Workplace Privacy, Data Management & Security Report : Privacy Lawyers & Attorneys : Jackson Lewis Law Firm : Data Security, HIPAA & Confidentiality Issues

In another example of a medical provider facing potential civil liability for providing medical records in response to a subpoena, a federal court in the Northern District of Ohio denied summary judgment for the Cleveland Clinic and other defendants in Turk v. Oiler, No. 09-CV-381 (N. D. Ohio Feb 1, 2010.  We previously discussed the decision in Kim v. St. Elizabeth's Hosp. in which a court allowed similar claims to proceed under an Illinois law protecting mental health records. In Turk, the claims were based in part on the Ohio physician-patient privilege codified at Ohio Rev. Code Section 2317.02.

Plaintiff James Turk was a private investigator accused of possessing a weapon while under a disability in violation of Ohio law.  The Cleveland Clinic received a grand jury subpoena from the Cuyahoga County Court of Common Pleas seeking Turk's medical records. The clinic complied with the subpoena and produced the records. Turk and his wife later brought suit against the clinic claiming damages for invasion of privacy, negligent disclosure of medical records, and violation of the First Amendment.

The clinic moved for summary judgment, arguing that it was required to respond to a grand jury subpoena and that Section 2317.02 was preempted by the Health Insurance Portability and Accountability Act ("HIPAA").  The federal district court denied the motion and allowed the claims to proceed, reasoning that Ohio law was not preempted by HIPAA where it provided greater protections than the federal law.  The case stands for the proposition that compliance with HIPAA by itself is not enough and reinforces yet again the caution which health care providers must exercise when responding to subpoenas or other requests for medical records without a proper release.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

On February 22, 2010, the Office of Civil Rights (OCR) posted on its website its first list of covered entities that have reported breaches of unsecured protected health information affecting more than 500 individuals. OCR acknowledged the HITECH Act requires HHS to make this information public by posting it on an HHS website.

The breach notification rule became effective on September 23, 2009. In short, as we reported previously, the rule requires covered entities to provide notification of breaches of unsecured protected health information directly to the Secretary of HHS, as well as to the affected individuals. Breaches that affect 500 or more individuals must be reported to HHS within 60 days, and covered entities must provide this notification via the online form on the OCR website.

Of course, covered entities need to be aware that breaches reported to HHS will be made public on its site. Some states, such as Maryland and New Hampshire, have had a similar policy in effect for some time for breaches of personal information affecting residents of their states.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

As reported by the December 23 Rochester, Minnesota Post Bulletin, the Mayo Clinic has terminated two medical professionals, a physician and another staff member, after determining that they had inappropriately accessed a patient’s confidential electronic health records (EHRs).

The access highlights what should be a growing concern for health care industry employers: the increased availability EHRs provide about patients’ private information that is otherwise protected by HIPAA. As reported in the Bulletin, according to the President of the Minnesota-based Citizens’ Council on Health Care, “the development of the electronic medical record has allowed all sorts of people to have access” that they would not have had before the advent of EHRs.

As previously reported here, the risks of data breaches and misuses of personal information rise significantly when the information is in electronic format. The trend toward putting more information in electronic format will only continue given the significant cost savings through technological advancements and, for health information, federal subsidies for the adoption of EHRs. Despite protections mandated by law, the portability and availability of EHRs nevertheless facilitate the improper viewing or misuse patients’ protected health information.

The Mayo Clinic terminations come on the heels of a string of employee terminations in 2008 by the UCLA Medical Center, which, through investigations dating back to 2004, found that at least 127 employees had improperly accessed the medical records of celebrities. One employee was even indicted in 2009 after she was found to have purposefully removed the social security numbers of celebrity patients and recorded actor Farah Fawcett’s medical records. Farah Fawcett subsequently sued her.

