Last week, the Department of Health and Human Services’ Office for Civil Rights (OCR) provided guidance for HIPAA covered entities and business associates that use or want to use cloud computing services involving protected health information (PHI). Covered entities and business associates seeking cloud services often have many concerns regarding HIPAA compliance, and this guidance helps to address some of those concerns. The guidance also will help cloud service providers (CSPs) understand some of their obligations when serving the vast health care sector. Frankly, this guidance is helpful for any entity that desires to use cloud services to store, transfer or otherwise process sensitive information, including personal information. We summarized some of the key points in the guidance below.

CSPs that only store PHI and provide “no-view” services are not subject to HIPAA, right?

Wrong. OCR reminds everyone that when a covered entity engages a CSP to create, receive, maintain, store or transmit ePHI on its behalf, the CSP is a business associate under HIPAA. Likewise, when a business associate subcontracts with a CSP for similar services, the CSP is a business associate.

Practically, however, with regard to no-view services, CSPs and their HIPAA-covered customers can take advantage of the flexibility and scalability built into the HIPAA rules. OCR’s guidance points out that when a CSP is providing only no-view services, certain Security Rule requirements may be satisfied for both parties through the actions of one of the parties. For example, certain access controls, such as unique user identification, may be the responsibility of the customer (when the customer has sole access to ePHI), while others, such as encryption, may be the responsibility of the CSP.  Thus, the parties will have to review these issues carefully and modify the agreements accordingly.

Is this true even if the CSP processes or stores only encrypted ePHI and lacks an encryption key for the data?

Yes. Accordingly, the covered entity (or business associate) and the CSP must enter into a HIPAA-compliant business associate agreement (BAA), and the CSP is both contractually liable under the BAA and directly liable for compliance with the applicable requirements of the HIPAA Rules. Note that the absence of a BAA does not change that the CSP is a business associate subject to the applicable requirements under the rules, but the HIPAA covered entity would not have contractual protection, such as breach of contract claims and indemnity.

For entities not covered by HIPAA, you may have other legal obligations that apply when you decide to share certain information with a CSP. For example, rules in California and Massachusetts generally require businesses to obtain written agreements from third parties to safeguard the personal information they maintain for the business to perform the desired services.

So, if we use a CSP, we only have to worry about having a BAA in place?

Probably not. Use of cloud services likely will require the covered entity or business associate to perform a risk assessment to understand how those services will affect overall HIPAA compliance. Some of those compliance issues will be addressed in the BAA. However, contracting with a CSP often involves a “Service Level Agreement” or “SLA” which can raise other HIPAA compliance issues. For example, specific SLA provisions concerning system availability or back-up and data recovery may not be permissible under HIPAA. Entities not covered by HIPAA have similar needs to ensure that the cloud services will meet their needs with respect to these and other issues, such as return of data following termination of the SLA.

If data is encrypted in the cloud, is HIPAA satisfied?

No. Strong encryption certainly reduces the risk to PHI, but it does not by itself ensure the integrity and availability of that PHI. That is, for example, encryption does not ensure that ePHI is not corrupted by malware, or that it will remain available to authorized persons during emergency situations. Further, encryption does not address other administrative and physical safeguards. For example, even when the parties have agreed that the customer is responsible for authenticating access to ePHI, the CSP may still need to implement appropriate internal controls to assure only authorized access to the administrative tools that manage resources (e.g., storage, memory, network interfaces, CPUs). The SLA and the BAA are important vehicles for confirming which entity is responsible for these requirements.

Can CSPs block our access to PHI?

No. Blocking a covered entity’s access to PHI would violate the Privacy Rule. Thus, for example, an SLA cannot contain a provision that allows the CSP to block access to ePHI to resolve a payment dispute. Note this may not be the case with arrangements not covered by HIPAA. Accordingly, owners of the data in these situations need to proceed with care when negotiating and disputing payment under some SLAs.

Do CSPs have to report “pings” and other unsuccessful security incidents?

