Attorney General Securing Personal Data in Indiana

Posted on August 6, 2010 by Jason C. Gavejian

Indiana recently enacted a new law which grants authority to the Indiana Office of the Attorney General's Identity Theft Unit to obtain and secure abandoned records with personally identifying information, including health records, and either destroy them or return them to their owners. Additionally, the new law sets fines and other legal ramifications for violations of the law by health care providers or licensed professionals who leave such records unsecured in violation of state law. In fact, the Attorney General has already utilized this authority to obtain personal records from four entities. 

This additional grant of authority to the Indiana Attorney General, is in addition to the authority previously granted by the Health Information Technology for Economic and Clinical Health (HITECH) Act to enforce the privacy and security protections of HIPAA for protected health information. As we have previously discussed, the Connecticut Attorney General has filed a civil action against Health Net, as well as instituted an investigation against Griffin Hospital for violations of HIPAA. 

The Indiana statute, as with the authority granted to Attorney Generals under HITECH, highlight the need for companies to develop and implement comprehensive data security polices to secure their records. 

Tags: , , , , , , , , , ,

HHS to Issue Proposed Regulations Concerning HITECH

Posted on July 8, 2010 by Joseph Lazzarotti

The Department of Health and Human Services announced this morning that it will be issuing a notice of proposed rulemaking to begin implementing the recent statutory amendments under the Health Information Technology for Economic and Clinical Health Act (“the HITECH Act”). According to HHS, the proposed regulations (pdf), set to be published July 14, 2010, are designed to strengthen the privacy and security protection of health information, and to improve the workability and effectiveness of the existing HIPAA privacy and security rules. 

More specifically, the proposed rules would modify the Standards for Privacy of Individually Identifiable Health Information (Privacy Rule), the Security Standards for the Protection of Electronic Protected Health Information (Security Rule), and the rules pertaining to Compliance and Investigations, Imposition of Civil Money Penalties, and Procedures for Hearings (Enforcement Rule) issued under HIPAA.

We will be reviewing these regulations and reporting on them further as appropriate.

Tags: ,

New Challenges for HIPAA Business Associates Under ARRA and HITECH

Posted on June 1, 2010 by Joseph Lazzarotti

Have you noticed that negotiating that business associate agreement has gotten a lot more difficult? Many companies that serve health care providers and health plans, generally known as business associates, have noticed. These companies include software vendors, benefits brokers, cloud computing providers, data storage/destruction companies, and accountants, among others.

The clients of these companies are citing HIPAA, ARRA, HITECH, data breach notification requirements, and state law mandates as they demand stricter contract language and additional rights and protections, such as the right to audit the business associate and to be held harmless in the event of any data mishap. Business associates that took HIPAA lightly in 2003 and 2004, when the HIPAA regulations first became effective (2005 and 2006 for the security regulations), are playing catch-up.

When President Obama signed the American Recovery and Reinvestment Act of 2009 (ARRA), “business associates” may not have expected the significant effects that law would have on their businesses. Chief among those effects are mainly due to four sentences in The Health Information Technology for Economic and Clinical Health (HITECH) Act (pdf), passed as part of ARRA, and which generally became effective on February 17, 2010 (the breach notification mandate became effective on September 23, 2009), one year after enactment:

  • “Sections 164.308, 164.310, 164.312, and 164.316 of title 45, Code of Federal Regulations, shall apply to a business associate of a covered entity in the same manner that such sections apply to the covered entity. The additional requirements of this title that relate to security and that are made applicable with respect to covered entities shall also be applicable to such a business associate and shall be incorporate[d] into the business associate agreement between the business associate and the covered entity.” ARRA Sec. 13401(a). This statement makes business associates directly subject to nearly all of the HIPAA security regulations, the HIPAA rules relating to electronic protected health information. Prior to the change, these obligations existed for business associates only as a matter of contract.
  • “A business associate of a covered entity that accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured protected health information shall, following the discovery of a breach of such information, notify the covered entity of such breach.” ARRA Sec. 13402(b). This statement creates a new obligation for business associates – report to covered entities breaches of unsecured protected health information.
  • “The additional requirements of this subtitle that relate to privacy and that are made applicable with respect to covered entities shall also be applicable to such a business associate and shall be incorporated into the business associate agreement between the business associate and the covered entity.” ARRA Sec. 13404(a). This statement makes business associates directly subject to nearly all of the HIPAA privacy regulations. Prior to the change, as with the security regulations, these obligations existed for business associates only as a matter of contract.

