Prior to the Health Information Technology for Economic and Clinical Health (HITECH) Act becoming law, the HIPAA Privacy Rule required covered entities to provide individuals with an accounting of certain disclosures of their protected health information (PHI). HITECH enhances these accounting rules and requires that individuals be able to know who has accessed their electronic PHI. The U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) is proposing changes to the Privacy Rule to implement these new requirements and is seeking comments from the public to help shape the law so as to provide the greatest transparency for individuals with respect to access to and disclosures of their PHI, while minimizing the burden on covered entities and business associates. Remember, under HITECH, business associate are subject to nearly all of the requirements under the HIPAA Privacy and Security Rules as covered entities. The discussion below touches on some of the key proposals.

HHS’ Notice of Proposed Rulemaking would enhance the rules concerning the obligation to provide an accounting of certain disclosures of PHI and fleshes out the right of individuals to get a report on who has electronically accessed their PHI. These two rights, to an accounting of disclosures and to an access report, would be distinct but complementary. The right to an access report would provide information on who has accessed electronic PHI in a designated record set (including access for purposes of treatment, payment, and health care operations), while the right to an accounting would provide additional information about the disclosure of designated record set information (whether hard-copy or electronic) to persons outside the covered entity and its business associates for certain purposes (e.g., law enforcement, judicial hearings, public health investigations). The intent of the access report is to allow individuals to learn if specific persons have accessed their electronic designated record set information.  In contrast, the intent of the accounting of disclosures is to provide more detailed information (a “full accounting”) for certain disclosures that are most likely to impact the individual.

In general, designated record sets include the medical and health care payment records maintained by or for a covered entity, and other records used by or for the covered entity to make decisions about individuals. See the definition of “designated record set” at 45 CFR § 164.501. An example of PHI that is outside the designated record set are transcripts of customer calls that are used only for purposes of customer service review, rather than to make decisions about the individual.

HHS believes the access report requirement will not present an unreasonable burden on covered entities and business associates because by limiting the access report to information maintained in an electronic designated record set, the report will include information that a covered entity is already required to collect under the HIPAA Security Rule. That is, under §§ 164.308(a)(1)(ii)(D) and 164.312(b) of the HIPAA Security Rule, a covered entity is required to record and examine activity in information systems and to regularly review records of such activity. Access reports would cover a three-year period, and would provide the individual with information about who has accessed the individual’s electronic PHI held by a covered entity or business associate. They would not distinguish between “uses” and “disclosures,” and thus, would apply when any person accesses an electronic designated record set, whether that person is a member of the workforce or a person outside the covered entity. The report would be required to identify the date, time, and name of the person (or name of the entity if the person’s name is unavailable) who accessed the information, and potentially a description of the protected health information that was accessed and the user’s action, if that information is available.

The right to an accounting of disclosures would encompass disclosures of both hard copy and electronic PHI that is maintained in a designated record set. It would cover a three-year period (down from the current six year period), and would require a covered entity and its business associates to account for the disclosures of PHI believed to be of most interest to individuals. That is, the proposed rule explicitly lists the types of disclosures that are subject to the accounting requirement, rather than the previous approach of listing the types of disclosures for which an accounting was not required. In general, the proposed rule would continue to include in the accounting requirement, without limitation, disclosures for public health activities (except those involving reports of child abuse or neglect), for judicial and administrative proceedings, for law enforcement activities, to avert a serious threat to health or safety, for military and veterans activities, for the Department of State’s medical suitability determinations, to government programs providing public benefits, and for workers’ compensation.  Also, covered entities will continue to be required to account for disclosures that are impermissible under the Privacy Rule, even if those disclosures did not amount to a "breach" under the Breach Notification Rule at § 164.404.

While the proposed rules referenced above may vary when made final, they will require covered entities to re-examine their current practices to comply with the new rules. In addition, covered entities and business associates may need to make modifications to business associate agreements (as well as agreements with subcontractors and other vendors).  The Notice of Privacy Practices also will require modification to explain to individuals these new and modified rights concerning their PHI.

In regard to when action is needed, the rules propose that covered entities (including small health plans) and business associates comply with the modifications to the accounting of disclosures requirement beginning 180 days after the effective date of the final regulation (240 days after publication). As for the right to an access report, the rules propose that covered entities and business associates be prepared to make this available beginning January 1, 2013, for electronic designated record set systems acquired after January 1, 2009, and beginning January 1, 2014, for electronic designated record set systems acquired as of January 1, 2009.