In general, the answer is yes. Security Rule § 164.314(a)(2)(i)(C) provides that a BAA must require the business associate to report any security incidents of which it becomes aware. A security incident means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.  However, the Security Rule is flexible and does not prescribe the level of detail, frequency, or format of reports of security incidents, which may be worked out in the BAA.  Thus, the parties should consider different levels of detail, frequency, and formatting of reports based on the nature of the security incidents.

Does HIPAA permit PHI to be stored in the cloud outside of the United States?

In short, the answer is yes. But, as noted above, the covered entity or business associate needs to consider the applicable risks.


Cloud services can yield substantial cost savings and offer substantial convenience to users. CSPs also tend to offer a higher level of sophistication in the area of data security than most health care providers and their service providers. But the failure to think carefully about adoption and implementation of these services can create substantial exposure for the company. Significant exposure can result not only from a breach of PHI in the cloud environment, but also from the failure to appropriately consider and document the risks relating to that environment.


In an election year that has divided much of the country, we are providing you with a clear and simple choice this voting cycle.  To this end, we are proud to announce that the Workplace Privacy Report Has Been Nominated for The Expert Institute’s Best Legal Blog Competition.

From a field of hundreds of potential nominees, the Workplace Privacy Report has received enough nominations to join one of the largest competitions for legal blog writing online today.  If you enjoy the Workplace Privacy Report, it is up to you, our readers, to follow the link below and vote!

To vote, simply click here!

We appreciate your readership and will continue to provide new and exciting content for you in the future.

New York Governor Andrew M. Cuomo announced yesterday a new proposed regulation to address the growing threat posed by cyber-attacks. According to the State’s press release, the proposed regulation, which is subject to a 45-day notice and public comment period before final issuance, “aims to protect consumer data and financial systems from terrorist organizations and other criminal enterprises.” In the past 18 months, several other states – including Connecticut, Nevada, and Washington – have also taken legislative action to promote greater protection against cyber-threats.

Once in place, New York’s regulation will require regulated organizations – specifically banks, insurance companies, and other financial services institutions regulated by the State’s Department of Financial Services – to: (1) establish a cybersecurity program; (2) adopt a written cybersecurity policy; (3) designate a Chief Information Security Officer; and (4) implement policies and procedures designed to ensure the security of information systems. The Department of Financial Services has published guidance fleshing out each of the foregoing requirements.

In the wake of Gov. Cuomo’s announcement, banks, insurance companies, and subject financial services institutions that do business in New York should carefully review their current programs, policies, and procedures to evaluate what action, if any, they will need to take to comply with the new obligations contemplated by the State’s proposed regulation.


Likely because most victims comply with their demands, the incidence of attacks by ransomware hackers has exploded in 2016. Guidance issued by the U.S. Department of Health and Human Services (“HHS”) in July notes that, on average, there have been 4,000 reported ransomware attacks per day thus far in 2016, far exceeding the average of 1,000 attacks per day last year.

What Is Ransomware?

Ransomware is a type of malware that denies the affected user access to his or her data, typically by encrypting it. Once the user’s data is encrypted, the hacker who launched the ransomware attack notifies him or her that, in order to obtain a key to decrypt the data, he or she must pay a ransom, often in a cryptocurrency such as Bitcoin.  Hackers sometimes impersonate government entities – like the IRS or FBI – in their ransom notes.


Can I Just Pay The Ransom And Move On?

While it may be tempting to do so, there are serious risks to this approach. Even if the ransom demanded by a ransomware hacker is not prohibitively expensive, an organization victimized by an attack must bear in mind that simply paying off the hacker is unlikely to make its problems go away.

As an initial matter, there is no guarantee that, upon receipt of the ransom payment, the hacker will provide a fully functional key that enables your organization to regain access to its data. Moreover, your organization must evaluate whether the ransomware attack triggered legal obligations under federal or state privacy laws, or other regulatory or contractual requirements.

What Are My Legal Obligations In The Event Of A Ransomware Attack?