In response to these law changes, and in the absence of regulatory guidance, covered entities have been demanding modifications to existing business associate agreements or requesting new agreements. In both cases, covered entities are seeking greater assurances from their business associates concerning the handling of the covered entities’ protected health information.

On top of that, covered entities are weaving into business associate agreements and other agreements requirements under newly enacted state laws requiring protections for “personal information” in the hands of vendors (e.g., business associates) to curb identity theft. Given the cost and reputational harm that could come from a data breach, as well a growing enforcement activity, many covered entities are becoming more forceful in their negotiations, citing legal mandates and established company policies for their unwillingness to budge on many provisions, even those that go beyond statutory mandates.

What is a business associate to do? Here are some thoughts:

  1. Confirm your company is a business associate. (go to HHS HIPAA frequently asked questions and insert "business associate" for helpful guidance). In some cases, covered entities are blanketing all of their vendors with these agreements. If believe your company is not a business associate, raise it with your client. Of course, even if you avoid being considered a business associate, your customer/client still may demand written assurances under state law for the personal information you handle on its behalf.
  2. Become compliant. As noted above, the HIPAA privacy and security requirements are now directly applicable to business associates. While additional guidance is expected as to what this means precisely, there is enough existing guidance concerning covered entities for business associates to use to achieve compliance. Among other things, compliance means conducting a risk assessment, adopting a written set of policies and procedures concerning the safeguarding of protected health information, and training staff. Being compliant not only reduces risk, but in an environment of increasing attention to data privacy and security, compliance can be a competitive advantage.
  3. Review agreements carefully. Covered entities increasingly include contract provisions that provide the covered entity with greater protections than the law requires. To the extent possible, try to remove those provisions. In any event, it is important to know your obligations under these agreements; they can vary dramatically from covered entity to covered entity.
  4. Develop strategies for reviewing/complying with multiple contracts. Some business associates have many clients and, therefore, business associate agreements. Managing unique provisions multiple agreements can be daunting, although the ability to negotiate a uniform agreement across a client basis is increasingly unlikely. So, where possible, try to use similar provisions in all agreements and know ahead of time your approach to certain key provisions, such as handling data breaches.
  5. Understand the law. Even if you’ve mastered the determination of whether you are a business associate, the rules outlining your business' obligations likely will be evolving under HIPAA over the next few years, particularly with the expected growth of electronic health records and the expansion of health care. The same is true of state laws concerning personal information. In many cases these laws might coexist peacefully, in other cases there will be conflict. You need to be aware of the conflicts and be prepared to act accordingly.

 

Tags: , , , , , , ,

Best Buy Counsel Speaks on Data Privacy

Posted on February 5, 2010 by V. John Ella

On January 29, 2009, I had the opportunity to attend a brief presentation sponsored by Minnesota CLE entitled, “Corporate Data Privacy & Security: 10 Legal Practice Tips,” given by Brad Bolin, Senior Corporate Counsel for Best Buy, Inc. a Fortune 500 electronics retailer headquartered in Richfield, Minnesota. Bolin is a specialist in information security and privacy law. I was curious to hear what data privacy issues were on the mind of someone who monitors these issues for a living on behalf of a large corporation, especially a company that sells some of the very devices that make data privacy more challenging and which is known for its “results oriented” work environment. Many of the issues relate to topics discussed on this blog. The views expressed were strictly those of Bolin, not Best Buy. Here were his observations:

1. Work/Life Balance.  Electronic connections are collapsing the distinctions between work and personal life. Employees expect to be connected 24 -7. Bolin quoted Best Buy CEO Brian Dunn as noting, “Technology is … a constant backdrop in people’s lives, at home, at work, on the road and literally in the palms of their hands. We call it the ‘connected world’ and, as exciting as it is, it’s also increasingly complex, and difficult to keep pace with.”

12259312. Smart Phones Part 1.  Smart phones are becoming common and are a great example of how the “limited personal use” exception is swallowing the rule. He cited a survey showing that 20% of companies allow their employees to use personal devices for work, and the number is surely growing. Bolin discussed how under the old corporate model, a company that pays for an employee’s smart phone ought to take it back from the employee upon his or her departure, erase the contents and either recycle or reuse the device to prevent the disclosure of confidential corporate information. But what about the employee’s personal photographs, “apps”, movies, contacts and downloaded songs? What if the employee paid for the device but the company reimburses the cost? Securing employee-owned smart phones is not the same as securing corporate-owned devices, he emphasized.

