As we continue to examine the final HIPAA privacy and security regulations, as amended by the HITECH Act and the Genetic Information Nondiscrimination Act, we pulled together a summary of some of the key points. We fully expect additional sub-regulatory guidance to be provided by OCR, such as frequently asked questions and sample business associate agreement provisions.
As we previously discussed, the Office of Civil Rights (“OCR”) continues to push forward with the HIPAA audits required by the HITECH Act. To this end, OCR recently posted on its website the protocol it uses to conduct the HIPAA audits.
The HITECH Act requires HHS to provide for periodic audits to ensure covered entities and business associates are complying with the HIPAA Privacy and Security Rules and Breach Notification standards. To implement this mandate, OCR piloted a program to perform audits of covered entities to assess privacy and security compliance. This HIPAA audit program analyzes processes, controls, and policies of selected covered entities (e.g., health plans, health care clearinghouses, and certain health care providers) as well as the requirements to be assessed through these performance audits. The audit protocol is organized around “modules,” as follows:
- The first audit protocol covers Privacy Rule requirements for (1) notice of privacy practices for Protected Health Information (“PHI”), (2) rights to request privacy protection for PHI, (3) access of individuals to PHI, (4) administrative requirements, (5) uses and disclosures of PHI, (6) amendment of PHI, and (7) accounting of disclosures.
- The second protocol covers Security Rule requirements for administrative, physical, and technical safeguards.
- The third protocol covers requirements for the Breach Notification Rule.
Notably, the combination of these multiple requirements may vary based on the type of covered entity selected for review. Health care providers, health plans, and business associates, all of whom could be affected by the HIPAA audits, need to be aware not only of OCR’s audit activities, but also of HHS’s efforts to increase enforcement of HIPAA.
Accretive Health, Inc.'s legal issues continue to evolve as new allegations by Minnesota Attorney General Lori Swanson accuse Accretive of operating without a HIPAA-required business associate agreement (BAA) and then creating a back-dated agreement in response to litigation.
As we previously reported, Accretive, a Chicago-based health care consulting company and debt collection agency, originally caught the attention of Attorney General Swanson when it was discovered that an unencrypted laptop computer with medical information of over 23,531 Minnesota patients was stolen on or about July 25, 2011. This led to revelations suggesting that Accretive was engaged in improper collection activities in the emergency rooms of two Minneapolis-area hospitals, Fairview Health Systems and North Memorial Hospital, including bedside collection visits. It was then disclosed that one or more officers of Fairview had family connections with employees of Accretive. In January, Minnesota Attorney General Lori Swanson sued Accretive Health for violation of HIPAA, the HITECH Act, the Minnesota Health Records Act and various Minnesota consumer protection and debt collection statutes. Perhaps the strangest twist occurred in May when Chicago mayor Rahm Emanuel reportedly sent a letter to Swanson asking her to back off the litigation until he could arrange a meeting with Accretive's CEO. Swanson declined the suggestion.
Swanson now seeks to file a second amended and supplemental complaint to add new factual allegations. Specifically, Swanson alleges that at the time she requested documents in October of 2011, Accretive did not have a business associate agreement in place with North Memorial. Following the request, she claims that Accretive created one and made it look as if it had been signed on March 21, 2011.
The Attorney General acknowledges that it is the covered entity's obligation to have a BAA in place before making protected health information available to a vendor, such as Accretive. However, the Attorney General argues that Accretive's actions with respect to not having the BAA support her claims that Accretive disregarded its HIPAA obligations. It would be surprising if a sophisticated health care provider like North Memorial had not implemented such a basic required document with a business associate like Accretive, to say nothing of the alleged "deception" as characterized by Swanson.
This case is a good example of the growing propensity for state Attorneys General to engage in HIPAA enforcement actions as we have discussed. Regardless of how the legal saga turns out, it is also a good reminder to have compliant business associate agreements in place as required by HIPAA.
HHS continues to show signs of increased enforcement of HIPAA. Earlier this month, the agency announced it would hold 2-day, instructor-led HIPAA Enforcement Training courses in 4 locations across the country. Some Attorneys General, such as Connecticut's former Attorney General Richard Blumenthal, have already used their newfound authority to enforce HIPAA. This announcement follows two significant, high profile Office of Civil Rights (OCR) press releases touting its own enforcement activities, one involving the first imposition of penalties under HIPAA and the other involving a significant settlement with a Massachusetts hospital.
The Health Information Technology for Economic and Clinical Health (HITECH) Act, part of the American Recovery and Reinvestment Act of 2009, gave State Attorneys General the authority to bring civil actions on behalf of state residents for violations of the HIPAA Privacy and Security Rules. The HITECH Act permits State Attorneys General to obtain damages on behalf of state residents or to enjoin further violations of the HIPAA Privacy and Security Rules.
