Workplace Privacy, Data Management & Security Report : Privacy Lawyers & Attorneys : Jackson Lewis Law Firm : Data Security, HIPAA & Confidentiality Issues

Written by Lillian Moon

In addition to requirements to safeguard increasingly vast amounts of patient data, healthcare providers also need to be mindful of when that data can be used and disclosed. One key challenge in that area is understanding whether state or federal law applies. The U.S. Eleventh Circuit Court of Appeals (which covers Florida, Georgia, and Alabama), held that the federal Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) preempted a Florida law, Section 400.145, that allowed for the release of medical records of deceased residents of nursing homes to specified individuals without prior authorization. Opis Management Resources, LLC et al. v. Secretary Florida Agency for Health Care Administration.

The plaintiffs, comprised of several nursing home facilities, filed suit in federal district court challenging the Florida Agency for Health Care Administration’s (“AHCA”) citations to the facilities for their refusal to disclose deceased residents’ medical records to surviving spouses, family members, and attorneys-in-fact who were not personal representatives under the relevant HIPAA provisions. The nursing homes asked a federal district court judge to declare that Florida Statute § 400.145 was preempted by HIPAA. The district (trial) court granted summary judgment in favor of the nursing facilities finding that the Florida law provided nursing home residents less protection than required under HIPAA.

On appeal, the Eleventh Circuit affirmed the district court’s grant of summary judgment concluding that Section 400.145

impedes the accomplishment and execution of the full purposes and objectives of HIPAA and the Privacy Rule in keeping an individual’s protected health information confidential.

As the court explained, HIPAA includes a preemption clause providing that HIPAA supersedes any contrary state law provision, including any state law which “stands as an obstacle to the accomplishment and execution of [HIPAA’s] full purposes and objectives.” In other words, if a state law provides for less stringent protection than that already provided by HIPAA, it is preempted or superseded by HIPAA. HIPAA, however, does not preempt state laws providing more stringent protections.

Since 2000, the federal Department of Health and Human Services has issued extensive regulations, known as the Privacy Rule, that establish procedures by which protected health information (“PHI”) may be used or disclosed by a covered entity or business associate. Under the most recent set of regulations issued in January, HIPAA protection of PHI for deceased individuals remains in effect for a period of fifty (50) years after the individual’s death. The Privacy Rule further provides that PHI may be disclosed to a personal representative (one who under applicable state law is an executor, administrator or other individual with the authority to act on behalf of a deceased person or the individual’s estate). Additionally, a covered entity may disclose a decedent’s PHI to family members and others who were involved in the care or payment for care of the decedent prior to death, unless doing so is inconsistent with any prior expressed preference of the individual that is known to the covered entity. In such a case, PHI of the deceased can be released to the extent it is relevant to such person’s involvement in the care or payment for the care.

Section 400.145, Florida Statutes, provides in pertinent part that “[u]nless expressly prohibited by a legally competent resident, any nursing home licensed pursuant to this part shall furnish to the spouse, guardian, surrogate, proxy, or attorney in fact . . . of a current resident, . . . or of a former resident, . . . a copy of that resident’s records which are in the possession of the facility.” The court found that although the statute lists a number of individuals to whom records could be disclosed, it “does not empower or require an individual to act on behalf of a deceased resident,” and, therefore, does not identify any of those individuals to qualify as personal representatives under HIPAA. Therefore, the statute provides a much broader class of individuals than under HIPAA to whom the deceased’s PHI may be disclosed without authorization. Additionally, the Florida statute does not contain the same limitations or restrictions as the Privacy Rule with regard to releasing PHI of a deceased individual to those involved in the individual’s care or who paid for it and only to the extent the information is relevant to the person’s involvement or payment. Accordingly, the court found HIPAA provided more stringent protections of PHI than the Florida statute and held HIPAA preempts Section 400.145.
 

• Email This
• Print
• Comments
• Trackbacks

In 2012, medical malpractice defendants and their defense attorneys earned the right to petition the court for a qualified protective order that would allow them to interview plaintiffs' health care providers without the presence of the claimants or their attorneys. At that time, one of the conditions for the order was that it limit the disclosure of any protected health information to the litigation before the court.

That law was amended on March 20, 2013, when Tennessee Gov. Bill Haslam signed S.B. 273. The new law requires the defendants to return or destroy the protected health information obtained under such an order, including all copies, when the litigation ends. This new requirement, similar to the requirement that exists under HIPAA, applies to litigations that begin on and after July 1, 2013. Defendants in these cases - health care providers - will need to be sure they keep track of all this health information they obtain under these orders, including all electronic versions, to ensure they are returned or destroyed as required under the new law.

• Email This
• Print
• Comments
• Trackbacks

In response to a massive data breach in 2012 involving over 700,000 people, Utah's Governor Gary R. Herbert signed a new law (S.B. 20) to ensure Utah residents will be notified of the possibility that their individually identifiable health information may be shared with the eligibility databases for Medicaid and the Children's Health Insurance Program (CHIP). The law becomes effective July 1, 2013.

To notify residents, the law requires health care providers in the state to include this information in their notices of privacy practices (NPP) that they are required to provide under the HIPAA Privacy Rule. HIPAA-covered health care providers should already be updating their NPPs following the final HIPAA regulations issued in January, although S.B. 20 may require Utah providers to act more quickly in updating their NPPs than is required under the HIPAA final regulations, which has September 23, 2013 compliance date. S.B. 20 also requires Medicare and CHIP to check that the notices are in place, and to deny providers access to their eligibility databases if the notices are not in place. The law also gives the state's Department of Health the authority to develop model language for the NPP.

Because of the seriousness of the breach, S.B. 20 also lays the groundwork to assemble a group that will be charged with establishing best practices for data security. Utah providers will need to monitor this development closely, particularly if the "best practices" create standards that are more stringent than those under the HIPAA privacy and security regulations.  

• Email This
• Print
• Comments
• Trackbacks

One of the more common issues faced by healthcare practices (and businesses generally) is how to respond to subpoenas or other requests for medical records of patients and employees. Those who receive these requests often feel compelled to respond in a timely fashion, particularly when it is an attorney subpoena or letter. Unfortunately, responses are made before fully considering critical legal and professional risks.

Consider the following examples:

• A New Jersey physician was forced to defend his access to family medical records without consent or authorization before the New Jersey Board of Medical Examiners resulting in defense costs and ultimately continuing education requirements for the physician;
• An Illinois hospital incurred significant legal fees to defend its disclosure of medical records in connection with the plaintiff’s divorce action.
• Ohio's Cleveland Clinic could not convince a federal district court to dismiss a patient's claim for invasion of privacy following the clinic’s disclosure of medical records to a grand jury in response to a subpoena. The court found the state's patient-physician privilege more protective than HIPAA. Turk v. Oiler, No. 09-CV-381 (N.D. Ohio Feb. 1, 2010).
• An Alabama patient's claim that his physician impermissibly disclosed his medical records to his employer survived a motion for summary judgment because the physician made the disclosure without having received a written request, as required under state law.
• In Wisconsin, a pharmacist was sued after disclosing an employee's prescription history to his employer. The pharmacist's ignorance of the states privacy laws and the employee's attorneys false pretenses to obtain the information were not a sufficient defense. The court found the release was knowing and willful and held the pharmacist must be familiar with the technical requirements for releasing patient data.
• A Court held another New Jersey doctor liable when he released a patient's records to opposing counsel pursuant to an improper subpoena, even though the subpoena's defects were of a technical nature. Again, the Court required the doctor to know the laws regarding patient privacy, specifically noting it was the doctor's burden to consult with legal counsel to ensure the release is proper. Crescenzo v. Crane, 350 N.J. Super. 531 (App. Div. 2002), cert. den. 174 N.J. 364 (2002).

Responding to these requests often is a delicate balance between avoiding being hauled into court for non-compliance with the subpoena/request and violating patient rights, such as by responding to a subpoena that may be improper or invalid, or otherwise failing to take into account applicable federal and state requirements before releasing the records.

Some of the most common issues which must be considered are:

1. What type of information is contained within the records requested?
2. What statutory, regulatory or common law protections apply to some or all of the information requested, such as the patient-physician privilege?
3. Is the authorization valid?
4. Whether responding to the subpoena is appropriate without patient authorization or providing the patient an opportunity to object to the disclosure?
5. Is a court order, including an order with specific findings, needed for some or all of the responsive information?
6. Is the requesting party authorized to be acting for the individual/patient/employee?
7. What safeguards should be taken to ensure the disclosure is made in a secure manner?
8. Must the business keep a record/account for the disclosure?

As more and more individuals, entities and attorneys seek medical information, including through discovery in litigation, these issues will only become more prevalent. Most healthcare practices look to HIPAA as the governing law that determines the proper use and disclosure of patient data, but state laws and professional obligations also must also be considered. Under HIPAA, a covered entity generally may not use or disclose an individual’s protected health information without a written authorization or providing the individual the opportunity to agree or object. There are, however, a number of thorny exceptions, such as for requests made in the course of judicial or administrative proceedings, or disclosures to law enforcement.

Nevertheless, HIPAA generally provides that these exceptions can be trumped by more stringent state laws that prohibit uses or disclosures of PHI without certain additional protections. In fact, courts routinely look to not only generally applicable state statutory requirements, but also protections under the "common law." This fact has been highlighted in decisions from courts throughout the country, as well as decisions by state boards of medical examiners, including those summarized above. In addition to fines and penalties which can be extensive, the cost of litigation to defend these suits can run into the tens of thousands of dollars, all for “simply” responding to what appears to be a lawfully issued subpoena or request.

Medical offices, clinics and practices, in particular, need to have a comprehensive, easy to understand plan that addresses what to do when staff receive requests for patient records. The plan should anticipate the kinds of requests that are likely to be received and the acceptable responses, including approved form documents to be used, as well as a means for documenting the request, verification steps taken and the response. Of course, the plan should alert the user to situations where additional guidance might be advisable to ensure the disclosure itself is proper, as well as the method of disclosure. 

• Email This
• Print
• Comments
• Trackbacks

In this case (Doe v Guthrie Clinic, Ltd, March 25, 2013), the Second Circuit Court of Appeals (covering New York, Connecticut and Vermont) is asking New York's highest court to determine whether the common law permits a medical corporation to be sued for a breach of the fiduciary duty of confidentiality concerning patient medical records when a non-physician employee makes an unauthorized disclosure of those records. The position the New York Court of Appeals takes will be watched closely by health care providers across the Empire State as the requirements for securing patient data continue to tighten with, among other things, the final HIPAA regulations being issued under HITECH this past January.

Here, Doe (patient) sued Guthrie Clinic because one of the clinic's nurses (and sister-in-law of Doe's girlfriend) texted Doe's girlfriend about Doe's treatment for a sexually transmitted disease (STD). All of the patient's claims, including a claim for common law breach of fiduciary duty to maintain the confidentiality of personal health information, were dismissed by the lower court. Doe appealed the dismissal to the Second Circuit. 

The federal appellate court reversed the dismissal of the fiduciary breach claim, noting that New York courts have not addressed this situation. That is, there are no decisions in New York that specifically address whether a medical practice could be liable under a breach of fiduciary duty theory when its non-physician employee wrongfully discloses confidential medical information. Employers in New York generally are liable for the foreseeable actions of their employees which are within the scope of employment, but usually not when those actions are driven by personal reasons of the employee.

Under the facts in this case, New York's high court may find no cause of action exists, leaving patients/plaintiffs with one less avenue to sue. The risks and exposures remain, however, for health care providers who will incur significant costs defending these actions in court and addressing complaints before state and federal agencies. Strong policies and employee training  will not prevent patient claims and complaints, but they will help to put providers in a better position to defend their actions.

• Email This
• Print
• Comments
• Trackbacks

Unwilling to wait for Congress to act, President Obama signed an executive order on Feb. 12, 2013, the same date that he delivered the State of the Union address. The executive order directs certain federal agencies to develop voluntary standards for achieving cybersecurity, an effort to be led, in part, by the National Institute of Standards and Technology, a component of the Commerce Department.

Citing national security concerns, the President's order seeks cooperation and collaboration with the private sector. It is unclear at this point how far the "voluntary" standards will reach, or how much the President can force compliance absent Congressional action. However, once in place, companies may feel compelled to comply in order to remain competitive and to ensure a stronger defensible position in litigation involving lapses in security of critical data. 

• Email This
• Print
• Comments
• Trackbacks

Linking his announcement to National Privacy Day, January 28, 2013, Maryland Attorney General Douglas F. Gansler informed the public that his office has formed an Internet Privacy Unit. (See similar step taken by Connecticut AG)

The stated purpose of the Unit is to protect the privacy of online users. The Unit will be charged with "monitor[ing] companies to ensure they are in compliance with state and federal consumer protection laws." In addition, the Unit will "examine weaknesses in online privacy policies" and help to create awareness about privacy rights. Of course, the Unit also will pursue enforcement actions to ensure consumer protection.

As in other states, such as Massachusetts and California, Maryland has a Personal Information Protection Act.  The Act provides, in part:

To protect personal information from unauthorized access, use, modification, or disclosure, a business that owns or licenses personal information of an individual residing in the State shall implement and maintain reasonable security procedures and practices that are appropriate to the nature of the personal information owned or licensed and the nature and size of the business and its operations.

Md. Code Ann. Comm. Section 14-3503. The Attorney General's Office has published some guidance about the data breach provisions of the law.

Maryland businesses and businesses which maintain personal information about Maryland residents should review their online privacy statements, as well as the policies and procedures for safeguarding personal information. In his press release, Attorney General Gansler acknowledged "the emergence and evolution of the Digital Age has created new and significant privacy risks for both consumers and businesses." Businesses need to be prepared to address these risks and defend against enforcement activities.

• Email This
• Print
• Comments
• Trackbacks

As we continue to examine the final HIPAA privacy and security regulations, as amended by the HITECH Act and the Genetic Information Nondiscrimination Act, we pulled together a summary of some of the key points. We fully expect additional sub-regulatory guidance to be provided by OCR, such as frequently asked questions and sample business associate agreement provisions.

• Email This
• Print
• Comments
• Trackbacks

Prepared by Jason Gavejian and Joseph Lazzarotti

In honor of National Data Privacy Day, we have laid out 13 key issues affecting businesses in 2013. While the list is by no means exhaustive, it does provide critical areas businesses will need to consider in 2013.

