Workplace Privacy, Data Management & Security Report : Privacy Lawyers & Attorneys : Jackson Lewis Law Firm : Data Security, HIPAA & Confidentiality Issues

In addition to concerns about social media, school districts across the country need to address a growing interest in the personal data of the students they educate. No, this interest does not stem from a desire to see if kids are reading at the desired level, or if the children have the resources they need to receive an adequate education. Data thieves want this information to commit identity theft. 

As reported by the Huffington Post:

Identity theft in schools is more than theoretical. Last July, Sheyla Diaz, 44, a former Broward County, Florida high school teacher, was sentenced to six months of house arrest for stealing the identities of former students. In 2009, Jonathan E. Kelly, who worked as a police officer for the Palm Beach County School District, was sentenced to eight years in prison for stealing the identities of former students and teachers.

The thieves know that children have pristine credit and that school districts, hampered by substantial budget cuts, may not be doing all they could to safeguard this information. Parents and school districts need to take steps to address this growing risk.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

While we do not know the exact nature and scope of the imminent HIPAA audits, we do know that HIPAA compliance and the verification of compliance (the audit) can be a very daunting process that mandates a great deal of preparation and organization. Beyond getting legally compliant, HIPAA covered entities and business associates need to consider how to practically and efficiently track and illustrate this compliance should they find an OCR investigator knocking at the door.

We have asked Alan Heyman, Managing Director of Cyber Security Auditors & Administrators LLC (CSA2) to discuss how certain applications can facilitate the response to a HIPAA audit, including minimizing the time staff needs to be involved. The following is an excerpt from Alan's discussion of this issue:

For many health care providers and other covered entities, compliance with HIPAA and other data privacy and security requirements is a multifaceted and ongoing process of assessing changing risks, policy development and implementation across various departments, conducting and tracking training of workforce members, monitoring compliance, managing vendors and vendor agreements, responding the customer complaints and so on. When an OCR auditor is on the doorstep, pulling evidence of all of these efforts together would likely sap an already thin workforce of most covered entities. When various segments of the covered entity are not coordinated, the files are incomplete, and the persons leading the effort are in disarray, the auditor is likely to suspect there are substantial deficiencies and adjust the audit accordingly.

It is not difficult to imagine the Privacy Officer having to go from department to department asking, among other things:

• Where are the current policies and procedures for your department concerning privacy and security?

• Would you please send me the training sign-in sheets for your group? Why was that group not trained?

• Where are the signed copies of the business associate agreements? Is this all of them?

• Where can I find a copy of the risk assessment for your department? Is it updated?

• How was that complaint resolved? Were there any others?

• Do you have all of the documents for the data breach that affected the radiology department?

• Can you send me your evaluation logs and what changes you have made based upon those efforts?

It is also not difficult to imagine how much easier this process would be if the covered entity's compliance efforts were tracked, maintained and documented in a single environment. An environment that would, for example

• Allow different departments/groups to log on an update their compliance efforts,

• Secure email notification/reminders for maintenance to update all required analysis, training, network architecture diagrams, etc.,

• Digital repository for all required employee affidavits, training sign-in sheets and managed with email notification for maintenance and updating,

• Maintain and track policy changes via secure email notification/reminders to all departments and employees from Privacy Officer or legal counsel,

• Track and document responses to patient complaints,

• Digitize interactive system for updating and obtaining required commentary from all required departments and Business Associates to establish and audit trail for creating “defensible position” to regulators.

• Centralize administration for permissions to all employees, advisors or Business Associates access to read only, print, edit, etc., with watermark capabilities on all printed and viewed documents.

• Centralize reporting dashboard status of all projects as well as the ability to digitally feed approved 3rd party software analytic results for centralized viewing to permission based participants with email notification of updates.

• Prepare for post-breach requirements in a pre-breach environment allowing reduction in costs of time sensitive response.

Such a tool also could be designed to permit the auditor limited access to conduct the audit with less effort on the part of the privacy officer or his or her staff. While certainly not required under HIPAA, organizing compliance in this way would simplify the compliance process and put the covered entity in a much better position to survive an OCR audit with minimal effort.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Today, the Office for Civil Rights formally announced it is implementing the audit requirement under the American Recovery and Reinvestment Act of 2009, in Section 13411 of the HITECH Act. The agency confirmed that it is piloting a program to perform up to 150 audits of covered entities to assess privacy and security compliance, and that the pilot phase will begin November 2011 and conclude by December 2012.

A new page on OCR's website answers some helpful questions for covered entities and business associates... 

• Email This
• Print
• Comments
• Trackbacks
• Share Link

As previously discussed, the federal appeals court in San Francisco had reinstated an indictment charging a former employee of Korn/Ferry International, Inc., with violations of the Computer Fraud and Abuse Act, 18 U.S.C. § 1030 (the “CFAA”) for trying to start a business that would compete with his former employer. Now, however, at the urging of the former employee’s counsel, by order dated October 27, the same court has agreed to rehear, en banc, its previous indictment reinstatement order.

The Ninth Circuit Court of Appeals reinstated the indictment on April 28 against former employee David Nosal on the basis of its interpretation that “an employee exceeds authorization under [the CFAA] when the employee uses that authorized access to obtain or alter information in the computer that the accesser is not entitled in that manner to obtain or alter.” The Court had reaffirmed that employers determine what access or authorization an employee has to an employer’s computer. It also pointed to specific examples of what the employer did to limit access to and authorized uses of information, including using unique usernames and passwords, requiring employees to enter into agreements that explained the limitations on the use of certain company information, and causing a notice concerning data security and confidentiality to pop up on each employee’s computer screen whenever the employee logs onto the company’s system.

The Ninth Circuit’s pending rehearing by the full court of the issue of unauthorized employee access to information under the CFAA puts its previous interpretation in doubt. It is clear, however, is that employers that wish to rely on the CFAA as a means of recovery against employees who steal data or take other actions to harm company computers must plan ahead. That is, employers must clearly define access rights and limitations to their information and information systems, and effectively communicate those rights and limitations to employees.
 

• Email This
• Print
• Comments
• Trackbacks
• Share Link

CLICK HERE FOR UPDATED INFORMATION CONCERNING THE AUDIT PROGRAM

The Health Information Technology for Economic and Clinical Health law (“HITECH”) made a number of changes for HIPAA covered entities and business associates. One key change stems from Section 13411 of HITECH, which gives the Secretary of the Department of Health and Human Services authority to conduct “periodic audits to ensure that covered entities and business associates” comply with the privacy and security mandates under HIPAA. Susan McAndrew, the Deputy Director for Health Information Privacy at the Office of Civil Rights ("OCR"), has been speaking out about the nature, scope and timing of these audits, which are expected to begin in February 2012. A summary of reports about the audit program follows below.  

Covered entities and business associates need to be prepared and take stock of their HIPAA compliance. One hundred percent compliance can be an elusive goal, particularly in a short time frame. So, perhaps a more efficient way to prepare for the coming wave of audits it to look, at a minimum, for the low hanging fruit, such as: (i) having clear policies and procedures on topics such as access management, breach notification, discipline, passwords, managing portable data storage devices, distributing notices of privacy practices, and similar items, (ii) conducting and documenting training of workforce members, and (iii) ensuring appropriate agreements are in place with business associates and subcontractors.   

• Email This
• Print
• Comments
• Trackbacks
• Share Link

The Office of Civil Rights of the U.S. Department of Health and Human Services (“HHS”) has published its first round of annual reports to Congress under the HITECH (Health Information Technology for Economic and Clinical Health) Act of 2009 to Congress. The first report concerns HHS’s HIPAA (Health Insurance Portability and Accountability Act of 1996) enforcement activity for 2009 and 2010 and the second report focuses on reported or recorded data breaches occurring in 2009 and 2010.  

The HITECH Act contains multiple breach notification requirements for HIPAA-covered entities and their business associates. Covered entities and business associates that create unreadable or indecipherable protected health information, however, are exempt from such requirements. Covered entities must notify individuals and the Secretary of HHS of any breach of unsecured protected health information within 60 days following the discovery of the breach. For breaches involving more than 500 residents of a state, a covered entity must also notify the media in addition to the individuals and the Secretary of HHS. Business associates of covered entities under HIPAA must notify the covered entity of any breach of unsecured protected health information so the covered entity can notify affected individuals. 

As reported by HHS, between September 23, 2009 and December 31, 2010, the HHS Office of Civil Rights received 45 reports of breaches affecting 500 individuals or more in 2009 and 207 reports in 2010, resulting in notification of 7.8 million affected individuals. 

