OCR Issues Protocol For HIPAA Privacy, Security and Breach Notification Audit Program

Posted on June 27, 2012 by Jason C. Gavejian

As we previously discussed, the Office of Civil Rights (“OCR”) continues to push forward with the HIPAA audits required by the HITECH Act.  To this end, the OCR recently posted the protocol which is used to conduct the HIPAA audits on its website. 

The HITECH Act requires HHS to provide for periodic audits to ensure covered entities and business associates are complying with the HIPAA Privacy and Security Rules and Breach Notification standards.  To implement this mandate, OCR piloted a program to perform audits of covered entities to assess privacy and security compliance.   This HIPAA audit program analyzes processes, controls, and policies of selected covered entities (e.g., health plans, health care clearinghouses, and certain health care providers) as well as the requirements to be assessed through these performance audits. The audit protocol is organized around “modules,” as follows:

  • The first audit protocol covers Privacy Rule requirements for (1) notice of privacy practices for Protected Health Information (“PHI”), (2) rights to request privacy protection for PHI, (3) access of individuals to PHI, (4) administrative requirements, (5) uses and disclosures of PHI, (6) amendment of PHI, and (7) accounting of disclosures.
  • The second protocol covers Security Rule requirements for administrative, physical, and technical safeguards.
  • The third protocol covers requirements for the Breach Notification Rule.

Notably, the combination of these multiple requirements may vary based on the type of covered entity selected for review.  Healthcare providers, health plans, and business associates, all who could be affected by the HIPAA audits, need to not only be aware of the OCR’s audit activities, but also HHS’s efforts to increase enforcement of HIPAA.   

Tags: , , , , , , , , , , , , , ,
Like Tweet LinkedIn Email

Connecticut Amends Data Breach Notification Statute; Notice to Attorney General Now Required

Posted on June 19, 2012 by Joseph Lazzarotti

On June 15, 2012, Connecticut Governor Dannel P. Malloy signed budget bills H.B. 6001 (pdf) and S.B. 501 into law which, among many other things, updated the state's data breach notification law.

The key change - persons, including businesses, required to notify residents of the Nutmeg State of a security breach must also notify the State's Attorney General within the same time frame. Adding a requirement to notify the AG makes Connecticut's law similar to the laws in states such as Massachusetts, New Hampshire, New York, and Vermont

This change becomes effective October 1, 2012.

Tags: , , , , , , ,
Like Tweet LinkedIn Email

Vermont Strengthens Data Breach Notification Requirements

Posted on June 16, 2012 by Joseph Lazzarotti

Recent amendments to Vermont's Security Breach Notice Act (Act) will further complicate compliance for entities and practitioners handling data breaches, particularly those breaches affecting individuals residing in multiple states, where one of the states is Vermont. The amendments became effective May 8.

After reviewing these changes, businesses should reassess and modify, as necessary, their data incident response procedures. (Or, they should consider creating procedures to address these situations. Data security regulations in Massachusetts and HIPAA require such procedures be in place.)

For example, businesses should consider procedures and materials that facilitate quick action to comply, including draft notification letters, template scripts to respond to inquiries following a breach, and establishing relationships with computer forensic, crisis management and other firms.  Businesses that provide personally identifiable information to third party service providers (such as payroll companies, benefits brokers, accountants, and others) also should review their service contracts with those providers to ensure the businesses will be able to meet the time frames and other breach notification requirements.

What are the key changes?  (Click below for more analysis on each of these changes)

  • 45-Day Notice to Affected Individuals.
  • 14-Day Attorney General Notice.
  • WISP Exception to 14-Day Attorney General Notice.
  • Revised Definition of "Security Breach".   
  • Assistance in determining whether a security breach has occurred.

What are the key changes?

  • 45-Day Notice to Affected Individuals. Vermont becomes the fourth state (after Florida, Ohio and Wisconsin) to require notification to consumers (individuals residing in the Green Mountain State) within 45 days after discovering or being notified of a security breach. Of course, like all other breach notification requirements, the Act continues to provide that notice must be provided in the most expedient time possible and without unreasonable delay.