It’s hard to miss the National Labor Relations Board’s recent activity targeting employer decisions based on workers’ use of social media – as it attempts to establish parameters in the work-life balance between social media and rights protected by the National Labor Relations Act. Just when employers understandably may feel compelled to stop basing employment decisions on social media use, a recent Advice Memorandum is giving employers hope.

The Arizona Daily Star had encouraged its reporter to use social media to reach people who might not read the paper and to drive readers to the newspaper’s website. The employee tweeted using his work computer, his company-provided cellphone and his home computer and linked his Twitter account to his Facebook and MySpace pages. Therefore, whenever he tweeted, the same message would be posted on Facebook and MySpace.

In one tweet, the employee criticized the Daily Star’s television staff. The employer warned the employee that his comments were inappropriate, but he continued to post inappropriate tweets, while commenting as a public safety reporter. The tweets included, “What?/?/?/? No overnight homicide? WTF? You’re slacking Tuscon.”

His employer suspended him then terminated his employment. He filed a charge with the NLRB Regional Office claiming he was terminated for engaging in NLRA-protected concerted activity. The Regional Office, as instructed by Office of the General Counsel’s Memorandum dated April 12, 2011, referred the charge to the Division of Advice (“Division”) because the charge involved discipline for engaging in alleged protected concerted activity using social media.
The Division did not find a violation of the NLRA. It instructed the NLRB Regional Office to dismiss the unfair labor practice charge. It determined that after opening a Twitter account and linking it to the Daily Star’s website, the employee engaged in “inappropriate and offensive Twitter postings that did not involve protected concerted activity” and was terminated for engaging in misconduct. This is an important development for employers, perhaps signaling the NLRB’s seemingly aggressive social media stance may not be one-sided.

The victory, however, has been tempered by the NLRB General Counsel’s May 9, 2011, complaint against Hispanics United of Buffalo, a nonprofit organization that provides social services to low-income clients. The complaint alleges the firing of five employees for Facebook postings that criticized working conditions was improper interference with protected concerted activity. It alleged that an employee posted a co-worker’s allegations that employees did not help the company’s clients enough and other employees responded to the post by defending their work and blaming working conditions, including staffing workload issues. The employer fired the five employees after learning of the posts because it found the comments were harassing to the employee who made the original post. A hearing has been scheduled for June 22, 2011.

These latest developments seem to show the NLRB searching for balance between the workplace and social media. The Wall Street Journal reports the Board said it had more than two dozen cases involving worker complaints aired on the social media site Facebook. Stay tuned . . . but in the mean time, employers need to think carefully before acting.

The Maryland Senate recently referred Senate Bill 971 which prohibits Maryland employers from demanding that workers and job applicants turn over their passwords to specific websites or web-based accounts. 

Under the bill, employers would be prohibited from refusing to hire applicants and disciplining, terminating, or taking other adverse employment action against employees who refuse to provide their passwords. The bill also bans employers’ threats of such action.  

The bill was introduced in response to employers’ asking applicants and employees for their passwords as part of background checks to see the content posted by the individuals on social networking sites (e.g., Facebook ). S.B. 971 would, however, permit employers to require workers to disclose their passwords only to the employers’ internal computer systems.  

This proposed Maryland law, and case law from New Jersey, should alert employers that utilizing social media in their hiring, discipline, or termination decisions is under scrutiny.

One might think that bankruptcy is a private matter, with little to no bearing on whether one can meet the qualifications for a particular job. As my colleagues report today, the U.S. Court of Appeals for the Eleventh Circuit (with jurisdiction over Alabama, Florida and Georgia) joins its sister Circuits (the Third and Fifth Circuits) in holding that it is not impermissible under the Bankruptcy Code for an employer to refuse to hire an applicant due to a prior bankruptcy. Myers v. Toojay’s Mgmt. Corp., No. 10-10774 (11th Cir. May 17, 2011). However, as discussed in their report, the Code does state that a private employer may not “terminate the employment of, or discriminate with respect to employment against” an employee due to a bankruptcy. 11 U.S.C. § 525(b).

