Connecticut Insurance Commissioner Announces Data Breach Notification Mandate

Posted on August 26, 2010 by Joseph Lazzarotti

On August 18, 2010, the Connecticut Insurance Commissioner issued Bulletin IC-25 which mandates that entities within its jurisdiction notify the Department of Insurance of any "information security incident." This post provides a brief summary of this new requirement.

Who must provide the notice?

The Bulletin applies to all licensees and registrants of the Department. This generally means all entities regulated by the Insurance Department, including, insurance producers, public adjusters, bail bond agents, appraisers, certified insurance consultants, casualty claim adjusters, property and casualty insurers, life and health insurers, health care centers, fraternal benefit societies, captive insurers, utilization review companies, risk retention groups, surplus line companies, life settlement companies, preferred provider networks, pharmacy benefit managers, and medical discount plans.

Additionally, in cases where the information security incident happens at a vendor or business associate, the Department expects to be notified of the incident as well as how the

licensee or registrant is managing the vendor's/business associate's activities and what protections and remedies are being put in place by the vendor/business associate for the Connecticut consumers.

What is an "information security incident"? 

Under this Bulletin, an information security incident is:

any unauthorized acquisition or transfer of, or access to, personal health, financial, or personal information, whether or not encrypted, of a Connecticut insured, member, subscriber, policyholder or provider, in whatever form the information is collected, used or stored, which is obtained or maintained by a licensee or registrant of the Insurance Department, the loss of which could compromise or put at risk the personal, financial, or physical well being of the affected insureds, members, subscribers, policyholders or providers.

Thus, unlike the general Connecticut data breach notification statute which requires notification only with respect to computerized personal information, this mandate applies to paper documents which includes personal health, financial or personal information. Also, encrypted data is not exempt from this notification requirement.

What is personal health, financial, or personal information?

The Bulletin does not define this term and, therefore, is unclear in this regard. However, in discussing its authority to impose the requirement, the Department cites to Conn. Gen. Stat. §42-471, which defines "personal information" to mean:

information capable of being associated with a particular individual through one or more identifiers, including, but not limited to, a Social Security number, a driver's license number, a state identification card number, an account number, a credit or debit card number, a passport number, an alien registration number or a health insurance identification number, and does not include publicly available information that is lawfully made available to the general public from federal, state or local government records or widely distributed media.

This definition, however, may not be as broad as how the Department views the term "personal health, financial or personal information." Licensees and registrants should be careful here and err on the side of being more inclusive when deciding whether an incident needs to be handled in accordance with this Bulletin.

When must notification be provided?

The Bulletin requires licensees and registrants of the Department to notify it of the incident as soon as the incident is identified, but no later than five (5) calendar days after the incident is identified.

Where should notice be sent?

Notification should be sent to the Insurance Commissioner in writing via first class mail, overnight delivery service or electronic mail.

What must the notice include?

Notification should include as much information as is known concerning the incident. The Bulletin provides the following list of items of information to be reported to the Department:

  • Date of the incident
  • Description of incident (how information was lost, stolen, breached)
  • How discovered
  • Has lost, stolen, or breached information been recovered and if so, how
  • Have individuals involved in the incident (both internal and external) been identified
  • Has a police report been filed
  • Type of information lost, stolen, or breached (equipment, paper, electronic, claims, applications, underwriting forms, medical records etc)
  • Was information encrypted
  • Lost, stolen or breached information covers what period of time
  • How many Connecticut residents affected
  • Results of any internal review identifying either a lapse in internal procedures or confirmation that all procedures were followed
  • Identification of remedial efforts being undertaken to cure the situation which permitted the information security incident to occur.
  • Copies of the licensee/registrants Privacy Policies and Data Breach Policy.
  • Regulated entity contact person for the Department to contact regarding the incident. (This should be someone who is both familiar with the details and able to authorize actions for the licensee or registrant)
  • Other regulatory or law enforcement agencies notified (who, when)

One of the items on this list to note is a Data Breach Policy which all entities should consider adopting even if not subject to this Bulletin.

Does the Department require that credit monitoring be offered in the event of an information security incident?

It looks like the Department may require credit monitoring in some circumstances. The Bulletin states that:

Depending on the type of incident and information involved, the Department will also want to have discussions regarding the level of credit monitoring and insurance protection which the Department will require to be offered to affected consumers and for what period of time. 

In addition, the Department wants to review the draft letters informing individuals of the information security incident.

Will the Department impose penalties?

The Bulletin states that the Department will evaluate each incident independently based on the applicable circumstances, and notes that some situations may warrant imposition of administrative penalties. The Department urges licenses and registrants to follow these procedures in order to minimize the possibility for penalties.

Licenses and registrants surely will need to review this guidance and incorporate it into their information security programs. Other entities should take note of this development and recognize the increasing efforts by federal and state agencies to safeguard personal information.

Tags: , , , , , ,

California Bill Would Strengthen Existing Breach Notification Law

Posted on August 23, 2010 by Joseph Lazzarotti

California led the way in 2002 when it enacted the nation’s first data breach notification law. Last week, the State’s lawmakers sent Governor Arnold Schwarzenegger S.B. 1166 (pdf), which would mandate that data breach notification communications include more detailed information about the breach and that businesses experiencing data breaches affecting more than 500 Californians notify the State’s Attorney General.