3. Smart Phones Part 2.  Bolin said that, whatever rules you choose, a departing employee should be able to take his or her personal data, while IT should be able to ensure that any corporate information has been safely removed. The process should be simple and transparent to all. Adopt simple rules that make corporate data on an employee's smart phone easier to identify and control. For example, distinguish between media files on the one hand, and xls doc, ppt, and pdf documents on the other. Have a transparent dialog with employees about the trade-offs that exist cost when placing personal phones on the corporate network. For example, an employee might be required to archive SMS text messages on his phone for e-discovery purposes.

4. Texting Issues.  While e-mail typically is stored on a common server, text messages usually are stored by cell phone companies or directly on phones, and often the employer does not directly pay for their storage. Employers must have either a warrant or the employee's permission to see cell phone text messages that are not stored by the employer or by someone the employer pays for storage, Bolin said, citing Quon v. Arch Wireless, et al. 529 F.3d 892 (9th Cir. 2008),  The case is now under review by the United States Supreme Court.

5. TMI = Too much information.  An embedded Global Positioning System (GPS) feature is great for supporting and measuring effectiveness of a mobile sales force, but it raises the danger of collecting information about employees regarding the personal part of their life.

6. Social Networking.  Much has been made of social networking, he says, but this is not different in kind from past employee disclosure concerns, only in degree. Most policies on employee's social networking tend to be recitations of or references to standard confidentiality, acceptable use, and other policies. He suggests guidelines like:

a. Disclose your affiliation with your employer.

b. State that it’s your opinion, not the employer’s.

c. Protect yourself – be careful of disclosing personal information on line.

d. Act responsibly end ethically.

e. Respect diversity and honor policies against discrimination.

7. Monitoring Electronic Communications. Bolin says the “old news” is having an electronic communications policy addressing employee expectations of privacy when using company email. The “new news” is that companies have to have a governance policy in place regarding how the company may and will use such information, and it needs to follow it. Tools to gather emails and other electronic information today are immensely powerful, and very easy to use. The temptation will be great to pursue investigations without adequate cause, or without sufficient protective boundaries in place. Bolin cited the Hewlett Packard pretexting scandal of 2006.

8. HITECH Act (HIPAA Redux).  HIPAA is still HIPAA, Bolin says, but HITECH ups the ante by requiring breach notification to government and affected consumers of Protected Health Information (‘PHI”), and placing enforcement powers in the hands of the states attorneys general. Covered entities must promptly notify affected individuals, Health and Human Services (“HHS”) and the media in cases where a breach affects more than 500 individuals, and report ALL breaches on an annual basis. Bolin noted that the “hysteria” that has arisen around recent credit card breach notifications could well develop around PHI breach notifications.

11555789. Employee Privacy in Europe.  Privacy is fundamental human right in the European Union and, unlike in United States, can't be waived, Bolin emphasized. If a company wishes to transmit data concerning EU employees to the U.S., he noted, “you'll be required to bring your game up” and enact policies to take advantage of the safe harbor provision.

I think he gives us all some good points to consider.
 
Tags: , , , , , ,

HIPAA Data Breaches in India Threaten Outsourcing Industry, Require Greater Vigilance at Home

Posted on October 31, 2009 by Joseph Lazzarotti

A British TV station investigation into India's medical transcription industry, known as Business Process Outsourcing (BPO), uncovered unsettling news for British subjects, as well as American citizens. Medical records sent to India to be transcribed and computerized are being sold. The Economic Times report on the investigation out of New Delhi suspects a "hardening of stance on the outsourcing industry by the western world." The article states:

The revelation has forced police of the two countries to join hands to launch an official investigation into the data pilferage of the records stored by the Indian BPOs. If found true, the allegations could hit the flourishing BPO sector in India hard, fueling doubts about their integrity and efficiency.

Security breaches of this kind can have far reaching effects beyond the businesses and individuals directly impacted. The hopes for funding U.S. healthcare reform rest, in part, on administrative cost savings. Under the HITECH Act, enacted as part of the 2009 federal stimulus bill, the U.S. will spend 36 billion to spur the health care industry to purchase and create systems and equipment, including electronic health records systems, to better network the healthcare industry. Reluctance to outsource and increased security are likely to chip away at whatever cost savings can be achieved through enhanced technology in healthcare. 

In the short run, businesses must be more vigilant in vetting their vendors, as well as the vendors of their vendors. These efforts should include stronger agreements, deeper examinations of security protocols, knowing where information is ultimately stored and processed, and having a better understanding of the applicable legal and industry standards concerning data security. These efforts can not stop at the water's edge.

Tags: , , , , , , , ,