1. BYOD. As advancements in technology continue at a breakneck pace, many businesses are confronted with the idea of implementing a Bring Your Own Device (“BYOD”) program. Under these programs, employees are permitted to connect their own personal devices to the company’s networks and systems to complete job tasks either in the office or working remotely. While BYOD programs have advantages, they also have associated risks. Developing a thorough implementation strategy with appropriate policies is critical.
2. Bans On Requesting Social Media Passwords. As we have previously discussed  fourteen states introduced legislation in 2012 which would prohibit employers from requiring current, or prospective, employees to disclose a user name or password for a personal social media account. Six states have passed and/or enacted such legislation and it is anticipated that other states will pass similar measures in 2013.
3. Final HIPAA Regulations. On January 17, 2012, the Office for Civil Rights released final privacy and security regulations under the Health Insurance Portability and Accountability Act. In addition to incorporating the HITECH Act which, among other things, expands the application of the rules to business associates, the final rules also apply the rules to subcontractors and remove the risk of harm trigger for data breaches affecting unsecured protected health information.
4. Disaster Recovery Plans. Hurricane Sandy caused extensive damage on the east coast in 2012, greatly affecting not only personal residences, but many businesses up and down the coast. Unfortunately, protecting information and technology assets from natural disasters and other emergencies is often an afterthought. However, developing a comprehensive disaster recovery plan now can avoid the significant expense, and often irretrievable loss of data, associated with natural disasters.
5. Develop a Plan for Responding to a Breach Notification. All state and federal data breach notification requirements currently in effect require notice be provided as soon as possible. Delays in notification viewed as unreasonable could trigger an inquiry by the state’s Attorney General, or in the case of HIPAA protected health information, the Office of Civil Rights. This is true even when the number of individuals affected is relatively small.
6. Investigating Social Media. As the use of social media continues to grow throughout the world, it is only natural that social media content is being sought to aid in litigation. While public content may generally be utilized without issue, if private content is accessed improperly, serious repercussions can follow. This is especially true for attorneys and their staff who attempt to aid their clients by accessing social media content.
7. International Data Protection. More and more company information is being stored in electronic format and shared with various corporate divisions through company intranets or email. While U.S. law requires some safeguarding of this information, international protections on personal information can be much more stringent. When the transfer of data across international borders is possible, or actively occurring, companies should be advised on the potential risks and requirements associated with same.
8. Develop a Written Information Security Program. Even if adopting a written information security program (WISP) to protect personal information is not an express statutory or regulatory mandate in your state, having one is critical to addressing information risk. Not only will a WISP better position a company when defending claims related to a data breach, but it will help the company manage and safeguard critical information, and may even help the company avoid whistleblower claims from employees. For some companies, a WISP can be a competitive advantage. Of course, in states like Massachusetts, Maryland, Oregon, Texas, Connecticut and others, a WISP in one form or another is required.
9. Risk Assessment. Many businesses remain unaware of how much personal and confidential information they maintain, who has access to it, how it is used and disclosed, how it is safeguarded, and so on. Getting a handle on a business' critical information assets must be the first step, and is perhaps the most important step to tackling information risk. You simply can’t adequately safeguard something you are not aware exists. And failing to conduct a risk assessment may subject the business to penalties under federal and/or state law.
10. Insurance. Like many other risks, information risk can be addressed in part through insurance. More carriers are developing products dealing with personal information risk, and specifically data breach response. This kind of coverage should be a part of any CIO, privacy officer or risk manager’s toolkit for safeguarding information.
11. Training. A necessary component of any WISP and a required element under most federal and state laws mandating data security is training. In addition to meeting compliance requirements, training employees and supervisors also will aid in defending any potential breach of privacy claim that may be asserted against the company.
12. Carefully Integrate New Technologies. As businesses look for new technologies to increase productivity, cut costs, and gain a competitive advantage, how those technologies address information risk must be a factor in the decision to adopt.
13. Watch for New Legislation. Today, managing data and ensuring its privacy, security and integrity is critical for businesses and individuals, and is increasingly becoming the subject of broad, complex regulation. As no national law requiring the protection of personal information has yet to be passed in the U.S., companies are left to navigate the constantly evolving web of growing state legislation. Companies therefore need to stay tuned in order to continue to remain compliant and competitive in this regard.

• Email This
• Print
• Comments (1)
• Trackbacks

Under the HITECH Act, business associates are subject to the HIPAA privacy and security rules (the "HIPAA Rules") virtually to the same extent as covered entities. In addition to implementing this change for business associates ("BAs"), and providing additional guidance concerning what entities are business associates, the final HIPAA regulations issued last week also treat certain subcontractors of BAs as BAs directly subject to the HIPAA Rules. As a result of some of these changes, covered entities and BAs need to re-examine the relationships with their subcontractors to ensure they obtain the appropriate satisfactory assurances concerning the "protected health information" (PHI) they make available to those subcontractors.

Below are some of the key points from the final regulations concerning BAs and subcontractors:

• Subcontractors. The final HIPAA regulations provide that subcontractors that create, receive, maintain, or transmit PHI on behalf of a BA are business associates. This is a significant expansion of the application of the HIPAA Rules; it makes subcontractors directly liable under the HIPAA Rules.

As a result of this change, just as covered entities need to ensure that they obtain satisfactory assurances concerning compliance with the HIPAA Rules (usually in the form of a business associate agreement, BAA) from their BAs, BAs must do the same with regard to certain subcontractors. This must continue no matter how far “down the chain” the PHI flows.

• Business Associate Agreement Not Necessary to Establish Status as Business Associate. The final HIPAA regulations confirm that persons and entities that meet the definition of a BA have that status regardless of whether a "business associate agreement" is in place.

• Data Storage Companies. Entities that maintain PHI (digital or hard copy) on behalf of a covered entity are BAs, "even if [they] do not actually view the [PHI]."  This provision may create significant compliance issues for cloud service providers, as well as hard copy document storage companies, that have access to the records of their clients but may never look at them. The conduit exception is a narrow one and only applies transmissions of data, not storage. 

• Certain Groups Not Considered Business Associates.
  • Researchers generally are not considered BAs when performing research functions.
  • Banking institutions generally are not considered BAs with respect to certain payment processing activities (e.g., cashing a check or conducting a funds transfer)
  • Malpractice insurers generally are not considered BAs when providing services related to the insurance, but may be BAs when providing risk management and similar services to covered entities.

Transition rule for compliance. A transition rule under the final HIPAA regulations permits covered entities and BAs to continue to operate under certain existing contracts for up to one year beyond the compliance date (September 23, 2013) of the final regulations. A qualifying business associate agreement will be deemed compliant until the earlier of (i) the date such agreement is renewed or modified on or after September 23, 2013, or (ii) September 22, 2014. This rule only applies to the language in the agreements, the parties must operate as required under the HIPAA Rules in accordance with the applicable compliance dates. 

Covered entities and business associates may want to act more quickly to identify and contract with those individuals and entities from whom they must obtain satisfactory assurances under HIPAA.

• Email This
• Print
• Comments
• Trackbacks

The Office for Civil Rights released on January 17, 2013, final privacy and security regulations (563 pages) under the Health Insurance Portability and Accountability Act. The rules address four key issues:

• Reflecting the changes made by the Health Information for Economic and Clinical Health Act (HITECH);
• Revisions to the HIPAA enforcement rule;
• Updates to the previously issued data breach regulations; and
• Incorporating the changes made by the Genetic Information Nondiscrimination Act.

In general, covered entities and business associates will need to comply by September 23, 2013. We expect to be reporting on some of the key changes shortly.  

ACCESS SUMMARY HERE
 

• Email This
• Print
• Comments
• Trackbacks

Following the mass shootings in Newtown, CT, and Aurora, CO, Office for Civil Rights Director Leon Rodriguez issued a letter on January 15, 2013, reminding covered health care providers about disclosures of protected health information that may be made to avert threats to health and safety.

The letter points out, for example, that mental health professionals may alert police, a parent or other family member, school administrators or campus police, and others who are in a position to stop a credible threat by a patient to inflict serious and imminent bodily harm on one or more persons. It is important that the letter also points out that while HIPAA may permit the disclosure, other federal and state laws, along with professional ethical standards, need to be taken into account because they may provide greater protections. Of course, health care providers should not wait for a crisis to happen to think through these issues, but should instead address this issue in its crisis management policy.

• Email This
• Print
• Comments
• Trackbacks

In 2012, California took significant steps to increase privacy protections for users of mobile applications (apps) which involved working with companies such as Amazon, Apple, Facebook, Google, Hewlett-Packard, and Microsoft. In July 2012, the Attorney General created the Privacy Enforcement and Protection Unit, with the mission of protecting the inalienable right to privacy conferred by the California Constitution.

These efforts led to the "Privacy on the Go" booklet published this month which sets out a range of helpful recommendations for app developers. Of course, many of the same principles discussed in this booklet would be helpful to any organization seeking to secure personal information. 

• Email This
• Print
• Comments
• Trackbacks

During the summer of 2010, while dumping his own garbage at the Georgetown Transfer Station, a Boston Globe photographer saw a large pile of paper which, after further inspection, turned out to be medical records of more than 67,000 residents including names, Social Security numbers, and medical diagnoses that were not redacted or destroyed. His discovery led to a Boston Globe article and the eventual investigation by Massachusetts Attorney General Martha Coakley. On January 7, 2013, Attorney General Coakley announced a $140,000 settlement with the individual and entities involved - one physician, three medical practices, and the medical billing vendor for these health care providers.

The health care providers and the billing company all were subject to the Massachusetts data security regulations, including the obligation to dispose of and destroy personal information in a secure manner. Massachusetts General Laws Chapter 93I. Of course, with regard to the health care providers, the Attorney General alleged they failed to take reasonable steps to select and retain a service provider (the medical billing company) that would maintain appropriate security measures to protect such confidential information. In addition, the providers and the medical billing company had obligations to safeguard the protected health information in the documents that were discarded under the HIPAA privacy and security regulations, as amended by the HITECH Act. As a result, the Attorney General could exercise her enforcement authority under state law, as would be expected, but also under HIPAA, pursuant to the authority granted under the HITECH Act.

This incident represents another reminder for companies (health care providers, in particular) to appropriately evaluate their vendors and service providers to ensure they will safeguard the personal information with which they have been entrusted.

• Email This
• Print
• Comments
• Trackbacks

The $50,000 in penalties that the Office for Civil Rights (OCR) recently imposed on a health care provider in Idaho was due in part to allegations that the HIPAA covered entity had not conducted a risk assessment as required under the HIPAA privacy and security regulations. Of course, HIPAA is not the only law that requires a risk assessment. State laws, such as the Massachusetts data security regulations, contemplate and require a risk assessment in order to establish reasonable safeguards for personal information.

In short, this process involves examining what information the organization maintains, the nature of that information, how it moves through the organization and to/from its vendors, and the organization's current set of safeguards in order to determine the vulnerabilities to that information in terms of privacy, security, accessibility and integrity. This process is critical to ensuring that privacy and security policies are appropriate for the organization. There are a number of resources to assist you in getting started - here are a couple:

• High level risk assessment power point
• HHS guidance concerning risk assessments under HIPAA 

Organizations that have performed risk assessements need to periodically re-evaluate their prior efforts based on changes in their business. So, whether your organization has not conducted a risk assessment, or it has been a few years since your last assessment, or there have been substantial changes in your business, this may be as good a time as any to make this a priority.

• Email This
• Print
• Comments
• Trackbacks

The U.S. Department of Health and Human Services’ (HHS) reported today its first settlement involving a breach of unprotected electronic protected health information (ePHI) affecting fewer than 500 individuals. According to a statement from the Office for Civil Rights Director Leon Rodriguez, “This action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients’ health information.”

The breach occurred in June 2010, when an unencrypted laptop belonging to the Hospice of North Idaho (HONI) that contained ePHI of 441 patients was stolen. The Office for Civil Rights (OCR) learned of the incident when HONI reported it to OCR pursuant to the annual reporting requirement for breaches affecting fewer than 500 individuals under the Health Information Technology for Economic and Clinical Health (HITECH). When OCR investigated, it discovered "that HONI had not conducted a risk analysis to safeguard ePHI." OCR also reported that HONI did not have in place policies or procedures to address mobile device security as required by the HIPAA Security Rule. 

HONI agreed to pay HHS $50,000 to settle potential violations of the Security Rule.

• Email This
• Print
• Comments
• Trackbacks

On Monday, the Office for Civil Rights released guidance regarding methods for de-identification of protected health information (PHI) in accordance with the HIPAA Privacy Rule and as required by the American Recovery and Reinvestment Act of 2009.

HIPAA covered entities and business associates recognize the increasing risks related to handling "protected health information." One way to reduce these risks is through the "de-dentification" process. When performed correctly, de-identification causes the remaining information to no longer constitute "protected health information," and therefore no longer subject to the HIPAA privacy and security rules.  

The OCR page provides greater detail, in question and answer format, concerning the two methods that can be used to satisfy the Privacy Rule’s de-identification standard:

• "Expert Determination" -  a formal determination by a qualified expert.
• "Safe Harbor" - the removal of specified individual identifiers as well as absence of actual knowledge by the covered entity (or business associate) that the remaining information could be used alone or in combination with other information to identify the individual.

Under either method, PHI is no longer protected by the Privacy Rule, but the remaining data has limited usefulness. However, the guidance also describes de-identification strategies that can minimize the loss of usefulness to the data. Of course, where de-identification is not practical, which is often the case, covered entities and business associates need to ensure compliance with HIPAA privacy and security rules.

• Email This
• Print
• Comments
• Trackbacks

California Governor Jerry Brown has signed into law (AB 2674) new requirements specifying when and how employers must respond to their employees’ requests for inspection and copying of their personnel files. The new requirements become effective January 1, 2013.

Click here for more information about the new law.

• Email This
• Print
• Comments
• Trackbacks

Have you received this letter? If you did, it is part of Attorney General Kamala D. Harris efforts to formally notify scores of mobile application developers and companies that they are not in compliance with one aspect of California's privacy law. Letters are being sent out to up to 100 non-compliant apps at this time, starting with those who have the most popular apps available on mobile platforms. Even if you have not received the letter, you may want to think about whether you need to comply.

The California Online Privacy Protection Act (CalOPPA) requires commercial operators of online services, including websites and mobile and social apps, which collect personally identifiable information from Californians to conspicuously post a privacy policy. Privacy policies should address how companies collect, use, and share personal information. Companies can face fines of up to $2,500 each time a non-compliant app is downloaded.