While most medical providers are well-aware of HIPAA’s requirements, the interest in all things celebrity may be too much for some to resist. We expect that the American Recovery and Reinvestment Act of 2009 (ARRA) [pdf] may only increase the risk of privacy breaches for it provides incentives to health care-related businesses to develop even more extensive uses of electronic health records. However, even famous celebrities have privacy rights under HIPAA, and health care employers should revisit their policies, procedures and training in the area of maintaining patient privacy and more closely monitor the use of electronic medical records.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Like individuals, businesses have resolutions/goals for 2010, perhaps even this new decade. As information risk, such as HIPAA or the occurrence of a data breach, continues threaten companies and put individuals’ personal identities, finances and medical information in jeopardy, addressing this issue in the coming years is a worthy resolution for any business. With this January 28, 2010, being the second National Data Privacy Day, January is as good a time as any to begin thinking about your organization’s information risk. The following list, which is by no means exhaustive, provides ten critical areas businesses will need to consider when addressing this issue.

1. Risk Assessment. Many businesses remain unaware of how much personal and confidential information they maintain, who has access to it, how it is used and disclosed, how it is safeguarded, and so on. Getting a handle on a business' critical information assets must be the first step, and is perhaps the most important step to tackling information risk. You simply can’t adequately safeguard something you are not aware exists.
2. Develop a Written Information Security Program. Even if adopting a written information security program (WISP) to protect personal information is not an express statutory or regulatory mandate in your state, having one is critical to addressing information risk. Not only will a WISP better position a company when defending claims related to a data breach, but it will help the company manage and safeguard critical information, and may even help the company avoid whistleblower claims from employees. For companies, a WISP can be a competitive advantage. Of course, in states like Massachusetts, Maryland, Oregon, Connecticut and others, a WISP in one form or another is required.
3. Vendors/Business Partners. Businesses addressing their information risk cannot stop at their information systems, buildings, and employees. Very often, vendors of the business maintain significant amounts of sensitive company and personal information of that business. This list of vendors can be long and include service providers such as: employee benefits consultants/administrators/brokers, accountants, lawyers, record storage/destructions companies, office cleaning services, professional employer organizations, payroll companies, cloud computing or other information service providers, and so on. Businesses that turn over sensitive information to a vendor need to take steps to ensure the vendor has implemented appropriate safeguards to protect the information. If this information is personal information, a number of states mandate contract provisions requiring the vendor to safeguard the information.
4. HIPAA. The recent changes by the HITECH Act, under the American Recovery and Reinvestment Act of 2009, will drive increased focus on HIPAA in 2010, particularly for business associates which for the first time become directly subject to many of the same privacy and security requirements as covered entities. The addition of a HIPAA breach notification requirement, effective September 23, 2009, and the growth of electronic health records, already are driving covered entities to amend their business associate agreements. Plan sponsors, health care providers and business associates all need to refocus their attention on HIPAA in 2010.
5. Insurance. Like many other risks, information risk can be addressed in part through insurance. More carriers are developing products dealing with personal information risk, and specifically data breach response. This kind of coverage should be a part of any CIO, privacy officer or risk manager’s plan for safeguarding information.
6. Identify “Red Flags”. Identifying “red flags” is the next step after implementing a WISP, beyond safeguarding sensitive information. The concept of “red flags” is to have policies and procedures designed to detect, prevent, and mitigate instances of identity theft – that is, with safeguards already in place, businesses need to be able to identify circumstances (“red flags”) which indicate incidents of identity theft could be occurring, and then take steps to prevent the identity theft or mitigate its effects. After a number of extensions, on June 1, 2010, the Federal Trade Commission will begin enforcing its “red flag” regulations that apply to financial institutions and creditors.
7. Training. A necessary component of any WISP and a required element under most federal and state laws mandating data security, training deserves special mention if only to remind businesses to remind employees how powerful the small devices are that they carry around.
8. Develop a Plan for Responding to a Breach Notification. All state and federal data breach notification requirements currently in effect require notice be provided as soon as possible. Delays in notification viewed as unreasonable could trigger an inquiry by the state’s Attorney General, or in the case of HIPAA protected health information, the Office of Civil Rights.
9. Carefully Integrate New Technologies. As businesses look for new technologies to increase productivity, cut costs, and gain a competitive advantage, how those technologies address information risk must be a factor in the decision whether to adopt the technology. For example, cloud computing is fast becoming a popular tool used by businesses to enhance their computing capabilities, at substantially reduced costs in some cases, but it raises a number of issues concerning information risk.
10. Watch for New Legislation. Today, managing data and ensuring its privacy, security and integrity is critical for businesses and individuals, and is increasingly becoming the subject of broad, complex regulation. It seems to be only a matter of time before U.S. companies are subject to a national law requiring the protection of personal information. Companies therefore need to stay tuned in order to continue to remain compliant and competitive in this regard.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