The general causes of breaches of unsecured protected health information included, first and foremost, theft.  27 of the 45 large 2009 incidents involved theft and 17 of those incidents occurred on the premises of a covered entity or its business associates. Likewise, 99 of the 207 incidents in 2010 involved theft, primarily of electronic or paper records, affecting some 2,979,121 people. Types of theft noted by HHS included theft of back-up tapes transported by a vendor of a medical facility, of laptops or desk-top computers at covered entity sites, and of smart phones or flash drives. Other causes of breaches generally involved loss of electronic media or paper records containing protected health information, unauthorized access to, use of or disclosure of protected health information, human error, and improper disposal. Notably, loss of portable electronic devices is a major factor in the loss of electronic media.

With respect to complaints and compliance with HIPAA’s Privacy Rule, HHS reports that from April 14, 2003, the date HIPAA-covered entities were to comply with the Privacy Rule, through December 31, 2010, it received 57,375 complaints and resolved 91% of them.   Through the same time period, HHS investigated 19,161 complaints, achieved corrective action in 66% of them and found no violation in 34%. 

HHS further reports that between April 20, 2005, and December 31, 2010, it investigated 289 complaints of the 803 it received related to HIPAA’s Security Rule, resolving 77% of them and finding no violation in 48%. 

The compliance issues related to the Privacy Rule most investigated included impermissible uses and disclosures of protected health information, lack of safeguards, and denial of individual access. HHS Security Rule investigations focused on a covered entity’s failures to demonstrate adequate policies and procedures to address response or reporting of security incidents, security training, access controls and workstation security.  

The two HHS reports to Congress show a marked improvement in compliance with HIPAA’s Privacy Rule. However, the reports also highlight a continuing vulnerability for covered entities that rely on electronic devices and employee accountability for elements of their privacy and security compliance programs under HIPAA (as we have touched on in previous posts). As noted by HHS, remedial actions for violations include revising policies and procedures; improving physical security; training or retraining workforce members; adopting encryption technologies; changing passwords; performing new risk assessments; and revising business associate agreements to specify required confidentiality protections. The HHS reports remind covered entities and their business associates to review and place appropriate limits on employee access to protected health information and incorporate HHS’s remedial measures into their best practices.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Connecticut Attorney General George Jepsen announced on September 14, 2011, the creation of a Privacy Task Force to help educate the public about data protection requirements and to focus his Office’s response to Internet privacy concerns and data breaches that affect consumers. According to Attorney General Jepsen's press release, “Internet and data privacy have been among the biggest issues affecting the broad public interest during my first eight months in office” and nearly a dozen investigations have been initiated or pursued regarding security breaches that resulted in the loss of medical and insurance records or personal customer information.

Like nearly all states across the country, Connecticut has a data breach notification law. The State's Insurance Commissioner has also adopted rules concerning data breach notification requirements for its licensees. Among other laws, the Nutmeg state has also enacted specific protections for Social Security Numbers, employment applications, and personal information, which includes:

information capable of being associated with a particular individual through one or more identifiers, including, but not limited to, a Social Security number, a driver's license number, a state identification card number, an account number, a credit or debit card number, a passport number, an alien registration number or a health insurance identification number.  

The Task Force will be responsible for all investigations of consumer privacy breaches, which we are assuming will apply to breaches of any personal information for which notification is required, including patients and employees. The Task Force will also help to educate the public and business community about their responsibilities, which include protecting personally sensitive data and promptly notifying affected individuals when breaches do occur.

Clearly a sign of increased attention to and enforcement of the state's data security and consumer protection mandates, Connecticut businesses and businesses maintaining personal information of Connecticut residents should revisit their information security programs and data breach response plans to ensure they could withstand the scrutiny of an inquiry by the Attorney General's office.  

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Reuters and other news outlets are reporting that Representative Mary Bono Mack has circulated draft legislation in response to the steady stream of data breaches that have occurred this year. According to the report, Senate Majority leader Harry Reid also has asked four Senate committees to pull together a comprehensive cybersecurity bill, hoping it will be brought to the floor by late summer. After years of failed attempts at data breach legislation, the federal government could be poised to enact broadly applicable requirements for safeguarding data and responding to data breaches. 

Some key provisions of the draft legislation would require covered entities (basically, any person engaged in interstate commerce) to:

• establish and implement policies and procedures to protect personal information (defined in a manner similar to most current state breach notification laws) to include, without limitation, designating a point person to manage information security, and having a process for identifying and assessing foreseeable vulnerabilities;
• erase personal data that is no longer needed and otherwise take steps to minimize the amount of personal information maintained;
• notify law enforcement within 48 hours of a data breach, and if data could be used to steal a customer's identity, notify the Federal Trade Commission within 48 hours and begin contacting the affected persons; and
• provide 2 years of credit reporting services or credit monitoring services to individuals affected by a covered data breach.

The law would be enforceable by state attorneys general and the Federal Trade Commission with maximum penalties running into the millions of dollars. The law would generally preempt similar state laws, but would not permit private lawsuits. 

Of course, companies should not be waiting to see if any action is taken at the federal level. There are a number of states with similar laws already on the books. In addition, exposure from a data breach, particularly when there were no safeguards in place to prevent the breach, should be sufficient motivation to take steps to safeguard personal data.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

In a report issued earlier this week, the Office of Inspector General found that the Center for Medicare and Medicaid Services' (CMS) oversight and enforcement actions were not sufficient to ensure that covered entities, such as hospitals, effectively implemented the HIPAA Security Rule.

OIG's recommendation: Continue the compliance review process (audits) that began in 2009 and implement procedures for conducting compliance reviews to ensure that HIPAA Security Rule controls are in place and operating as intended to protect ePHI at covered entities.

To reach this conclusion, OIG audited 7 hospitals throughout the country (locations in California, Georgia, Illinois, Massachusetts, Missouri, New York, and Texas).  These audits focused primarily on:

1. wireless electronic communications network or security measures the security management staff implemented in its computerized information systems (technical safeguards);
2. the physical access to electronic information systems and the facilities in which they are housed (physical safeguards); and
3. the policies and procedures developed and implemented for the security measures to protect the confidentiality, integrity, and availability of ePHI (administrative safeguards).

Significant vulnerabilities identified. The audits identified 151 vulnerabilities in the systems and controls intended to protect ePHI, of which 124 were categorized as high impact. A high vulnerability refers to one that

may result in the highly costly loss of major tangible assets or resources; may significantly violate, harm, or impede an organization’s mission, reputation, or interest; or may result in human death or serious injury.

The report noted that outsiders or employees at some hospitals could have accessed, and at one hospital did access, systems and beneficiaries’ personal data and performed unauthorized acts without the hospitals’ knowledge. Although each of the seven hospitals had implemented some controls, policies, and procedures to protect ePHI from improper alteration or destruction, none had sufficiently implemented the administrative, technical, and physical safeguard provisions of the Security Rule. Clearly, mediocre compliance is not sufficient.  

Some of the more significant vulnerabilities found related to (i) wireless access; (ii) access controls, and (iii) integrity controls. In the case of wireless access problems, the report identified vulnerabilities including ineffective encryption, rogue wireless access points, no firewall separating wireless from internal wired networks, the inability to detect rogue devices intruding on the wireless network, and no procedures for continuously monitoring the wireless networks. Access control problems included inadequate password settings, computers that did not log users off after periods of inactivity, unencrypted laptops containing ePHI, and excessive access to root folders. According to the OIG, these conditions could have led to unauthorized individuals viewing or altering ePHI data on nonclinical workstations that were not automatically logged off after a period of inactivity; ePHI being compromised on lost or stolen unencrypted laptops; and unauthorized users circumventing system controls and harming system files.

The list goes on and on.

The Office of Civil Rights (OCR), the arm of HHS now charged with enforcing the HIPAA security regulations, may be listening. As reported here earlier, OCR appears to be taking steps to improve its enforcement efforts, which likely will include increasing the number of compliance reviews/audits at hospitals and health care providers around the country. These efforts include a request by the agency to increase its budget for 2012 by $5.6 million, or 13.6%, to be aimed at enforcement. 

Because HIPAA now applies to business associates, it would not be surprising to see business associates on an audit list. Accordingly, covered entities and business associates should be taking steps now to ensure compliance.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

NBC's Bob Sullivan reported on a rising trend of identity thieves targeting children. Why? Well, having no real credit history, most children’s credit is clean and good. Also, children, particularly younger children, are not going to be needing or looking at their credit for some time. These factors make children more attractive targets of identity theft.