Since California enacted its data breach notification law, lawmakers have been trying to make changes to it, with mixed results. Assembly Bill 1298 ("A.B. 1298"), which became effective January 1, 2008, expanded the application of the existing law to include medical and health information. However, to date, attempts to add content requirements to the notice and require notification to the State’s Attorney General have failed, despite similar requirements in the laws of a number of other states, such as Massachusetts, New York, North Carolina.

S.B. 1166 marks the third attempt by Senator Joe Simitian to amend the law in this manner. Both prior attempts were vetoed by the Governor Schwarzenegger. In addition to requiring notice to the State’s Attorney General for certain breaches, his current effort would require notices stating:

  • a general description of the breach incident;
  • the type of information breached;
  • the date and time of the breach;
  • whether the notification was delayed because of a law enforcement investigation; and
  • a toll-free number of major credit reporting agencies if the breach exposed Social Security numbers, driver's license numbers, or state identification card numbers.

Because many states have similar content requirements and there are a number of websites that report on data breaches, passage of S.B. 1166 should not impose a significant burden in breaches involving individuals in multiple states. Nonetheless, companies should be alert to developments in California and be prepared to update their California data breach notification policies should the measure pass.
 

Tags: , , , , , , , ,

Another Facebook Post, Another Fired Employee

Posted on August 20, 2010 by Joseph Lazzarotti

ABC news reported yesterday about an employee fired for statements made on a social networking site – this time Facebook. The employee, Massachusetts high school teacher June Talvitie-Siple, was fired by her school district for statements she made about the community, her students and their parents. The 54-year-old teacher mistakenly thought her statements were being communicated only to her circle of friends on the popular site, not to the entire world. As others have found before her, such a misconception can be costly.

What did Talvitie-Siple say on Facebook? In one post, she referred to the students as “germ-bags,” on account of the multiple times she caught illnesses from them. She also described the community and the parents as “arrogant” and “snobby.”

Whether these are the kinds of posts that warrant termination of employment is beyond the scope of this discussion.

The ABC report shows that the negative consequences of unflattering social media communications are on the rise (even though employees have yet to realize it). Companies need to think through their policies concerning these kinds of electronic communications, made both at and outside of work, particularly regarding the appropriate levels of discipline. A helpful discussion of this and other issues employers should be thinking when it comes to social media can be found here.
 

Tags: , ,

State Law Developments for Credit and Criminal Background Checks

Posted on August 12, 2010 by Joseph Lazzarotti

Recent state law developments will affect whether and to what extent certain employers can conduct credit and criminal background checks on employees and applicants. Employers, particularly multi-state employers, should be sure to review these new requirements and adjust their practices accordingly.

Massachusetts

The Commonwealth has changed how employers access and use criminal offender record information ("CORI") under a new law signed by Governor Deval Patrick on August 6, 2010. Among other things, the new CORI law bans the use of questions about criminal history on written employment applications. This ban becomes effective November 4, 2010. The law also creates a new method and database for employers to access criminal records, replacing the current procedure with the Criminal History Systems Board. This becomes effective in May 2012.

(more information about this change)

Illinois

Illinois employers will have a tougher time conducting credit checks on applicants and employees and using the information for employment purposes beginning January 1, 2011. The state’s new Employee Privacy Act (House Bill 4658), signed by Governor Pat Quinn on August 10, 2010, prohibits all but a handful of employers from:

  1. inquiring into an applicant’s or an employee’s credit history;
  2. ordering a credit report on an applicant or employee from a consumer reporting agency; or
  3. taking any adverse employment action (such as refusing to hire) because of the individual’s credit history or credit report.

An aggrieved individual can bring a private cause of action in state court to enforce the Act and can seek injunctive relief and damages as well as costs and attorneys’ fees.
 

(more information about this change)

Oregon

Oregon employers’ ability to conduct credit checks and use the information for employment purposes has been significantly restricted since July 1, 2010, but the implications of this law extend well beyond state borders. With limited exceptions, Oregon Senate Bill 1045 prohibits employers from considering for employment purposes any information that bears on a consumer’s creditworthiness, credit standing or credit capacity, unless such information is substantially related to the individual’s current or potential job. Employers who believe credit information meets this job-related standard must provide the employee or applicant the reasons for their determination in writing.

(more information about this change)

Tags: , , , , , ,

Federal Law Introduced to Require Credit Monitoring Following Data Breach

Posted on August 11, 2010 by Joseph Lazzarotti

On August 5, 2010, U.S. Senators Mark Pryor (D-AR) and John D. (Jay) Rockefeller IV (D-WV)  introduced legislation to require businesses and nonprofit organizations that store consumers’ personal information to put in place strong security features to safeguard sensitive data, alert consumers when this data has been breached, and provide affected individuals with the tools they need to protect their credit and finances, including credit monitoring services.

More specifically, the "Data Security and Breach Notification Act of 2010" would require entities that own or possess data containing personal information to establish reasonable security policies and procedures to protect that data. If a security breach occurs, entities would have to notify each individual whose information was acquired or accessed as a result of the breach within 60 days. Affected consumers would be entitled to receive consumer credit reports or credit monitoring services for two years, as well as instructions on how to request these services.

In support of the new law, the press release issued by the Senate Committee on Commerce, Science, and Transportation notes that data security breaches and identity theft are a growing problem in the United States. In 2009, the business industry experienced the greatest number of data breaches (41.8%), followed by government/military (18.1%) and education sectors (15.7%).

Of course, passage of this measure is possible, but, given the number of prior efforts to pass a national data breach notification law, passage seems unlikely. This outcome is made more likely by the inclusion of the credit monitoring mandate, the cost of which could be considerable to businesses affected by a data breach. Businesses should stay tuned . . .