New Hampshire’s new breach notification law builds on the breach notification requirements under the HITECH Act by requiring health care providers and business associates to notify individuals of disclosures of their protected health information that are prohibited by New Hampshire law, even if such disclosures are permitted under HIPAA or other federal law. This new health information protection was enacted with other measures relating to privacy of electronic medical records and allowing individuals to opt out of sharing their names, addresses, and protected health care information with e-health data exchanges.

H.B. 619 becomes effective for data breaches occurring on and after January 1, 2010. Individuals may sue for violations of the notification requirement and, significantly, seek damages of not less than $1,000 per violation. The law also expressly requires business associates to cover the costs of notification if the use or disclosure triggering notification was made by the business associate.

Now, when New Hampshire health care providers and business associates experience a possible data breach, they will have to consider a number of laws to determine the appropriate response. These include H.B. 619, the state’s general breach notification statute, and the breach notification rules under the HITECH Act and implementing regulations. This is even more complex for health care providers and business associates operating in multiple states as at least five other states (Arkansas, California, Delaware, Missouri, Texas) and Puerto Rico require notification in the event some form of medical information is breached.
 

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Continuing our thoughts on how disclosures of private or confidential information may adversely impact the institution and the persons affected by such disclosure, we now focus on something near and dear to lawyers’ hearts: paper shredding.

Many businesses regularly shred documents they no longer need to protect them from disclosure. While this may secure the information contained in those documents, an additional concern exists for HIPAA-covered entities, such as hospitals, medical providers or their business associates. Often, those documents might consist of old medical records, charts, notes, or other information containing protected health information (“PHI”) specifically protected from disclosure under HIPAA.  

Shredding frequently is done by outsourced vendors.  They shred what is provided to them and then resell it as fill, packaging material or for other recyclable-type uses. But shredding alone may not be sufficient to secure data under HIPAA. This can cause a HIPAA headache, as suggested by recent occurrences overseas.  A gift-wrapping company owner in England discovered protected health data (including names of patients) from a local hospital on the shredding she used for work. In another situation being investigated by British authorities, an outsourced medical transcription company in India disclosed shredded health data. Although those situations occurred abroad, they could just as easily happen in the U.S., or occur outside the U.S. but affect information involving U.S. citizens.

If a data breach is discovered by the unauthorized disclosure of PHI through shredding or otherwise, under the American Recovery and Reinvestment Act of 2009 (“ARRA”), covered-entities and business associates must notify those affected by the disclosure of unsecured PHI within 60 days after a breach. If the breach involves disclosure of PHI for over 500 persons, a covered-entity and/or a business associate must also notify Department of Health and Human Services and the media. “Unsecured” under ARRA means any data not rendered unusable, unreasonable or indecipherable. Thus, an individual’s name legible on a snippet of shredded paper together with some health information may be enough to trigger ARRA’s disclosure requirements and constitute a HIPAA violation. For more information about data breaches under HIPAA, click here.

We therefore remind HIPAA-covered entities to ensure that their vendors are compliant with the HIPAA security requirements, that they have appropriate business associate agreements where necessary, and that they actively monitor compliance with those agreements.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Co-Author:  V. John Ella, Esq.

In a key step toward developing a proposed U.S. health information technology (HIT) infrastructure, the Centers for Medicare & Medicaid Services has announced that Iowa’s Medicaid program is the first to receive federal matching funds for planning activities necessary to implement the electronic health record (EHR) incentive program established by the American Recovery and Reinvestment Act of 2009 (ARRA). 