Mr. Sullivan’s colleague Jeff Rossen and the "TODAY" show dig into this issue and provide some valuable information for parents about the problem and how to safeguard their children.

Businesses need to be in tune to this as well. All of the country’s data breach notification laws (46 states, plus other jurisdictions), as well as the laws requiring safeguards for personal information apply to “individuals,” not adults or persons over a certain age.

Some companies may believe they do not have personal information about children, but most companies do. For example, companies sponsoring medical, dental or vision coverage for employees, or health and dependent care flexible spending accounts maintain (or require vendors to maintain) personal information about children of covered employees. This kind of information also could be contained in retirement or life insurance plan beneficiary designation records, as well as records supporting leaves of absence and other matters.
 

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Bypassing the media attention that often accompany high-dollar penalties and settlements, the Department of Health and Human Services (HHS) has quitely reported a settlement concerning the HIPAA privacy and security rules that highlights the increasing cooperation of federal government agencies to enforce a steadily expanding and complex compliance environment. 

Late in 2009, HHS opened an investigation of Management Services Organization Washington, Inc. (MSO) following a referral from the HHS Office of Inspector General (OIG) and Department of Justice, Civil Division (DOJC), which had been investigating MSO and its owner for violations of the
federal False Claims Act (FCA). During the course of its investigation, OIG discovered that MSO's owner also owns Washington Practice Management, LLC (WPM) that earns commissions by marketing and selling Medicare Advantage plans.

According to the HHS Resolution Agreement with the company, the tip from OIG and DOJC led HHS to find that MSO:

• impermissibly disclosed electronic protected health information (ePHI) of numerous individuals to WPM without a valid authorization, for WPM'S purpose of marketing Medicare Advantage plans to those individuals; and
• did not have in place and did not implement appropriate and reasonable administrative, technical, and physical safeguards to protect the privacy of the ePHI.

Without acknowledging a HIPAA violation, MSO agreed to a resolution payment of $35,000 and to a two-year "Corrective Action Plan," which includes, among other things:

• adopting written policies and procedures to be reviewed and approved by HHS;
• obtaining a signed certification from all workers concerning the policies and procedures;
• changing its policies and procedures only with HHS approval; and
• conducting monitoring reviews every 180 days, which include performing unannounced interviews of workforce members.

It is not uncommon for companies considering compliance measures to assess the likelihood of a government audit or inquiry. Any illusion an organization may hold that it is operating “under the radar” of regulators should be shattered in the current compliance environment. Governmental agencies are increasingly able to efficiently coordinate with one another in matters of enforcement. Should HHS receive the additional $5.6 million it is seeking to enforce the HIPAA privacy and security regulations in its 2012 budget, flying under the radar will become more difficult.  

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Promising a company that you will safeguard its employees’ information and then failing to do it according to Federal Trade Commission (FTC) standards likely will be viewed by the FTC as an unfair and deceptive business practice and trigger an enforcement action.

This was the case for Lookout Services, Inc., a company that maintains large amounts of sensitive information about the employees of its business customers, including Social Security numbers. According to an FTC announcement on May 3, 2011, Lookout claimed it would take reasonable measures to secure the consumer data it maintained, including Social Security numbers, but failed to do so.

Lookout markets a product that allows employers to comply with federal immigration laws. It stores information such as names, addresses, dates of birth and Social Security Numbers. According to the FTC’s complaint, despite the company’s claims that its system kept data reasonably secure from unauthorized access, it did not in fact provide adequate security. (Note that an FTC complaint is not a finding or ruling that a respondent, such as Lookout , actually has violated the law.) For example, unauthorized access to sensitive employee information allegedly could be gained without the need to enter a username or password, simply by typing a relatively simple URL into a web browser, the complaint asserted. In addition, the complaint charged that Lookout failed to require strong user passwords, failed to require periodic changes of such passwords, and failed to provide adequate employee training. As a result of these and other failures, it was claimed, an employee of one of Lookout’s customers was able to access sensitive information maintained in the company’s database, including the Social Security numbers of about 37,000 consumers.

The settlement agreed to by Lookout to resolve these charges is comprehensive. Among other things, the settlement order requires Lookout (i) to conduct a risk assessment, (ii) to implement a comprehensive, written information security program, (iii) to cease making misrepresentations, including misleading claims about the privacy, confidentiality, or integrity of any personal information collected from or about consumers, (iv) to obtain independent third party security audits of the program every other year for 20 years, and (v) to make the settlement order available to its current and future employees having responsibilities relating to safeguarding customer data.

For companies that maintain personal information on other businesses’ employees in the course of providing services to those businesses, this development is an important reminder: Promises made to those businesses concerning the safeguarding of personal information must be supported by comprehensive policies and procedures. In addition to this kind of enforcement exposure, which also could arise at the state level from the states’ attorneys general, the employers that these businesses serve also could have causes of action for negligence and/or breach of contract. Increasingly, state laws require businesses to contractually obligate vendors to have appropriate safeguards to protect personal information provided to the vendor to perform its services. States having such laws include California, Maryland, Massachusetts, and Texas.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Acknowledging the need "to help states combat the growing threat of business identity theft," the National Association of Secretaries of State (NASS) announced on April 18, 2011, the formation of a "Business Identity Theft Task Force." The focus of this task force is to assist states (not necessarily private business) with combating business identity theft in areas such as "the types of technology used by states in housing business documents, solutions for securing state business filing information and records, and key partnerships/liaisons for conducting outreach."

However, this action by the NASS highlights a growing problem for small and medium sized businesses: 

"With the downturn in the economy, the newest victims of identity theft are small and medium-sized businesses, including dormant or inactive companies," said NASS President Mark Ritchie of Minnesota, who serves on the task force. "As the state officials who oversee business registrations and corporate filings, secretaries of state have come together to educate business owners on how they can reduce their chances of falling prey to identity thieves and to explore safeguards for state filing systems." 

Identity thieves are not just attacking state filing systems, so businesses need to take steps of their own to safeguard not only personal information of customers, employees and others, but also the businesses' corporate and financial data. Many of the same principles that apply in the safeguarding of personal information also would apply to safeguarding the information of the business. Two critical steps in this process are conducting a risk assessment and developing a written information security program.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Coauthored with Jason Gavejian

California hospitals and nursing homes take note - the California Department of Public Health (CDPH) takes data breaches seriously. Since June of this year, CDPH has imposed nearly $1.5 million in fines affecting 12 California health facilities. California Health and Safety Code 1280.15(a) requires covered health facilities to prevent unlawful or unauthorized access, use or disclosure of patient medical information.

Violations of this requirement can result in penalties of up to $25,000 per patient and up to $17,500 per subsequent occurrences of unlawful or unauthorized access, use or disclosure of that patients medical information. 

In its most recent wave of penalties, announced November 19, 2010, CDPH assessed fines totaling $792,500 against six hospitals and one nursing home that it determined failed to prevent unauthorized access to confidential patient medical information. In one case, a health facility was fined $310,000:

• $60,000 because the facility failed to prevent unauthorized access and disclosure of one patient’s medical information by two employees on three occasions.
• $250,000 because the facility failed to prevent the theft of 596 patients’ medical information

The larger penalty resulted in part when laboratory reports of 596 patients were lost. In its investigation, CDPH learned that the staff employee at the facility responsible for running and storing laboratory reports, and who had signed the facility's confidentiality statement, placed lab reports in an outside locker, but did not lock the locker because the lock was not working and the locker door was broken. This staff member told CDPH the locker had been broken for several months, although he did not report it. The lab reports that were lost included patient names, Social Security numbers and laboratory results, among other personal information. 

Beyond that, California health facilities should be reminded of Cal. Health and Safety Code § 1280.15, which requires covered facilities to notify CDPH and affected individuals of “unlawful or unauthorized access to” personal health data within five business days after discovery of a breach. Late notices can result in fines of $100 per day for each patient affected, up to maximum of $250,000. Of course, health care providers also need to take into account the interim final rules, promulgated under the Health Information Technology for Economic and Clinical Health (“HITECH”) Act and enforced by the Department of Health and Human Services (“HHS”), which require entities covered by the Health Insurance Portability and Accountability Act (“HIPAA”) to report similar incidents.  Under the HIPAA rules, notice must be provided without "unreasonable delay."