Tags: , , ,

Attorney General Securing Personal Data in Indiana

Posted on August 6, 2010 by Jason C. Gavejian

Indiana recently enacted a new law which grants authority to the Indiana Office of the Attorney General's Identity Theft Unit to obtain and secure abandoned records with personally identifying information, including health records, and either destroy them or return them to their owners. Additionally, the new law sets fines and other legal ramifications for violations of the law by health care providers or licensed professionals who leave such records unsecured in violation of state law. In fact, the Attorney General has already utilized this authority to obtain personal records from four entities. 

This additional grant of authority to the Indiana Attorney General, is in addition to the authority previously granted by the Health Information Technology for Economic and Clinical Health (HITECH) Act to enforce the privacy and security protections of HIPAA for protected health information. As we have previously discussed, the Connecticut Attorney General has filed a civil action against Health Net, as well as instituted an investigation against Griffin Hospital for violations of HIPAA. 

The Indiana statute, as with the authority granted to Attorney Generals under HITECH, highlight the need for companies to develop and implement comprehensive data security polices to secure their records. 

Tags: , , , , , , , , , ,

EEOC and 7-Eleven of Hawaii Settle Over Disclosure of Former Employee's Medical Information

Posted on August 6, 2010 by Joseph Lazzarotti

 Does your HR staff know the limits on what they could tell prospective employers about former employees?

In this case, the US Equal Employment Opportunity Commission (EEOC) alleged that 7-Eleven of Hawaii failed to keep a former employee’s medical information confidential by disclosing the information to a prospective employer, in violation of the ADA, which caused the prospective employer to rescind a job offer. The EEOC filed suit in federal district court ( EEOC v 7-Eleven of Hawaii, Inc, DHaw, No CV 07-00478-SPK-BMK) and, after the District Court ruled in 7-Eleven’s favor, the EEOC appealed the decision in August 2008 to the US Court of Appeals for the Ninth Circuit.

However, on August 2, the EEOC announced a settlement under which 7-Eleven of Hawaii will:

  1. pay $10,000,   
  2. provide annual training to its human resources personnel and managers in equal employment opportunity, with an emphasis the ADA requirements concerning confidentiality, and
  3. for a period of two years, 7-Eleven will also be required to report annually to the EEOC regarding the company’s policies and proposed training programs with respect to disability discrimination, medical disclosure, non-retaliation, and reasonable accommodation.

In comments about the case, EEOC representatives made clear that the ADA confidentiality requirements apply to applicants, current employees and former employees. Earlier in the year, we wrote about a recent EEOC senior staff attorney's informal letter concerning the duties of federal employees and contractors relating to medical confidentiality. It is unclear whether these actions by the EEOC suggests a greater emphasis on enforcement of medical records confidentiality under the ADA. Regardless, employers should be taking preventive steps to comply with these requirements. Some steps include:

  • Creating a culture of confidentiality concerning medical records, whether those records are subject to ADA, HIPAA or some other law.
  • Reminding employees that medical information is confidential and access is on a need-to-know basis.
  • Reviewing and revising administrative, physical, and technical safeguards as necessary and appropriate to safeguard medical information, such as requiring employees to keep their desks clear of sensitive information and locking doors and file cabinets.
Tags: , , ,

Rite Aid Agrees to $1 Million Payment to HHS Concerning Potential HIPAA Privacy Violations

Posted on July 27, 2010 by Joseph Lazzarotti

Rite Aid Corporation and its affiliates have agreed to pay $1 million to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule, the U.S. Department of Health and Human Services (HHS) announced today. At the same time, Rite Aid signed a consent order with the Federal Trade Commission (FTC) to settle potential violations of the FTC Act.

The lesson to be learned from this case:

Disposing of individuals’ health information in an industrial trash container accessible to unauthorized persons is not compliant with several requirements of the HIPAA Privacy Rule and exposes the individuals’ information to the risk of identity theft and other crimes.

The Office of Civil Rights, which enforces the HIPAA Privacy and Security Rules, opened its investigation of Rite Aid after television media videotaped incidents in which pharmacies were shown to have disposed of prescriptions and labeled pill bottles containing individuals’ identifiable information in industrial trash containers that were accessible to the public. These incidents were reported as occurring in a variety of cities across the United States. Rite Aid pharmacy stores in several of the cities were highlighted in media reports.

The investigation also indicated other potential concerns about Rite Aid's policies related to safeguarding patient information during the disposal process, training employees, and a related sanction policy.

The Director of OCR noted:

It is critical that companies, large and small, build a culture of compliance to protect consumers’ right to privacy and safeguard health information. OCR is committed to strong enforcement of HIPAA.

The corrective action Rite Aid has agreed to includes improving policies and procedures to safeguard the privacy of its customers' health information, and applies to all of its nearly 4,800 retail pharmacies. More specifically, the settlement requires Rite Aid to take a number of steps including

  • Revising and distributing its policies and procedures regarding disposal of protected health information and sanctioning workers who do not follow them;
  • Training workforce members on these new requirements;
  • Conducting internal monitoring; and
  • Engaging a qualified, independent third-party assessor to conduct compliance reviews and render reports to HHS and FTC.

The HHS corrective action plan will be in place for three years; the FTC order will be in place for 20 years. The length and scope of these plans show the seriousness these agencies are taking concerning compliance with requirements to safeguard personal information.  

Tags: , , , , , ,

To host or not to host?