Of course, what is permissible under the Bankruptcy Code may not be under state law. As the report notes, and as reported here, a handful of states (e.g., Hawaii, Illinois, Maryland, Oregon, and Washington) have enacted limitations on an employer’s ability to acquire or use credit information in making hiring decisions. Further, any bankruptcy information acquired with respect to an applicant may include personal information that may need to be safeguarded, and as my colleagues advise, the use of that information should be based on job-related considerations to avoid Equal Employment Opportunity Commission claims based on adverse impact theories. 

In a report issued earlier this week, the Office of Inspector General found that the Center for Medicare and Medicaid Services’ (CMS) oversight and enforcement actions were not sufficient to ensure that covered entities, such as hospitals, effectively implemented the HIPAA Security Rule.

OIG’s recommendation: Continue the compliance review process (audits) that began in 2009 and implement procedures for conducting compliance reviews to ensure that HIPAA Security Rule controls are in place and operating as intended to protect ePHI at covered entities.

To reach this conclusion, OIG audited 7 hospitals throughout the country (locations in California, Georgia, Illinois, Massachusetts, Missouri, New York, and Texas).  These audits focused primarily on:

  1. wireless electronic communications network or security measures the security management staff implemented in its computerized information systems (technical safeguards);
  2. the physical access to electronic information systems and the facilities in which they are housed (physical safeguards); and
  3. the policies and procedures developed and implemented for the security measures to protect the confidentiality, integrity, and availability of ePHI (administrative safeguards).

Significant vulnerabilities identified. The audits identified 151 vulnerabilities in the systems and controls intended to protect ePHI, of which 124 were categorized as high impact. A high vulnerability refers to one that

may result in the highly costly loss of major tangible assets or resources; may significantly violate, harm, or impede an organization’s mission, reputation, or interest; or may result in human death or serious injury.

The report noted that outsiders or employees at some hospitals could have accessed, and at one hospital did access, systems and beneficiaries’ personal data and performed unauthorized acts without the hospitals’ knowledge. Although each of the seven hospitals had implemented some controls, policies, and procedures to protect ePHI from improper alteration or destruction, none had sufficiently implemented the administrative, technical, and physical safeguard provisions of the Security Rule. Clearly, mediocre compliance is not sufficient.  

Some of the more significant vulnerabilities found related to (i) wireless access; (ii) access controls, and (iii) integrity controls. In the case of wireless access problems, the report identified vulnerabilities including ineffective encryption, rogue wireless access points, no firewall separating wireless from internal wired networks, the inability to detect rogue devices intruding on the wireless network, and no procedures for continuously monitoring the wireless networks. Access control problems included inadequate password settings, computers that did not log users off after periods of inactivity, unencrypted laptops containing ePHI, and excessive access to root folders. According to the OIG, these conditions could have led to unauthorized individuals viewing or altering ePHI data on nonclinical workstations that were not automatically logged off after a period of inactivity; ePHI being compromised on lost or stolen unencrypted laptops; and unauthorized users circumventing system controls and harming system files.

The list goes on and on.

The Office of Civil Rights (OCR), the arm of HHS now charged with enforcing the HIPAA security regulations, may be listening. As reported here earlier, OCR appears to be taking steps to improve its enforcement efforts, which likely will include increasing the number of compliance reviews/audits at hospitals and health care providers around the country. These efforts include a request by the agency to increase its budget for 2012 by $5.6 million, or 13.6%, to be aimed at enforcement. 

Because HIPAA now applies to business associates, it would not be surprising to see business associates on an audit list. Accordingly, covered entities and business associates should be taking steps now to ensure compliance.

A registered nurse terminated from employment for posting on Facebook while dispensing medication to a patient could not collect unemployment benefits in Pennsylvania. Chapman v. Unemployment Comp. Bd. of Review. This case is another example why it is critical to have clear, written electronic communication and social media policies in place that are reasonable and enforced consistently. Without the policy in place, this employer surely would have had a more difficult time defending the unemployment claim.

In this case:

  • the employer’s policies provided that (i) it may immediately discharge an employee who engages in conduct that could cause a life threatening situation and (ii) cell phone usage is prohibited while on duty;
  • the employee was aware of these policies and had previoulsy been warned about them;
  • while on duty and dispensing medicine to patients, the employee used her personal cell phone to post comments on her Facebook page about an unpleasant and embarrasing incident experienced by a coworker;
  • the nursing director heard other nurses speaking about the Facebook posts in the hall and asked one of the nurses to show them to her; and
  • the employer terminated the nurse who made the posts on grounds that her conduct could cause a life threatening situation to patients.  