This enforcement action by Attorney General Harris is directed at mobile and social app platforms, but CalOPPA applies more broadly - to all commercial operators of online services that collect personal identifiable information about Californians.

It also is important to note that CalOPPA is just one of a number of privacy laws that the Privacy Enforcement and Protection Unit is charged with enforcing. Created in 2012, the Privacy Unit’s mission is to enforce federal and state privacy laws regulating the collection, retention, disclosure, and destruction of private or sensitive information by individuals, organizations, and the government. This includes laws relating to cyber privacy, health privacy, financial privacy, identity theft, government records and data breaches.

The establishment of the Privacy Unit and this more recent enforcement of CalOPPA suggests California is stepping up the enforcement of its privacy laws. Privacy officers, security officers, compliance officers, information security officers, risk managers, and others in California and beyond should take stock of their compliance efforts and make adjustments where necessary.

• Email This
• Print
• Comments
• Trackbacks

The effects of a hurricane like Sandy should be a reminder to all businesses of the importance of disaster recovery planning. When these storms threaten there is no shortage of images of sandbags and plywood being used to prevent harm to companies' bricks and mortar. However, rarely do we see steps businesses should be taking to protect their information and technology assets from natural disasters. Information and technology assets are essential to the success of most organizations, making appropriate preparations critical.

There are many aspects to comprehensive disaster recovery planning. Below are just a few of the key steps a company should take concerning its information and technology assets:

• Have a clear purpose and avoid internal silos. Companies should be clear about what they are setting out to do and involve the appropriate segments of their organizations. Disasters do not just affect IT departments, they also affect the sales force, human resources, legal, finance, and top management. Leadership from these and other business segments need to be at the table to ensure, among other things, appropriate coordination among the segments and an awareness of all available company resources. Excluding critical segments from the process will make it difficult to carry out the next critical step - assessing the risks.

• Assess risks. Before a company can develop a disaster recovery plan, it must first identify the information and technology assets it needs to protect, their locations, their role to the success of the business, their associated costs and the overall and specific risks that apply to those assets. Different disasters pose different risks and require different safeguards. It also is important to analyze how the businesses' operations would be affected upon the loss of vital components and assets, including identifying what information and technology systems are needed to safely keep the doors open.

• Employee safety. Information and technology assets are critically important, but not at the expense of human life. Employees need to be reminded that their safety comes first.

• Develop your plan. Having involved key personnel and assessed the risks, the business is in a position to develop an enterprise-wide disaster recovery plan. Such a plan might include the following specific steps:
  • Establish redundancies. If a data center in lower Manhattan is underwater, being able to switch to another in California, Texas or another part of New York State will be essential to business continuity. The same is true for voice and electronic communications systems.
  • Regular backups. Frequent and regular backups are critical to ensuring the preservation of important company data, as well as the data it may maintain for others. Companies also have to consider the integrity and accessibility of that data, which easily can be compromised by certain disasters.
  • Train employees. No one likes fire drills, but they serve a valuable purpose. Companies should not wait for a disaster in order for employees to learn about the company's disaster recovery program.

• Update plan. As the business changes, grows, and adds locations and new people, the disaster recovery plan also may need to change to address those changes. A regular review of the plan is critical.

So, as you clean up from Sandy, think about whether your disaster recovery plan worked the way you expected. If it did not, make appropriate changes. If you think your company could have benefited from such a plan, there is no time like the present to begin developing one.

• Email This
• Print
• Comments
• Trackbacks

To help businesses comply with amendments to Connecticut's data breach notification law, which becomes effective October 1, 2012, CT Attorney General George Jepsen's Privacy Task Force has made an email address - ag.breach@ct.gov - available to facilitate breach reporting, reports Hartford Business.com.

According to the AG's press release, a Web page detailing the new law’s requirements will go live on the AG's Website when the amendment goes into effect. The key change made by the amendment is that persons, including businesses, required to notify residents of the Nutmeg State of a security breach must also notify the Attorney General's office within the same time frame. The email address and informational website should facilitate the breach reporting process in Connecticut.  

• Email This
• Print
• Comments
• Trackbacks

In another case of a breach reported to HHS Office for Civil Rights (“OCR”), a HIPAA covered health care provider, the Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc. (collectively, “MEEI”), has settled charges of potential HIPAA security rule violations. MEEI agreed (i) to pay $1.5 million and (ii) to take corrective action to improve policies and procedures to safeguard the privacy and security of its patients’ protected health information.

As in the Alaska Department of Health and Social Services (DHSS) case, an unencrypted electronic storage device was stolen, the covered entity reported the breach, OCR investigated the breach and broader compliance with HIPAA's privacy and security rules, and found potential violations.  

For more information about the MEEI incident, click here.

This kind of enforcement activity could be lucrative for cash-strapped federal and state agencies. It is no wonder that some states are amending their statutes to require Attorney General notification. Accordingly, because data breaches can and will occur, HIPAA covered entities and businesses subject to HIPAA and state data breach notification statutes should be doing more to prepare for the audit that may follow the reporting of a data breach. That is, they should be doing more to safeguard personal information and PHI pursuant to the applicable standards.  

• Email This
• Print
• Comments
• Trackbacks

Prepared by Lillian Moon

The U.S. Department of Defense (DOD), General Services Administration (GSA) and National Aeronautics and Space Administration (NASA) on August 24, 2012, proposed amendments to the Federal Acquisition Regulation - the rules governing the process through which the government purchases goods and services - addressing data security.

In short, the proposed rule would add a required contract clause for federal contractors to “address requirements for the basic safeguarding of contractor information systems” containing or processing government information. DoD, GSA, and NASA all recognize that an outgrowth of the requirements for Federal agencies to provide information security for information and information systems that support agency operations and assets, as set forth under the Federal Information Security Management Act (FISMA) of 2002, includes the information and information systems managed by contractors.

The rule would apply to information provided by or generated for the Government that will be contained in or processed through a contractor’s or subcontractor’s information system. Basic safeguarding of such systems would include:

• Protecting information on public computers or web sites;
• Transmitting electronic information using technology and processes that provide the best level of security and privacy;
• Transmitting voice and fax information only with reasonable assurances that access is limited to authorized recipients;
• Protect information by at least one physical or electronic barrier;
• Sanitize media in accordance with the National Institute of Standards and Technology (NIST) before external release or disposal;
• Provide protection against computer intrusions and the unauthorized release of data including current and regularly updated malware protection services and security-relevant software upgrades.

Additionally, contractors would be required to include the substance of the contract clause in all subcontracts for subcontractors who may have information subject to the rule residing in or transiting through the subcontractors' information systems.

Federal contractors will need to reevaluate their information systems and written information security programs (WISPs) if this rule is made final and such provisions are added to their contracts.
 

• Email This
• Print
• Comments
• Trackbacks

New York takes another step toward safeguarding Social Security Numbers (SSN), this time limiting certain entities, including employers, from requiring a person to disclose or furnish his or her SSN for any purpose. Signed into law by Gov. Andrew Cuomo on August 14, 2012, the new law (A.8992-A / S.6608-A) adds a new section 399-ddd to the General Business Law of the Empire State, that becomes effective 120 days from enactment (December 12, 2012). Businesses will need to revisit their practices with employees, customers and other individuals in situations where all or a part of the Social Security Number is involved. 

There are two important points to note about the law: (i) the definition of SSN; and (ii) the exceptions.

Under the new law, SSN includes the 9-digit number issued by the Social Security Administration, but also "any number derived from such number," unless the number is encrypted.  So, for example, unless one of the exceptions below applies, requiring employees or customers to use the last four digits of their SSN as part of an identification number will become unlawful later this year.  

Here are some of the exceptions:  

• The individual consents to the acquisition or use of his or her SSN (of course, while not expressly stated in the statute, a court would likely interpret this provisions to mean a voluntary consent);

• The SSN is expressly required by federal, state or local law or regulation; 

• The SSN is used for internal verification or fraud investigation;
   
• The SSN is requested for credit or credit card transaction initiated by the consumer or in connection with a lawful request for a consumer report or investigating consumer report (in addition to permissible background checks under the Fair Credit Reporting Act and New York law, this provision also may cover corporate credit card programs, frequently used by companies to better manage business expense reimbursement);

• The SSN is requested for purposes of employment, including in the course of administration of a claim, benefits, or procedure related to employment, such as termination from employment, retirement, workplace injury, or unemployment claims;

• The SSN is requested for tax compliance, collecting child or spousal support, or determining whether a person has a criminal record; and

• The SSN is requested by an authorized insurance company for purposes of furnishing information to the Centers for Medicare and Medicaid Services (this likely captures the recent reporting requirements under Section 111 of the Medicare, Medicaid and SCHIP Extension Act of 2007). 

The law does not provide for a private right of action; it is enforced by Attorney General of the State and carries a civil penalty for a first offense of not more the $500 per violation ($1,000 for second offenses). However, the law seems to suggest that so long as reasonable measures have been adopted to avoid a violation, unintentional, bona fide errors will not result in penalties. 

• Email This
• Print
• Comments
• Trackbacks

Bringing work home is nothing new, but for one Oregon Health & Science University Hospital (OHSU) employee, it resulted in a significant data breach when a flash drive was stolen from the employee's house containing protected health and other personal information on over 14,000 patients and OHSU employees, as reported by a health information privacy watchdog.

Based on a statement OHSU put out concerning the breach, it appears the organization had taken steps to safeguard the information:

OHSU has several measures in place to protect patient information, including encryption software for computers, password protections and secure programs for managing patient information and tracking usage. The university also provides extensive training to all employees who have access to patient data. In addition, the university has enacted several layers of policy to help protect this information.

However, it remains to be seen whether those safeguards will stand up to scrutiny should the Office of Civil Rights investigate the situation and review with 20/20 hindsight OHSU's policies and procedures. When developing policies and procedures, covered entities under HIPAA, business associates and any other entity charged with protecting personal information should be thinking about not only whether their safeguards are reasonable and "compliant," but whether they will stand up to the applicable regulatory agency's scrutiny following a data breach.    

• Email This
• Print
• Comments
• Trackbacks (1)

When an electronic storage device potentially containing ePHI was stolen from the vehicle of an Alaska Department of Health and Social Services (DHSS) employee on October 12, 2009, DHSS reported the breach to the Office of Civil Rights (OCR) pursuant to the HIPAA breach notification rule. The breach reportedly affected 501 individuals. However, according to a resolution agreement, OCR's subsequent investigation found significant violations of some of the most basic HIPAA rules. Without admitting liability, DHSS agreed to pay $1,700,000 and to comply with a three-year corrective action plan.

After four rounds of written responses from DHSS, and a two-day on-site visit, OCR found that  DHSS had not:

1. completed a risk analysis;
2. implemented sufficient risk management measures;
3. completed security training for DHSS workforce members;
4. implemented device and media controls; or
5. addressed device and media encryption.

Data breaches continue to occur on a fairly regular basis, and the ubiquity of electronic storage devices, particularly those that are not encrypted, make these incidents even more likely. This and other cases should help covered entities to realize that enforcement agencies are acting on notices they receive under the applicable breach notification statutes or regulations to find compliance violations.

This kind of enforcement activity, as with this case, could turn out to be quite a lucrative practice for cash strapped federal and state agencies. It is no wonder that some states are amending their statutes to require Attorney General notification. Accordingly, because data breaches can and will occur, HIPAA covered entities and businesses subject to HIPAA and state data breach notification statutes should be doing more to be prepared for the audit that may follow the reporting of a data breach. That is, they should be doing more to safeguard personal information and PHI pursuant to the applicable standards.  

• Email This
• Print
• Comments
• Trackbacks

Written by Keturah Martin

As yet another example of the Massachusetts Attorney General enforcing compliance with the Commonwealth’s data privacy and security laws, that office recently reached a $15,000 settlement in an enforcement action involving Maloney Properties, Inc. (MPI), a property management company based in Massachusetts.

In the lawsuit, the AG alleged that MPI’s policies and procedures failed to adequately protect its customers’ personal information when an MPI employee stored the unencrypted personal information of 621 Massachusetts residents on a company laptop, left the laptop in a personal vehicle overnight, and the laptop was then stolen.

Although there was no indication that any of the personal information on the laptop was acquired or used by an unauthorized person or for an unauthorized purpose, the AG still required MPI to pay a monetary penalty of $15,000 and agree to take certain steps before ending its action against the company.

Some of the steps MPI agreed to take include complying with the Commonwealth’s regulations – including the requirement to encrypt personal information on portable devices, to the extent technically feasible. This also includes encrypting personal information on company-owned portable devices, ensuring that the devices are kept in secure locations, purging personal information when it’s not needed anymore, training its employees at least annually on encryption and proper storage, and performing an annual audit of its compliance with its Written Information Security Program (WISP). In addition, the company must submit the results of its 2012 and 2013 annual WISP audits to the AG’s Office.

The AG’s actions in this matter demonstrate that it does not take lightly the loss of Massachusetts residents’ personal information, even if that loss has not caused any known harm to the affected residents, and that it may remain watchful over the subject of an investigation for years to come. This provides a timely reminder for all companies of the importance of understanding and complying with the Commonwealth’s requirements in this area.
 

• Email This
• Print
• Comments
• Trackbacks

Employers increasingly have health professionals on-site providing medical services to employees. For some employers, the reason is to address the rising costs of health care, including uncertainties about the full impact of health care reform, the Affordable Care Act, looming in 2014. For others, more comprehensive approaches to disability and leave management can mitigate compliance and litigation concerns. 

Whether it is a single nurse at a facility providing basic first aid and assisting in fitness-for-duty exams, or a full-scale health clinic staffed with physicians, nurses and others, there are a range of issues the company should be thinking about – e.g., workplace safety, disability/leave management, labor, employee benefits, and privacy. Some of our practice group leaders put together a white paper to aid employers in spotting these issues. We hope you find this helpful and easy to read. 

Click here to access the White Paper: An Overview of Legal Considerations When Bringing Health Care "In-House"
 

• Email This
• Print
• Comments
• Trackbacks

Like any business that handles personal information, debt collection agencies have obligations to maintain reasonable safeguards to protect that information. Recent enforcement activity by the Minnesota Attorney General's office makes this clear. The banks, health care providers and other businesses that utilize collection services are also driving compliance as they demand these companies have written information security programs in place to protect the personal information of their customers/patients. Increasingly, debt collection companies are required to complete comprehensive surveys about their data protection practices, and are not always in the best position to do so.