So, even complying with the 45-day rule may create exposure if 45 days was not the most expedient time possible. Additionally, the new timeframe continues to be qualified by the legitimate needs of the law enforcement agency, and with measures necessary to determine the scope of the security breach and restore the reasonable integrity, security, and confidentiality of the data system.

  • 14-Day Attorney General Notice. In the case of a reportable breach, a data collector must notify the Vermont Attorney General within 14 business days following the earlier of notifying consumers or discovering the security breach. 
    • The notice must include the date of the security breach, the date of discovery of the breach and a preliminary description of the breach.
    • After notifying consumers, the data collector has to inform the Attorney General of the number of consumers affected , if known, and provide a copy of the notice. 
    • To avoid public disclosure by the Attorney General of the personally identifiable information acquired in the breach, the Act allows data collectors to send a second copy of the notice to consumers which redacts that information. Note, however, that other federal and state agencies make required notices public, without this option. See, e.g., New Hampshire, and the Department of Health and Human Services in the case of HIPAA breaches.
    • Remember, a "data collector" under the Vermont law includes state agencies, political subdivisions of the state, public and private universities, privately and publicly held corporations, limited liability companies, financial institutions, retail operators, and any other entity that, for any purpose, whether by automated collection or otherwise, handles, collects, disseminates, or otherwise deals with nonpublic personal information.
    • Note that under the amendment, the Act now uses the term “personally identifiable information,” instead of “personal information.” However, the reference to "personal information" in the definition of "data collector" was left unchanged. We expect this technical issue will be corrected and will not affect the application of the statute. 
  • WISP Exception to 14-Day Attorney General Notice. Data collectors that have sworn in writing to the Attorney General, on a form provided by the Attorney General and prior to the data of a security breach, that they (i) have written policies and procedures to maintain the security of personally identifiable information (a written information security program, WISP) and (ii) would respond to a breach in a manner consistent with Vermont law, need only notify the Attorney General, prior to notifying consumers, of the date of the security breach, the date of discovery of the breach and a description of the breach.
    • The 14-day AG notice requirement coupled with the change in the definition of security breach (see below) could put data collectors in a difficult position of having to notify the AG of an incident that turns out not being a security breach, potentially creating unnecessary media attention, business partner inquiries and employee concerns. The WISP exception may help to provide data collectors more time before deciding to pull the trigger on notification.
  • Revised Definition of "Security Breach".  Under the Act, as amended, a security breach means "the unauthorized acquisition of electronic data or a reasonable belief of an unauthorized acquisition of electronic data that compromises the security, confidentiality, or
    integrity of a consumer’s personally identifiable information maintained by the data collector." The change removes unauthorized "access" from what constitutes a security breach, but expands the definition to include situations where the data collector has a reasonable belief of an unauthorized acquisition. 
  • Assistance in determining whether a security breach has occurred. The amendment added factors that data collectors may consider, along with others, to determine is a security breach has occurred. The factors are indications that:
    • the information is in the physical possession and control of a person without valid authorization, such as a lost or stolen electronic device containing information;
    • the information has been downloaded or copied;
    • the information was used by an unauthorized person, such as fraudulent accounts opened or instances of identity theft reported;
    • that the information has been made public.

 
Tags: , , , , , ,
Like Tweet LinkedIn Email

HHS Makes HIPAA Training Materials Available to State Attorneys General

Posted on June 5, 2012 by Joseph Lazzarotti

To date, State Attorneys General (State AGs) in at least four states (Connecticut, Indiana, Minnesota, Vermont) have exercised their authority to enforce the HIPAA privacy and security rules as granted by the Health Information Technology for Clinical and Economic Health (HITECH) Act (pdf), part of the American Recovery and Reinvestment Act of 2009 (ARRA). Following a nationwide live training campaign, the Office of Civil Rights (OCR) is continuing its efforts to train State AGs by making training materials available online

The training materials now available through the OCR website include videos and slides from in-person training sessions for State AGs that OCR conducted in 2011, as well as computer-based training modules that can be downloaded. Topics include:

  • General introduction to the HIPAA Privacy and Security Rules
  • Investigative techniques for identifying and prosecuting potential violations
  • A review of HIPAA and State Law
  • OCR's role in enforcing the HIPAA Privacy and Security Rules
  • State AG roles and responsibilities under HIPAA and the HITECH Act
  • Resources for State AGs in pursuing alleged HIPAA violations
  • HIPAA Enforcement Support and Results

State AG interest in pursing these cases may be growing. For example, the Connecticut Attorney General's website instructs residents on how to file complaints concerning HIPAA. This action by OCR also may indicate it is closer to issuing the long awaited final regulations under HITECH. Health care providers, health plan sponsors and administrators and business associates should be taking steps to ensure they are ready to survive a HIPAA audit, as well as an enforcement action by a State AG. 

Tags: , , ,
Like Tweet LinkedIn Email

Massachusetts Company Fined $15,000 Under State's Data Security Law

Posted on April 10, 2012 by Joseph Lazzarotti

Written by Keturah Martin

As yet another example of the Massachusetts Attorney General enforcing compliance with the Commonwealth’s data privacy and security laws, that office recently reached a $15,000 settlement in an enforcement action involving Maloney Properties, Inc. (MPI), a property management company based in Massachusetts.

In the lawsuit, the AG alleged that MPI’s policies and procedures failed to adequately protect its customers’ personal information when an MPI employee stored the unencrypted personal information of 621 Massachusetts residents on a company laptop, left the laptop in a personal vehicle overnight, and the laptop was then stolen.

Although there was no indication that any of the personal information on the laptop was acquired or used by an unauthorized person or for an unauthorized purpose, the AG still required MPI to pay a monetary penalty of $15,000 and agree to take certain steps before ending its action against the company.

Some of the steps MPI agreed to take include complying with the Commonwealth’s regulations – including the requirement to encrypt personal information on portable devices, to the extent technically feasible. This also includes encrypting personal information on company-owned portable devices, ensuring that the devices are kept in secure locations, purging personal information when it’s not needed anymore, training its employees at least annually on encryption and proper storage, and performing an annual audit of its compliance with its Written Information Security Program (WISP). In addition, the company must submit the results of its 2012 and 2013 annual WISP audits to the AG’s Office.

The AG’s actions in this matter demonstrate that it does not take lightly the loss of Massachusetts residents’ personal information, even if that loss has not caused any known harm to the affected residents, and that it may remain watchful over the subject of an investigation for years to come. This provides a timely reminder for all companies of the importance of understanding and complying with the Commonwealth’s requirements in this area.
 

Tags: , , , , , , ,
Like Tweet LinkedIn Email

HHS to Help Train State Attorneys General to Enforce HIPAA

Posted on March 19, 2011 by Joseph Lazzarotti

HHS continues to show signs of increased enforcement of HIPAA. Earlier this month, the agency announced it would hold 2-day, instructor-led HIPAA Enforcement Training courses in 4 locations across the country. Some Attorneys General, such as Connecticut's former Attorney General Richard Blumenthal, have already used their new found authority to enforce HIPAA. This announcement follows two significant, high profile Office of Civil Rights (OCR) press releases touting its own enforcement activities, one involving the first imposition of penalties under HIPAA and the other involving a significant settlement with a Massachusetts hospital

The Health Information Technology for Clinical and Economic Health (HITECH) Act (pdf), part of the American Recovery and Reinvestment Act of 2009, gave State Attorneys General the authority to bring civil actions on behalf of state residents for violations of the HIPAA Privacy and Security Rules. The HITECH Act permits State Attorneys General to obtain damages on behalf of state residents or to enjoin further violations of the HIPAA Privacy and Security Rules.

Attendees at each of the HIPAA Enforcement Training sessions will receive instruction on a number of enforcement topics including:

  • Investigative techniques for identifying and prosecuting potential violations
  • A review of HIPAA and State Law
  • The role and responsibility of an Attorney General under HIPAA and the HITECH Act
  • Resources available to Attorneys General to pursue alleged HIPAA violations

In addition to training, OCR promises that it will collaborate with and assist State Attorneys General seeking to bring civil actions to enforce HIPAA and Security Rules. This collaboration and assistance will include OCR providing to Attorneys General (i) information upon request about pending or concluded OCR actions against covered entities or business associates related to attorney general investigations, and (ii) guidance regarding the HIPAA statute, the HITECH Act, and the HIPAA Privacy, Security, and Enforcement Rules as well as the Breach Notification Rule.  