Determining your organization’s legal obligations in responding to a ransomware attack requires a fact-specific inquiry. For organizations subject to HIPAA, for example, HHS’s guidance indicates that a ransomware attack is presumed to be a breach triggering HIPAA obligations unless the affected organization can demonstrate that there is a low probability that protected health information (“PHI”) has been compromised. This low-probability analysis, HHS instructs, should include consideration of the following four factors, among others: (1) the nature of the PHI involved, including the types of identifiers and the likelihood of re-identification; (2) the unauthorized person who used the PHI or to whom the disclosure was made; (3) whether the PHI was actually acquired or viewed; and (4) the extent to which the risk to the PHI has been mitigated.


Organizations that are not subject to HIPAA must also assess their legal obligations in the wake of a ransomware attack, such as those imposed by the Gramm-Leach-Bliley Act or under state law. Under the data breach laws of certain states – such as New Jersey, Connecticut, Florida, Kansas, and Louisiana – unauthorized access to personal information constitutes a breach, even absent evidence that the personal information accessed was actually acquired.  Organizations whose affected employees or consumers work or reside in these states thus face increased risk that a ransomware incident will trigger breach notification obligations.

Additionally, during some ransomware attacks, hackers do not simply block the user’s access to its data, but also exfiltrate that data to external locations, and/or destroy or alter it. Accordingly, organizations subject to the data breach laws of any state may be required to take certain actions in the event of a ransomware incident.

What Should I Do After I Discover A Ransomware Attack?

If you believe your organization has been victimized by a ransomware attack, you should proceed as follows, carefully documenting each of the steps laid out below:

ONE: Notify your cyber liability insurer. This step is essential not only to ensure applicable coverage, but also because your insurance contact will likely be able to provide valuable early-stage guidance, such as on retention of qualified data security professionals to investigate the ransomware incident, and implementation of appropriate measures to mitigate existing and future risk.

TWO: Investigate the incident. Your internal or outside data security professionals should immediately launch (and document) an investigation of the incident. This investigation should include, at minimum, analysis of:

  • When the incident occurred.
  • The methods the hackers used to carry out the attack.
  • Which of your systems were affected.
  • The nature of the data affected – e.g., was PHI or personal information accessed or acquired. (Most state breach notification laws define personal information as the affected individual’s full name, or first initial and last name, in combination with any of the following data elements: (i) social security number; (ii) government identification card number; or (iii) account number or credit / debit card number with any required security code, access code, or password.)
  • The states in which the individuals whose data was affected work or reside.
  • Whether there is evidence that the affected data was exfiltrated to the attacker’s servers, or elsewhere.
  • Whether the attack is completed or ongoing; and, if the latter, whether additional systems have been compromised.
  • What mitigation measures were and are in place. For example:
    • Were the affected files encrypted and, if so, is there evidence that the hackers successfully decrypted those files.
    • What data backup, disaster recovery, and/or data restoration plans did you have in place.
    • What post-discovery steps did you take to prevent continued or future acquisition, access, use, or disclosure of the compromised data.

THREE: Consult legal counsel. As discussed above, ransomware attacks may trigger obligations under federal and state privacy laws, such as HIPAA, the Gramm-Leach-Bliley Act, and state breach notification laws. They may also require an affected organization to comply with other regulatory and contractual requirements, and to communicate with government agencies like the FBI, U.S. Secret Service, or state attorneys general offices. Consulting an experienced attorney upon discovery of a ransomware attack will ensure that your organization complies with applicable legal requirements, thereby controlling the costs inflicted by the attack to the fullest extent possible.

Earlier this month, United States District Court Judge Peter Sheridan dismissed a class action brought against Work Out World (“WOW”) under the Telephone Consumer Protection Act (TCPA).  In doing so, Judge Sheridan relied on the recent decision by the United States Supreme Court in Spokeo, Inc. v. Robins.

The named plaintiff, Norreen Susinno, filed a class action complaint against WOW alleging WOW negligently, knowingly and/or willfully contacted the plaintiffs on their cellular telephones in violation of the TCPA and thereby invaded their privacy.  Ms. Susinno sought to certify a nationwide class of all persons who, in the preceding four years, had received telephone calls from WOW which were made with the use of an automatic telephone dialing system and/or used an artificial or prerecorded voice.

On June 10, 2016, WOW filed a motion to dismiss the complaint. Following a hearing on the motion to dismiss, Judge Sheridan granted WOW’s motion and dismissed the matter with prejudice.

