Massachusetts AG Coakley Announces $140K Settlement Following Public Dumping of HIPAA PHI by Medical Billing Service Provider

During the summer of 2010, while dumping his own garbage at the Georgetown Transfer Station, a Boston Globe photographer saw a large pile of paper which, on closer inspection, turned out to be the medical records of more than 67,000 residents, including names, Social Security numbers, and medical diagnoses that had been neither redacted nor destroyed. His discovery led to a Boston Globe article and an eventual investigation by Massachusetts Attorney General Martha Coakley. On January 7, 2013, Attorney General Coakley announced a $140,000 settlement with the individual and entities involved - one physician, three medical practices, and the medical billing vendor for these health care providers.

The health care providers and the billing company were all subject to the Massachusetts data security regulations, including the obligation under Massachusetts General Laws Chapter 93I to dispose of and destroy personal information in a secure manner. With regard to the health care providers, the Attorney General also alleged that they failed to take reasonable steps to select and retain a service provider (the medical billing company) that would maintain appropriate security measures to protect such confidential information. In addition, under the HIPAA privacy and security regulations, as amended by the HITECH Act, the providers and the medical billing company had obligations to safeguard the protected health information in the discarded documents. As a result, the Attorney General could exercise her enforcement authority under state law, as would be expected, but also under HIPAA, pursuant to the authority granted by the HITECH Act.

This incident represents another reminder for companies (health care providers, in particular) to appropriately evaluate their vendors and service providers to ensure they will safeguard the personal information with which they have been entrusted.


California and Massachusetts Legislatures Push Data Breach and Security Bills

In distinct efforts to strengthen data security requirements, the California and Massachusetts legislatures recently passed bills affecting data breach notification requirements (California) and data security notification (Massachusetts).

On April 14, 2011, the California senate approved S.B. 24, requiring California businesses and agencies to notify the state attorney general if more than 500 California residents are notified of a data breach. The California bill also would require certain information be included in the notices.

While similar attempts to modify California’s data breach law were vetoed by then-Gov. Arnold Schwarzenegger (R), the state’s new governor, Edmund G. “Jerry” Brown, Jr. (D), may well sign S.B. 24. The bill also would amend the substitute notice provisions for breaches to require placing a notice that a breach has occurred on the business’s website and in major statewide media, and notifying the California Office of Privacy Protection.

While California’s current breach notice statute does not specify the information that must be included in an individual breach notification, S.B. 24 would mandate the notice include, among other things, the type of information breached, the time of the breach, and a toll-free telephone number of major credit reporting agencies.

On April 13, 2011, Massachusetts H.B. 3360 was referred for committee consideration. Under the bill, vendors of photocopiers in Massachusetts that fail to adequately notify purchasers of potential data security risks would be subject to a civil fine of up to $50,000 and could be sued by customers whose personal information is subsequently compromised. Also, Massachusetts businesses that sell photocopiers must tell customers if a particular machine is equipped with a hard drive capable of retaining information from copied documents. Vendors must provide a notice stating that "the photocopier does or does not contain an eraser that deletes and destroys any previously captured picture from the copier's hard drive.” The notice must “inform the user of the risk of retention of such private data or images.” In addition, if a machine is such a “digital copier,” the vendor also must place a “conspicuous,” written data-security warning on the top of the copier.

H.B. 3360 also authorizes the state attorney general to enforce the law by filing a civil action seeking a fine of up to $50,000. Additionally, the bill would permit a lawsuit by customers who did not receive the required notification and warnings and whose private data was subsequently “misused.”


HIPAA Data Breaches in India Threaten Outsourcing Industry, Require Greater Vigilance at Home

A British TV station's investigation into India's medical transcription industry, part of the sector known as Business Process Outsourcing (BPO), uncovered unsettling news for British subjects as well as American citizens: medical records sent to India to be transcribed and computerized are being sold. The Economic Times report on the investigation, out of New Delhi, anticipates a "hardening of stance on the outsourcing industry by the western world." The article states:

The revelation has forced police of the two countries to join hands to launch an official investigation into the data pilferage of the records stored by the Indian BPOs. If found true, the allegations could hit the flourishing BPO sector in India hard, fueling doubts about their integrity and efficiency.

Security breaches of this kind can have far-reaching effects beyond the businesses and individuals directly impacted. The hopes for funding U.S. healthcare reform rest, in part, on administrative cost savings. Under the HITECH Act, enacted as part of the 2009 federal stimulus bill, the U.S. will spend $36 billion to spur the health care industry to purchase and create systems and equipment, including electronic health records systems, to better network the healthcare industry. Reluctance to outsource, and the cost of increased security, are likely to chip away at whatever savings can be achieved through enhanced technology in healthcare.

In the short run, businesses must be more vigilant in vetting their vendors, as well as the vendors of their vendors. These efforts should include stronger agreements, deeper examinations of security protocols, knowing where information is ultimately stored and processed, and a better understanding of the applicable legal and industry standards concerning data security. These efforts cannot stop at the water's edge.