Posted on July 23, 2010 by Joseph Lazzarotti

Guest Post from Pat Yu* of Accero. We are happy to make Mr. Yu's insights available to our readers as they are important considerations for companies considering alternative data and systems management strategies. Enjoy this post: 

To host or not to host . . . That’s ultimately the critical question when it comes to major internal system deployments, such as human capital management (HCM) solutions. To help you move toward a smart, strategic decision, here is a high-level overview of each model:

Licensed

Still widely used by most companies, licensed software delivery often provides user’s more control. You purchase a license, install the software and use your internal resources to manage and configure or customize the solution. When companies purchase licenses for a major software solution, they are ultimately responsible for all aspects of application management, including: installing upgrades, troubleshooting issues and hardware maintenance.

Hosted
 

Hosting is most often provided today in the form of Software as a Service, or SaaS. In this model, the vendor hosts the solution and users access it via the web. One of the key benefits of selecting a hosted model, besides the scalability and convenience of 24x7 web access, is the fact that the software provider is responsible for:

  • Managing both the software and hardware components of the application
  • Network issues such as redundancy, data backup and disaster recovery planning
  • Managing the data center or centers that deliver the application
  • Upgrading the software automatically for customers on a regular schedule

A checklist for decision makers

Hosting in and of itself is simply a delivery model. A software application must meet your business requirements; how it is delivered (licensed vs. SaaS) may be part of your requirement, but it should not be the primary factor. Follow the checklist below to help your organization determine which solution best fits your needs:

  • Clearly define your business requirements
  • Inventory solution providers (licensed and hosted)
  • Evaluate systems to ensure they meet your high priority requirements
  • Consider growth strategies and make sure the solution will scale to match
  • Prepare a minimum four-year cost analysis to evaluate cost of ownership (this should include the cost to host the solution in house if you are considering a traditional license – and the IT resources needed to manage it)
  • Review implementation timeframe (SaaS is often faster to deploy)
  • Consider other costs – IT resources, hardware, software, time, etc.

*Pat Yu is the Director of Product Development at Accero, a Payroll, Human Resources and Human Capital Management software and service provider. Visit www.accero.com or call 800.429.2674.
 

Tags: , , , ,

HHS Announces Final EHR Regulations Charting Path to Billions in Incentives for Providers and Hospitals to Adopt EHR Systems

Posted on July 13, 2010 by Joseph Lazzarotti

U.S. Department of Health and Human Services Secretary Kathleen Sebelius has announced final rules for eligible health care professionals and hospitals to qualify for a portion of the $27 billion or so in Medicare and Medicaid incentive payments for implementation and meaningful use of certified electronic health records (EHR). Many are concerned these incentives will increase the risks for data privacy and security that will come with more health data being maintained, used and disclosed in electronic format. Under the rules, eligible professionals may receive as much as $44,000 under Medicare and $63,750 under Medicaid, and hospitals may receive millions of dollars under both Medicare and Medicaid.
 

"We will make the immediate investments necessary to ensure that within five years, all of America's medical records are computerized."

President Barack H. Obama, January 8, 2009 

HHS’s July 13 action is consistent with the agenda of President Obama and some of his predecessors to help improve Americans’ health, increase safety and reduce health care costs through expanding use of EHRs and simplifying the administrative costs of healthcare. The enactment of the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 significantly advanced this agenda by establishing the statutory structure for eligible health care professionals and hospitals to receive government subsidies to adopt certified EHR technology. The HITECH Act, however, also expanded and tightened the HIPAA privacy and security regulations to address, in part, concerns about improper access and use of EHRs.

HHS’s regulations (consisting of more than 1,000 pages) define the minimum requirements and “meaningful use” objectives to qualify for the bonus payments (pdf) and identify the technical capabilities required for certified EHR technology (pdf). At the same time, providers and hospitals will need to focus on the evolving privacy and security mandates under HITECH, as well as under state law, to minimize the risks to protected health information and other personal information. So, as providers and hospitals look to Medicare and Medicaid funds to jumpstart their move to EHR systems, it will be important for them to be sure to have in place the appropriate policies, procedures and agreements to safeguard those records, which should include the careful handling and/or disposition of the mountains of paper records they currently maintain.

Tags: , , ,

Proposed HITECH Regulations: Will Subcontractors of Business Associates Be Subject to the HIPAA Privacy and Security Rule?

Posted on July 13, 2010 by Joseph Lazzarotti

Further to our discussions of the proposed regulations to implement statutory amendments under the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”), we summarize here a proposed changed to the definition of “business associate.” A significant part of the “HIPAA community” (covered entities, business associates and their agents and subcontractors) already is aware of the expanded application of HIPAA to business associates under HITECH. This expansion went into effect February 18, 2010, and, in fact, many business associate agreements currently are being modified in an attempt to reflect the statutory provisions. The HIPAA community, however, may not yet be aware of the proposal to further expand the direct application of the privacy and security rules under HIPAA to subcontractors performing functions for business associates.

A New Class of Business Associate

Prior to the HITECH Act changes, business associates and their agents and subcontractors were not directly subject to HIPAA. Instead, HIPAA required covered entities to obtain certain written assurances from their business associates. One of those written assurances was that business associates would ensure that their agents and subcontractors would agree to be subject to the same conditions and restrictions contained in the business associate agreement entered into with the covered entity.

