HIPAA and $15 Million in 2016

For years, many questioned whether the HIPAA privacy and security rules would be enforced. The agency responsible for enforcement, Health and Human Services’ Office for Civil Rights (OCR), promised it would enforce the rules, but only after a period of “soft” enforcement and compliance assistance. That period appears to be ending. During the first seven months of 2016, OCR has announced nearly $15,000,000 in settlement payments to the agency relating to a wide range of compliance failures alleged against covered entities and business associates. At the same time, OCR is conducting audits of covered entities around the country, and plans similar audits of business associates later this year. If you have been waiting to tackle HIPAA compliance, it is probably a good time to get it done.

Below is a summary of the circumstances that led to some of the settlements and civil monetary penalties:

  • Stolen laptop, vulnerable wireless access. Following notification to OCR of a breach involving a stolen laptop (not an uncommon occurrence!), OCR investigated and reported discovering that electronic protected health information (ePHI) on the covered entity’s network drive was vulnerable to unauthorized access via its wireless network – users could access 67,000 files after entering a generic username and password. OCR also cited, among other things, failures to implement policies and procedures to prevent, detect, contain, and correct security violations, and to implement certain physical safeguards. Settlement: $2.75M.
  • Vulnerabilities identified must be timely addressed. In another case, a covered entity had conducted a number of risk analyses since 2003, but OCR claimed these analyses did not cover all ePHI at the entity. OCR also reported that the covered entity did not act in a timely manner to implement measures addressing documented risks and vulnerabilities, nor did it implement a mechanism to encrypt and decrypt ePHI or an equivalent alternative measure, despite having identified this lack of encryption as a risk. Settlement: $2.7M.
  • Not-for-profits serving underserved communities not immune. A data breach affecting just over 400 persons, caused by the theft of a company-issued iPhone, triggered an OCR investigation. The iPhone was unencrypted and not password protected, and contained extensive ePHI including SSNs, medical diagnoses, and names of family members and legal guardians. According to OCR, among other things, the covered entity had no policies addressing the removal of mobile devices containing PHI from its facility or what to do in the event of a security incident. In its public announcement, OCR acknowledged that the $650,000 settlement amount was reached after considering that the covered entity provides unique and much-needed services to elderly and developmentally disabled individuals, young adults aging out of foster care, and individuals living with HIV/AIDS.
  • No business associate agreement. When a covered entity’s business associate experienced a breach affecting over 17,000 patients, OCR again investigated. It claimed no business associate agreement was in place, leaving PHI without safeguards and vulnerable to misuse or improper disclosure. Settlement: $750,000.
  • Civil monetary penalties against home care provider. In only the second case in which OCR has sought civil penalties under HIPAA, a judge awarded $239,800 in penalties due to privacy and security compliance failures. In this case, a patient complaint led to an OCR investigation – the patient complained that an employee of the covered entity left PHI in places where unauthorized persons had access and in some cases abandoned the information altogether. Other compliance issues included the covered entity’s maintaining inadequate policies and procedures to safeguard PHI taken offsite, and storing PHI in employee vehicles for extended periods of time.

It is true that these are only a handful of cases with large settlement amounts. But the agency does seem to be sending a message – that is, it wants to see compliance and it is not afraid to seek significant settlement amounts from covered entities or business associates, large or small. In some cases, relatively simple steps, such as making sure business associate agreements are in place, can help avoid these kinds of enforcement actions.

The Privacy Shield Is Finally Here

Earlier today the European Union and U.S. officials announced the final approval of the EU-U.S. Privacy Shield data transfer agreement (“the Privacy Shield”).  Beginning August 1, 2016, organizations based in the U.S. will be able to self-certify their compliance with the Privacy Shield.

The Privacy Shield is meant to replace the EU-U.S. Safe Harbour agreement, which was invalidated on October 6, 2015, by the Court of Justice of the European Union’s (CJEU) ruling in Schrems v. Data Protection Commissioner. Since Schrems, U.S. companies have been unclear about how to transfer data out of the EU in a compliant manner. The final approval of the Privacy Shield should provide some measure of comfort to the 4,400 U.S. companies that previously relied on the Safe Harbour agreement.