In the Minnesota case, even where appropriate safeguards may have been in place, a breach resulting from a stolen laptop triggered the state's Attorney General to inquire into not only the company's privacy safeguards, but its business model as well. According to Attorney General's office, the company employee left an unencrypted laptop containing sensitive information on 23,500 Minnesota hospital patients in a rental car in the parking area located in a bar and restaurant district of Minneapolis where it was stolen.

For these companies, the requirements can be complex since they will depend on not only the kinds of information they collect, but also the businesses they serve (and what laws regulate those businesses), the state of residency of the individuals whose records the collection agency maintains, and the states in which the company does business.

• Email This
• Print
• Comments
• Trackbacks

According to a Ponemon Institute study*, data breaches occurring in the hands of third-party vendors amounted to 39 percent of breaches in 2010.  Whether it be cloud service providers, benefits brokers, medical billing services, debt collection companies, consultants, accountants, law firms, staffing services, shredding/data destruction services, cleaning service providers and other businesses, most companies utilize third party vendors to provide an array of services. Those services often involve letting the vendor access, store and/or process personal information, which creates additional risk and legal obligations for the company using the vendor, such as the service provider contract requirement in Massachusetts.

Massachusetts deadline. A number of states have passed laws requiring companies that put personal information in the hands of third party service providers must obtain the written agreement of the third party to safeguard this information. The Massachusetts data security regulations that went into effect March 1, 2010, gave businesses until March 1, 2012 to update contracts with service providers that were entered into no later than March 1, 2010. However, next month that grace period expires. Thus, beginning March 1, 2012, a contract to safeguard personal information must be in place with all service providers who handle personal information concerning a Massachusetts resident on behalf of the company.   

Other mandates. Requirements to ensure third party vendors are safeguarding personal information is not limited to Massachusetts. Examples include:

• States such as California, Maryland, Nevada, Oregon, and Texas have had for some time a contract requirement similar to the Massachusetts rule.
• The privacy and security regulations under HIPAA have a more expansive requirement for “business associates” and “subcontractors.” Businesses subject to HIPAA are anxiously awaiting final regulations under HITECH which will be specifically addressing business associate agreement requirements, among other things.
• The Payment Card Industry (PCI) standards require similar agreements.
• Law firms in many states are subject to specific state ethical mandates to have written assurances from vendors handling client data (these mandates are not limited to personal information, but seem to apply to all client information). For example, lawyers in states such as ME, MO, NJ, NY, OR, VT, WI are required to make sure that contractors maintain appropriate safeguards through a “legally enforceable obligation.”   

What to do next? Vendor management should be part of an overall strategy to safeguard company and personal information. It is important to add that while personal information typically is the focus of this risk because of the breach reporting obligations across the country, confidential and proprietary company data is, of course, also at risk in the hands of vendors.

Companies should develop a list of all of their vendors and require all that have access to sensitive personal or company information to agree to amend the services agreement to include a requirement that the vendor have in place appropriate data privacy and security safeguards. Careful negotiations and drafting is critical to ensure legal compliance and protection/indemnity in the event of a data breach. In addition, some business might want to maintain a right to audit operations and require certain specific safeguards, depending on the volume and sensitivity of the information at issue. Companies also have developed comprehensive questionnaires and assessments for their vendors to complete to obtain a more complete picture of the vendors' data security protocols.

Whatever the approach, companies should at a minimum obtain written assurances from their vendors concerning the safeguarding of personal information.  
 

*Ponemon Institute, LLC. 2010 Annual Study: U.S. Cost of a Data Breach, March 2011.

• Email This
• Print
• Comments
• Trackbacks

In addition to concerns about social media, school districts across the country need to address a growing interest in the personal data of the students they educate. No, this interest does not stem from a desire to see if kids are reading at the desired level, or if the children have the resources they need to receive an adequate education. Data thieves want this information to commit identity theft. 

As reported by the Huffington Post:

Identity theft in schools is more than theoretical. Last July, Sheyla Diaz, 44, a former Broward County, Florida high school teacher, was sentenced to six months of house arrest for stealing the identities of former students. In 2009, Jonathan E. Kelly, who worked as a police officer for the Palm Beach County School District, was sentenced to eight years in prison for stealing the identities of former students and teachers.

The thieves know that children have pristine credit and that school districts, hampered by substantial budget cuts, may not be doing all they could to safeguard this information. Parents and school districts need to take steps to address this growing risk.

• Email This
• Print
• Comments
• Trackbacks

While we do not know the exact nature and scope of the imminent HIPAA audits, we do know that HIPAA compliance and the verification of compliance (the audit) can be a very daunting process that mandates a great deal of preparation and organization. Beyond getting legally compliant, HIPAA covered entities and business associates need to consider how to practically and efficiently track and illustrate this compliance should they find an OCR investigator knocking at the door.

We have asked Alan Heyman, Managing Director of Cyber Security Auditors & Administrators LLC (CSA2) to discuss how certain applications can facilitate the response to a HIPAA audit, including minimizing the time staff needs to be involved. The following is an excerpt from Alan's discussion of this issue:

For many health care providers and other covered entities, compliance with HIPAA and other data privacy and security requirements is a multifaceted and ongoing process of assessing changing risks, policy development and implementation across various departments, conducting and tracking training of workforce members, monitoring compliance, managing vendors and vendor agreements, responding the customer complaints and so on. When an OCR auditor is on the doorstep, pulling evidence of all of these efforts together would likely sap an already thin workforce of most covered entities. When various segments of the covered entity are not coordinated, the files are incomplete, and the persons leading the effort are in disarray, the auditor is likely to suspect there are substantial deficiencies and adjust the audit accordingly.

It is not difficult to imagine the Privacy Officer having to go from department to department asking, among other things:

• Where are the current policies and procedures for your department concerning privacy and security?

• Would you please send me the training sign-in sheets for your group? Why was that group not trained?

• Where are the signed copies of the business associate agreements? Is this all of them?

• Where can I find a copy of the risk assessment for your department? Is it updated?

• How was that complaint resolved? Were there any others?

• Do you have all of the documents for the data breach that affected the radiology department?

• Can you send me your evaluation logs and what changes you have made based upon those efforts?

It is also not difficult to imagine how much easier this process would be if the covered entity's compliance efforts were tracked, maintained and documented in a single environment. An environment that would, for example

• Allow different departments/groups to log on an update their compliance efforts,

• Secure email notification/reminders for maintenance to update all required analysis, training, network architecture diagrams, etc.,

• Digital repository for all required employee affidavits, training sign-in sheets and managed with email notification for maintenance and updating,

• Maintain and track policy changes via secure email notification/reminders to all departments and employees from Privacy Officer or legal counsel,

• Track and document responses to patient complaints,

• Digitize interactive system for updating and obtaining required commentary from all required departments and Business Associates to establish and audit trail for creating “defensible position” to regulators.

• Centralize administration for permissions to all employees, advisors or Business Associates access to read only, print, edit, etc., with watermark capabilities on all printed and viewed documents.

• Centralize reporting dashboard status of all projects as well as the ability to digitally feed approved 3rd party software analytic results for centralized viewing to permission based participants with email notification of updates.

• Prepare for post-breach requirements in a pre-breach environment allowing reduction in costs of time sensitive response.

Such a tool also could be designed to permit the auditor limited access to conduct the audit with less effort on the part of the privacy officer or his or her staff. While certainly not required under HIPAA, organizing compliance in this way would simplify the compliance process and put the covered entity in a much better position to survive an OCR audit with minimal effort.

• Email This
• Print
• Comments
• Trackbacks

Today, the Office for Civil Rights formally announced it is implementing the audit requirement under the American Recovery and Reinvestment Act of 2009, in Section 13411 of the HITECH Act. The agency confirmed that it is piloting a program to perform up to 150 audits of covered entities to assess privacy and security compliance, and that the pilot phase will begin November 2011 and conclude by December 2012.

A new page on OCR's website answers some helpful questions for covered entities and business associates... 

• Email This
• Print
• Comments
• Trackbacks

As previously discussed, the federal appeals court in San Francisco had reinstated an indictment charging a former employee of Korn/Ferry International, Inc., with violations of the Computer Fraud and Abuse Act, 18 U.S.C. § 1030 (the “CFAA”) for trying to start a business that would compete with his former employer. Now, however, at the urging of the former employee’s counsel, by order dated October 27, the same court has agreed to rehear, en banc, its previous indictment reinstatement order.

The Ninth Circuit Court of Appeals reinstated the indictment on April 28 against former employee David Nosal on the basis of its interpretation that “an employee exceeds authorization under [the CFAA] when the employee uses that authorized access to obtain or alter information in the computer that the accesser is not entitled in that manner to obtain or alter.” The Court had reaffirmed that employers determine what access or authorization an employee has to an employer’s computer. It also pointed to specific examples of what the employer did to limit access to and authorized uses of information, including using unique usernames and passwords, requiring employees to enter into agreements that explained the limitations on the use of certain company information, and causing a notice concerning data security and confidentiality to pop up on each employee’s computer screen whenever the employee logs onto the company’s system.

The Ninth Circuit’s pending rehearing by the full court of the issue of unauthorized employee access to information under the CFAA puts its previous interpretation in doubt. It is clear, however, is that employers that wish to rely on the CFAA as a means of recovery against employees who steal data or take other actions to harm company computers must plan ahead. That is, employers must clearly define access rights and limitations to their information and information systems, and effectively communicate those rights and limitations to employees.
 

• Email This
• Print
• Comments (1)
• Trackbacks

CLICK HERE FOR UPDATED INFORMATION CONCERNING THE AUDIT PROGRAM

The Health Information Technology for Economic and Clinical Health law (“HITECH”) made a number of changes for HIPAA covered entities and business associates. One key change stems from Section 13411 of HITECH, which gives the Secretary of the Department of Health and Human Services authority to conduct “periodic audits to ensure that covered entities and business associates” comply with the privacy and security mandates under HIPAA. Susan McAndrew, the Deputy Director for Health Information Privacy at the Office of Civil Rights ("OCR"), has been speaking out about the nature, scope and timing of these audits, which are expected to begin in February 2012. A summary of reports about the audit program follows below.  

Covered entities and business associates need to be prepared and take stock of their HIPAA compliance. One hundred percent compliance can be an elusive goal, particularly in a short time frame. So, perhaps a more efficient way to prepare for the coming wave of audits it to look, at a minimum, for the low hanging fruit, such as: (i) having clear policies and procedures on topics such as access management, breach notification, discipline, passwords, managing portable data storage devices, distributing notices of privacy practices, and similar items, (ii) conducting and documenting training of workforce members, and (iii) ensuring appropriate agreements are in place with business associates and subcontractors.   

• Email This
• Print
• Comments
• Trackbacks

The Office of Civil Rights of the U.S. Department of Health and Human Services (“HHS”) has published its first round of annual reports to Congress under the HITECH (Health Information Technology for Economic and Clinical Health) Act of 2009 to Congress. The first report concerns HHS’s HIPAA (Health Insurance Portability and Accountability Act of 1996) enforcement activity for 2009 and 2010 and the second report focuses on reported or recorded data breaches occurring in 2009 and 2010.  

The HITECH Act contains multiple breach notification requirements for HIPAA-covered entities and their business associates. Covered entities and business associates that create unreadable or indecipherable protected health information, however, are exempt from such requirements. Covered entities must notify individuals and the Secretary of HHS of any breach of unsecured protected health information within 60 days following the discovery of the breach. For breaches involving more than 500 residents of a state, a covered entity must also notify the media in addition to the individuals and the Secretary of HHS. Business associates of covered entities under HIPAA must notify the covered entity of any breach of unsecured protected health information so the covered entity can notify affected individuals. 

As reported by HHS, between September 23, 2009 and December 31, 2010, the HHS Office of Civil Rights received 45 reports of breaches affecting 500 individuals or more in 2009 and 207 reports in 2010, resulting in notification of 7.8 million affected individuals. 

The general causes of breaches of unsecured protected health information included, first and foremost, theft.  27 of the 45 large 2009 incidents involved theft and 17 of those incidents occurred on the premises of a covered entity or its business associates. Likewise, 99 of the 207 incidents in 2010 involved theft, primarily of electronic or paper records, affecting some 2,979,121 people. Types of theft noted by HHS included theft of back-up tapes transported by a vendor of a medical facility, of laptops or desk-top computers at covered entity sites, and of smart phones or flash drives. Other causes of breaches generally involved loss of electronic media or paper records containing protected health information, unauthorized access to, use of or disclosure of protected health information, human error, and improper disposal. Notably, loss of portable electronic devices is a major factor in the loss of electronic media.

With respect to complaints and compliance with HIPAA’s Privacy Rule, HHS reports that from April 14, 2003, the date HIPAA-covered entities were to comply with the Privacy Rule, through December 31, 2010, it received 57,375 complaints and resolved 91% of them.   Through the same time period, HHS investigated 19,161 complaints, achieved corrective action in 66% of them and found no violation in 34%. 

HHS further reports that between April 20, 2005, and December 31, 2010, it investigated 289 complaints of the 803 it received related to HIPAA’s Security Rule, resolving 77% of them and finding no violation in 48%. 

The compliance issues related to the Privacy Rule most investigated included impermissible uses and disclosures of protected health information, lack of safeguards, and denial of individual access. HHS Security Rule investigations focused on a covered entity’s failures to demonstrate adequate policies and procedures to address response or reporting of security incidents, security training, access controls and workstation security.  

The two HHS reports to Congress show a marked improvement in compliance with HIPAA’s Privacy Rule. However, the reports also highlight a continuing vulnerability for covered entities that rely on electronic devices and employee accountability for elements of their privacy and security compliance programs under HIPAA (as we have touched on in previous posts). As noted by HHS, remedial actions for violations include revising policies and procedures; improving physical security; training or retraining workforce members; adopting encryption technologies; changing passwords; performing new risk assessments; and revising business associate agreements to specify required confidentiality protections. The HHS reports remind covered entities and their business associates to review and place appropriate limits on employee access to protected health information and incorporate HHS’s remedial measures into their best practices.