As the number of data security incidents in the health care industry continue to mount, CDPH's enforcement activity should urge covered health facilities in California to pay greater attention to data security. As the incident above makes clear, simply requiring an employee to sign an acknowledgment of complying with facility data security policy will not be enough. Health facilities, including hospitals and nursing homes, need to continually assess their risks in this area and create a culture of data privacy and security across their organizations. This can only be accomplished through clear policy and frequent training and attention to the issue. 

• Email This
• Print
• Comments
• Trackbacks
• Share Link

We've written extensively here on the importance of safeguarding personal information. We've also made clear that the safeguarding of data should not stop with individually identifiable personal information. In fact, many times a company's most sensitive information, data critical to the survival of its business, is its corporate trade secrets, proprietary information, and its clients' information. My partner, Patricia Diulus-Myers, in our Pittsburgh office, drives this point home during a Q&A session with the Smart Business Network.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

As reported by the American Bar Association and PHIprivacy.net, lawyers, accountants, health care providers and others soon may get some clarity as to whether the "red flag" rules apply to them. The United States Senate voted unanimously to pass the Red Flag Program Clarification Act of 2010. Under the Act, according to statements from Sen. Christoper Dodd (D) of Connecticut:

lawyers, doctors, dentists, orthodontists, pharmacists, veterinarians, accountants, nurse practitioners, social workers, other types of health care providers and other service providers will no longer be classified as “creditors” for the purposes of the Red Flags Rule just because they do not receive payment in full from their clients at the time they provide their services, when they don’t offer or maintain accounts that pose a reasonably foreseeable risk of identity theft.

After the Red Flags Rule became final, many businesses indicated that they were not aware that they would be covered by this rule. Despite the Federal Trade Commission delaying enforcement of the rule several times to allow these entities time to come into compliance, a number of professional organizations, including the American Bar Association and the American Medical Association, sued the FTC for taking the position that professionals were “creditors” when they allowed consumers to pay later, and would have to comply with its Red Flags Rule. On May 28, 2010, the FTC announced that it would delay enforcing its Red Flags Rule through December 31, 2010 and asked Congress to pass legislation that would resolve any questions about which entities should be covered as “creditors” and to obviate the need for further enforcement delays.

Presently, only the Senate has acted on this request. The measure will need to be approved by the House of Representatives and signed by President Obama. Still, this is encouraging news for many concerned about compliance with this new mandate.  

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Welcome to the next advancement in the delivery of health services -

monitoring patients and promoting healthy behavior through mobile phones and other portable devices

The Washington Post reported today about a service offered through Voxiva whereby expectant mothers receive free text messages concerning prenatal health advice. The pilot program has been in place since February and since then more than 100,000 expectant mothers are reported to have participated in the program. These technologies clearly are in line with initiatives in this country to move to electronic health records. However, whether these methods for delivering health care take hold remains to be seen. As the WP notes, while these technologies are attractive, there are challenges:

• As noted by WP reporter Steven Overly, communicating to a wide variety of patients through a "wide variety of mobile devices, operating systems and network speeds" raises significant challenges. 
• Another issue, of course, is HIPAA and how these communications and devices will meet the privacy and security requirements under those regulations.
• Human error easily could cause the wrong messages to be sent to the wrong patients creating data breach, malpractice and other risks.
• One of our more recent posts highlights the concern about information maintained on cellphones and other mobile devices and what happens to that information when the phones are discarded. 
• Employers who provide phones to their employees and have the right to review text messages, see recent U.S. Supreme Court decision in Quon v. City of Ontario, can easily find themselves with access to all kinds of medical information of employees and possibly their dependents who give their doctors their cell phone number. This risks here could be significant.   

As with the adoption of any new technology or new application of technology, companies and employers should be careful to think through all of the issues and take appropriate preventive steps toward minimizing risks.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

In March 2010, we reported on a decision by the U.S. District Court for the District of New Jersey that allowed an employee's retaliation claim to proceed to trial under the New Jersey Conscientious Employee Protection Act (“CEPA”) on the ground that he was engaged in protected whistle blowing activity - voicing concerns regarding his employer’s handling of data security. A California Appellate Court recently adopted a similar line of reasoning. 

Rather than addressing an employee’s concerns, a company fired the employee for questioning whether the company’s networks and information systems adequately protected HIPAA patient information contained on those systems. Cutler v. Dike, 2010 WL 3341663 (Cal. Ct. App. Aug 26, 2010) (unpublished). Based on his employment contract, the employee reasonably believed that his job included acting as the company’s privacy officer. As the court found, the employee also reasonably believed:

the database used to test the company’s . . . software contained confidential patient information which would be exposed in violation of HIPAA, because [the company president] had told him it was patient information . . . [and that] confidential patient data would be used in the future as the program was implemented.

The employee had refused to participate in configuring the computer system as directed and voiced his objections that doing so would violate HIPAA rules and regulations. In response, the company president recommended that the employee resign or risk being fired “since you have chosen to be very negative about issues in the organization.” The employee sued the employer for wrongful termination and the jury found against the employer. The employer appealed the jury verdict.

The court began by citing the relevant section of the California Labor Code (Section 1102.5), which states:

[a]n employer may not retaliate against an employee for refusing to participate in an activity that would result in a violation of state or federal statute, or a violation or noncompliance with a state or federal rule or regulation.

The court went on to hold, “[T]he protection of confidential patient information is clearly the type of general public interest that supports a cause of action for wrongful termination in violation of public policy.” Accordingly, the court upheld the jury’s finding of liability against the employer for wrongful termination in violation of public policy.

Employers across the country generally are prohibited from retaliating against employees for refusing to participate in activities that are impermissible under state or federal law or regulations. This includes retaliating against employees that raise concerns under the HIPAA privacy and security regulations, or other data security mandates under federal or state laws, such as those in Massachusetts, Connecticut, or New Jersey. Employers may find themselves responding to more of these kinds of concerns from employees as employees are more aware of breaches reported in the media over the past few years and become anxious over their own sensitive personal information in their employer’s possession.

An employer should avoid reacting to an employee’s complaint of weaknesses in its data system by firing or disciplining the employee. Shooting the messenger is not acceptable. The company should investigate the issues which have been raised and, if necessary, address them appropriately. Employers are better served by employees who feel secure enough to come forward with unpleasant news, than by suppressing such reports and enduring embarrassing and costly disclosures later. Of course, vulnerabilities can be minimized by taking the preventive steps required under many state and federal laws to safeguard personal and confidential information.  

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Federal contractors are subject to numerous requirements under federal law and, as we have previously highlighted here, need to keep pace with changes in law and regulation. 

Under the Federal Information Security Management Act of 2002 (FISMA) each federal agency is required to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source. Accordingly, FISMA provides authority for the imposition of requirements on those companies which qualify as federal contractors. 

By way of example, the Centers for Medicare and Medicaid Services (CMS), as well as the Department of Veterans Affairs impose specific requirements on their contractors.   

Adding new data protection requirements for federal contractors who use or handle U.S. Department of Defense (DOD) information, the DOD earlier this year issued an advanced notice of proposed rulemaking regarding amendments, 75 F.R. 9563, to the Defense Federal Acquisition Regulation Supplement (DFARS). 

The proposed amendments require “adequate security,” defined as “protection measures … commensurate with the risks of loss, misuse, or unauthorized access to or modification of information,” and have three main subparts; basic safeguarding, enhanced safeguarding, and cyber intrusion reporting. 

Basic safeguards, required for any unclassified DOD information, include:

• Designating  the level of access and dissemination of informationProtecting DOD information on public computer or Web sites
• Transmitting electronic information using technology and processes that provide the best level of security and privacy
• Transmitting voice and fax information on with reasonable assurances that access is limited
• Protect information by at least one physical or electronic barrier
• Sanitize media in accordance with the National Institute of Standards and Technology (NIST) before external release or disposal
• Provide protection against computer intrusions and the unauthorized release of data. 

In addition to the basic safeguards outlined above, contractors are required to implement enhanced safeguards to certain types of data. The enhanced safeguards include:

• Encryption/Storage controls
• Network intrusion protection
• Implement information security controls

Additionally, a reporting requirement has now been proposed, requiring contractors to report to the DOD within 72 hours of any cyber intrusion event that affects DOD information resident on or transiting the contractor’s unclassified information systems.

The new proposed DOD amendments, along with the various other federal contractor requirements, including those imposed by CMS and the Department of Veterans Affairs, highlight the necessity for companies that qualify as federal contractors to be up to date on their legal obligations or risk loss of their federal contractor status. 