The proposed regulations would include subcontractors in the group of “business associates” to the extent that they require access to protected health information. Such subcontractors are those persons who are not members of the business associate’s workforce, but perform functions for or provide services to a business associate. This would be the case even if the business associate has failed to enter into a business associate contract with the subcontractor. The regulator’s goal is to ensure the privacy and security protections will not lapse merely because a function is performed by an entity with no direct relationship with a covered entity, although the regulations seek public comments on the definition of subcontractor.

The proposed regulations state (emphasis added):

[W]e propose that downstream entities that work at the direction of or on behalf of a business associate and handle protected health information would also be required to comply with the applicable Privacy and Security Rule provisions in the same manner as the primary business associate, and likewise would incur liability for acts of noncompliance. We note, and further explain below, that this proposed modification would not require the covered entity to have a contract with the subcontractor; rather, the obligation would remain on each business associate to obtain satisfactory assurances in the form of a written contract or other arrangement that a subcontractor will appropriately safeguard protected health information. For example, under this proposal, if a business associate, such as a third party administrator, hires a company to handle document and media shredding to
securely dispose of paper and electronic protected health information, then the shredding company would be directly required to comply with the applicable requirements of the HIPAA Security Rule (e.g., with respect to proper disposal of electronic media) and the Privacy Rule (e.g., with respect to limiting its uses and disclosures of the protected health information in accordance with its contract with the business associate).

As the example above shows, if made final, the proposed regulation would further HIPAA’s reach and affect many businesses that may not currently view themselves as directly subject to the requirements or penalties under HIPAA. Many companies, including those that service the healthcare industry, such as health plans, likely will need to revisit their HIPAA-compliance measures.

Tags: , , , ,

Shredding and Data Destruction Companies - A HIPAA-Covered Entity's Best Friend

Posted on July 12, 2010 by Joseph Lazzarotti

We recently reported here that the Department of Health and Human Services (HHS) is issuing proposed regulations to implement statutory amendments under the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”). These proposed regulations contain a number of important points to think about for HIPAA covered entities (and business associates), even though these rules are in proposed form. One is avoiding HIPAA violations involving “willful neglect," which under the HITECH Act will require a formal investigation and civil penalties.

To date, the Secretary of HHS has attempted to resolve complaints and certain violations by informal means, as required by § 160.312 of the current regulations. A significant change to the HIPAA enforcement scheme in the HITECH Act requires that if a preliminary investigation of the facts of a complaint indicates a possible violation due to willful neglect, the Secretary is required to commence a formal investigation. If the formal investigation finds a HIPAA violation involving willful neglect, the Secretary must impose a civil money penalty.

What is “willful neglect”?

Willful neglect is defined at § 160.401 as the “conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated.” The term not only presumes actual or constructive knowledge on the part of the covered entity that a violation is virtually certain to occur, but also encompasses a conscious intent or degree of recklessness with regard to the entity’s compliance obligations.

So what does that mean, what are some examples? The proposed regulations provide the following examples:

  1. A covered entity disposed of several hard drives containing electronic protected health information in an unsecured dumpster, in violation of § 164.530(c) and § 164.310(d)(2)(i). HHS’s investigation reveals that the covered entity had failed to implement any policies and procedures to reasonably and appropriately safeguard protected health information during the disposal process.
  2. A covered entity failed to respond to an individual’s request that it restrict its uses and disclosures of protected health information about the individual. HHS’s investigation reveals that the covered entity does not have any policies and procedures in place for consideration of the restriction requests it receives and refuses to accept any requests for restrictions from individual patients who inquire.
  3. A covered entity’s employee lost an unencrypted laptop that contained unsecured protected health information. HHS’s investigation reveals the covered entity feared its reputation would be harmed if information about the incident became public and, therefore, decided not to provide notification as required by § 164.400 et seq.

In addition to having actual or constructive knowledge of one or more violations, the covered entities in the examples above, particularly Example 1, failed to develop or implement compliant policies and procedures and, thus, demonstrated either conscious intent or reckless disregard with respect to the compliance obligations under HIPAA.

Based on the proposed regulations, covered entities can no longer expect the velvet hand of the regulators to resolve a violation informally in all cases. Covered entities that fail to have policies and procedure and make a good faith compliance effort likely will find themselves subject to mandatory formal investigations and penalties.

Covered entities like the one in example 1 above might want to consider certain precautions, including:

• maintaining a record retention policy,
• maintaining media re-use policy,
• maintaining a data destruction policy,
• maintaining an e-discovery policy, and
• and engaging a good data destruction/shredding company.
 

Tags: , , , ,

HHS to Issue Proposed Regulations Concerning HITECH

Posted on July 8, 2010 by Joseph Lazzarotti

The Department of Health and Human Services announced this morning that it will be issuing a notice of proposed rulemaking to begin implementing the recent statutory amendments under the Health Information Technology for Economic and Clinical Health Act (“the HITECH Act”). According to HHS, the proposed regulations (pdf), set to be published July 14, 2010, are designed to strengthen the privacy and security protection of health information, and to improve the workability and effectiveness of the existing HIPAA privacy and security rules. 

More specifically, the proposed rules would modify the Standards for Privacy of Individually Identifiable Health Information (Privacy Rule), the Security Standards for the Protection of Electronic Protected Health Information (Security Rule), and the rules pertaining to Compliance and Investigations, Imposition of Civil Money Penalties, and Procedures for Hearings (Enforcement Rule) issued under HIPAA.

We will be reviewing these regulations and reporting on them further as appropriate.