• Email This
• Print
• Comments
• Trackbacks

Connecticut Attorney General George Jepsen announced on September 14, 2011, the creation of a Privacy Task Force to help educate the public about data protection requirements and to focus his Office’s response to Internet privacy concerns and data breaches that affect consumers. According to Attorney General Jepsen's press release, “Internet and data privacy have been among the biggest issues affecting the broad public interest during my first eight months in office” and nearly a dozen investigations have been initiated or pursued regarding security breaches that resulted in the loss of medical and insurance records or personal customer information.

Like nearly all states across the country, Connecticut has a data breach notification law. The State's Insurance Commissioner has also adopted rules concerning data breach notification requirements for its licensees. Among other laws, the Nutmeg state has also enacted specific protections for Social Security Numbers, employment applications, and personal information, which includes:

information capable of being associated with a particular individual through one or more identifiers, including, but not limited to, a Social Security number, a driver's license number, a state identification card number, an account number, a credit or debit card number, a passport number, an alien registration number or a health insurance identification number.  

The Task Force will be responsible for all investigations of consumer privacy breaches, which we are assuming will apply to breaches of any personal information for which notification is required, including patients and employees. The Task Force will also help to educate the public and business community about their responsibilities, which include protecting personally sensitive data and promptly notifying affected individuals when breaches do occur.

Clearly a sign of increased attention to and enforcement of the state's data security and consumer protection mandates, Connecticut businesses and businesses maintaining personal information of Connecticut residents should revisit their information security programs and data breach response plans to ensure they could withstand the scrutiny of an inquiry by the Attorney General's office.  

• Email This
• Print
• Comments
• Trackbacks

Reuters and other news outlets are reporting that Representative Mary Bono Mack has circulated draft legislation in response to the steady stream of data breaches that have occurred this year. According to the report, Senate Majority leader Harry Reid also has asked four Senate committees to pull together a comprehensive cybersecurity bill, hoping it will be brought to the floor by late summer. After years of failed attempts at data breach legislation, the federal government could be poised to enact broadly applicable requirements for safeguarding data and responding to data breaches. 

Some key provisions of the draft legislation would require covered entities (basically, any person engaged in interstate commerce) to:

• establish and implement policies and procedures to protect personal information (defined in a manner similar to most current state breach notification laws) to include, without limitation, designating a point person to manage information security, and having a process for identifying and assessing foreseeable vulnerabilities;
• erase personal data that is no longer needed and otherwise take steps to minimize the amount of personal information maintained;
• notify law enforcement within 48 hours of a data breach, and if data could be used to steal a customer's identity, notify the Federal Trade Commission within 48 hours and begin contacting the affected persons; and
• provide 2 years of credit reporting services or credit monitoring services to individuals affected by a covered data breach.

The law would be enforceable by state attorneys general and the Federal Trade Commission with maximum penalties running into the millions of dollars. The law would generally preempt similar state laws, but would not permit private lawsuits. 

Of course, companies should not be waiting to see if any action is taken at the federal level. There are a number of states with similar laws already on the books. In addition, exposure from a data breach, particularly when there were no safeguards in place to prevent the breach, should be sufficient motivation to take steps to safeguard personal data.

• Email This
• Print
• Comments
• Trackbacks

In a report issued earlier this week, the Office of Inspector General found that the Center for Medicare and Medicaid Services' (CMS) oversight and enforcement actions were not sufficient to ensure that covered entities, such as hospitals, effectively implemented the HIPAA Security Rule.

OIG's recommendation: Continue the compliance review process (audits) that began in 2009 and implement procedures for conducting compliance reviews to ensure that HIPAA Security Rule controls are in place and operating as intended to protect ePHI at covered entities.

To reach this conclusion, OIG audited 7 hospitals throughout the country (locations in California, Georgia, Illinois, Massachusetts, Missouri, New York, and Texas).  These audits focused primarily on:

1. wireless electronic communications network or security measures the security management staff implemented in its computerized information systems (technical safeguards);
2. the physical access to electronic information systems and the facilities in which they are housed (physical safeguards); and
3. the policies and procedures developed and implemented for the security measures to protect the confidentiality, integrity, and availability of ePHI (administrative safeguards).

Significant vulnerabilities identified. The audits identified 151 vulnerabilities in the systems and controls intended to protect ePHI, of which 124 were categorized as high impact. A high vulnerability refers to one that

may result in the highly costly loss of major tangible assets or resources; may significantly violate, harm, or impede an organization’s mission, reputation, or interest; or may result in human death or serious injury.

The report noted that outsiders or employees at some hospitals could have accessed, and at one hospital did access, systems and beneficiaries’ personal data and performed unauthorized acts without the hospitals’ knowledge. Although each of the seven hospitals had implemented some controls, policies, and procedures to protect ePHI from improper alteration or destruction, none had sufficiently implemented the administrative, technical, and physical safeguard provisions of the Security Rule. Clearly, mediocre compliance is not sufficient.  

Some of the more significant vulnerabilities found related to (i) wireless access; (ii) access controls, and (iii) integrity controls. In the case of wireless access problems, the report identified vulnerabilities including ineffective encryption, rogue wireless access points, no firewall separating wireless from internal wired networks, the inability to detect rogue devices intruding on the wireless network, and no procedures for continuously monitoring the wireless networks. Access control problems included inadequate password settings, computers that did not log users off after periods of inactivity, unencrypted laptops containing ePHI, and excessive access to root folders. According to the OIG, these conditions could have led to unauthorized individuals viewing or altering ePHI data on nonclinical workstations that were not automatically logged off after a period of inactivity; ePHI being compromised on lost or stolen unencrypted laptops; and unauthorized users circumventing system controls and harming system files.

The list goes on and on.

The Office of Civil Rights (OCR), the arm of HHS now charged with enforcing the HIPAA security regulations, may be listening. As reported here earlier, OCR appears to be taking steps to improve its enforcement efforts, which likely will include increasing the number of compliance reviews/audits at hospitals and health care providers around the country. These efforts include a request by the agency to increase its budget for 2012 by $5.6 million, or 13.6%, to be aimed at enforcement. 

Because HIPAA now applies to business associates, it would not be surprising to see business associates on an audit list. Accordingly, covered entities and business associates should be taking steps now to ensure compliance.

• Email This
• Print
• Comments
• Trackbacks

NBC's Bob Sullivan reported on a rising trend of identity thieves targeting children. Why? Well, having no real credit history, most children’s credit is clean and good. Also, children, particularly younger children, are not going to be needing or looking at their credit for some time. These factors make children more attractive targets of identity theft.

Mr. Sullivan’s colleague Jeff Rossen and the "TODAY" show dig into this issue and provide some valuable information for parents about the problem and how to safeguard their children.

Businesses need to be in tune to this as well. All of the country’s data breach notification laws (46 states, plus other jurisdictions), as well as the laws requiring safeguards for personal information apply to “individuals,” not adults or persons over a certain age.

Some companies may believe they do not have personal information about children, but most companies do. For example, companies sponsoring medical, dental or vision coverage for employees, or health and dependent care flexible spending accounts maintain (or require vendors to maintain) personal information about children of covered employees. This kind of information also could be contained in retirement or life insurance plan beneficiary designation records, as well as records supporting leaves of absence and other matters.
 

• Email This
• Print
• Comments
• Trackbacks

Bypassing the media attention that often accompany high-dollar penalties and settlements, the Department of Health and Human Services (HHS) has quitely reported a settlement concerning the HIPAA privacy and security rules that highlights the increasing cooperation of federal government agencies to enforce a steadily expanding and complex compliance environment. 

Late in 2009, HHS opened an investigation of Management Services Organization Washington, Inc. (MSO) following a referral from the HHS Office of Inspector General (OIG) and Department of Justice, Civil Division (DOJC), which had been investigating MSO and its owner for violations of the
federal False Claims Act (FCA). During the course of its investigation, OIG discovered that MSO's owner also owns Washington Practice Management, LLC (WPM) that earns commissions by marketing and selling Medicare Advantage plans.

According to the HHS Resolution Agreement with the company, the tip from OIG and DOJC led HHS to find that MSO:

• impermissibly disclosed electronic protected health information (ePHI) of numerous individuals to WPM without a valid authorization, for WPM'S purpose of marketing Medicare Advantage plans to those individuals; and
• did not have in place and did not implement appropriate and reasonable administrative, technical, and physical safeguards to protect the privacy of the ePHI.

Without acknowledging a HIPAA violation, MSO agreed to a resolution payment of $35,000 and to a two-year "Corrective Action Plan," which includes, among other things:

• adopting written policies and procedures to be reviewed and approved by HHS;
• obtaining a signed certification from all workers concerning the policies and procedures;
• changing its policies and procedures only with HHS approval; and
• conducting monitoring reviews every 180 days, which include performing unannounced interviews of workforce members.

It is not uncommon for companies considering compliance measures to assess the likelihood of a government audit or inquiry. Any illusion an organization may hold that it is operating “under the radar” of regulators should be shattered in the current compliance environment. Governmental agencies are increasingly able to efficiently coordinate with one another in matters of enforcement. Should HHS receive the additional $5.6 million it is seeking to enforce the HIPAA privacy and security regulations in its 2012 budget, flying under the radar will become more difficult.  

• Email This
• Print
• Comments
• Trackbacks

Promising a company that you will safeguard its employees’ information and then failing to do it according to Federal Trade Commission (FTC) standards likely will be viewed by the FTC as an unfair and deceptive business practice and trigger an enforcement action.

This was the case for Lookout Services, Inc., a company that maintains large amounts of sensitive information about the employees of its business customers, including Social Security numbers. According to an FTC announcement on May 3, 2011, Lookout claimed it would take reasonable measures to secure the consumer data it maintained, including Social Security numbers, but failed to do so.

Lookout markets a product that allows employers to comply with federal immigration laws. It stores information such as names, addresses, dates of birth and Social Security Numbers. According to the FTC’s complaint, despite the company’s claims that its system kept data reasonably secure from unauthorized access, it did not in fact provide adequate security. (Note that an FTC complaint is not a finding or ruling that a respondent, such as Lookout , actually has violated the law.) For example, unauthorized access to sensitive employee information allegedly could be gained without the need to enter a username or password, simply by typing a relatively simple URL into a web browser, the complaint asserted. In addition, the complaint charged that Lookout failed to require strong user passwords, failed to require periodic changes of such passwords, and failed to provide adequate employee training. As a result of these and other failures, it was claimed, an employee of one of Lookout’s customers was able to access sensitive information maintained in the company’s database, including the Social Security numbers of about 37,000 consumers.

The settlement agreed to by Lookout to resolve these charges is comprehensive. Among other things, the settlement order requires Lookout (i) to conduct a risk assessment, (ii) to implement a comprehensive, written information security program, (iii) to cease making misrepresentations, including misleading claims about the privacy, confidentiality, or integrity of any personal information collected from or about consumers, (iv) to obtain independent third party security audits of the program every other year for 20 years, and (v) to make the settlement order available to its current and future employees having responsibilities relating to safeguarding customer data.

For companies that maintain personal information on other businesses’ employees in the course of providing services to those businesses, this development is an important reminder: Promises made to those businesses concerning the safeguarding of personal information must be supported by comprehensive policies and procedures. In addition to this kind of enforcement exposure, which also could arise at the state level from the states’ attorneys general, the employers that these businesses serve also could have causes of action for negligence and/or breach of contract. Increasingly, state laws require businesses to contractually obligate vendors to have appropriate safeguards to protect personal information provided to the vendor to perform its services. States having such laws include California, Maryland, Massachusetts, and Texas.

• Email This
• Print
• Comments
• Trackbacks

Acknowledging the need "to help states combat the growing threat of business identity theft," the National Association of Secretaries of State (NASS) announced on April 18, 2011, the formation of a "Business Identity Theft Task Force." The focus of this task force is to assist states (not necessarily private business) with combating business identity theft in areas such as "the types of technology used by states in housing business documents, solutions for securing state business filing information and records, and key partnerships/liaisons for conducting outreach."

However, this action by the NASS highlights a growing problem for small and medium sized businesses: 

"With the downturn in the economy, the newest victims of identity theft are small and medium-sized businesses, including dormant or inactive companies," said NASS President Mark Ritchie of Minnesota, who serves on the task force. "As the state officials who oversee business registrations and corporate filings, secretaries of state have come together to educate business owners on how they can reduce their chances of falling prey to identity thieves and to explore safeguards for state filing systems." 

Identity thieves are not just attacking state filing systems, so businesses need to take steps of their own to safeguard not only personal information of customers, employees and others, but also the businesses' corporate and financial data. Many of the same principles that apply in the safeguarding of personal information also would apply to safeguarding the information of the business. Two critical steps in this process are conducting a risk assessment and developing a written information security program.

• Email This
• Print
• Comments
• Trackbacks

Coauthored with Jason Gavejian

California hospitals and nursing homes take note - the California Department of Public Health (CDPH) takes data breaches seriously. Since June of this year, CDPH has imposed nearly $1.5 million in fines affecting 12 California health facilities. California Health and Safety Code 1280.15(a) requires covered health facilities to prevent unlawful or unauthorized access, use or disclosure of patient medical information.

Violations of this requirement can result in penalties of up to $25,000 per patient and up to $17,500 per subsequent occurrences of unlawful or unauthorized access, use or disclosure of that patients medical information. 

In its most recent wave of penalties, announced November 19, 2010, CDPH assessed fines totaling $792,500 against six hospitals and one nursing home that it determined failed to prevent unauthorized access to confidential patient medical information. In one case, a health facility was fined $310,000:

• $60,000 because the facility failed to prevent unauthorized access and disclosure of one patient’s medical information by two employees on three occasions.
• $250,000 because the facility failed to prevent the theft of 596 patients’ medical information

The larger penalty resulted in part when laboratory reports of 596 patients were lost. In its investigation, CDPH learned that the staff employee at the facility responsible for running and storing laboratory reports, and who had signed the facility's confidentiality statement, placed lab reports in an outside locker, but did not lock the locker because the lock was not working and the locker door was broken. This staff member told CDPH the locker had been broken for several months, although he did not report it. The lab reports that were lost included patient names, Social Security numbers and laboratory results, among other personal information. 