• Email This
• Print
• Comments
• Trackbacks
• Share Link

A UK law firm may find itself subject to significant penalties following reports of a data breach affecting thousands of people.  The recent 2010 ABA Annual Meeting in San Francisco devoted two sessions to the topic, specifically dealing with “cloud computing,” and the risks and ethical issues it raises for law firms. As data privacy and security risks mount for all businesses, they are perhaps even more critical for law firms. 

Law schools in the United States teach their students about a long-standing and fundamental tenet of the legal profession – the attorney-client privilege. It is indeed the general obligation of attorneys to keep client communications confidential. Law schools generally do not teach, at least not nearly to the same degree, how lawyers as law firm business owners ought to protect the personal information of their clients from unauthorized acquisition or access, without hampering their practice.

This primer is intended to provide a brief discussion of the key issues for law firms and some helpful steps for developing a plan to safeguard such information.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Beginning March 1, 2010, businesses will be required to safeguard from identity theft and other dangers personal information about Massachusetts residents under a “written information security program” or WISP. Similar requirements exist in other states around the country, although those requirements generally are not as comprehensive as those becoming effective in the Bay state.

Our complimentary webinar is designed to help employers and businesses become compliant. The program will cover:

• the emergence of data security mandates across the country,
• the Massachusetts approach to data security – breach notification, data destruction, the nuts and bolts of the identity theft/data security regulations, and
• best practices when creating a WISP.

We hope you enjoy the webinar.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

The most frequent question we hear from clients who want to develop or tighten their data privacy and security policies and procedures: Where do we start?

In most cases, the first step for the group charged with this task is to understand the organization's "information risk." This means, in short, examining what information the company has, the nature of that information, how it moves through the organization and to/from its vendors, and the company's current set of safeguards. The process for gaining this understanding is generally referred to as a risk assessment. 

Click here for a power point presentation on key features of a risk assessment.

Risk assessments come in many forms and should be designed to fit your particular organization. 

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Rite Aid Corporation and its affiliates have agreed to pay $1 million to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule, the U.S. Department of Health and Human Services (HHS) announced today. At the same time, Rite Aid signed a consent order with the Federal Trade Commission (FTC) to settle potential violations of the FTC Act.

The lesson to be learned from this case:

Disposing of individuals’ health information in an industrial trash container accessible to unauthorized persons is not compliant with several requirements of the HIPAA Privacy Rule and exposes the individuals’ information to the risk of identity theft and other crimes.

The Office of Civil Rights, which enforces the HIPAA Privacy and Security Rules, opened its investigation of Rite Aid after television media videotaped incidents in which pharmacies were shown to have disposed of prescriptions and labeled pill bottles containing individuals’ identifiable information in industrial trash containers that were accessible to the public. These incidents were reported as occurring in a variety of cities across the United States. Rite Aid pharmacy stores in several of the cities were highlighted in media reports.

The investigation also indicated other potential concerns about Rite Aid's policies related to safeguarding patient information during the disposal process, training employees, and a related sanction policy.

The Director of OCR noted:

It is critical that companies, large and small, build a culture of compliance to protect consumers’ right to privacy and safeguard health information. OCR is committed to strong enforcement of HIPAA.

The corrective action Rite Aid has agreed to includes improving policies and procedures to safeguard the privacy of its customers' health information, and applies to all of its nearly 4,800 retail pharmacies. More specifically, the settlement requires Rite Aid to take a number of steps including

• Revising and distributing its policies and procedures regarding disposal of protected health information and sanctioning workers who do not follow them;
• Training workforce members on these new requirements;
• Conducting internal monitoring; and
• Engaging a qualified, independent third-party assessor to conduct compliance reviews and render reports to HHS and FTC.

The HHS corrective action plan will be in place for three years; the FTC order will be in place for 20 years. The length and scope of these plans show the seriousness these agencies are taking concerning compliance with requirements to safeguard personal information.  

• Email This
• Print
• Comments
• Trackbacks
• Share Link

U.S. Department of Health and Human Services Secretary Kathleen Sebelius has announced final rules for eligible health care professionals and hospitals to qualify for a portion of the $27 billion or so in Medicare and Medicaid incentive payments for implementation and meaningful use of certified electronic health records (EHR). Many are concerned these incentives will increase the risks for data privacy and security that will come with more health data being maintained, used and disclosed in electronic format. Under the rules, eligible professionals may receive as much as $44,000 under Medicare and $63,750 under Medicaid, and hospitals may receive millions of dollars under both Medicare and Medicaid.
 

"We will make the immediate investments necessary to ensure that within five years, all of America's medical records are computerized."

President Barack H. Obama, January 8, 2009 

HHS’s July 13 action is consistent with the agenda of President Obama and some of his predecessors to help improve Americans’ health, increase safety and reduce health care costs through expanding use of EHRs and simplifying the administrative costs of healthcare. The enactment of the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 significantly advanced this agenda by establishing the statutory structure for eligible health care professionals and hospitals to receive government subsidies to adopt certified EHR technology. The HITECH Act, however, also expanded and tightened the HIPAA privacy and security regulations to address, in part, concerns about improper access and use of EHRs.

HHS’s regulations (consisting of more than 1,000 pages) define the minimum requirements and “meaningful use” objectives to qualify for the bonus payments (pdf) and identify the technical capabilities required for certified EHR technology (pdf). At the same time, providers and hospitals will need to focus on the evolving privacy and security mandates under HITECH, as well as under state law, to minimize the risks to protected health information and other personal information. So, as providers and hospitals look to Medicare and Medicaid funds to jumpstart their move to EHR systems, it will be important for them to be sure to have in place the appropriate policies, procedures and agreements to safeguard those records, which should include the careful handling and/or disposition of the mountains of paper records they currently maintain.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Further to our discussions of the proposed regulations to implement statutory amendments under the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”), we summarize here a proposed changed to the definition of “business associate.” A significant part of the “HIPAA community” (covered entities, business associates and their agents and subcontractors) already is aware of the expanded application of HIPAA to business associates under HITECH. This expansion went into effect February 18, 2010, and, in fact, many business associate agreements currently are being modified in an attempt to reflect the statutory provisions. The HIPAA community, however, may not yet be aware of the proposal to further expand the direct application of the privacy and security rules under HIPAA to subcontractors performing functions for business associates.

A New Class of Business Associate

Prior to the HITECH Act changes, business associates and their agents and subcontractors were not directly subject to HIPAA. Instead, HIPAA required covered entities to obtain certain written assurances from their business associates. One of those written assurances was that business associates would ensure that their agents and subcontractors would agree to be subject to the same conditions and restrictions contained in the business associate agreement entered into with the covered entity.

The proposed regulations would include subcontractors in the group of “business associates” to the extent that they require access to protected health information. Such subcontractors are those persons who are not members of the business associate’s workforce, but perform functions for or provide services to a business associate. This would be the case even if the business associate has failed to enter into a business associate contract with the subcontractor. The regulator’s goal is to ensure the privacy and security protections will not lapse merely because a function is performed by an entity with no direct relationship with a covered entity, although the regulations seek public comments on the definition of subcontractor.

The proposed regulations state (emphasis added):

[W]e propose that downstream entities that work at the direction of or on behalf of a business associate and handle protected health information would also be required to comply with the applicable Privacy and Security Rule provisions in the same manner as the primary business associate, and likewise would incur liability for acts of noncompliance. We note, and further explain below, that this proposed modification would not require the covered entity to have a contract with the subcontractor; rather, the obligation would remain on each business associate to obtain satisfactory assurances in the form of a written contract or other arrangement that a subcontractor will appropriately safeguard protected health information. For example, under this proposal, if a business associate, such as a third party administrator, hires a company to handle document and media shredding to
securely dispose of paper and electronic protected health information, then the shredding company would be directly required to comply with the applicable requirements of the HIPAA Security Rule (e.g., with respect to proper disposal of electronic media) and the Privacy Rule (e.g., with respect to limiting its uses and disclosures of the protected health information in accordance with its contract with the business associate).

As the example above shows, if made final, the proposed regulation would further HIPAA’s reach and affect many businesses that may not currently view themselves as directly subject to the requirements or penalties under HIPAA. Many companies, including those that service the healthcare industry, such as health plans, likely will need to revisit their HIPAA-compliance measures.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

We recently reported here that the Department of Health and Human Services (HHS) is issuing proposed regulations to implement statutory amendments under the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”). These proposed regulations contain a number of important points to think about for HIPAA covered entities (and business associates), even though these rules are in proposed form. One is avoiding HIPAA violations involving “willful neglect," which under the HITECH Act will require a formal investigation and civil penalties.