Attendees at each of the HIPAA Enforcement Training sessions will receive instruction on a number of enforcement topics including:
- Investigative techniques for identifying and prosecuting potential violations
- A review of HIPAA and State Law
- The role and responsibility of an Attorney General under HIPAA and the HITECH Act
- Resources available to Attorneys General to pursue alleged HIPAA violations
In addition to training, OCR promises that it will collaborate with and assist State Attorneys General seeking to bring civil actions to enforce the HIPAA Privacy and Security Rules. This collaboration and assistance will include OCR providing to Attorneys General (i) information upon request about pending or concluded OCR actions against covered entities or business associates related to attorney general investigations, and (ii) guidance regarding the HIPAA statute, the HITECH Act, and the HIPAA Privacy, Security, and Enforcement Rules as well as the Breach Notification Rule.
While years of lax enforcement may have lulled many HIPAA covered entities and business associates to not take HIPAA seriously, these recent activities should spur renewed efforts toward compliance.
Proposed HITECH Regulations: Will Subcontractors of Business Associates Be Subject to the HIPAA Privacy and Security Rule?
Further to our discussions of the proposed regulations to implement statutory amendments under the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”), we summarize here a proposed change to the definition of “business associate.” A significant part of the “HIPAA community” (covered entities, business associates and their agents and subcontractors) is already aware of the expanded application of HIPAA to business associates under HITECH. This expansion went into effect February 18, 2010, and, in fact, many business associate agreements currently are being modified in an attempt to reflect the statutory provisions. The HIPAA community, however, may not yet be aware of the proposal to further expand the direct application of the privacy and security rules under HIPAA to subcontractors performing functions for business associates.
A New Class of Business Associate
Prior to the HITECH Act changes, business associates and their agents and subcontractors were not directly subject to HIPAA. Instead, HIPAA required covered entities to obtain certain written assurances from their business associates. One of those written assurances was that business associates would ensure that their agents and subcontractors would agree to be subject to the same conditions and restrictions contained in the business associate agreement entered into with the covered entity.
The proposed regulations would include subcontractors in the group of “business associates” to the extent that they require access to protected health information. Such subcontractors are those persons who are not members of the business associate’s workforce, but perform functions for or provide services to a business associate. This would be the case even if the business associate has failed to enter into a business associate contract with the subcontractor. The regulator’s goal is to ensure the privacy and security protections will not lapse merely because a function is performed by an entity with no direct relationship with a covered entity, although the regulations seek public comments on the definition of subcontractor.
The proposed regulations state (emphasis added):
[W]e propose that downstream entities that work at the direction of or on behalf of a business associate and handle protected health information would also be required to comply with the applicable Privacy and Security Rule provisions in the same manner as the primary business associate, and likewise would incur liability for acts of noncompliance. We note, and further explain below, that this proposed modification would not require the covered entity to have a contract with the subcontractor; rather, the obligation would remain on each business associate to obtain satisfactory assurances in the form of a written contract or other arrangement that a subcontractor will appropriately safeguard protected health information. For example, under this proposal, if a business associate, such as a third party administrator, hires a company to handle document and media shredding to securely dispose of paper and electronic protected health information, then the shredding company would be directly required to comply with the applicable requirements of the HIPAA Security Rule (e.g., with respect to proper disposal of electronic media) and the Privacy Rule (e.g., with respect to limiting its uses and disclosures of the protected health information in accordance with its contract with the business associate).
As the example above shows, if made final, the proposed regulation would extend HIPAA’s reach and affect many businesses that may not currently view themselves as directly subject to the requirements or penalties under HIPAA. Many companies, including those that service the health care industry, such as health plans, likely will need to revisit their HIPAA-compliance measures.
We recently reported here that the Department of Health and Human Services (HHS) is issuing proposed regulations to implement statutory amendments under the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”). Even though these rules are in proposed form, they contain a number of important points for HIPAA covered entities (and business associates) to think about. One is avoiding HIPAA violations involving “willful neglect,” which under the HITECH Act will require a formal investigation and civil penalties.
To date, the Secretary of HHS has attempted to resolve complaints and certain violations by informal means, as required by § 160.312 of the current regulations. A significant change to the HIPAA enforcement scheme in the HITECH Act requires that if a preliminary investigation of the facts of a complaint indicates a possible violation due to willful neglect, the Secretary is required to commence a formal investigation. If the formal investigation finds a HIPAA violation involving willful neglect, the Secretary must impose a civil money penalty.
What is “willful neglect”?
Willful neglect is defined at § 160.401 as the “conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated.” The term not only presumes actual or constructive knowledge on the part of the covered entity that a violation is virtually certain to occur, but also encompasses a conscious intent or degree of recklessness with regard to the entity’s compliance obligations.