Tags: ,

Alberta Becomes First Canadian Province to Enact Data Breach Notification Law

Posted on June 28, 2010 by Joseph Lazzarotti

Effective May 1, 2010, Alberta amended its Personal Information Protection Act (PIPA) to require breach reporting and notification requirements. U.S. businesses with a presence in Alberta should take note of the new law as it is a bit different than most of the state data breach notification laws in the United States. 

PIPA governs the collection, use and disclosure of personal information by businesses. Under the amendment to PIPA that adds the mandatory breach notification requirement, organizations that experience a breach will be required to report the incident to the Privacy Commissioner where there exists “a real risk of significant harm” to an individual. The Commissioner can, in turn, require the organization to notify the affected individuals.

Alberta's Privacy Commissioner Frank Work commented on the new law:

Now an organization has to report significant losses to my Office. I can then require notification of affected individuals. Our experience has been that most businesses already notify people affected by losses and we encourage this. This is not necessarily a matter of making businesses liable for losses of information; it is about warning people so that they can take precautions. Hopefully it will make businesses more aware of the need for reasonable security measures.”

Of course, the challenge for multi-national companies will be to consider and coordinate the laws in various jurisdictions.

Tags: , , , , ,

Does Your "Cyber" or "Data Breach" Insurance Cover What You Think It Does?

Posted on June 22, 2010 by Joseph Lazzarotti

As companies struggle with the risks and exposures related to data breaches, insurance can be an important part of an overall risk management strategy – so long as it is the right insurance.

Insurance carriers are offering products that purport to address this type of risk. Such insurance can be particularly important to businesses for which the handling of personal information or protected health information, such as some HIPAA “business associates,” is their lifeblood. However, as an ongoing litigation in a Utah federal district court makes clear, it is critical for businesses to be cautious and thorough when assessing insurance coverage, if only to avoid litigation about the scope of the coverage.

Court filings show that Perpetual Storage, a data storage company, had purchased certain insurance coverage through Colorado Casualty Insurance. One of Perpetual’s clients, University of Utah Hospitals and Clinics, stores significant amounts of its data with Perpetual, including personal information and protected health information. The University experienced a data breach on June 1, 2008, when storage disks were stolen from the car of a Perpetual employee who had picked up the disks from the University. The University claims the breach affected 1.7 million people. Claims expenses totaling approximately $3,354,753 were incurred in the course of responding to the breach. The specific costs alleged are $2,483,057 for credit monitoring expenses, $646,149 in printing and mailing costs, $81,389 in phone bank costs, and $144,158 in additional miscellaneous costs.

Naturally, the University is looking to Perpetual to reimburse it for these costs. In turn, Perpetual is looking to its insurance carrier, Colorado Casualty, to back it up. The insurer, however, has denied coverage. Colorado Casualty seems to be asserting that the claims do not constitute certain “bodily damages” or “property damages” as those terms are defined in the applicable policy. The insurer also claims that a number of policy exclusions support its decision to deny coverage.
At the same time, the University is seeking in its lawsuit to bring its insurance broker and adviser into the litigation, alleging they were "careless, negligent, and made various negligent misrepresentations about Perpetual's insurance coverage from Colorado Casualty."

A ruling in favor of Colorado Casualty likely would make it more difficult to seek reimbursement under commercial liability policies in connection with data breaches. Such a ruling also should be a wake-up call to businesses relying on their current commercial liability policies to deal with data breach issues.

The moral of the story for businesses - review your coverage with your insurance brokers or other insurance advisers to ensure appropriate coverage.

Tags: , , , , ,

Supreme Court Issues Decision in City of Ontario v. Quon - Search of Text Messages Held Reasonable, Ninth Circuit Reversed

Posted on June 17, 2010 by Jason C. Gavejian

The Supreme Court today issued its decision in City of Ontario, California v. Quon.  In a unanimous decision, the Court held that the search of Quon's text messages, sent or received on his department issued pager, was reasonable and did not violate Quon's Fourth Amendment rights. 

As set forth in the opinion, the Court did not resolve the parties disagreement over Quon's privacy expectations, and instead disposed the case on the narrower grounds of the reasonableness of the search.  While the Court chose not to utilize the facts of this case to establish far-reaching premises that define the existence, and extent, of privacy expectations of employees using employer-provided communication devices, the Court did note that 

Employer policies concerning communications will of course shape the reasonable expectations of their employees, especially to the extent that such policies are clearly communicated.

Click here for a more in depth analysis of the decision. See our previous posts on Quon, here and here

Tags: , , , , , , , ,

Employees Claiming Emotional Distress Must Produce Social Network (Facebook and MySpace) Information In Discovery

Posted on June 15, 2010 by Jason C. Gavejian

All information from plaintiffs’ social networking profiles and postings that relate to their general emotions, feelings, and mental states must be produced in discovery when they allege severe emotional trauma and harassment against their employer, a federal court in Indiana has ruled. (EEOC v. Simply Storage Management LLC, S.D. Ind., No. 1:09-cv-1223, discovery order 5/11/10).

Social networking sites (SNS) such as Facebook and MySpace are fast becoming a hot topic in litigation as they may contain a wealth of potentially relevant information. In Simply Storage, the Equal Employment Opportunity Commission brought suit on behalf of plaintiffs and other similarly situated employees who claimed their employers were liable for a supervisor’s alleged sexual harassment. The EEOC requested a discovery conference because counsel for the parties disagreed as to whether the two named plaintiffs must produce the Internet social networking site profiles, including postings, pictures, blogs, messages, personal information, lists of “friends,” and of causes joined that the user has placed or created online.