To date, the Secretary of HHS has attempted to resolve complaints and certain violations by informal means, as required by § 160.312 of the current regulations. A significant change to the HIPAA enforcement scheme in the HITECH Act requires that if a preliminary investigation of the facts of a complaint indicates a possible violation due to willful neglect, the Secretary is required to commence a formal investigation. If the formal investigation finds a HIPAA violation involving willful neglect, the Secretary must impose a civil money penalty.

What is “willful neglect”?

Willful neglect is defined at § 160.401 as the “conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated.” The term not only presumes actual or constructive knowledge on the part of the covered entity that a violation is virtually certain to occur, but also encompasses a conscious intent or degree of recklessness with regard to the entity’s compliance obligations.

So what does that mean, what are some examples? The proposed regulations provide the following examples:

1. A covered entity disposed of several hard drives containing electronic protected health information in an unsecured dumpster, in violation of § 164.530(c) and § 164.310(d)(2)(i). HHS’s investigation reveals that the covered entity had failed to implement any policies and procedures to reasonably and appropriately safeguard protected health information during the disposal process.
2. A covered entity failed to respond to an individual’s request that it restrict its uses and disclosures of protected health information about the individual. HHS’s investigation reveals that the covered entity does not have any policies and procedures in place for consideration of the restriction requests it receives and refuses to accept any requests for restrictions from individual patients who inquire.
3. A covered entity’s employee lost an unencrypted laptop that contained unsecured protected health information. HHS’s investigation reveals the covered entity feared its reputation would be harmed if information about the incident became public and, therefore, decided not to provide notification as required by § 164.400 et seq.

In addition to having actual or constructive knowledge of one or more violations, the covered entities in the examples above, particularly Example 1, failed to develop or implement compliant policies and procedures and, thus, demonstrated either conscious intent or reckless disregard with respect to the compliance obligations under HIPAA.

Based on the proposed regulations, covered entities can no longer expect the velvet hand of the regulators to resolve a violation informally in all cases. Covered entities that fail to have policies and procedure and make a good faith compliance effort likely will find themselves subject to mandatory formal investigations and penalties.

Covered entities like the one in example 1 above might want to consider certain precautions, including:

• maintaining a record retention policy,
• maintaining media re-use policy,
• maintaining a data destruction policy,
• maintaining an e-discovery policy, and
• and engaging a good data destruction/shredding company.
 

• Email This
• Print
• Comments
• Trackbacks
• Share Link

On June 10, 2010, the California Department of Public Health (CDPH) announced  issuing administrative penalties and fines totaling $675,000 against five hospitals in the state. CDPH cites the facilities’ failure to prevent unauthorized access to confidential patient medical information as required under new legislation (Section 1280.15 of California’s Health and Safety Code) (pdf) as the basis for the penalties and fines.

Relevant portions of Section 1280.15 of California’s Health and Safety Code provide:

A clinic, health facility, home health agency, or hospice . . . shall prevent unlawful or unauthorized access to, and use or disclosure of, patients' medical information . . . The department, after investigation, may assess an administrative penalty for a violation of this section of up to twenty-five thousand dollars ($25,000) per patient whose medical information was unlawfully or without authorization accessed, used, or disclosed, and up to seventeen thousand five hundred dollars ($17,500) per subsequent occurrence of unlawful or unauthorized access, use, or disclosure of that patients' medical information. For purposes of the investigation, the department shall consider the clinic's, health facility's, agency's, or hospice's history of compliance with this section and other related state and federal statutes and regulations, the extent to which the facility detected violations and took preventative action to immediately correct and prevent past violations from recurring, and factors outside its control that restricted the facility's ability to comply with this section. The department shall have full discretion to consider all factors when determining the amount of an administrative penalty pursuant to this section.

CDPH Director Dr. Mark Horton commented, “medical privacy is a fundamental right and a critical component of quality medical care in California.” His position and the actions taken by the agency highlight the need for health care providers to do more to safeguard patient records. In most of these cases, according to the CDPH announcement, multiple hospital employees accessed confidential patient medical information without authority to do so.

However, California hospitals should not be the only entities concerned about exposure relating to unauthorized access to confidential personal information, nor is California’s Health and Safety Code the only statutory obligation to safeguard such information. Mandates to protect personal information are growing and apply to industries beyond healthcare and persons other than patients. In short, businesses in all states and industries should be reviewing, at a minimum:

1. how they safeguard personal information, whether it be that of customers, patients, employees, or their dependents,
2. who they permit to access personal information, and
3. what their plan is in the event of unauthorized access or acquisition.

We’ve written about a number of these areas of concern:

• Pending Federal Legislation
• State Attorneys General enforcing (i) HIPAA, (ii) Deceptive and Unfair Trade Practices Laws, (iii) record destruction laws.
• Risks if You Are a Business Associate
• Criminal Penalties Under HIPAA
• State Laws Mandating Protections for Personal Information, not just medical information.
• HHS Enforcing HIPAA Following Data Breach
• Developing a Plan

Like most things, "an ounce of prevention is worth a pound of cure."

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Have you noticed that negotiating that business associate agreement has gotten a lot more difficult? Many companies that serve health care providers and health plans, generally known as business associates, have noticed. These companies include software vendors, benefits brokers, cloud computing providers, data storage/destruction companies, and accountants, among others.

The clients of these companies are citing HIPAA, ARRA, HITECH, data breach notification requirements, and state law mandates as they demand stricter contract language and additional rights and protections, such as the right to audit the business associate and to be held harmless in the event of any data mishap. Business associates that took HIPAA lightly in 2003 and 2004, when the HIPAA regulations first became effective (2005 and 2006 for the security regulations), are playing catch-up.

When President Obama signed the American Recovery and Reinvestment Act of 2009 (ARRA), “business associates” may not have expected the significant effects that law would have on their businesses. Chief among those effects are mainly due to four sentences in The Health Information Technology for Economic and Clinical Health (HITECH) Act (pdf), passed as part of ARRA, and which generally became effective on February 17, 2010 (the breach notification mandate became effective on September 23, 2009), one year after enactment:

• “Sections 164.308, 164.310, 164.312, and 164.316 of title 45, Code of Federal Regulations, shall apply to a business associate of a covered entity in the same manner that such sections apply to the covered entity. The additional requirements of this title that relate to security and that are made applicable with respect to covered entities shall also be applicable to such a business associate and shall be incorporate[d] into the business associate agreement between the business associate and the covered entity.” ARRA Sec. 13401(a). This statement makes business associates directly subject to nearly all of the HIPAA security regulations, the HIPAA rules relating to electronic protected health information. Prior to the change, these obligations existed for business associates only as a matter of contract.
• “A business associate of a covered entity that accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured protected health information shall, following the discovery of a breach of such information, notify the covered entity of such breach.” ARRA Sec. 13402(b). This statement creates a new obligation for business associates – report to covered entities breaches of unsecured protected health information.
• “The additional requirements of this subtitle that relate to privacy and that are made applicable with respect to covered entities shall also be applicable to such a business associate and shall be incorporated into the business associate agreement between the business associate and the covered entity.” ARRA Sec. 13404(a). This statement makes business associates directly subject to nearly all of the HIPAA privacy regulations. Prior to the change, as with the security regulations, these obligations existed for business associates only as a matter of contract.

In response to these law changes, and in the absence of regulatory guidance, covered entities have been demanding modifications to existing business associate agreements or requesting new agreements. In both cases, covered entities are seeking greater assurances from their business associates concerning the handling of the covered entities’ protected health information.

On top of that, covered entities are weaving into business associate agreements and other agreements requirements under newly enacted state laws requiring protections for “personal information” in the hands of vendors (e.g., business associates) to curb identity theft. Given the cost and reputational harm that could come from a data breach, as well a growing enforcement activity, many covered entities are becoming more forceful in their negotiations, citing legal mandates and established company policies for their unwillingness to budge on many provisions, even those that go beyond statutory mandates.