Today’s announcement was not unexpected as the EU and U.S. had previously agreed on changes to address many of the concerns expressed with the original draft of the Privacy Shield.  Following the announcement, the European Commission also made public the final amended text of the agreement, as well as annexes and a fact sheet on the Privacy Shield.

The European Commission’s decision takes immediate effect, but companies will be given until August 1 to review the Privacy Shield to enable a “smooth transition” according to the U.S. Secretary of Commerce, Penny Pritzker.

Colorado Law Grants Employees Right to Access Personnel Files

Beginning January 1, 2017, employees in Colorado will now have a right to inspect and copy their personnel files.  Prior to this law, Colorado had no law granting private-sector employees access to their personnel records.

Under the new law, upon a current employee’s request, an employer must allow that employee to inspect and obtain a copy of any part of the employee’s personnel file at least once annually. A former employee, however, may make only one inspection of his or her personnel file after termination of employment. The new law also permits an employer to require that an employee’s review of his or her personnel file take place only in the presence of an individual designated by the employer, and the employer may require the employee or former employee to pay the reasonable cost of duplicating documents.

The new law does not require employers to create, maintain, or retain a personnel file on an employee or former employee nor does it require an employer to retain for a specific period of time documents that are or were contained in an employee’s personnel file.  Importantly, the law also does not create a private right of action for employees alleging violations of the law.

For additional details regarding this new law, please see the related article authored by our colleagues in Denver.

EU, U.S. Agree On Revisions To Privacy Shield

According to reports, the European Union and the United States have agreed on changes to the EU-U.S. Privacy Shield (Privacy Shield), which will be sent to the EU member states and the college of the 28 EU commissioners, ultimately paving the way for final approval early next month. “We have agreed on the changes and will be able to adopt it in early July,” said European Commission spokesman Christian Wigand.

Addressing many of the concerns expressed with the original draft of the Privacy Shield, the revisions include stricter rules for organizations that hold information on European citizens, as well as clearer limits on U.S. surveillance. The revisions are also reported to include requirements for companies to delete personal data that no longer serves the purpose for which it was collected, as well as requirements for third-party organizations processing data to guarantee the same level of protection as companies that have directly signed up under the Privacy Shield.

Once approved, the revised Privacy Shield will replace the invalidated EU-U.S. Safe Harbour and provide a way for organizations to transfer data across the Atlantic.  Nevertheless, it is likely the Privacy Shield will face difficult tests in court requiring vigilance as organizations look to get back to the level of stability previously provided by the Safe Harbour for transatlantic transfers of data.

While the Privacy Shield remains pending, the European Commission has issued guidance on transatlantic data transfers.

5 Practice Tips for Law Firms as Data Breach Spotlight Swings Their Way

While data breach incidents affecting the entertainment, retail, healthcare, and financial industries have garnered more attention in past years, the data breach spotlight recently shifted to law firms.

This shift was triggered by media coverage of the breach and leak of the Panama Papers, and by reports that, in 2015, hackers breached the networks of two well-known and highly-regarded U.S.-based firms, Cravath, Swaine & Moore and Weil, Gotshal & Manges. It also has been reported that a Russian cybercriminal recently attempted to breach the systems of dozens of other major firms, seeking insider information on which to trade.

Law firms, which tend to lag behind businesses in other industries in data security preparedness, are entrusted with financial, intellectual property, medical, and embarrassing personal data that may draw cybercriminals. Breaches of this data expose law firms to potentially massive liability. Erosion of client confidence and reputational injury may be the most obvious (and hardest to quantify) examples, but firms also are exposed to malpractice lawsuits alleging negligent handling of confidential client data, and to state agency and private actions for failure, in the wake of breaches, to timely notify affected individuals, including employees, clients, and other parties and witnesses in litigation. Attorneys employed by firms that experience breaches also may be found to have violated the rules of professional conduct.

In light of these risks, law firms should act expeditiously to safeguard the data under their care and should consider these recommendations for key actions they can take to prevent breaches from occurring and to respond to them effectively if they do.