So what does that mean? What are some examples? The proposed regulations provide the following examples:
- A covered entity disposed of several hard drives containing electronic protected health information in an unsecured dumpster, in violation of § 164.530(c) and § 164.310(d)(2)(i). HHS’s investigation reveals that the covered entity had failed to implement any policies and procedures to reasonably and appropriately safeguard protected health information during the disposal process.
- A covered entity failed to respond to an individual’s request that it restrict its uses and disclosures of protected health information about the individual. HHS’s investigation reveals that the covered entity does not have any policies and procedures in place for consideration of the restriction requests it receives and refuses to accept any requests for restrictions from individual patients who inquire.
- A covered entity’s employee lost an unencrypted laptop that contained unsecured protected health information. HHS’s investigation reveals the covered entity feared its reputation would be harmed if information about the incident became public and, therefore, decided not to provide notification as required by § 164.400 et seq.
In addition to having actual or constructive knowledge of one or more violations, the covered entities in the examples above, particularly Example 1, failed to develop or implement compliant policies and procedures and, thus, demonstrated either conscious intent or reckless disregard with respect to the compliance obligations under HIPAA.
Based on the proposed regulations, covered entities can no longer expect the velvet hand of the regulators to resolve a violation informally in all cases. Covered entities that fail to have policies and procedures and make a good faith compliance effort likely will find themselves subject to mandatory formal investigations and penalties.
Covered entities like the one in Example 1 above might want to consider certain precautions, including:
- maintaining a record retention policy,
- maintaining a media re-use policy,
- maintaining a data destruction policy,
- maintaining an e-discovery policy, and
- engaging a good data destruction/shredding company.
Dealing with Data Breaches: Health Net Suit Highlights Need for Effective Security Incident Procedures and Training
As we have discussed before, data breach notification is one of the most rapidly emerging areas of law. Good security incident procedures as well as effective training can help avoid the risk of data breach. (Sample data breach training).
A case in point: Connecticut's Attorney General has filed a civil action against Health Net of the Northeast Inc. (“Health Net”) for failing to secure approximately 446,000 individuals’ patient information on a missing portable computer disk drive, and for failing to provide prompt notice of the breach. Among other things, the suit alleges Health Net violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act, when it failed to provide prompt notice, failed to encrypt the data, failed to provide for and implement appropriate policies to safeguard the information, and failed to supervise and train its workforce on safeguarding protected health information and personal information.
As this suit demonstrates, state Attorneys General will use the authority granted by HITECH to enforce the privacy and security protections of HIPAA for protected health information, as many breaches involving such information may not be covered by state data breach laws. Such enforcement will only add to the cost of a data breach, which, according to the 2009 Ponemon Institute Annual Cost of a Data Breach study, continues to rise.
While a company’s first line of defense always should be a comprehensive data security policy, preparation should include an effective security incident procedure. Several key questions, some of which will form the foundation for any good security incident procedure, must be answered immediately following a breach:
- How did the breach occur?
- Are measures in place to contain the breach?
- What information was compromised?
- Whose information was compromised?
- Will the local authorities be alerted?
- What potential breach notice laws are implicated?
- Does notice of the breach have to be provided?
- If so, to whom and how will notice be provided?
- Does the company have applicable insurance to cover the notification process?
- Will any monitoring service be provided for affected individuals?
- Are measures in place for public relations implications?
However, a security incident procedure is only as strong as the awareness you create among your employees as to what constitutes a data breach and whom to notify in the event of a possible breach. Therefore, in addition to an effective security incident procedure, it is essential that training, like the sample above, be provided to employees on a regular basis.
New Hampshire Enacts Strict Data Breach Notification Law Affecting Health Care Providers and Business Associates
New Hampshire’s new breach notification law builds on the breach notification requirements under the HITECH Act by requiring health care providers and business associates to notify individuals of disclosures of their protected health information that are prohibited by New Hampshire law, even if such disclosures are permitted under HIPAA or other federal law. This new health information protection was enacted with other measures relating to privacy of electronic medical records and allowing individuals to opt out of sharing their names, addresses, and protected health care information with e-health data exchanges.
H.B. 619 becomes effective for data breaches occurring on and after January 1, 2010. Individuals may sue for violations of the notification requirement and, significantly, seek damages of not less than $1,000 per violation. The law also expressly requires business associates to cover the costs of notification if the use or disclosure triggering notification was made by the business associate.