Reversing an earlier decision that would have allowed the employee to receive unemployment because her actions did not constitute "willful misconduct," Pennsylvania’s Unemployment Compensation Board of Review noted that the nurse "was aware of the employer’s policy prohibiting the use of cell phones while on duty, yet she violated that policy despite having been previously warned for doing so.” The Pennsylvania Commonwealth Court agreed.

Today the White House issued a Cybersecurity Legislative Proposal. The proposed legislation focuses on protecting the American people, the nation’s critical infrastructure, and the federal government’s computers and networks.  While legislation of this nature would simplify the breach reporting process for businesses, and overall streamline cybersecurity laws, a number of legislative attempts to do this have previously failed.  It is important to note that while this proposal sets forth some guidelines, the specific details of how each provision would be instituted are not yet clear

Our critical infrastructure – such as the electricity grid, financial sector, and transportation networks that sustain our way of life – have suffered repeated cyber intrusion, and cyber crime has increased dramatically over the law decade. The President has thus made cybersecurity an Administration priority. 

  1.  To protect the American people, the proposed legislation calls for a national data breach reporting law which would simplify and standardize the existing patchwork of 47 state laws that contain these requirements. Additionally, the proposal calls for penalties for computer criminals and clarifies the penalties for computer crimes, synchronizes them with other crimes, and sets mandatory minimums for cyber intrusions into critical infrastructure.
  2. To protect our nation’s critical infrastructure the proposal calls on legislative changes to fully protect this infrastructure. Specifically, proposal will enable the Department of Homeland Security (DHS) to quickly help a private-sector company, state, or local government when that organization asks for its help. It also clarifies the type of assistance that DHS can provide to the requesting organization.

Additionally, the proposal permits businesses, states, and local governments to share information about cyber threats or incidents with DHS. To fully address these entities’ concerns, it also provides them with immunity when sharing cybersecurity information with DHS. At the same time, the proposal mandates robust privacy oversight to ensure that the voluntarily shared information does not impinge on individual privacy and civil liberties.

Further, the proposal emphasizes transparency to help market forces ensure that critical-infrastructure operators are accountable for their cybersecurity.

Finally, the proposal requires DHS to work with industry to identify the core critical-infrastructure operators and to prioritize the most important cyber threats and vulnerabilities for those operators. Critical infrastructure operators would then take steps to address cyber threats, develop risk mitigation plans, and permit DHS to modify the processes which are implemented if they are insufficient. 

  1.  To protect federal government computers and networks the legislative proposal includes: an update to the Federal Information Security Management Act (FISMA) as well as formalizing DHS’ current role in managing cybersecurity for the Federal Government’s civilian computers and networks, in order to provide departments and agencies with a shared source of expertise; giving DHS more flexibility in hiring highly-qualified cybersecurity professionals; the permanency of DHS’s authority to oversee intrusion prevention systems for all Federal Executive Branch civilian computers while codifying strong privacy and civil liberties protections, congressional reporting requirements, and an annual certification process; and preventions on states requiring companies to build their data centers in that state, as opposed to in the cloud, except where expressly authorized by federal law.

The Administration’s proposal also attempts to ensure the protection of individuals’ privacy and civil liberties through a framework designed expressly to address the challenges of cybersecurity. Some of these provisions include: requiring federal agencies (and likely federal contractors) to follow privacy and civil liberties procedures; limitations on monitoring, collecting, using, retaining, and sharing of information; requiring efforts to remove identifying information unrelated to cybersecurity threats; as well as immunity provisions for those business which comply with the proposal’s requirements.  

As the proposal concludes: 

Our Nation is at risk… [t]he Administration has responded to Congress’ call for input on the cybersecurity legislation that our Nation needs, and we look forward to engaging with Congress as they move forward on this issue.

NBC’s Bob Sullivan reported on a rising trend of identity thieves targeting children. Why? Well, having no real credit history, most children’s credit is clean and good. Also, children, particularly younger children, are not going to be needing or looking at their credit for some time. These factors make children more attractive targets of identity theft.