ARRA was signed into law by President Obama on February 17, 2009. Among its various parts, ARRA includes provisions for the improvement of our nation’s health care through health information technology (also known as Health IT or HIT), Medicare and Medicaid Health IT provisions which provide incentives and support for the adoption of certified electronic health records (EHRs); and provisions to expand, enforce, and enhance the privacy and security safeguards required by HIPAA. The proposed goal of a switch to EHRs is to improve the quality of health care for individuals, make care more efficient by making it easier for providers treating a patient to coordinate care, and make it easier for individual patients to access the information they need to make decisions about their own health care. Responsibility for implementing this program falls to the National Coordinator for Health Information Technology, a position currently filled by Dr. David Blumenthal at the Department of Health and Human Services (“HHS”). In furtherance of this goal, Mr. Blumenthal recently announced $80 million in grants to develop a HIT workforce. Additionally, the HHS has created a helpful website on the topic of health information technology with links to resources on privacy issues.

In discussing the approximately $1.16 million in federal matching funds Iowa will receive, Cindy Mann, director of the Center for Medicaid and State Operations at CMS said, “While Iowa is the first state to receive approval of its plan for implementing the Recovery Act’s EHR incentive program, a number of other states have submitted plans as well, meaningful and interoperable use of EHRs in Medicaid will increase health care efficiency, reduce medical errors and improve quality-outcomes and patient satisfaction within and across the states.”   As the first state to receive federal funding, Iowa will use the funds to focus on planning, information gathering, analysis, and assessment with respect HIT and the use of EHR within the state.  

A HIT Infrastructure is likely to raise a range of new issues involving the handling of sensitive personal information. For instance, anytime extensive personal and medical information is placed in electronic form, the chance of a data breach or information misuse rises significantly. This is especially true given the recent growth in the area of medical identity theft. Additionally, as some commentators have reported, physicians, hospitals, and clinics have all expressed concerns regarding the technical feasibility of the system, potential for patient mix-ups, as well as the extensive cost to make the switch to EHR. How such a system would affect employers and group health plan administration remains unclear.  

With such an emphasis on a switch to EHR, and billions of federal dollars fueling the conversion, all businesses, particularly health care providers, need to be consider how they will be affected by the new HIT infrastructure. 

• Email This
• Print
• Comments
• Trackbacks
• Share Link

“Cloud computing” takes many forms, but, fundamentally, it is a computer network system that allows consumers, businesses, and other entities to store data off-site and manage it with third-party-owned software accessed through the Internet. Files and software are stored centrally on a network to which end users can connect to access their files using computers that are less powerful and sophisticated than those we use today.  This technology reduces the need for expensive multiple servers and PCs with enough capacity to store massive data and application files. Some believe the PC of the future will need simply the capacity to connect to a web browser for the user to access his or her applications and files.

For more information on how cloud computing works, click here. For information on the FTC investigation of cloud computing, click here.

If you are not already computing in a cloud, you likely will be hearing more about “cloud computing” soon. Last month, for example, the City Council for the City of Los Angeles voted to move city employee e-mail and other applications from city computer networks to a cloud service provider – in this case, Google Inc. City officials cite significant cost savings (which they estimate to be in the millions) as one of the reasons for the switch. They acknowledged that concerns over data privacy, security and management remain.

We’ll agree that significant cost savings can be achieved through, among other things, reduced infrastructure. Questions and concerns many have with cloud computing, however, relate to the privacy, security and management of the information in the cloud. These include:

• What if the cloud starts to rain – a cloud computing data breach – who is responsible for notifying affected persons (and bearing the costs)?
• Which company owns the data placed in the cloud?
• If the data in the cloud is employee e-mail, is the employer still permitted to access and monitor email communications? Will new policies/notices be needed?
• Will company proprietary information be safe?
• Who has access to the data? Who should have access?
• Is the cloud service provider a business associate under HIPAA, prepared to comply with the HITECH Act? What other legal compliance requirements are there?
• Do we still need to maintain a back-up of data in the cloud?
• Where is the data stored? Is it in the United States, or in a foreign country subject to different data security standards? Does one location as opposed to another provide better access or security? What if data is stored in multiple places, will we be able to locate what we need when we need it?
• How big is the cloud? How much can we store?
• What if the cloud goes down? How do we get our data and access the applications needed to run our business?
• How do we move between clouds? Can our data be held captive when contract negotiations fall through?
• Can we put our clients’ data in the cloud? Do we have to tell them where it is?
• What happens to the data if the cloud service provider or the cloud customer goes out of business?
• Will applications in the cloud work the same way, be as flexible, and respond with the same speed as those on current PCs?