Beyond that, California health facilities should be reminded of Cal. Health and Safety Code § 1280.15, which requires covered facilities to notify CDPH and affected individuals of “unlawful or unauthorized access to” personal health data within five business days after discovery of a breach. Late notices can result in fines of $100 per day for each patient affected, up to maximum of $250,000. Of course, health care providers also need to take into account the interim final rules, promulgated under the Health Information Technology for Economic and Clinical Health (“HITECH”) Act and enforced by the Department of Health and Human Services (“HHS”), which require entities covered by the Health Insurance Portability and Accountability Act (“HIPAA”) to report similar incidents.  Under the HIPAA rules, notice must be provided without "unreasonable delay."

As the number of data security incidents in the health care industry continue to mount, CDPH's enforcement activity should urge covered health facilities in California to pay greater attention to data security. As the incident above makes clear, simply requiring an employee to sign an acknowledgment of complying with facility data security policy will not be enough. Health facilities, including hospitals and nursing homes, need to continually assess their risks in this area and create a culture of data privacy and security across their organizations. This can only be accomplished through clear policy and frequent training and attention to the issue. 

• Email This
• Print
• Comments
• Trackbacks

We've written extensively here on the importance of safeguarding personal information. We've also made clear that the safeguarding of data should not stop with individually identifiable personal information. In fact, many times a company's most sensitive information, data critical to the survival of its business, is its corporate trade secrets, proprietary information, and its clients' information. My partner, Patricia Diulus-Myers, in our Pittsburgh office, drives this point home during a Q&A session with the Smart Business Network.

• Email This
• Print
• Comments
• Trackbacks

As reported by the American Bar Association and PHIprivacy.net, lawyers, accountants, health care providers and others soon may get some clarity as to whether the "red flag" rules apply to them. The United States Senate voted unanimously to pass the Red Flag Program Clarification Act of 2010. Under the Act, according to statements from Sen. Christoper Dodd (D) of Connecticut:

lawyers, doctors, dentists, orthodontists, pharmacists, veterinarians, accountants, nurse practitioners, social workers, other types of health care providers and other service providers will no longer be classified as “creditors” for the purposes of the Red Flags Rule just because they do not receive payment in full from their clients at the time they provide their services, when they don’t offer or maintain accounts that pose a reasonably foreseeable risk of identity theft.

After the Red Flags Rule became final, many businesses indicated that they were not aware that they would be covered by this rule. Despite the Federal Trade Commission delaying enforcement of the rule several times to allow these entities time to come into compliance, a number of professional organizations, including the American Bar Association and the American Medical Association, sued the FTC for taking the position that professionals were “creditors” when they allowed consumers to pay later, and would have to comply with its Red Flags Rule. On May 28, 2010, the FTC announced that it would delay enforcing its Red Flags Rule through December 31, 2010 and asked Congress to pass legislation that would resolve any questions about which entities should be covered as “creditors” and to obviate the need for further enforcement delays.

Presently, only the Senate has acted on this request. The measure will need to be approved by the House of Representatives and signed by President Obama. Still, this is encouraging news for many concerned about compliance with this new mandate.  

• Email This
• Print
• Comments
• Trackbacks

Welcome to the next advancement in the delivery of health services -

monitoring patients and promoting healthy behavior through mobile phones and other portable devices

The Washington Post reported today about a service offered through Voxiva whereby expectant mothers receive free text messages concerning prenatal health advice. The pilot program has been in place since February and since then more than 100,000 expectant mothers are reported to have participated in the program. These technologies clearly are in line with initiatives in this country to move to electronic health records. However, whether these methods for delivering health care take hold remains to be seen. As the WP notes, while these technologies are attractive, there are challenges:

• As noted by WP reporter Steven Overly, communicating to a wide variety of patients through a "wide variety of mobile devices, operating systems and network speeds" raises significant challenges. 
• Another issue, of course, is HIPAA and how these communications and devices will meet the privacy and security requirements under those regulations.
• Human error easily could cause the wrong messages to be sent to the wrong patients creating data breach, malpractice and other risks.
• One of our more recent posts highlights the concern about information maintained on cellphones and other mobile devices and what happens to that information when the phones are discarded. 
• Employers who provide phones to their employees and have the right to review text messages, see recent U.S. Supreme Court decision in Quon v. City of Ontario, can easily find themselves with access to all kinds of medical information of employees and possibly their dependents who give their doctors their cell phone number. This risks here could be significant.   

As with the adoption of any new technology or new application of technology, companies and employers should be careful to think through all of the issues and take appropriate preventive steps toward minimizing risks.

• Email This
• Print
• Comments
• Trackbacks

In March 2010, we reported on a decision by the U.S. District Court for the District of New Jersey that allowed an employee's retaliation claim to proceed to trial under the New Jersey Conscientious Employee Protection Act (“CEPA”) on the ground that he was engaged in protected whistle blowing activity - voicing concerns regarding his employer’s handling of data security. A California Appellate Court recently adopted a similar line of reasoning. 

Rather than addressing an employee’s concerns, a company fired the employee for questioning whether the company’s networks and information systems adequately protected HIPAA patient information contained on those systems. Cutler v. Dike, 2010 WL 3341663 (Cal. Ct. App. Aug 26, 2010) (unpublished). Based on his employment contract, the employee reasonably believed that his job included acting as the company’s privacy officer. As the court found, the employee also reasonably believed:

the database used to test the company’s . . . software contained confidential patient information which would be exposed in violation of HIPAA, because [the company president] had told him it was patient information . . . [and that] confidential patient data would be used in the future as the program was implemented.

The employee had refused to participate in configuring the computer system as directed and voiced his objections that doing so would violate HIPAA rules and regulations. In response, the company president recommended that the employee resign or risk being fired “since you have chosen to be very negative about issues in the organization.” The employee sued the employer for wrongful termination and the jury found against the employer. The employer appealed the jury verdict.

The court began by citing the relevant section of the California Labor Code (Section 1102.5), which states:

[a]n employer may not retaliate against an employee for refusing to participate in an activity that would result in a violation of state or federal statute, or a violation or noncompliance with a state or federal rule or regulation.

The court went on to hold, “[T]he protection of confidential patient information is clearly the type of general public interest that supports a cause of action for wrongful termination in violation of public policy.” Accordingly, the court upheld the jury’s finding of liability against the employer for wrongful termination in violation of public policy.

Employers across the country generally are prohibited from retaliating against employees for refusing to participate in activities that are impermissible under state or federal law or regulations. This includes retaliating against employees that raise concerns under the HIPAA privacy and security regulations, or other data security mandates under federal or state laws, such as those in Massachusetts, Connecticut, or New Jersey. Employers may find themselves responding to more of these kinds of concerns from employees as employees are more aware of breaches reported in the media over the past few years and become anxious over their own sensitive personal information in their employer’s possession.

An employer should avoid reacting to an employee’s complaint of weaknesses in its data system by firing or disciplining the employee. Shooting the messenger is not acceptable. The company should investigate the issues which have been raised and, if necessary, address them appropriately. Employers are better served by employees who feel secure enough to come forward with unpleasant news, than by suppressing such reports and enduring embarrassing and costly disclosures later. Of course, vulnerabilities can be minimized by taking the preventive steps required under many state and federal laws to safeguard personal and confidential information.  

• Email This
• Print
• Comments
• Trackbacks

Federal contractors are subject to numerous requirements under federal law and, as we have previously highlighted here, need to keep pace with changes in law and regulation. 

Under the Federal Information Security Management Act of 2002 (FISMA) each federal agency is required to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source. Accordingly, FISMA provides authority for the imposition of requirements on those companies which qualify as federal contractors. 

By way of example, the Centers for Medicare and Medicaid Services (CMS), as well as the Department of Veterans Affairs impose specific requirements on their contractors.   

Adding new data protection requirements for federal contractors who use or handle U.S. Department of Defense (DOD) information, the DOD earlier this year issued an advanced notice of proposed rulemaking regarding amendments, 75 F.R. 9563, to the Defense Federal Acquisition Regulation Supplement (DFARS). 

The proposed amendments require “adequate security,” defined as “protection measures … commensurate with the risks of loss, misuse, or unauthorized access to or modification of information,” and have three main subparts; basic safeguarding, enhanced safeguarding, and cyber intrusion reporting. 

Basic safeguards, required for any unclassified DOD information, include:

• Designating  the level of access and dissemination of informationProtecting DOD information on public computer or Web sites
• Transmitting electronic information using technology and processes that provide the best level of security and privacy
• Transmitting voice and fax information on with reasonable assurances that access is limited
• Protect information by at least one physical or electronic barrier
• Sanitize media in accordance with the National Institute of Standards and Technology (NIST) before external release or disposal
• Provide protection against computer intrusions and the unauthorized release of data. 

In addition to the basic safeguards outlined above, contractors are required to implement enhanced safeguards to certain types of data. The enhanced safeguards include:

• Encryption/Storage controls
• Network intrusion protection
• Implement information security controls

Additionally, a reporting requirement has now been proposed, requiring contractors to report to the DOD within 72 hours of any cyber intrusion event that affects DOD information resident on or transiting the contractor’s unclassified information systems.

The new proposed DOD amendments, along with the various other federal contractor requirements, including those imposed by CMS and the Department of Veterans Affairs, highlight the necessity for companies that qualify as federal contractors to be up to date on their legal obligations or risk loss of their federal contractor status. 

• Email This
• Print
• Comments
• Trackbacks

A UK law firm may find itself subject to significant penalties following reports of a data breach affecting thousands of people.  The recent 2010 ABA Annual Meeting in San Francisco devoted two sessions to the topic, specifically dealing with “cloud computing,” and the risks and ethical issues it raises for law firms. As data privacy and security risks mount for all businesses, they are perhaps even more critical for law firms. 

Law schools in the United States teach their students about a long-standing and fundamental tenet of the legal profession – the attorney-client privilege. It is indeed the general obligation of attorneys to keep client communications confidential. Law schools generally do not teach, at least not nearly to the same degree, how lawyers as law firm business owners ought to protect the personal information of their clients from unauthorized acquisition or access, without hampering their practice.

This primer is intended to provide a brief discussion of the key issues for law firms and some helpful steps for developing a plan to safeguard such information.

• Email This
• Print
• Comments
• Trackbacks

Beginning March 1, 2010, businesses will be required to safeguard from identity theft and other dangers personal information about Massachusetts residents under a “written information security program” or WISP. Similar requirements exist in other states around the country, although those requirements generally are not as comprehensive as those becoming effective in the Bay state.

Our complimentary webinar is designed to help employers and businesses become compliant. The program will cover:

• the emergence of data security mandates across the country,
• the Massachusetts approach to data security – breach notification, data destruction, the nuts and bolts of the identity theft/data security regulations, and
• best practices when creating a WISP.

We hope you enjoy the webinar.

• Email This
• Print
• Comments
• Trackbacks

The most frequent question we hear from clients who want to develop or tighten their data privacy and security policies and procedures: Where do we start?

In most cases, the first step for the group charged with this task is to understand the organization's "information risk." This means, in short, examining what information the company has, the nature of that information, how it moves through the organization and to/from its vendors, and the company's current set of safeguards. The process for gaining this understanding is generally referred to as a risk assessment. 

Click here for a power point presentation on key features of a risk assessment.

Risk assessments come in many forms and should be designed to fit your particular organization. 

• Email This
• Print
• Comments
• Trackbacks

Rite Aid Corporation and its affiliates have agreed to pay $1 million to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule, the U.S. Department of Health and Human Services (HHS) announced today. At the same time, Rite Aid signed a consent order with the Federal Trade Commission (FTC) to settle potential violations of the FTC Act.

The lesson to be learned from this case:

Disposing of individuals’ health information in an industrial trash container accessible to unauthorized persons is not compliant with several requirements of the HIPAA Privacy Rule and exposes the individuals’ information to the risk of identity theft and other crimes.

The Office of Civil Rights, which enforces the HIPAA Privacy and Security Rules, opened its investigation of Rite Aid after television media videotaped incidents in which pharmacies were shown to have disposed of prescriptions and labeled pill bottles containing individuals’ identifiable information in industrial trash containers that were accessible to the public. These incidents were reported as occurring in a variety of cities across the United States. Rite Aid pharmacy stores in several of the cities were highlighted in media reports.

The investigation also indicated other potential concerns about Rite Aid's policies related to safeguarding patient information during the disposal process, training employees, and a related sanction policy.

The Director of OCR noted:

It is critical that companies, large and small, build a culture of compliance to protect consumers’ right to privacy and safeguard health information. OCR is committed to strong enforcement of HIPAA.

The corrective action Rite Aid has agreed to includes improving policies and procedures to safeguard the privacy of its customers' health information, and applies to all of its nearly 4,800 retail pharmacies. More specifically, the settlement requires Rite Aid to take a number of steps including

• Revising and distributing its policies and procedures regarding disposal of protected health information and sanctioning workers who do not follow them;
• Training workforce members on these new requirements;
• Conducting internal monitoring; and
• Engaging a qualified, independent third-party assessor to conduct compliance reviews and render reports to HHS and FTC.

The HHS corrective action plan will be in place for three years; the FTC order will be in place for 20 years. The length and scope of these plans show the seriousness these agencies are taking concerning compliance with requirements to safeguard personal information.  

• Email This
• Print
• Comments
• Trackbacks

U.S. Department of Health and Human Services Secretary Kathleen Sebelius has announced final rules for eligible health care professionals and hospitals to qualify for a portion of the $27 billion or so in Medicare and Medicaid incentive payments for implementation and meaningful use of certified electronic health records (EHR). Many are concerned these incentives will increase the risks for data privacy and security that will come with more health data being maintained, used and disclosed in electronic format. Under the rules, eligible professionals may receive as much as $44,000 under Medicare and $63,750 under Medicaid, and hospitals may receive millions of dollars under both Medicare and Medicaid.
 

"We will make the immediate investments necessary to ensure that within five years, all of America's medical records are computerized."

President Barack H. Obama, January 8, 2009 

HHS’s July 13 action is consistent with the agenda of President Obama and some of his predecessors to help improve Americans’ health, increase safety and reduce health care costs through expanding use of EHRs and simplifying the administrative costs of healthcare. The enactment of the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 significantly advanced this agenda by establishing the statutory structure for eligible health care professionals and hospitals to receive government subsidies to adopt certified EHR technology. The HITECH Act, however, also expanded and tightened the HIPAA privacy and security regulations to address, in part, concerns about improper access and use of EHRs.