Illinois Enacts Amendments to the Personal Information Protection Act

Last month, Illinois Governor Bruce Rauner signed into law a number of amendments to the State’s Personal Information Protection Act (“PIPA”) that expand the definition of protected personal information and increase certain data breach notification requirements.  The amendments, highlighted below, take effect January 1, 2017.

Currently, “personal information” is limited to an individual’s first name or first initial and last name in combination with the individual’s Social Security number; driver’s license number or state identification card number; or account number or credit or debit card number, or an account number or credit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account.

The amendments now expand the definition of “personal information” to include medical information, health insurance information, or unique biometric data. Importantly, beginning in January, PIPA will require entities that suffer a security breach to inform Illinois residents of the breach even if the personal information was encrypted or redacted, where the passwords or keys needed to decrypt or unredact that information were also acquired through the breach.

In addition, “personal information” will now include a user name or email address, in combination with a password or security question and answer that would permit access to an online account, when either the user name or email address or password or security question and answer are not encrypted or redacted.

Under the new provisions, if notice is required and the breach of security involved an individual’s user name or email address, the notice must direct individuals to promptly change their user name or password and security question or answer, as applicable, or to take other steps appropriate to protect all online accounts for which the individual uses the same user name or email address and password or security question and answer.

An entity in possession of personal information will be required to implement and maintain reasonable security measures to protect the records from unauthorized access, destruction, or disclosure. Any entity that is in compliance with Section 501(b) of the Gramm-Leach-Bliley Act will be deemed in compliance with this provision. Similarly, a HIPAA covered entity or business associate subject to the HIPAA privacy and security standards will also be deemed to be in compliance with PIPA. A covered entity or business associate that is required to provide notification of a breach to the Secretary of Health and Human Services under the HITECH Act must also provide such notification to the Illinois Attorney General.

As states continue to expand their breach notification statutes, compliance will become increasingly difficult.

European Parliament: EU-U.S. Privacy Shield Needs Further Improvement

Earlier today, the European Parliament passed a non-legislative resolution saying the EU Commission should go back to negotiating with the United States to remedy “deficiencies” in the proposed EU-U.S. Privacy Shield for EU citizens’ data which is transferred to the US for commercial purposes.

The resolution, which passed by a vote of 501-119, with 31 abstentions, acknowledged the efforts of the EU Commission and the US Administration to achieve “substantial improvements” in the Privacy Shield as compared to the EU-U.S. Safe Harbour which it is meant to replace.  However, the Members of the European Parliament (MEPs) voiced concerns about “deficiencies” including:

  • the US authorities’ access to data transferred under the Privacy Shield,
  • the possibility of collecting bulk data, in some cases, which does not meet the criteria of “necessity” and “proportionality” laid down in the EU Charter of Fundamental Rights,
  • the proposed US ombudsperson, a new institution that MEPs accept is a step forward, but believe to be neither “sufficiently independent”, nor “vested with adequate powers to effectively exercise and enforce its duty”, and
  • the complexity of the redress mechanism, which the Commission and US administration need to make more “user-friendly and effective.”

The MEPs called on the European Commission to conduct periodic “robust reviews” of its decision that Privacy Shield protections are adequate, particularly in the light of the new EU data protection rules which are to take effect in two years.

Parliament’s resolution follows, and largely supports, the April 13, 2016, opinion of the Article 29 Working Party on the Privacy Shield. While the European Parliament’s resolution and the Article 29 Working Party’s opinion are not binding on the European Commission, both the resolution and the opinion raise serious doubts as to when, if at all, the thousands of companies that relied on the invalidated EU-U.S. Safe Harbour will be able to rely on the EU-U.S. Privacy Shield for their data transfer needs.

FTC Issues Guidance for Background Screening Companies

Employers regularly turn to background screening companies in order to obtain information/reports about applicants and employees.  The Fair Credit Reporting Act (FCRA) applies to companies that sell or provide these background screening reports if such a report meets the FCRA’s definition of a “consumer report.”   A consumer report is a report which serves as a factor in determining a person’s eligibility for employment, credit, insurance, housing, or other purposes and includes information bearing on an individual’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living.  Organizations that sell or provide consumer reports to employers are considered “consumer reporting agencies” under the FCRA.