Although Ms. Susinno filed an appeal of the district court’s decision, the decision may be very helpful to companies that are looking for various arguments to dispose of and otherwise defend against class claims, particularly where the alleged harm at issue is negligible, to the extent there is any harm at all.

For additional insight regarding this case, please see our related post on our Employment Class and Collective Action Update.

Many companies have experienced the departure of an employee and the elimination of that former employee’s access to the company’s computers and networks. In the recent case of USA v. Nosal, D.C. No. 3:08-cr-00237-EMC-1 (July 5, 2016), the Ninth Circuit Court of Appeals was presented with the following facts: Nosal, a former employee of Korn/Ferry, departed and launched a competitive entity. When Nosal left the company, the company revoked his computer access credentials. After his departure, Nosal was nevertheless able to continue accessing the company’s confidential and proprietary information when his former secretary provided Nosal with her database access credentials. In Nosal, the question for the court was whether the jury properly convicted David Nosal of the crime of conspiracy under the Computer Fraud and Abuse Act (“CFAA”) for accessing and downloading information from the company’s database “without authorization.” The Court, in a 2-1 decision, held that Nosal did indeed violate the criminal provisions of the CFAA even though he did not himself access and download the information.

The CFAA prohibits access to a computer or computer system by persons who either exceed their authorized use or are not authorized users at all. 18 U.S.C. § 1030. The applicable section of the CFAA addressed in the Nosal case provides that:

Whoever . . . knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value . . . shall be punished . . . .

The prosecution successfully argued that after Nosal left the company, he lacked any rights to use the company’s network.  Because he lacked rights to access the network, the use of the secretary’s login credentials violated the CFAA’s ban on access “without authorization.” The court found that Nosal violated the CFAA because he “knowingly and with intent to defraud blatantly circumvented the affirmative revocation of his computer access.  This access falls squarely within the CFAA’s prohibition on access ‘without authorization’ and thus we affirm Nosal’s conviction for violations of . . . the CFAA.”

But, what about the fact that a person who did have authorization – Nosal’s secretary – granted Nosal permission to access the database?  On this point, the court stated that access:

‘without authorization’ is an unambiguous, non-technical term that, given its plain and ordinary meaning, means accessing a protected computer without permission. This definition has a simple corollary: once authorization to access a computer has been affirmatively revoked, the user cannot sidestep the statute by going through the back door and accessing the computer through a third party. Unequivocal revocation of computer access closes both the front door and the back door.

The court further stated that an “employee could willy nilly give out passwords to anyone outside the company – former employees whose access had been revoked, competitors, industrious hackers, or bank robbers who find it less risky and more convenient to access accounts via the Internet rather than through armed robbery.”

As a result of this decision, some privacy groups have expressed concern that the court’s ruling could make it easier to prosecute people for ordinary password sharing, such as when a husband logs into his wife’s Facebook account with her credentials and permission, or to print a boarding pass.

However, the majority addressed this concern squarely, stating that “hypotheticals about the dire consequences of criminalizing password sharing. . . miss the mark in this case. This case is not about password sharing” and noting that the case “bears little resemblance to asking a spouse to log in to an email account to print a boarding pass.”

While this decision involved a criminal prosecution, with which most companies would not be involved, it is still worthy of consideration for employers. Many employers have some form of agreement in place that would make accessing the company’s database after termination a violation. In light of Nosal, it would be prudent for a company to also include in its policies and agreements what is seemingly obvious – a prohibition on current employees providing their passwords to former employees. At least with this statement in writing, the company will have (1) a basis upon which to take appropriate disciplinary action – including termination – against the current employee who provided their password to a former employee, and (2) the ability to commence a civil legal action against the former employee under the CFAA.

The HIPAA breach notification rule has two buckets for classifying data breaches – those that involve “protected health information” (PHI) of 500 or more individuals and those that involve fewer than 500 individuals. Since the breach notification rule became effective, the Office for Civil Rights’ (OCR) focus has been on the 500-and-over bucket. But no more. The agency announced yesterday that beginning this month, it will more widely investigate the root causes of breaches affecting fewer than 500 individuals. Regional Offices will still retain discretion to prioritize which smaller breaches to investigate, but each office will increase its efforts to identify and obtain corrective action to address entity and systemic noncompliance related to these breaches.