HHS’s regulations (consisting of more than 1,000 pages) define the minimum requirements and “meaningful use” objectives to qualify for the bonus payments (pdf) and identify the technical capabilities required for certified EHR technology (pdf). At the same time, providers and hospitals will need to focus on the evolving privacy and security mandates under HITECH, as well as under state law, to minimize the risks to protected health information and other personal information. So, as providers and hospitals look to Medicare and Medicaid funds to jumpstart their move to EHR systems, it will be important for them to be sure to have in place the appropriate policies, procedures and agreements to safeguard those records, which should include the careful handling and/or disposition of the mountains of paper records they currently maintain.

• Email This
• Print
• Comments
• Trackbacks

Further to our discussions of the proposed regulations to implement statutory amendments under the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”), we summarize here a proposed changed to the definition of “business associate.” A significant part of the “HIPAA community” (covered entities, business associates and their agents and subcontractors) already is aware of the expanded application of HIPAA to business associates under HITECH. This expansion went into effect February 18, 2010, and, in fact, many business associate agreements currently are being modified in an attempt to reflect the statutory provisions. The HIPAA community, however, may not yet be aware of the proposal to further expand the direct application of the privacy and security rules under HIPAA to subcontractors performing functions for business associates.

A New Class of Business Associate

Prior to the HITECH Act changes, business associates and their agents and subcontractors were not directly subject to HIPAA. Instead, HIPAA required covered entities to obtain certain written assurances from their business associates. One of those written assurances was that business associates would ensure that their agents and subcontractors would agree to be subject to the same conditions and restrictions contained in the business associate agreement entered into with the covered entity.

The proposed regulations would include subcontractors in the group of “business associates” to the extent that they require access to protected health information. Such subcontractors are those persons who are not members of the business associate’s workforce, but perform functions for or provide services to a business associate. This would be the case even if the business associate has failed to enter into a business associate contract with the subcontractor. The regulator’s goal is to ensure the privacy and security protections will not lapse merely because a function is performed by an entity with no direct relationship with a covered entity, although the regulations seek public comments on the definition of subcontractor.

The proposed regulations state (emphasis added):

[W]e propose that downstream entities that work at the direction of or on behalf of a business associate and handle protected health information would also be required to comply with the applicable Privacy and Security Rule provisions in the same manner as the primary business associate, and likewise would incur liability for acts of noncompliance. We note, and further explain below, that this proposed modification would not require the covered entity to have a contract with the subcontractor; rather, the obligation would remain on each business associate to obtain satisfactory assurances in the form of a written contract or other arrangement that a subcontractor will appropriately safeguard protected health information. For example, under this proposal, if a business associate, such as a third party administrator, hires a company to handle document and media shredding to
securely dispose of paper and electronic protected health information, then the shredding company would be directly required to comply with the applicable requirements of the HIPAA Security Rule (e.g., with respect to proper disposal of electronic media) and the Privacy Rule (e.g., with respect to limiting its uses and disclosures of the protected health information in accordance with its contract with the business associate).

As the example above shows, if made final, the proposed regulation would further HIPAA’s reach and affect many businesses that may not currently view themselves as directly subject to the requirements or penalties under HIPAA. Many companies, including those that service the healthcare industry, such as health plans, likely will need to revisit their HIPAA-compliance measures.

• Email This
• Print
• Comments
• Trackbacks

We recently reported here that the Department of Health and Human Services (HHS) is issuing proposed regulations to implement statutory amendments under the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”). These proposed regulations contain a number of important points to think about for HIPAA covered entities (and business associates), even though these rules are in proposed form. One is avoiding HIPAA violations involving “willful neglect," which under the HITECH Act will require a formal investigation and civil penalties.

To date, the Secretary of HHS has attempted to resolve complaints and certain violations by informal means, as required by § 160.312 of the current regulations. A significant change to the HIPAA enforcement scheme in the HITECH Act requires that if a preliminary investigation of the facts of a complaint indicates a possible violation due to willful neglect, the Secretary is required to commence a formal investigation. If the formal investigation finds a HIPAA violation involving willful neglect, the Secretary must impose a civil money penalty.

What is “willful neglect”?

Willful neglect is defined at § 160.401 as the “conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated.” The term not only presumes actual or constructive knowledge on the part of the covered entity that a violation is virtually certain to occur, but also encompasses a conscious intent or degree of recklessness with regard to the entity’s compliance obligations.

So what does that mean, what are some examples? The proposed regulations provide the following examples:

1. A covered entity disposed of several hard drives containing electronic protected health information in an unsecured dumpster, in violation of § 164.530(c) and § 164.310(d)(2)(i). HHS’s investigation reveals that the covered entity had failed to implement any policies and procedures to reasonably and appropriately safeguard protected health information during the disposal process.
2. A covered entity failed to respond to an individual’s request that it restrict its uses and disclosures of protected health information about the individual. HHS’s investigation reveals that the covered entity does not have any policies and procedures in place for consideration of the restriction requests it receives and refuses to accept any requests for restrictions from individual patients who inquire.
3. A covered entity’s employee lost an unencrypted laptop that contained unsecured protected health information. HHS’s investigation reveals the covered entity feared its reputation would be harmed if information about the incident became public and, therefore, decided not to provide notification as required by § 164.400 et seq.

In addition to having actual or constructive knowledge of one or more violations, the covered entities in the examples above, particularly Example 1, failed to develop or implement compliant policies and procedures and, thus, demonstrated either conscious intent or reckless disregard with respect to the compliance obligations under HIPAA.

Based on the proposed regulations, covered entities can no longer expect the velvet hand of the regulators to resolve a violation informally in all cases. Covered entities that fail to have policies and procedure and make a good faith compliance effort likely will find themselves subject to mandatory formal investigations and penalties.

Covered entities like the one in example 1 above might want to consider certain precautions, including:

• maintaining a record retention policy,
• maintaining media re-use policy,
• maintaining a data destruction policy,
• maintaining an e-discovery policy, and
• and engaging a good data destruction/shredding company.
 

• Email This
• Print
• Comments
• Trackbacks

On June 10, 2010, the California Department of Public Health (CDPH) announced  issuing administrative penalties and fines totaling $675,000 against five hospitals in the state. CDPH cites the facilities’ failure to prevent unauthorized access to confidential patient medical information as required under new legislation (Section 1280.15 of California’s Health and Safety Code) (pdf) as the basis for the penalties and fines.

Relevant portions of Section 1280.15 of California’s Health and Safety Code provide:

A clinic, health facility, home health agency, or hospice . . . shall prevent unlawful or unauthorized access to, and use or disclosure of, patients' medical information . . . The department, after investigation, may assess an administrative penalty for a violation of this section of up to twenty-five thousand dollars ($25,000) per patient whose medical information was unlawfully or without authorization accessed, used, or disclosed, and up to seventeen thousand five hundred dollars ($17,500) per subsequent occurrence of unlawful or unauthorized access, use, or disclosure of that patients' medical information. For purposes of the investigation, the department shall consider the clinic's, health facility's, agency's, or hospice's history of compliance with this section and other related state and federal statutes and regulations, the extent to which the facility detected violations and took preventative action to immediately correct and prevent past violations from recurring, and factors outside its control that restricted the facility's ability to comply with this section. The department shall have full discretion to consider all factors when determining the amount of an administrative penalty pursuant to this section.

CDPH Director Dr. Mark Horton commented, “medical privacy is a fundamental right and a critical component of quality medical care in California.” His position and the actions taken by the agency highlight the need for health care providers to do more to safeguard patient records. In most of these cases, according to the CDPH announcement, multiple hospital employees accessed confidential patient medical information without authority to do so.

However, California hospitals should not be the only entities concerned about exposure relating to unauthorized access to confidential personal information, nor is California’s Health and Safety Code the only statutory obligation to safeguard such information. Mandates to protect personal information are growing and apply to industries beyond healthcare and persons other than patients. In short, businesses in all states and industries should be reviewing, at a minimum:

1. how they safeguard personal information, whether it be that of customers, patients, employees, or their dependents,
2. who they permit to access personal information, and
3. what their plan is in the event of unauthorized access or acquisition.

We’ve written about a number of these areas of concern:

• Pending Federal Legislation
• State Attorneys General enforcing (i) HIPAA, (ii) Deceptive and Unfair Trade Practices Laws, (iii) record destruction laws.
• Risks if You Are a Business Associate
• Criminal Penalties Under HIPAA
• State Laws Mandating Protections for Personal Information, not just medical information.
• HHS Enforcing HIPAA Following Data Breach
• Developing a Plan

Like most things, "an ounce of prevention is worth a pound of cure."

• Email This
• Print
• Comments
• Trackbacks

Have you noticed that negotiating that business associate agreement has gotten a lot more difficult? Many companies that serve health care providers and health plans, generally known as business associates, have noticed. These companies include software vendors, benefits brokers, cloud computing providers, data storage/destruction companies, and accountants, among others.

The clients of these companies are citing HIPAA, ARRA, HITECH, data breach notification requirements, and state law mandates as they demand stricter contract language and additional rights and protections, such as the right to audit the business associate and to be held harmless in the event of any data mishap. Business associates that took HIPAA lightly in 2003 and 2004, when the HIPAA regulations first became effective (2005 and 2006 for the security regulations), are playing catch-up.

When President Obama signed the American Recovery and Reinvestment Act of 2009 (ARRA), “business associates” may not have expected the significant effects that law would have on their businesses. Chief among those effects are mainly due to four sentences in The Health Information Technology for Economic and Clinical Health (HITECH) Act (pdf), passed as part of ARRA, and which generally became effective on February 17, 2010 (the breach notification mandate became effective on September 23, 2009), one year after enactment:

• “Sections 164.308, 164.310, 164.312, and 164.316 of title 45, Code of Federal Regulations, shall apply to a business associate of a covered entity in the same manner that such sections apply to the covered entity. The additional requirements of this title that relate to security and that are made applicable with respect to covered entities shall also be applicable to such a business associate and shall be incorporate[d] into the business associate agreement between the business associate and the covered entity.” ARRA Sec. 13401(a). This statement makes business associates directly subject to nearly all of the HIPAA security regulations, the HIPAA rules relating to electronic protected health information. Prior to the change, these obligations existed for business associates only as a matter of contract.
• “A business associate of a covered entity that accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured protected health information shall, following the discovery of a breach of such information, notify the covered entity of such breach.” ARRA Sec. 13402(b). This statement creates a new obligation for business associates – report to covered entities breaches of unsecured protected health information.
• “The additional requirements of this subtitle that relate to privacy and that are made applicable with respect to covered entities shall also be applicable to such a business associate and shall be incorporated into the business associate agreement between the business associate and the covered entity.” ARRA Sec. 13404(a). This statement makes business associates directly subject to nearly all of the HIPAA privacy regulations. Prior to the change, as with the security regulations, these obligations existed for business associates only as a matter of contract.

In response to these law changes, and in the absence of regulatory guidance, covered entities have been demanding modifications to existing business associate agreements or requesting new agreements. In both cases, covered entities are seeking greater assurances from their business associates concerning the handling of the covered entities’ protected health information.

On top of that, covered entities are weaving into business associate agreements and other agreements requirements under newly enacted state laws requiring protections for “personal information” in the hands of vendors (e.g., business associates) to curb identity theft. Given the cost and reputational harm that could come from a data breach, as well a growing enforcement activity, many covered entities are becoming more forceful in their negotiations, citing legal mandates and established company policies for their unwillingness to budge on many provisions, even those that go beyond statutory mandates.

What is a business associate to do? Here are some thoughts:

1. Confirm your company is a business associate. (go to HHS HIPAA frequently asked questions and insert "business associate" for helpful guidance). In some cases, covered entities are blanketing all of their vendors with these agreements. If believe your company is not a business associate, raise it with your client. Of course, even if you avoid being considered a business associate, your customer/client still may demand written assurances under state law for the personal information you handle on its behalf.
2. Become compliant. As noted above, the HIPAA privacy and security requirements are now directly applicable to business associates. While additional guidance is expected as to what this means precisely, there is enough existing guidance concerning covered entities for business associates to use to achieve compliance. Among other things, compliance means conducting a risk assessment, adopting a written set of policies and procedures concerning the safeguarding of protected health information, and training staff. Being compliant not only reduces risk, but in an environment of increasing attention to data privacy and security, compliance can be a competitive advantage.
3. Review agreements carefully. Covered entities increasingly include contract provisions that provide the covered entity with greater protections than the law requires. To the extent possible, try to remove those provisions. In any event, it is important to know your obligations under these agreements; they can vary dramatically from covered entity to covered entity.
4. Develop strategies for reviewing/complying with multiple contracts. Some business associates have many clients and, therefore, business associate agreements. Managing unique provisions multiple agreements can be daunting, although the ability to negotiate a uniform agreement across a client basis is increasingly unlikely. So, where possible, try to use similar provisions in all agreements and know ahead of time your approach to certain key provisions, such as handling data breaches.
5. Understand the law. Even if you’ve mastered the determination of whether you are a business associate, the rules outlining your business' obligations likely will be evolving under HIPAA over the next few years, particularly with the expected growth of electronic health records and the expansion of health care. The same is true of state laws concerning personal information. In many cases these laws might coexist peacefully, in other cases there will be conflict. You need to be aware of the conflicts and be prepared to act accordingly.

• Email This
• Print
• Comments (1)
• Trackbacks

The Federal Trade Commission announced it is further delaying its enforcement of the “Red Flags” Rule through December 31, 2010. This move comes at the request of several Members of Congress who want to further consider legislation that would clarify who is subject to the Rule.

The delay follows the lawsuit (pdf) filed by the American Medical Association and others arguing that the Red Flags Rule should not apply to physicians.  As reported by amednews.com, the plaintiffs bolster their case by pointing to a 2009 federal court ruling (pdf) (American Bar Assn. v. Federal Trade Commission) exempting lawyers from the Rule. That ruling is now on appeal to the U.S. Court of Appeals for the D.C. Circuit

Legislation is pending in the United States House of Representatives that would exempt certain professions, including physicians, from the Red Flags Rule. H.R. 3763 passed the House unanimously in October 2009, but there has been no further movement in Congress on this issue.

The Rule was developed under the Fair and Accurate Credit Transactions Act, in which Congress directed the FTC and other agencies to develop regulations requiring “creditors” and “financial institutions” to address the risk of identity theft. The resulting Red Flags Rule requires all such entities that have “covered accounts” to develop and implement written identity theft prevention programs to help identify, detect, and respond to patterns, practices, or specific activities – known as “red flags” – that could indicate identity theft.