What is a business associate to do? Here are some thoughts:

1. Confirm your company is a business associate. (go to HHS HIPAA frequently asked questions and insert "business associate" for helpful guidance). In some cases, covered entities are blanketing all of their vendors with these agreements. If believe your company is not a business associate, raise it with your client. Of course, even if you avoid being considered a business associate, your customer/client still may demand written assurances under state law for the personal information you handle on its behalf.
2. Become compliant. As noted above, the HIPAA privacy and security requirements are now directly applicable to business associates. While additional guidance is expected as to what this means precisely, there is enough existing guidance concerning covered entities for business associates to use to achieve compliance. Among other things, compliance means conducting a risk assessment, adopting a written set of policies and procedures concerning the safeguarding of protected health information, and training staff. Being compliant not only reduces risk, but in an environment of increasing attention to data privacy and security, compliance can be a competitive advantage.
3. Review agreements carefully. Covered entities increasingly include contract provisions that provide the covered entity with greater protections than the law requires. To the extent possible, try to remove those provisions. In any event, it is important to know your obligations under these agreements; they can vary dramatically from covered entity to covered entity.
4. Develop strategies for reviewing/complying with multiple contracts. Some business associates have many clients and, therefore, business associate agreements. Managing unique provisions multiple agreements can be daunting, although the ability to negotiate a uniform agreement across a client basis is increasingly unlikely. So, where possible, try to use similar provisions in all agreements and know ahead of time your approach to certain key provisions, such as handling data breaches.
5. Understand the law. Even if you’ve mastered the determination of whether you are a business associate, the rules outlining your business' obligations likely will be evolving under HIPAA over the next few years, particularly with the expected growth of electronic health records and the expansion of health care. The same is true of state laws concerning personal information. In many cases these laws might coexist peacefully, in other cases there will be conflict. You need to be aware of the conflicts and be prepared to act accordingly.

• Email This
• Print
• Comments (1)
• Trackbacks
• Share Link

The Federal Trade Commission announced it is further delaying its enforcement of the “Red Flags” Rule through December 31, 2010. This move comes at the request of several Members of Congress who want to further consider legislation that would clarify who is subject to the Rule.

The delay follows the lawsuit (pdf) filed by the American Medical Association and others arguing that the Red Flags Rule should not apply to physicians.  As reported by amednews.com, the plaintiffs bolster their case by pointing to a 2009 federal court ruling (pdf) (American Bar Assn. v. Federal Trade Commission) exempting lawyers from the Rule. That ruling is now on appeal to the U.S. Court of Appeals for the D.C. Circuit

Legislation is pending in the United States House of Representatives that would exempt certain professions, including physicians, from the Red Flags Rule. H.R. 3763 passed the House unanimously in October 2009, but there has been no further movement in Congress on this issue.

The Rule was developed under the Fair and Accurate Credit Transactions Act, in which Congress directed the FTC and other agencies to develop regulations requiring “creditors” and “financial institutions” to address the risk of identity theft. The resulting Red Flags Rule requires all such entities that have “covered accounts” to develop and implement written identity theft prevention programs to help identify, detect, and respond to patterns, practices, or specific activities – known as “red flags” – that could indicate identity theft.

In its announcement, the FTC notes that as was the case with prior enforcement delays, this enforcement delay is limited to the Red Flags Rule and does not extend to the rule regarding address discrepancies applicable to users of consumer reports, or to the rule regarding changes of address applicable to card issuers.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

We are honored that the National Association of Professional Employer Organizations (NAPEO), the largest national trade association for professional employer organizations (PEOs), recently published our article in its May 2010 edition of its PEO Insider publication, an important resource for any PEO.  

PEOs no doubt provide valuable services for businesses across the country. However, in doing so, they generally have access to and maintain vast amounts of personal information. Our article, "Key Data Privacy and Security Issues for PEOs," summarizes emerging data privacy and security laws and their effects on PEOs.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

On April 16, 2010, Florida Attorney General Bill McCollum announced a settlement (pdf) with Certegy Check Services, Inc. over how the company secures consumer records. The Attorney General’s enforcement action stems from a massive data breach by a former Certegy employee who stole personal identification information from approximately 5.9 million consumer files.

According to the Attorney General’s press release, Certegy promptly notified the Attorney General and consumers of the data thefts, and cooperated with the Attorney General’s investigation. In addition to agreeing to maintain a comprehensive information security program, under the settlement, Certegy will contribute $125,000 to the Attorney General’s “Seniors vs. Crime Program” for educational, investigative and crime prevention programs for the benefit of senior citizens and the community. Further, it will pay $850,000 for the state’s investigative costs and attorney’s fees.

Massachusetts and some other states have specific statutory provisions requiring the safeguarding of personal information. No similar law exists in Florida. The Attorney General commenced its action against Certegy under the State’s deceptive and unfair trade practices statutes. Businesses with data security safeguards that can be viewed as subpar, therefore, cannot depend on the absence of specific state statutes to shield them from state action in case of a data breach or allegations that personal information is not being adequately safeguarded.

In addition to the nearly one million dollars Certegy will pay the State of Florida, the company agreed to

maintain a comprehensive “Information Security Program” that assesses internal and external risks to consumers’ personal information, implements safeguards to protect that consumer information, and regularly monitors and tests the effectiveness of those safeguards. Certegy and its related entities will also adhere to payment card industry data security standards as those standards continue to evolve.

Significantly, the settlement requires Certegy to conduct initial and annual assessments of its policies and procedure.

The settlement with the Attorney General followed a class action settlement in U.S. District Court in Tampa. Under that settlement, Certegy made certain monitoring services available to affected consumers, who also were able to seek reimbursement of certain out-of-pocket costs incurred or identity theft expenses. 

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Over the past few months, many businesses, particularly in the Northeast Region, have been focusing on creating a written information security program (WISP) to comply with Massachusetts identity theft regulations that went into effect March 1, 2010. For many, this has been a significant effort, reaching most, if not all, parts of their organizations. However, it is important to remember that although Massachusetts may be the state with the most comprehensive set of rules for securing personal data, other states have enacted similar protections, and compliance with Massachusetts does NOT necessarily mean compliance with other states.

Consider the following examples:

California. The Civil Code in California states a business that owns or licenses personal information about a California resident must:

implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.

For purposes of this requirement, “personal information" means:

an individual's first name or first initial and his or her last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted:
(A) Social security number.
(B) Driver's license number or California identification card number.
(C) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.
(D) Medical information.

Similar pretections for medical information exist in Arkansas, but that information is not covered by the rules in Massachusetts. Illinois requires safeguards for certain biometric information, a classification of data also not covered by the Massachusetts regulations.

Oregon. Oregon’s Consumer Identity Theft Protection Act lays out safeguards similar to those in Massachusetts, with some relief for small businesses (those manufacturing businesses with 200 employees or fewer and all other forms of business having 50 employees or fewer). Key is the requirement to implement an “information security program” that contains administrative, technical and physical safeguards.

Administrative safeguards include, for example: 

1. designating one or more employees to coordinate the program;
2. identifying reasonably foreseeable internal and external risks;
3. assessing the sufficiency of data safeguards;
4. training employees in the program’s practices and procedures;
5. limiting outside service providers to those maintaining adequate data security safeguards; and
6. adjusting the program according to business changes or new circumstances.

In New Jersey, regulations are pending that would create similar obligations.

Connecticut. Without specifying the kinds of safeguards, Connecticut requires any person in possession of personal information of another person to:

safeguard the data, computer files and documents containing the information from misuse by third parties, and [ ] destroy, erase or make unreadable such data, computer files and documents prior to disposal.

For purposes of this law, “personal information” includes:

information capable of being associated with a particular individual through one or more identifiers, including, but not limited to, a Social Security number, a driver's license number, a state identification card number, an account number, a credit or debit card number, a passport number, an alien registration number or a health insurance identification number.

Similar requirements were enacted in other states, including Arkansas, North Carolina, Rhode Island, Texas, and Utah. But note the definition in Connecticut goes beyond the elements of data protected under the Massachusetts regulations.

Service contracts. Some states go a step further, requiring certain provisions be included in contracts between entities and their service providers when the contracts involve the disclosure of a state resident’s personal information from the owner of the information to the service provider. For example, such contracts in Nevada and Maryland must include a provision requiring the person to whom the information is disclosed to implement safeguards to protect that information.

The emergence of state mandates fueled by the continued rapid advancement and increased use of technology suggest a trend that is sure to become a fact of life for businesses operating anywhere in the U.S. Whether the technology is “cloud computing” or “peer-to-peer” software, businesses need to take appropriate steps to protect personal information maintained throughout their organizations.

• Email This
• Print
• Comments (3)
• Trackbacks
• Share Link

It’s been around for a while, but could new products in the “cyber-insurance” market help companies focus on this emerging threat known as “information risk”?