The EEOC objected to production of all SNS content (and to similar deposition questioning). It argued the requests were overbroad, not relevant, unduly burdensome (because they improperly infringe on claimants’ privacy), and would harass and embarrass the claimants. Simply Storage countered that discovery of these matters was proper because certain EEOC discovery responses placed the emotional health of particular claimants at issue, beyond that typically encountered in “garden variety emotional distress claims.”

The court weighed ordering complete discovery of the plaintiffs' Facebook and MySpace account information against limiting discovery to content specifically related to the alleged injury.  It found neither alternative satisfactory. According to the court, limiting discovery to posts that specifically referenced the mental issues and harassment alleged by the plaintiffs would be too narrow, while admitting the full profiles would include likely irrelevant—and potentially inflammatory—content. The court held, “It is reasonable to expect severe emotional or mental injury to manifest itself in some SNS content, and an examination of that content might reveal whether onset occurred, when, and the degree of distress. Further, information that evidences other stressors that could have produced the alleged emotional distress is also relevant.”

The court therefore defined the relevant scope of discovery as including “any profiles, postings, or messages (including status updates, wall comments, causes joined, groups joined, activity streams, blog entries) … that reveal, refer, or relate to any emotion, feeling, or mental state, as well as communications that reveal, refer, or relate to events that could reasonably be expected to produce a significant emotion, feeling, or mental state.”

The court rejected the EEOC’s assertion that broad discovery of this kind would violate the plaintiffs' right to privacy and held that, while potentially relevant content may be embarrassing to the plaintiffs, “this is the inevitable result of alleging these sorts of injuries.” In addressing the argument that the profiles were “private” and password protected, the court held that these protections were insufficient to circumvent discovery. “[A] person's expectation and intent that her communications be maintained as private is not a legitimate basis for shielding those communications from discovery.”

This case illustrates the importance of expanding the traditional thinking behind discoverable information to cover social media. Employers, upon advice of counsel, should consider requesting information of this nature. 

Tags: , , , , , , , , , , ,

"Medical Privacy a Fundamental Right" - Five California Hospitals Fined for Failing to Secure that Right

Posted on June 14, 2010 by Joseph Lazzarotti

On June 10, 2010, the California Department of Public Health (CDPH) announced  issuing administrative penalties and fines totaling $675,000 against five hospitals in the state. CDPH cites the facilities’ failure to prevent unauthorized access to confidential patient medical information as required under new legislation (Section 1280.15 of California’s Health and Safety Code) (pdf) as the basis for the penalties and fines.

Relevant portions of Section 1280.15 of California’s Health and Safety Code provide:

A clinic, health facility, home health agency, or hospice . . . shall prevent unlawful or unauthorized access to, and use or disclosure of, patients' medical information . . . The department, after investigation, may assess an administrative penalty for a violation of this section of up to twenty-five thousand dollars ($25,000) per patient whose medical information was unlawfully or without authorization accessed, used, or disclosed, and up to seventeen thousand five hundred dollars ($17,500) per subsequent occurrence of unlawful or unauthorized access, use, or disclosure of that patients' medical information. For purposes of the investigation, the department shall consider the clinic's, health facility's, agency's, or hospice's history of compliance with this section and other related state and federal statutes and regulations, the extent to which the facility detected violations and took preventative action to immediately correct and prevent past violations from recurring, and factors outside its control that restricted the facility's ability to comply with this section. The department shall have full discretion to consider all factors when determining the amount of an administrative penalty pursuant to this section.

CDPH Director Dr. Mark Horton commented, “medical privacy is a fundamental right and a critical component of quality medical care in California.” His position and the actions taken by the agency highlight the need for health care providers to do more to safeguard patient records. In most of these cases, according to the CDPH announcement, multiple hospital employees accessed confidential patient medical information without authority to do so.

However, California hospitals should not be the only entities concerned about exposure relating to unauthorized access to confidential personal information, nor is California’s Health and Safety Code the only statutory obligation to safeguard such information. Mandates to protect personal information are growing and apply to industries beyond healthcare and persons other than patients. In short, businesses in all states and industries should be reviewing, at a minimum:

  1. how they safeguard personal information, whether it be that of customers, patients, employees, or their dependents,
  2. who they permit to access personal information, and
  3. what their plan is in the event of unauthorized access or acquisition.

We’ve written about a number of these areas of concern:

Like most things, "an ounce of prevention is worth a pound of cure."

Tags: , , ,

Connecticut Attorney General Working on Second HIPAA Breach Investigation

Posted on June 2, 2010 by Joseph Lazzarotti

Connecticut Attorney General Richard Blumenthal has commenced an investigation in a second case involving potential HIPAA violations by a worker at Griffin Hospital. This follows the suit commenced against Health Net for HIPAA violations following a data breach. As reported by George Gombossy of ctwatchdog.com, this would be the second time a state attorney general has used the enforcement authority granted under the Health Information Technology for Economic and Clinical Health Act (HITECH).

The Attorney General’s press release states:

My office is investigating allegations that a radiologist formerly affiliated with Griffin Hospital improperly accessed the medical information of almost 1,000 of the hospital’s patients.

These charges, if true, are deeply disturbing. Patients rightly expect and demand that their medical information remain secure and confidential, viewed only by authorized individuals.

Unauthorized accessing of patient information is a violation of the federal HIPAA law that my office is empowered to enforce. I will seek strong and significant sanctions, if warranted by the facts.

Griffin Hospital rightly informed my office of this alleged data breach and is cooperating with our investigation.