While years of lax enforcement may have lulled many HIPAA covered entities and business associates to not take HIPAA seriously, these recent activities should spur renewed efforts toward compliance. 

Tags: , , , , , ,
Like Tweet LinkedIn Email

California Bill Would Strengthen Existing Breach Notification Law

Posted on August 23, 2010 by Joseph Lazzarotti

Update - On September 29, 2010, Governor Arnold Schwarzenegger for the third time vetoed S.B. 1166.

California led the way in 2002 when it enacted the nation’s first data breach notification law. Last week, the State’s lawmakers sent Governor Arnold Schwarzenegger S.B. 1166 (pdf), which would mandate that data breach notification communications include more detailed information about the breach and that businesses experiencing data breaches affecting more than 500 Californians notify the State’s Attorney General.

Since California enacted its data breach notification law, lawmakers have been trying to make changes to it, with mixed results. Assembly Bill 1298 ("A.B. 1298"), which became effective January 1, 2008, expanded the application of the existing law to include medical and health information. However, to date, attempts to add content requirements to the notice and require notification to the State’s Attorney General have failed, despite similar requirements in the laws of a number of other states, such as Massachusetts, New York, North Carolina.

S.B. 1166 marks the third attempt by Senator Joe Simitian to amend the law in this manner. Both prior attempts were vetoed by the Governor Schwarzenegger. In addition to requiring notice to the State’s Attorney General for certain breaches, his current effort would require notices stating:

  • a general description of the breach incident;
  • the type of information breached;
  • the date and time of the breach;
  • whether the notification was delayed because of a law enforcement investigation; and
  • a toll-free number of major credit reporting agencies if the breach exposed Social Security numbers, driver's license numbers, or state identification card numbers.

Because many states have similar content requirements and there are a number of websites that report on data breaches, passage of S.B. 1166 should not impose a significant burden in breaches involving individuals in multiple states. Nonetheless, companies should be alert to developments in California and be prepared to update their California data breach notification policies should the measure pass.
 

Tags: , , , , , , , ,
Like Tweet LinkedIn Email

Attorney General Securing Personal Data in Indiana

Posted on August 6, 2010 by Jason C. Gavejian

Indiana recently enacted a new law which grants authority to the Indiana Office of the Attorney General's Identity Theft Unit to obtain and secure abandoned records with personally identifying information, including health records, and either destroy them or return them to their owners. Additionally, the new law sets fines and other legal ramifications for violations of the law by health care providers or licensed professionals who leave such records unsecured in violation of state law. In fact, the Attorney General has already utilized this authority to obtain personal records from four entities. 

This additional grant of authority to the Indiana Attorney General, is in addition to the authority previously granted by the Health Information Technology for Economic and Clinical Health (HITECH) Act to enforce the privacy and security protections of HIPAA for protected health information. As we have previously discussed, the Connecticut Attorney General has filed a civil action against Health Net, as well as instituted an investigation against Griffin Hospital for violations of HIPAA. 

The Indiana statute, as with the authority granted to Attorney Generals under HITECH, highlight the need for companies to develop and implement comprehensive data security polices to secure their records. 

Tags: , , , , , , , , , ,
Like Tweet LinkedIn Email

Connecticut Attorney General Working on Second HIPAA Breach Investigation

Posted on June 2, 2010 by Joseph Lazzarotti

Connecticut Attorney General Richard Blumenthal has commenced an investigation in a second case involving potential HIPAA violations by a worker at Griffin Hospital. This follows the suit commenced against Health Net for HIPAA violations following a data breach. As reported by George Gombossy of ctwatchdog.com, this would be the second time a state attorney general has used the enforcement authority granted under the Health Information Technology for Economic and Clinical Health Act (HITECH).