OCR investigates all reported breaches involving the PHI of 500 or more individuals. However, it has not ignored smaller breaches. For example, following an investigation concerning a breach affecting 441 individuals in 2013, OCR reached a settlement with the covered entity for $50,000. The plan to look at more of the smaller breaches makes some sense from an enforcement perspective, as the extent of an entity’s noncompliance does not necessarily correlate with the number of individuals affected by a breach. For example, it would seem more likely that a covered entity that suffered five breaches during a year, each affecting 200 individuals, would have more significant gaps in its HIPAA compliance than an organization with one breach during the year affecting 1,000 individuals.

OCR is not saying it will be investigating all smaller breaches. As noted above, Regional Offices will still retain discretion to prioritize which smaller breaches to investigate, and it will apply that discretion considering the following factors:

  • The size of the breach;
  • Theft of or improper disposal of unencrypted PHI;
  • Breaches that involve unwanted intrusions to IT systems (for example, by hacking);
  • The amount, nature and sensitivity of the PHI involved;  or
  • Instances where numerous breach reports from a particular covered entity or business associate raise similar issues.

This is just one more reason covered entities and business associates need to achieve and maintain compliance with the HIPAA privacy and security rules. Now small breaches are more likely to lead to an OCR investigation that could find substantial and systemic compliance violations. In a year when millions of dollars in penalties and settlements have been paid to OCR, it is clear that HIPAA enforcement is on the rise.

Last month, European Union and U.S. officials announced final approval of the EU-U.S. Privacy Shield (Privacy Shield), replacing the Safe Harbor, which was invalidated by the Court of Justice of the European Union in October 2015. Like its predecessor, the Privacy Shield will allow organizations based in the United States to self-certify compliance with the Privacy Shield’s requirements, permitting personal data of EU subjects to be transferred to the U.S., but with an enhanced enforcement regime, among other things.

In conjunction with our International Employment Practice Group, we have prepared a comprehensive EU-U.S. Privacy Shield Q&A.  Our EU-U.S. Privacy Shield Q&A will provide you with key features about the Privacy Shield to assist you in determining if this is the proper mechanism to use when transferring data outside of the EU to the U.S., as well as information to help you comply with the Privacy Shield’s requirements.


As everyone is aware, the Pokémon GO craze has taken the world by storm in the past month. Reports estimate there have been over 75 million downloads of the digital game since the program became available on July 6.  Apple has not issued any concrete numbers, but has confirmed that it was the most downloaded app ever in its first week of availability.

When the game was first offered, users were required to grant permission not only to use a player’s smartphone camera and location data but also to gain full access to the user’s Google accounts — including email, calendars, photos, stored documents and any other data associated with the login. The game’s creator, Niantic, responded to a public outcry – including a letter from Minnesota Senator Al Franken – stating that the expansive permission requests were “erroneous” and that Pokémon GO did not use anything from players’ accounts other than basic Google profile information.  The company has since issued a fix to reduce access only to users’ basic Google account profile information.

As is often the case, remarkable success naturally attracts critics who take aim. In a letter dated July 22, 2016, the Electronic Privacy Information Center (EPIC) wrote to the Federal Trade Commission (FTC) requesting government oversight on Niantic’s data collection practices. EPIC is a non-profit public interest research center in Washington, D.C., focusing public attention on privacy and civil liberties issues.