Organizations such as the Cloud Security Alliance have been formed to grapple with some of these issues. Indeed, the City of Los Angeles has had to respond to some of these concerns. So, while cloud computing may yield substantial cost savings and appear tempting, these and other questions and concerns should be addressed before moving in that direction.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

The Department of Health and Human Services (HHS) published interim final regulations on October 30, 2009, to update existing enforcement regulations under HIPAA for statutory revisions made by the Health Information Technology for Economic and Clinical Health (HITECH) Act. These regulations become effective November 30, 2009, and only address the provisions of the HITECH Act already in effect.

The interim final regulations, among other things, implement the increases in civil penalties and the four categories of violations and corresponding penalties established by the HITECH Act. Also, under the Act and the regulations, penalties will apply even where the covered entity did not know (and with the exercise of reasonable diligence would not have known) of the violation. However, HHS has the authority to reduce penalties in certain circumstances.

There have been a number of recent changes that enhance and strengthen HIPAA's enforcement provisions - the HITECH Act, the interim final regulations discussed above and agency reorganization. These measures suggest an increasing likelihood of enforcement concerning the HIPAA privacy and security regulations.  As a result, health care providers and health plans should be reviewing their compliance with HIPAA and preparing for additional guidance expected to be issued shortly.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

A British TV station investigation into India's medical transcription industry, known as Business Process Outsourcing (BPO), uncovered unsettling news for British subjects, as well as American citizens. Medical records sent to India to be transcribed and computerized are being sold. The Economic Times report on the investigation out of New Delhi suspects a "hardening of stance on the outsourcing industry by the western world." The article states:

The revelation has forced police of the two countries to join hands to launch an official investigation into the data pilferage of the records stored by the Indian BPOs. If found true, the allegations could hit the flourishing BPO sector in India hard, fueling doubts about their integrity and efficiency.

Security breaches of this kind can have far reaching effects beyond the businesses and individuals directly impacted. The hopes for funding U.S. healthcare reform rest, in part, on administrative cost savings. Under the HITECH Act, enacted as part of the 2009 federal stimulus bill, the U.S. will spend 36 billion to spur the health care industry to purchase and create systems and equipment, including electronic health records systems, to better network the healthcare industry. Reluctance to outsource and increased security are likely to chip away at whatever cost savings can be achieved through enhanced technology in healthcare. 

In the short run, businesses must be more vigilant in vetting their vendors, as well as the vendors of their vendors. These efforts should include stronger agreements, deeper examinations of security protocols, knowing where information is ultimately stored and processed, and having a better understanding of the applicable legal and industry standards concerning data security. These efforts can not stop at the water's edge.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Little more than one month after the HIPAA breach notification regulations became effective (September 23, 2009), covered entities (health care providers, health plans) and their business associates are struggling with the effects of these new rules. Many are asking:

• What is a breach?
• Do we have to notify in all cases, what are the exceptions?
• Who do we notify?
• Do we have to notify the government?
• Do we have to modify our business associate agreements?
• Do we have to create, update our policies and procedures?

Indeed, it is important to learn about these issues before a breach happens. However, if a reportable breaches happens, covered entities will need to know how and when to notify the Department of Health and Human Services (HHS). For breaches involving 500 or more individuals, the covered entity must notify HHS at the same time as the affected individuals. For breaches involving fewer than 500 individuals, the covered entity must maintain a log of the breaches during the calendar year and report them to the Secretary within 60 days following the end of that year.

HHS established a website for reporting breaches, with separate links for immediate and annual notifications. Note that in addition to gathering information specific to the breach, both forms ask about the safeguards in place prior to the breach and steps taken following the breach. Also, the instructions require covered entities to complete a separate on-line form for each breach.

Remember: Breaches triggering a notification requirement under HIPAA also may require notice under state law, including notice to certain state agencies and officials.

• Email This
• Print
• Comments
• Trackbacks
• Share Link