To assist companies that compile background information for employment purposes to understand whether they are considered a consumer reporting agency and thus subject to the requirements of the FCRA, the Federal Trade Commission (FTC) recently issued guidance entitled “What Employment Background Screening Companies Need to Know About the Fair Credit Reporting Act.”  In addition to explaining the legal requirements for consumer reporting agencies, the FTC clarified that if you compile a consumer report containing public record information which is used for employment purposes, you still have obligations under FCRA, including notifying the subject of the consumer report or maintaining strict procedures to ensure the accuracy of the public record information.

Importantly, the FTC explained that even if you do not think of your organization as a consumer reporting agency, if you provide information about applicants or employees to an employer, you may be one.

Facebook’s “Trending” Section and Human Resources Analytics

According to a recent New York Times article, “Facebook scrambled on Monday to respond to a new and startling line of attack: accusations of political bias.” Slate followed with a report that the online social networking giant became the subject of a United States Senate inquiry, with Commerce Committee Chairman John Thune wanting information about how Facebook chooses stories for its “Trending” section, among other things. According to the reports, Facebook promotes its Trending section as an algorithmic tool that identifies the stories people using the site are most interested in at a given point in time, while former “curators” of the section tell a different story, that Facebook’s Trending section is a more subjective tool than users may realize.

Either way, the controversy raises an interesting issue – if Facebook’s Trending section is primarily driven objectively by algorithms (and not curators), could the algorithms be biased politically? If so, could algorithms used in other contexts also have embedded biases, albeit unintentional ones? If algorithms were deployed in the area of human resources, could conscious or unconscious bias undermine the employer’s desired results and violate existing employment laws, such as Title VII of the Civil Rights Act of 1964, the Age Discrimination in Employment Act, and the Americans with Disabilities Act?

We wrote about a recent FTC report discussing some of these concerns, including the potential for liability from uses of data analytics based on “disparate treatment” or “disparate impact” theories. We noted there that facially neutral policies or practices that have a disproportionate adverse effect or impact on a protected class create a disparate impact, unless those practices or policies further a legitimate business need that cannot reasonably be achieved by means that are less disparate in their impact.

Employers and their data scientists with appropriate counsel should consider these issues carefully to ensure their enormously powerful and valuable analytics programs produce reliable results with minimal legal risk.

Nebraska Amends Data Breach Notification Law

On April 13, 2016, Nebraska’s breach notification statute was amended when Governor Pete Ricketts signed LB835 into law. The amendment makes a variety of changes, including adding a regulator notification requirement and broadening the definition of “personal information” in the state’s data breach notification statute, Neb. Rev. Stat. §§ 87-802 to 87-804. These amendments become effective on July 20, 2016.

Specifically, the bill makes the following changes:

  • Attorney General Notification. The amendment requires notice to the State’s Attorney General concurrent with notice provided to affected individuals. These notices must be provided as soon as possible and without unreasonable delay consistent with law enforcement needs and the time necessary to determine the scope of the breach. This change follows a number of other states, such as California, Connecticut, Florida, Indiana, Maryland, Massachusetts, New Hampshire, New York, and North Carolina, which also require notification to the respective state’s Attorney General or other agency. Because the timing, form, content and manner of delivery of these notices vary state to state, organizations should take agency notifications into account when engaging in breach preparedness planning.
  • Personal Information Definition Expanded. The definition of “personal information” was amended to add a user name or email address, in combination with a password or security question and answer that would permit access to an online account, which, if acquired by an unauthorized person, would require notice. Recognizing the breadth of information consumers store online, Nebraska will become the fifth state, joining California, Florida, Nevada and Wyoming to require notification in the event of a breach of account credentials.
  • Encryption Exception Clarified. As amended, the state’s breach notification law provides that data will not be considered encrypted for purposes of avoiding notification if the breach of security includes acquisition of the encryption key or confidential encrypted method.

The notice obligations that are triggered when organizations suffer a breach of the security of their systems involving personal information continue to evolve. Preparedness is key, so take some time to develop a response plan, and practice it.