Mr. Sullivan’s colleague Jeff Rossen and the "TODAY" show dig into this issue and provide some valuable information for parents about the problem and how to safeguard their children.

Businesses need to be in tune to this as well. All of the country’s data breach notification laws (46 states, plus other jurisdictions), as well as the laws requiring safeguards for personal information apply to “individuals,” not adults or persons over a certain age.

Some companies may believe they do not have personal information about children, but most companies do. For example, companies sponsoring medical, dental or vision coverage for employees, or health and dependent care flexible spending accounts maintain (or require vendors to maintain) personal information about children of covered employees. This kind of information also could be contained in retirement or life insurance plan beneficiary designation records, as well as records supporting leaves of absence and other matters.
 

The Minneapolis Star Tribune has reported that two hospitals in Anoka County, Minnesota, terminated a combined total of 32 employees for unauthorized access of electronic medical records on May 6, 2011.  The two hospitals, Unity Hospital in Fridley, Minnesota and Mercy Hospital in Coon Rapids, Minnesota, are both part of the Allina Health System.  In April, the Minnesota Court of Appeals, in an unemployment compensation decision, upheld the enforcement of Allina’s "zero-tolerance policy" with regard to unauthorized access to medical records.  Allina relied on the same policy in the latest firings.

The records leading to the mass termination related to a tragic incident involving 11 teenagers and young adults who were hospitalized after overdosing on synthetic drugs after a party on March 17.  One of them, a 19-year old, died and murder charges have been brought against a Blaine, Minnesota, man who allegedly provided the drugs.

Allina stated that it has the ability to track any employee’s access of electronic medical records and, because these patients were involved in a "high profile case," the hospital conducted a review of their audit trails and discovered that 32 employees had accessed the records without authorization. 

The increasing use of electronic medical records make these types of audits easier and more important than ever before.  Although the high number of employees involved is unusual, according the Star Tribune report, it is not the largest on record – in 2007 more than 100 employees were suspended from another Minnesota medical provider for similar concerns. 

 The HIPAA security regulations require that covered entities be able to audit activities on information systems containing electronic protected health information.  With increasing agency enforcement, health care providers and other covered entities and business associates should revisit this aspect of the HIPAA policies and procedures.

 Update: read the Star Tribune editorial justifying the firings.

 

Bypassing the media attention that often accompany high-dollar penalties and settlements, the Department of Health and Human Services (HHS) has quitely reported a settlement concerning the HIPAA privacy and security rules that highlights the increasing cooperation of federal government agencies to enforce a steadily expanding and complex compliance environment. 

Late in 2009, HHS opened an investigation of Management Services Organization Washington, Inc. (MSO) following a referral from the HHS Office of Inspector General (OIG) and Department of Justice, Civil Division (DOJC), which had been investigating MSO and its owner for violations of the
federal False Claims Act (FCA). During the course of its investigation, OIG discovered that MSO’s owner also owns Washington Practice Management, LLC (WPM) that earns commissions by marketing and selling Medicare Advantage plans.

According to the HHS Resolution Agreement with the company, the tip from OIG and DOJC led HHS to find that MSO:

  • impermissibly disclosed electronic protected health information (ePHI) of numerous individuals to WPM without a valid authorization, for WPM’S purpose of marketing Medicare Advantage plans to those individuals; and
  • did not have in place and did not implement appropriate and reasonable administrative, technical, and physical safeguards to protect the privacy of the ePHI.

Without acknowledging a HIPAA violation, MSO agreed to a resolution payment of $35,000 and to a two-year "Corrective Action Plan," which includes, among other things:

  • adopting written policies and procedures to be reviewed and approved by HHS;
  • obtaining a signed certification from all workers concerning the policies and procedures;
  • changing its policies and procedures only with HHS approval; and
  • conducting monitoring reviews every 180 days, which include performing unannounced interviews of workforce members.

It is not uncommon for companies considering compliance measures to assess the likelihood of a government audit or inquiry. Any illusion an organization may hold that it is operating “under the radar” of regulators should be shattered in the current compliance environment. Governmental agencies are increasingly able to efficiently coordinate with one another in matters of enforcement. Should HHS receive the additional $5.6 million it is seeking to enforce the HIPAA privacy and security regulations in its 2012 budget, flying under the radar will become more difficult.