The Attorney General’s press release states:

My office is investigating allegations that a radiologist formerly affiliated with Griffin Hospital improperly accessed the medical information of almost 1,000 of the hospital’s patients.

These charges, if true, are deeply disturbing. Patients rightly expect and demand that their medical information remain secure and confidential, viewed only by authorized individuals.

Unauthorized accessing of patient information is a violation of the federal HIPAA law that my office is empowered to enforce. I will seek strong and significant sanctions, if warranted by the facts.

Griffin Hospital rightly informed my office of this alleged data breach and is cooperating with our investigation.

Efforts are underway to help state Attorneys General become more actively involved in HIPAA enforcement. For example, the Department of Health and Human Services (HHS) has awarded a $1.7 million contract to train attorneys general on enforcing HIPAA and, specifically, to assist the Office of Civil Rights (an arm of HHS) “in conceptualizing and implementing a training curriculum for state attorneys general staff and others affected by the HIPAA Privacy and Security Rules.”

It is important that HIPAA-covered entities and business associates focus on compliance so when there is a data breach, they will be better positioned to respond to a state attorney general inquiry.

Tags: , , , , ,
Like Tweet LinkedIn Email

Florida AG Settles Data Breach under "Deceptive and Unfair Trade Practices" Authority

Posted on April 19, 2010 by Joseph Lazzarotti

On April 16, 2010, Florida Attorney General Bill McCollum announced a settlement (pdf) with Certegy Check Services, Inc. over how the company secures consumer records. The Attorney General’s enforcement action stems from a massive data breach by a former Certegy employee who stole personal identification information from approximately 5.9 million consumer files.

According to the Attorney General’s press release, Certegy promptly notified the Attorney General and consumers of the data thefts, and cooperated with the Attorney General’s investigation. In addition to agreeing to maintain a comprehensive information security program, under the settlement, Certegy will contribute $125,000 to the Attorney General’s “Seniors vs. Crime Program” for educational, investigative and crime prevention programs for the benefit of senior citizens and the community. Further, it will pay $850,000 for the state’s investigative costs and attorney’s fees.

Massachusetts and some other states have specific statutory provisions requiring the safeguarding of personal information. No similar law exists in Florida. The Attorney General commenced its action against Certegy under the State’s deceptive and unfair trade practices statutes. Businesses with data security safeguards that can be viewed as subpar, therefore, cannot depend on the absence of specific state statutes to shield them from state action in case of a data breach or allegations that personal information is not being adequately safeguarded.

In addition to the nearly one million dollars Certegy will pay the State of Florida, the company agreed to

maintain a comprehensive “Information Security Program” that assesses internal and external risks to consumers’ personal information, implements safeguards to protect that consumer information, and regularly monitors and tests the effectiveness of those safeguards. Certegy and its related entities will also adhere to payment card industry data security standards as those standards continue to evolve.

Significantly, the settlement requires Certegy to conduct initial and annual assessments of its policies and procedure.

The settlement with the Attorney General followed a class action settlement in U.S. District Court in Tampa. Under that settlement, Certegy made certain monitoring services available to affected consumers, who also were able to seek reimbursement of certain out-of-pocket costs incurred or identity theft expenses. 

Tags: , , , , , , ,
Like Tweet LinkedIn ">Email

Dealing with Data Breaches: Health Net Suit Highlights Need for Effective Security Incident Procedures and Training

Posted on February 2, 2010 by Jason C. Gavejian

As we have discussed before, data breach notification is one of the most rapidly emerging areas of law. Good security incident procedures as well as effective training can help avoid the risk of data breach. (Sample data breach training). 

A case in point: Connecticut's Attorney General has filed a civil action against Health Net of the Northeast Inc. (“Health Net”) for failing to secure approximately 446,000 individuals’ patient information on a missing portable computer disk drive, and for failing to provide prompt notice of the breach. Among other things, the suit alleges Health Net violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act, when it failed to provide prompt notice, failed to encrypt the data, failed to provide for and implement appropriate policies to safeguard the information, and failed to supervise and train its workforce on safeguarding protected health information and personal information. 