Now, when New Hampshire health care providers and business associates experience a possible data breach, they will have to consider a number of laws to determine the appropriate response. These include H.B. 619, the state’s general breach notification statute, and the breach notification rules under the HITECH Act and implementing regulations. This is even more complex for health care providers and business associates operating in multiple states as at least five other states (Arkansas, California, Delaware, Missouri, Texas) and Puerto Rico require notification in the event some form of medical information is breached.
Unlike New Hampshire’s general data breach notification statute, this law applies only to health care providers and business associates. H.B. 619 incorporates the definitions of “business associate” and “protected health information” under the HIPAA privacy regulations, but the term “health care provider” includes:
any person, corporation, facility, or institution either licensed by this state or otherwise lawfully providing health care services, including, but not limited to, a physician, hospital, office, clinic, health center or other health care facility, dentist, nurse, optometrist, pharmacist, podiatrist, physical therapist, or mental health professional, and any officer, employee, or agent of such provider acting in the course and scope of employment or agency related to or supportive of health care services.
Of course, health care providers and business associates remain subject to the state’s general breach notification law. That law requires all businesses to notify state residents of an unauthorized acquisition of computerized data that compromises the security or confidentiality of personal information maintained by the business. The general notification law contains a “risk of harm” trigger – that is, no notice is required by covered entities that have determined misuse of the information has not occurred or is not reasonably likely to occur. H.B. 619 contains no such “risk of harm” trigger.
“Cloud computing” takes many forms, but, fundamentally, it is a computer network system that allows consumers, businesses, and other entities to store data off-site and manage it with third-party-owned software accessed through the Internet. Files and software are stored centrally on a network to which end users can connect to access their files using computers that are less powerful and sophisticated than those we use today. This technology reduces the need for expensive multiple servers and PCs with enough capacity to store massive data and application files. Some believe the PC of the future will need simply the capacity to connect to a web browser for the user to access his or her applications and files.
If you are not already computing in a cloud, you likely will be hearing more about “cloud computing” soon. Last month, for example, the City Council for the City of Los Angeles voted to move city employee e-mail and other applications from city computer networks to a cloud service provider – in this case, Google Inc. City officials cite significant cost savings (which they estimate to be in the millions) as one of the reasons for the switch. They acknowledged that concerns over data privacy, security and management remain.
We’ll agree that significant cost savings can be achieved through, among other things, reduced infrastructure. Questions and concerns many have with cloud computing, however, relate to the privacy, security and management of the information in the cloud. These include:
- What if the cloud starts to rain – a cloud computing data breach – who is responsible for notifying affected persons (and bearing the costs)?
- Which company owns the data placed in the cloud?
- If the data in the cloud is employee e-mail, is the employer still permitted to access and monitor email communications? Will new policies/notices be needed?
- Will company proprietary information be safe?
- Who has access to the data? Who should have access?
- Is the cloud service provider a business associate under HIPAA, prepared to comply with the HITECH Act? What other legal compliance requirements are there?
- Do we still need to maintain a back-up of data in the cloud?
- Where is the data stored? Is it in the United States, or in a foreign country subject to different data security standards? Does one location as opposed to another provide better access or security? What if data is stored in multiple places, will we be able to locate what we need when we need it?
- How big is the cloud? How much can we store?
- What if the cloud goes down? How do we get our data and access the applications needed to run our business?
- How do we move between clouds? Can our data be held captive when contract negotiations fall through?
- Can we put our clients’ data in the cloud? Do we have to tell them where it is?
- What happens to the data if the cloud service provider or the cloud customer goes out of business?
- Will applications in the cloud work the same way, be as flexible, and respond with the same speed as those on current PCs?
Organizations such as the Cloud Security Alliance have been formed to grapple with some of these issues. Indeed, the City of Los Angeles has had to respond to some of these concerns. So, while cloud computing may yield substantial cost savings and appear tempting, these and other questions and concerns should be addressed before moving in that direction.
The Department of Health and Human Services (HHS) published interim final regulations on October 30, 2009, to update existing enforcement regulations under HIPAA for statutory revisions made by the Health Information Technology for Economic and Clinical Health (HITECH) Act. These regulations become effective November 30, 2009, and only address the provisions of the HITECH Act already in effect.
The interim final regulations, among other things, implement the increases in civil penalties and the four categories of violations and corresponding penalties established by the HITECH Act. Also, under the Act and the regulations, penalties will apply even where the covered entity did not know (and with the exercise of reasonable diligence would not have known) of the violation. However, HHS has the authority to reduce penalties in certain circumstances.
There have been a number of recent changes that enhance and strengthen HIPAA's enforcement provisions - the HITECH Act, the interim final regulations discussed above and agency reorganization. These measures suggest an increasing likelihood of enforcement concerning the HIPAA privacy and security regulations. As a result, health care providers and health plans should be reviewing their compliance with HIPAA and preparing for additional guidance expected to be issued shortly.