property on these laptops and the fees associated with data breaches and statutory notification requirements.”   During this same press conference, Ponemon recounted interviewing one woman at a company who had lost 11 laptops in two years:  “She claimed she wasn’t really that careful with laptops because the only way she could get a better one was to lose it.”

It is this disconnect — the value of the information lost vs. the relative interest in the user in protecting such information — that becomes the ultimate challenge faced by most firms.   Employee training remains the front line in addressing this challenge but having employees pay for their lost corporate laptops may actually yield more desirable results.   It would be interesting to have the next Ponemon lost laptop study include the ratio of lost business laptops compared to lost personal laptops, i.e., those actually purchased by an employee.

IW: CIOs See Smartphones As Data Breach Time Bomb

As recently reported by InformationWeek, a study conducted by market researcher Ovum and the European Association for e-Identity and Security found that eight out of 10 CIOs believe using smartphones in the workplace increases their firm’s vulnerability to attack.  Although these CIOs rank data breaches as their top related security concern, half of the organizations acknowledge that they fail to provide some basic security measures for the use of smartphones.

This report should be of major concern to doctors and lawyers — two groups of professionals that rely heavily on the use of smartphones to manage their workloads.    At the very least, an easily applied security precaution for smartphones should be the use of a strong password that is changed every 60 days or sooner.  Two-factor authentication is preferable.   Users should back up data regularly and not have it remain solely on a mobile device – unfortunately, default settings can have the communications emanating from your mobile device remain resident solely on a mobile network.  Make sure your mobile device is equipped with anti-virus protection and if you receive an e-mail from a company or person that you’re not familiar with, do what you do on your work computer – just delete it.   Use your idle timer feature to lock down your smartphone as you would your laptop.  

If you have an IT support team (in-house or outsourced), make sure it keeps your operating system and server patches up to date and strictly enforces what applications can be used and what connections can be accessed.   What OS is even used may impact security.   For example, researchers have recently discovered flaws in the WebOS smartphone platform that could let an attacker build a mobile botnet or execute other remote attacks.  More advanced security features include the use of remote wiping applications, encryption and data loss/leak prevention tools.  

Notwithstanding the fact it can also place a call, the key to improving your security posture is to respect the fact your mobile smartphone is now no different from any other computer you use at work.  Act accordingly.