In its announcement, the FTC notes that as was the case with prior enforcement delays, this enforcement delay is limited to the Red Flags Rule and does not extend to the rule regarding address discrepancies applicable to users of consumer reports, or to the rule regarding changes of address applicable to card issuers.

• Email This
• Print
• Comments
• Trackbacks

We are honored that the National Association of Professional Employer Organizations (NAPEO), the largest national trade association for professional employer organizations (PEOs), recently published our article in its May 2010 edition of its PEO Insider publication, an important resource for any PEO.  

PEOs no doubt provide valuable services for businesses across the country. However, in doing so, they generally have access to and maintain vast amounts of personal information. Our article, "Key Data Privacy and Security Issues for PEOs," summarizes emerging data privacy and security laws and their effects on PEOs.

• Email This
• Print
• Comments
• Trackbacks

On April 16, 2010, Florida Attorney General Bill McCollum announced a settlement (pdf) with Certegy Check Services, Inc. over how the company secures consumer records. The Attorney General’s enforcement action stems from a massive data breach by a former Certegy employee who stole personal identification information from approximately 5.9 million consumer files.

According to the Attorney General’s press release, Certegy promptly notified the Attorney General and consumers of the data thefts, and cooperated with the Attorney General’s investigation. In addition to agreeing to maintain a comprehensive information security program, under the settlement, Certegy will contribute $125,000 to the Attorney General’s “Seniors vs. Crime Program” for educational, investigative and crime prevention programs for the benefit of senior citizens and the community. Further, it will pay $850,000 for the state’s investigative costs and attorney’s fees.

Massachusetts and some other states have specific statutory provisions requiring the safeguarding of personal information. No similar law exists in Florida. The Attorney General commenced its action against Certegy under the State’s deceptive and unfair trade practices statutes. Businesses with data security safeguards that can be viewed as subpar, therefore, cannot depend on the absence of specific state statutes to shield them from state action in case of a data breach or allegations that personal information is not being adequately safeguarded.

In addition to the nearly one million dollars Certegy will pay the State of Florida, the company agreed to

maintain a comprehensive “Information Security Program” that assesses internal and external risks to consumers’ personal information, implements safeguards to protect that consumer information, and regularly monitors and tests the effectiveness of those safeguards. Certegy and its related entities will also adhere to payment card industry data security standards as those standards continue to evolve.

Significantly, the settlement requires Certegy to conduct initial and annual assessments of its policies and procedure.

The settlement with the Attorney General followed a class action settlement in U.S. District Court in Tampa. Under that settlement, Certegy made certain monitoring services available to affected consumers, who also were able to seek reimbursement of certain out-of-pocket costs incurred or identity theft expenses. 

• Email This
• Print
• Comments
• Trackbacks

Over the past few months, many businesses, particularly in the Northeast Region, have been focusing on creating a written information security program (WISP) to comply with Massachusetts identity theft regulations that went into effect March 1, 2010. For many, this has been a significant effort, reaching most, if not all, parts of their organizations. However, it is important to remember that although Massachusetts may be the state with the most comprehensive set of rules for securing personal data, other states have enacted similar protections, and compliance with Massachusetts does NOT necessarily mean compliance with other states.

Consider the following examples:

California. The Civil Code in California states a business that owns or licenses personal information about a California resident must:

implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.

For purposes of this requirement, “personal information" means:

an individual's first name or first initial and his or her last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted:
(A) Social security number.
(B) Driver's license number or California identification card number.
(C) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.
(D) Medical information.

Similar pretections for medical information exist in Arkansas, but that information is not covered by the rules in Massachusetts. Illinois requires safeguards for certain biometric information, a classification of data also not covered by the Massachusetts regulations.

Oregon. Oregon’s Consumer Identity Theft Protection Act lays out safeguards similar to those in Massachusetts, with some relief for small businesses (those manufacturing businesses with 200 employees or fewer and all other forms of business having 50 employees or fewer). Key is the requirement to implement an “information security program” that contains administrative, technical and physical safeguards.

Administrative safeguards include, for example: 

1. designating one or more employees to coordinate the program;
2. identifying reasonably foreseeable internal and external risks;
3. assessing the sufficiency of data safeguards;
4. training employees in the program’s practices and procedures;
5. limiting outside service providers to those maintaining adequate data security safeguards; and
6. adjusting the program according to business changes or new circumstances.

In New Jersey, regulations are pending that would create similar obligations.

Connecticut. Without specifying the kinds of safeguards, Connecticut requires any person in possession of personal information of another person to:

safeguard the data, computer files and documents containing the information from misuse by third parties, and [ ] destroy, erase or make unreadable such data, computer files and documents prior to disposal.

For purposes of this law, “personal information” includes:

information capable of being associated with a particular individual through one or more identifiers, including, but not limited to, a Social Security number, a driver's license number, a state identification card number, an account number, a credit or debit card number, a passport number, an alien registration number or a health insurance identification number.

Similar requirements were enacted in other states, including Arkansas, North Carolina, Rhode Island, Texas, and Utah. But note the definition in Connecticut goes beyond the elements of data protected under the Massachusetts regulations.

Service contracts. Some states go a step further, requiring certain provisions be included in contracts between entities and their service providers when the contracts involve the disclosure of a state resident’s personal information from the owner of the information to the service provider. For example, such contracts in Nevada and Maryland must include a provision requiring the person to whom the information is disclosed to implement safeguards to protect that information.

The emergence of state mandates fueled by the continued rapid advancement and increased use of technology suggest a trend that is sure to become a fact of life for businesses operating anywhere in the U.S. Whether the technology is “cloud computing” or “peer-to-peer” software, businesses need to take appropriate steps to protect personal information maintained throughout their organizations.

• Email This
• Print
• Comments (3)
• Trackbacks

It’s been around for a while, but could new products in the “cyber-insurance” market help companies focus on this emerging threat known as “information risk”?

The National Journal reports that for many companies online security is not a priority. Tom Risen’s article cites to a Verizon study conducted between 2004 and 2008 (pdf) that determined

75 percent of breaches were not discovered by the victimized organization, and that 87 percent could have been prevented with reasonable online protection.

Mr. Risen reports that historically cyber-insurance covered “hazards such as unauthorized Web site access, online libel, data privacy loss and repairs to company databases after system failures.” However, with the explosion of data breaches over the last 10 years or so, new, broader policies have emerged, covering costs related to responding to a data breach, such as sending notices, providing credit monitoring services, engaging legal counsel, employing a call center, and defense of claims by affected individuals and federal and state officials. Some companies in this space include Beazley, Chartis, Travelers, Chubb and others.

It may be, as Robert Parisi of Marsh suggested to Mr. Risen, that federal legislation might encourage more awareness of these issues, something we raised as well. Certainly, we are beginning to see greater attention to these issues as businesses are beginning to focus on the Massachusetts data security/identity theft regulations, which become effective March 1, 2010.

Whatever the driving force, businesses need to drill down on their data security needs and address their information risk. Preventive measures – in the form of a written information security program – are certainly necessary and appropriate. But it may not be enough. As anyone who drives knows, for example, it is not enough to drive carefully and wear a seat belt. Insurance can play a critical role in addressing risks that even the best safeguards can’t. For this reason, cyber-insurance should be considered as a part of any business’ comprehensive approach to information risk. 

• Email This
• Print
• Comments (2)
• Trackbacks

 According to the newly revised Federal Trade Commission (“FTC”) Guides, employers may face liability for employees’ commenting on their employer’s services or products on “new media,” such as blogs or social networking sites, if the employment relationship is not disclosed. Potential liability may exist even if the comments were not sponsored or authorized by the employer. 

The revised Guides took effect December 1, 2009. They address the application of Section 5 of the FTC Act (15 U.S.C 45) to the use of endorsements and testimonials in advertising and provide examples of the application of Section 5, including examples that could lead to potential employer liability. One such example specifies liability for an employee’s blog posting concerning his employers’ product, where the employment relationship is not previously disclosed:

An online message board designated for discussions of new music download technology is frequented by MP3 player enthusiasts. They exchange information about new products, utilities, and the functionality of numerous playback devices. Unbeknownst to the message board community, an employee of a leading playback device manufacturer has been posting messages on the discussion board promoting the manufacturer’s product. Knowledge of this poster’s employment likely would affect the weight or credibility of her endorsement. Therefore, the poster should clearly and conspicuously disclose her relationship to the manufacturer to members and readers of the message board.”

In comments to the proposed revisions, the Commission agreed that the establishment of appropriate procedures governing “new media” would be a factor in its determination as to whether law enforcement action is appropriate. Tellingly, the Commission stated that it has brought enforcement actions against companies “whose failure to establish or maintain appropriate internal procedures” had resulted in consumer injury. However, the Commission refused to spell out the procedures companies should put in place to monitor compliance with the principles set forth in the Guides, leaving companies to determine for themselves the process that would best fulfill their responsibilities. 

In light of the FTC’s clear recognition of “new media” and enforcement goal, employers should adopt social media and blogging policies as soon as possible. Employers should consider policies and procedures which address employee use of blog or social networking sites. Those policies, like this sample policy, should articulate the types of disclosure employees must include when they discuss their employers or their employers’ products or services. 

• Email This
• Print
• Comments
• Trackbacks

Based on recent events, the University of East Anglia likely will agree that data privacy and security requires a comprehensive approach, as data breaches are not limited to incidents involving personal information and identity theft. In fact, the effects of a breach to an organization's information systems involving confidential company information can be far worse on the organization as a whole than if the breach involved personal information.

Take, for example, a report by The New York Times reporter Lauren Morello concerning a breach involving thousands of emails and documents of the Climatic Research Unit (CRU) at University of East Anglia. Apparently, hackers obtained and posted on the Internet emails and documents calling into question some of the positions about climate change and global warming held by the CRU. Whatever the truth or perception of the information contained in the posted emails and documents, the CRU surely is in an uncomfortable position of having to defend its statements and address their context. 

Last month we reported a data breach involving personal information of a different kind - ethics investigations of members of the United States Congress. Again, while not the kind of personal information that would lead to identity theft, or require notification be sent to the affected individuals, it is the kind of information that could have significant adverse consequences for the institution and the persons affected.

For this reason, organizations need to address "information risk" on an organization-wide basis, making sure that their written information security programs take into account how information of any kind, maintained in any medium by the organization, can, if misused, caused the organization harm. While remedies may be available through the criminal justice system or civil litigation under such laws as the Computer Fraud and Abuse Act, avoiding the breach in the first place obviously is preferred.

• Email This
• Print
• Comments
• Trackbacks

The Massachusetts Office of Consumer Affairs and Business Regulations (OCABR) announced on November 4, 2009, the filing of final regulations (pdf) with the Secretary of State’s office, the final step before the regulations take effect March 1, 2010.

The final regulations differ slightly from the version of the regulations issued in August 2009, which made significant revisions to the earlier version of the rules.

OCABR clarified in the final regulations that:

• those who store personal information must comply, and
• until March 1, 2012, contracts with service providers will be deemed to satisfy the contract requirement, even if the contract does not require the service provider to maintain appropriate safeguards, as long as the contract was entered into no later than March 1, 2010. However, it is recommended that contracts with service providers be amended as soon as possible to require appropriate safeguards, as there may be similar requirements under federal or applicable state law (such as HIPAA or data security laws in Maryland, Oregon or Nevada). 

While the regulations have had a number of changes, the written information security program requirement remains, along with a number of other safeguards for personal information that require immediate attention. 

A checklist for the final regulations can be found here (pdf). 

• Email This
• Print
• Comments
• Trackbacks

Today, Connecticut Attorney General Richard Blumenthal announced his office will investigate a data breach that occurred in late August that affected approximately 18,817 Connecticut health care professionals. The American Medical Association reported earlier that this breach involved the personal information, including Social Security numbers, of an estimated 850,000 physicians nationwide. What is most troubling about this breach is that it probably was avoidable.

Like many data breaches, this one involved a stolen laptop, in this case from the employee’s car. However, as NewsTimes.com reported, despite the employer’s encryption policy, the employee downloaded the file to a laptop, without the required encryption, in order to work from home.

Even the best firewalls and other technology-based information system protections cannot save us from ourselves. It was possible here that not only did the employee violate the company’s encryption policy, but he or she also may have exercised poor judgment in leaving the laptop in a car. The ease with which employees acquire, handle and transport massive amounts of sensitive personal information make it critical that businesses ensure their employees have greater awareness of the sensitivity of this information and receive regular training about how to be more cautious handling it. This should be a part of any written information security plan. 

• Email This
• Print
• Comments
• Trackbacks

Yesterday, the U.S. Senate Judiciary Committee again approved two pieces of legislation that would require certain entities to safeguard personal information and notify individuals of breaches of that information. Over the last few years, similar legislation made it out of various Committees, but failed to go any further. Could this time be different?

The Committee voted in favor of the Personal Data Privacy and Security Act of 2009 (S.1490) and the Data Breach Notification Act (S.139), sponsored by Senators Patrick Leahy and Dianne Feinstein, respectively.  In its current form, S. 1490 would require that covered entities, among other things, perform risk assessments, limit access to sensitive information, train their work force, and require vendors by contract to implement appropriate safeguards. The Data Breach Notification Act would establish a national standard for federal agencies and businesses engaged in interstate commerce to report data breaches.

There are a number of circumstances that suggest this legislation is more likely to move forward than in years past:

• The Judiciary Committee approved both measures by significant majorities.
• The number of data breaches and complaints about them continue to mount.
• Congress recently had its own data breach (reported here), affecting personal information not likely to lead to identity theft, but which could hurt some members' reelection efforts.
• The change in administration which arguably is more focused on privacy concerns given the push for electronic health records.

Stay tuned. . . 

• Email This
• Print
• Comments
• Trackbacks

Data privacy and security laws in states such as Massachusetts, Maryland and Nevada require businesses to develop written policies and procedures that provide administrative, physical, and technological safeguards to protect personal information - or a "written information security program" or "WISP." These laws do not require protections for confidential company information and trade secrets, but such information also warrants protection.

Failure to do develop a WISP can leave a business exposed.

Certain businesses also can lose a business advantage as individuals (clients, employees, dependents, and others) and business partners increasingly demand heightened security of their sensitive and personal information.

But where does a business start?

Don't wait any longer! Develop a plan by reading the Data Privacy Primer (PDF).

• Email This
• Print
• Comments
• Trackbacks