As this suit demonstrates, state Attorneys General will use the authority granted by HITECH to enforce the privacy and security protections of HIPAA for protected health information, as many breaches involving such information may not be covered by state data breach laws. Such enforcement will only add to the cost of a data breach, which, according to the 2009 Ponemon Institute Annual Cost of a Data Breach study, continues to rise.

While a company’s first line of defense always should be a comprehensive data security policy, preparation should include an effective security incident procedure. Several key questions, some of which will form the foundation for any good security incident procedure, must be answered immediately following a breach: 

  • How did the breach occur?
  • Are measures in place to contain the breach?
  • What information was compromised? 
  • Whose information was compromised?
  • Will the local authorities be alerted?
  • What potential breach notice laws are implicated?
  • Does notice of the breach have to be provided?
  • If so, to whom and how will notice be provided?
  • Does the company have applicable insurance to cover the notification process?
  • Will any monitoring service be provided for affected individuals?
  • Are measures in place for public relations implications?

However, a security incident procedure is only as strong as the awareness you create among your employees as to what constitutes a data breach and who to notify in the event of a possible breach. Therefore, in addition to an effective security incident procedure, it is essential that training, like the sample above, be provided to employees on a regular basis.   

Tags: , , , , , , , , ,
Like Tweet LinkedIn Email

Electronic Health Records: The Work to Build a Health Information Technology Infrastructure Begins

Posted on December 1, 2009 by Jason C. Gavejian

Co-Author:  V. John Ella, Esq.

In a key step toward developing a proposed U.S. health information technology (HIT) infrastructure, the Centers for Medicare & Medicaid Services has announced that Iowa’s Medicaid program is the first to receive federal matching funds for planning activities necessary to implement the electronic health record (EHR) incentive program established by the American Recovery and Reinvestment Act of 2009 (ARRA). 

ARRA was signed into law by President Obama on February 17, 2009. Among its various parts, ARRA includes provisions for the improvement of our nation’s health care through health information technology (also known as Health IT or HIT), Medicare and Medicaid Health IT provisions which provide incentives and support for the adoption of certified electronic health records (EHRs); and provisions to expand, enforce, and enhance the privacy and security safeguards required by HIPAA. The proposed goal of a switch to EHRs is to improve the quality of health care for individuals, make care more efficient by making it easier for providers treating a patient to coordinate care, and make it easier for individual patients to access the information they need to make decisions about their own health care. Responsibility for implementing this program falls to the National Coordinator for Health Information Technology, a position currently filled by Dr. David Blumenthal at the Department of Health and Human Services (“HHS”). In furtherance of this goal, Mr. Blumenthal recently announced $80 million in grants to develop a HIT workforce. Additionally, the HHS has created a helpful website on the topic of health information technology with links to resources on privacy issues.

In discussing the approximately $1.16 million in federal matching funds Iowa will receive, Cindy Mann, director of the Center for Medicaid and State Operations at CMS said, “While Iowa is the first state to receive approval of its plan for implementing the Recovery Act’s EHR incentive program, a number of other states have submitted plans as well, meaningful and interoperable use of EHRs in Medicaid will increase health care efficiency, reduce medical errors and improve quality-outcomes and patient satisfaction within and across the states.”   As the first state to receive federal funding, Iowa will use the funds to focus on planning, information gathering, analysis, and assessment with respect HIT and the use of EHR within the state.  

A HIT Infrastructure is likely to raise a range of new issues involving the handling of sensitive personal information. For instance, anytime extensive personal and medical information is placed in electronic form, the chance of a data breach or information misuse rises significantly. This is especially true given the recent growth in the area of medical identity theft. Additionally, as some commentators have reported, physicians, hospitals, and clinics have all expressed concerns regarding the technical feasibility of the system, potential for patient mix-ups, as well as the extensive cost to make the switch to EHR. How such a system would affect employers and group health plan administration remains unclear.  

With such an emphasis on a switch to EHR, and billions of federal dollars fueling the conversion, all businesses, particularly health care providers, need to be consider how they will be affected by the new HIT infrastructure. 

Tags: , , , , , , , ,
Like Tweet LinkedIn Email