Efforts are underway to help state Attorneys General become more actively involved in HIPAA enforcement. For example, the Department of Health and Human Services (HHS) has awarded a $1.7 million contract to train attorneys general on enforcing HIPAA and, specifically, to assist the Office of Civil Rights (an arm of HHS) “in conceptualizing and implementing a training curriculum for state attorneys general staff and others affected by the HIPAA Privacy and Security Rules.”

It is important that HIPAA-covered entities and business associates focus on compliance so when there is a data breach, they will be better positioned to respond to a state attorney general inquiry.

Tags: , , , , ,

New Challenges for HIPAA Business Associates Under ARRA and HITECH

Posted on June 1, 2010 by Joseph Lazzarotti

Have you noticed that negotiating that business associate agreement has gotten a lot more difficult? Many companies that serve health care providers and health plans, generally known as business associates, have noticed. These companies include software vendors, benefits brokers, cloud computing providers, data storage/destruction companies, and accountants, among others.

The clients of these companies are citing HIPAA, ARRA, HITECH, data breach notification requirements, and state law mandates as they demand stricter contract language and additional rights and protections, such as the right to audit the business associate and to be held harmless in the event of any data mishap. Business associates that took HIPAA lightly in 2003 and 2004, when the HIPAA regulations first became effective (2005 and 2006 for the security regulations), are playing catch-up.

When President Obama signed the American Recovery and Reinvestment Act of 2009 (ARRA), “business associates” may not have expected the significant effects that law would have on their businesses. Chief among those effects are mainly due to four sentences in The Health Information Technology for Economic and Clinical Health (HITECH) Act (pdf), passed as part of ARRA, and which generally became effective on February 17, 2010 (the breach notification mandate became effective on September 23, 2009), one year after enactment:

  • “Sections 164.308, 164.310, 164.312, and 164.316 of title 45, Code of Federal Regulations, shall apply to a business associate of a covered entity in the same manner that such sections apply to the covered entity. The additional requirements of this title that relate to security and that are made applicable with respect to covered entities shall also be applicable to such a business associate and shall be incorporate[d] into the business associate agreement between the business associate and the covered entity.” ARRA Sec. 13401(a). This statement makes business associates directly subject to nearly all of the HIPAA security regulations, the HIPAA rules relating to electronic protected health information. Prior to the change, these obligations existed for business associates only as a matter of contract.
  • “A business associate of a covered entity that accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured protected health information shall, following the discovery of a breach of such information, notify the covered entity of such breach.” ARRA Sec. 13402(b). This statement creates a new obligation for business associates – report to covered entities breaches of unsecured protected health information.
  • “The additional requirements of this subtitle that relate to privacy and that are made applicable with respect to covered entities shall also be applicable to such a business associate and shall be incorporated into the business associate agreement between the business associate and the covered entity.” ARRA Sec. 13404(a). This statement makes business associates directly subject to nearly all of the HIPAA privacy regulations. Prior to the change, as with the security regulations, these obligations existed for business associates only as a matter of contract.

In response to these law changes, and in the absence of regulatory guidance, covered entities have been demanding modifications to existing business associate agreements or requesting new agreements. In both cases, covered entities are seeking greater assurances from their business associates concerning the handling of the covered entities’ protected health information.

On top of that, covered entities are weaving into business associate agreements and other agreements requirements under newly enacted state laws requiring protections for “personal information” in the hands of vendors (e.g., business associates) to curb identity theft. Given the cost and reputational harm that could come from a data breach, as well a growing enforcement activity, many covered entities are becoming more forceful in their negotiations, citing legal mandates and established company policies for their unwillingness to budge on many provisions, even those that go beyond statutory mandates.

What is a business associate to do? Here are some thoughts:

  1. Confirm your company is a business associate. (go to HHS HIPAA frequently asked questions and insert "business associate" for helpful guidance). In some cases, covered entities are blanketing all of their vendors with these agreements. If believe your company is not a business associate, raise it with your client. Of course, even if you avoid being considered a business associate, your customer/client still may demand written assurances under state law for the personal information you handle on its behalf.
  2. Become compliant. As noted above, the HIPAA privacy and security requirements are now directly applicable to business associates. While additional guidance is expected as to what this means precisely, there is enough existing guidance concerning covered entities for business associates to use to achieve compliance. Among other things, compliance means conducting a risk assessment, adopting a written set of policies and procedures concerning the safeguarding of protected health information, and training staff. Being compliant not only reduces risk, but in an environment of increasing attention to data privacy and security, compliance can be a competitive advantage.
  3. Review agreements carefully. Covered entities increasingly include contract provisions that provide the covered entity with greater protections than the law requires. To the extent possible, try to remove those provisions. In any event, it is important to know your obligations under these agreements; they can vary dramatically from covered entity to covered entity.
  4. Develop strategies for reviewing/complying with multiple contracts. Some business associates have many clients and, therefore, business associate agreements. Managing unique provisions multiple agreements can be daunting, although the ability to negotiate a uniform agreement across a client basis is increasingly unlikely. So, where possible, try to use similar provisions in all agreements and know ahead of time your approach to certain key provisions, such as handling data breaches.
  5. Understand the law. Even if you’ve mastered the determination of whether you are a business associate, the rules outlining your business' obligations likely will be evolving under HIPAA over the next few years, particularly with the expected growth of electronic health records and the expansion of health care. The same is true of state laws concerning personal information. In many cases these laws might coexist peacefully, in other cases there will be conflict. You need to be aware of the conflicts and be prepared to act accordingly.

 

Tags: , , , , , , ,