The National Journal reports that for many companies online security is not a priority. Tom Risen’s article cites to a Verizon study conducted between 2004 and 2008 (pdf) that determined

75 percent of breaches were not discovered by the victimized organization, and that 87 percent could have been prevented with reasonable online protection.

Mr. Risen reports that historically cyber-insurance covered “hazards such as unauthorized Web site access, online libel, data privacy loss and repairs to company databases after system failures.” However, with the explosion of data breaches over the last 10 years or so, new, broader policies have emerged, covering costs related to responding to a data breach, such as sending notices, providing credit monitoring services, engaging legal counsel, employing a call center, and defense of claims by affected individuals and federal and state officials. Some companies in this space include Beazley, Chartis, Travelers, Chubb and others.

It may be, as Robert Parisi of Marsh suggested to Mr. Risen, that federal legislation might encourage more awareness of these issues, something we raised as well. Certainly, we are beginning to see greater attention to these issues as businesses are beginning to focus on the Massachusetts data security/identity theft regulations, which become effective March 1, 2010.

Whatever the driving force, businesses need to drill down on their data security needs and address their information risk. Preventive measures – in the form of a written information security program – are certainly necessary and appropriate. But it may not be enough. As anyone who drives knows, for example, it is not enough to drive carefully and wear a seat belt. Insurance can play a critical role in addressing risks that even the best safeguards can’t. For this reason, cyber-insurance should be considered as a part of any business’ comprehensive approach to information risk. 

• Email This
• Print
• Comments (2)
• Trackbacks
• Share Link

 According to the newly revised Federal Trade Commission (“FTC”) Guides, employers may face liability for employees’ commenting on their employer’s services or products on “new media,” such as blogs or social networking sites, if the employment relationship is not disclosed. Potential liability may exist even if the comments were not sponsored or authorized by the employer. 

The revised Guides took effect December 1, 2009. They address the application of Section 5 of the FTC Act (15 U.S.C 45) to the use of endorsements and testimonials in advertising and provide examples of the application of Section 5, including examples that could lead to potential employer liability. One such example specifies liability for an employee’s blog posting concerning his employers’ product, where the employment relationship is not previously disclosed:

An online message board designated for discussions of new music download technology is frequented by MP3 player enthusiasts. They exchange information about new products, utilities, and the functionality of numerous playback devices. Unbeknownst to the message board community, an employee of a leading playback device manufacturer has been posting messages on the discussion board promoting the manufacturer’s product. Knowledge of this poster’s employment likely would affect the weight or credibility of her endorsement. Therefore, the poster should clearly and conspicuously disclose her relationship to the manufacturer to members and readers of the message board.”

In comments to the proposed revisions, the Commission agreed that the establishment of appropriate procedures governing “new media” would be a factor in its determination as to whether law enforcement action is appropriate. Tellingly, the Commission stated that it has brought enforcement actions against companies “whose failure to establish or maintain appropriate internal procedures” had resulted in consumer injury. However, the Commission refused to spell out the procedures companies should put in place to monitor compliance with the principles set forth in the Guides, leaving companies to determine for themselves the process that would best fulfill their responsibilities. 

In light of the FTC’s clear recognition of “new media” and enforcement goal, employers should adopt social media and blogging policies as soon as possible. Employers should consider policies and procedures which address employee use of blog or social networking sites. Those policies, like this sample policy, should articulate the types of disclosure employees must include when they discuss their employers or their employers’ products or services. 

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Based on recent events, the University of East Anglia likely will agree that data privacy and security requires a comprehensive approach, as data breaches are not limited to incidents involving personal information and identity theft. In fact, the effects of a breach to an organization's information systems involving confidential company information can be far worse on the organization as a whole than if the breach involved personal information.

Take, for example, a report by The New York Times reporter Lauren Morello concerning a breach involving thousands of emails and documents of the Climatic Research Unit (CRU) at University of East Anglia. Apparently, hackers obtained and posted on the Internet emails and documents calling into question some of the positions about climate change and global warming held by the CRU. Whatever the truth or perception of the information contained in the posted emails and documents, the CRU surely is in an uncomfortable position of having to defend its statements and address their context. 

Last month we reported a data breach involving personal information of a different kind - ethics investigations of members of the United States Congress. Again, while not the kind of personal information that would lead to identity theft, or require notification be sent to the affected individuals, it is the kind of information that could have significant adverse consequences for the institution and the persons affected.

For this reason, organizations need to address "information risk" on an organization-wide basis, making sure that their written information security programs take into account how information of any kind, maintained in any medium by the organization, can, if misused, caused the organization harm. While remedies may be available through the criminal justice system or civil litigation under such laws as the Computer Fraud and Abuse Act, avoiding the breach in the first place obviously is preferred.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

The Massachusetts Office of Consumer Affairs and Business Regulations (OCABR) announced on November 4, 2009, the filing of final regulations (pdf) with the Secretary of State’s office, the final step before the regulations take effect March 1, 2010.

The final regulations differ slightly from the version of the regulations issued in August 2009, which made significant revisions to the earlier version of the rules.

OCABR clarified in the final regulations that:

• those who store personal information must comply, and
• until March 1, 2012, contracts with service providers will be deemed to satisfy the contract requirement, even if the contract does not require the service provider to maintain appropriate safeguards, as long as the contract was entered into no later than March 1, 2010. However, it is recommended that contracts with service providers be amended as soon as possible to require appropriate safeguards, as there may be similar requirements under federal or applicable state law (such as HIPAA or data security laws in Maryland, Oregon or Nevada). 

While the regulations have had a number of changes, the written information security program requirement remains, along with a number of other safeguards for personal information that require immediate attention. 

A checklist for the final regulations can be found here (pdf). 

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Today, Connecticut Attorney General Richard Blumenthal announced his office will investigate a data breach that occurred in late August that affected approximately 18,817 Connecticut health care professionals. The American Medical Association reported earlier that this breach involved the personal information, including Social Security numbers, of an estimated 850,000 physicians nationwide. What is most troubling about this breach is that it probably was avoidable.

Like many data breaches, this one involved a stolen laptop, in this case from the employee’s car. However, as NewsTimes.com reported, despite the employer’s encryption policy, the employee downloaded the file to a laptop, without the required encryption, in order to work from home.

Even the best firewalls and other technology-based information system protections cannot save us from ourselves. It was possible here that not only did the employee violate the company’s encryption policy, but he or she also may have exercised poor judgment in leaving the laptop in a car. The ease with which employees acquire, handle and transport massive amounts of sensitive personal information make it critical that businesses ensure their employees have greater awareness of the sensitivity of this information and receive regular training about how to be more cautious handling it. This should be a part of any written information security plan. 

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Yesterday, the U.S. Senate Judiciary Committee again approved two pieces of legislation that would require certain entities to safeguard personal information and notify individuals of breaches of that information. Over the last few years, similar legislation made it out of various Committees, but failed to go any further. Could this time be different?

The Committee voted in favor of the Personal Data Privacy and Security Act of 2009 (S.1490) and the Data Breach Notification Act (S.139), sponsored by Senators Patrick Leahy and Dianne Feinstein, respectively.  In its current form, S. 1490 would require that covered entities, among other things, perform risk assessments, limit access to sensitive information, train their work force, and require vendors by contract to implement appropriate safeguards. The Data Breach Notification Act would establish a national standard for federal agencies and businesses engaged in interstate commerce to report data breaches.

There are a number of circumstances that suggest this legislation is more likely to move forward than in years past:

• The Judiciary Committee approved both measures by significant majorities.
• The number of data breaches and complaints about them continue to mount.
• Congress recently had its own data breach (reported here), affecting personal information not likely to lead to identity theft, but which could hurt some members' reelection efforts.
• The change in administration which arguably is more focused on privacy concerns given the push for electronic health records.

Stay tuned. . . 

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Data privacy and security laws in states such as Massachusetts, Maryland and Nevada require businesses to develop written policies and procedures that provide administrative, physical, and technological safeguards to protect personal information - or a "written information security program" or "WISP." These laws do not require protections for confidential company information and trade secrets, but such information also warrants protection.

Failure to do develop a WISP can leave a business exposed.

Certain businesses also can lose a business advantage as individuals (clients, employees, dependents, and others) and business partners increasingly demand heightened security of their sensitive and personal information.

But where does a business start?

Don't wait any longer! Develop a plan by reading the Data Privacy Primer (PDF).

• Email This
• Print
• Comments
• Trackbacks
• Share Link