Niantic’s Privacy Policy

EPIC’s letter highlighted a number of alleged issues with Niantic’s privacy policy:

  1. Niantic does not explain the scope of information gathered from Google profiles or why this is necessary to the function of the Pokémon GO app.
  2. Niantic collects users’ precise location information through “cell/mobile tower triangulation, wifi triangulation, and/or GPS.” The Company’s Privacy Policy states Niantic will “store” location information and “some of that location information, along with your … user name, may be shared through the App.” The Privacy Policy does not indicate any limitations on how long Niantic will retain location data or explain how indefinite retention of location data is necessary to the functionality of the Pokémon GO app.
  3. With Pokémon GO, Niantic has access to users’ mobile device camera. The Terms of Service for Pokémon GO grant Niantic a “nonexclusive, perpetual, irrevocable, transferable, sublicensable, worldwide, royalty-free license” to “User Content.” The Terms do not define “User Content” or specify whether this includes photos taken through the in-app camera function.
  4. The Pokémon GO Privacy Policy grants Niantic wide latitude to disclose user data to “third-party service providers,” “third parties,” and “to government or law enforcement officials or private parties as [Niantic], in [its] sole discretion, believe necessary or appropriate.” Niantic also deems user data, including personally identifiable information, to be a “business asset” that it can transfer to a third party in the event the company is sold. This issue has been identified as a particular concern to another non-profit organization – Common Sense Media, an independent non-profit organization focusing on children and technology. According to Common Sense Media, location information and history of children should not be considered a “business asset.”

EPIC’s Request to the FTC

Based on the issues highlighted above, EPIC requested that the FTC use its authority to regulate unfair competition under the Federal Trade Commission Act (15 U.S.C. § 45) to prohibit practices by Niantic and other similar apps that fail to conform with FTC’s Fair Information Practices and the principles set forth in The White House 2012 report, “Consumer Data Privacy In A Networked World.”

According to EPIC, Niantic’s unlimited collection and indefinite retention of detailed location data violates 15 U.S.C. § 45(n) because it is “likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.”

EPIC also contends that the unlimited collection and indefinite retention of detailed location data violate the data minimization requirements under the Children’s Online Privacy Protection Act (COPPA), which requires providers to “retain personal information collected online from a child for only as long as is reasonably necessary to fulfill the purpose for which the information was collected.” 16 C.F.R. § 312.10.

Private Lawsuit Filed Against Niantic

Subsequently, a Pokémon GO user has filed suit in Florida State Court alleging that the terms of service and privacy policy are deceptive and unfair, which violates the Florida Deceptive and Unfair Trade Practices Act. Beckman v. Niantic Inc., case number 50-2016-CA-008330, Fifteenth Judicial Circuit for Palm Beach County, Florida.

Practice Pointer

The issue of consumer privacy continues to garner significant attention. Whether you are an app developer or any other company that collects and retains personal information, it is time to review your applicable policies and take appropriate steps to ensure that your company is not the subject of government agency inquiry, litigation, or a data breach.

For employers whose employees may be bumping into each other in the hallway while playing the game, consideration should be given to banning or otherwise regulating employee involvement. Certainly a drop in productivity is a concern. However, even if accessing the game during work time is barred, employers should be concerned about the potential compromise of proprietary and confidential information that could occur as the result of data breaches or through counterfeit versions of the game that are designed to give hackers access to your protected information.

For years, many questioned whether the HIPAA privacy and security rules would be enforced. The agency responsible for enforcement, Health and Human Services’ Office for Civil Rights (OCR), promised it would enforce the rules, but only after a period of “soft” enforcement and compliance assistance. That period appears to be ending. During the first seven months of 2016, OCR has announced nearly $15,000,000 in settlement payments to the agency relating to a wide range of compliance failures alleged against covered entities and business associates. At the same time, OCR is conducting audits of covered entities around the country, and plans similar audits of business associates later this year. If you have been waiting to tackle HIPAA compliance, it is probably a good time to get it done.

Below is a summary of the circumstances that led to some of the settlements and civil monetary penalties:

  • Stolen laptop, vulnerable wireless access. Following notification to OCR of a breach involving a stolen laptop (not an uncommon occurrence!), OCR investigated and reported discovering that electronic protected health information (ePHI) on the covered entity’s network drive was vulnerable to unauthorized access via its wireless network – users could access 67,000 files after entering a generic username and password. OCR also cited, among other things, failures to implement policies and procedures to prevent, detect, contain, and correct security violations, and to implement certain physical safeguards. Settlement $2.75M.
  • Vulnerabilities identified must be timely addressed. In another case, a covered entity had conducted a number of risk analyses since 2003, but the OCR claimed these analyses did not cover all ePHI at the entity. OCR also reported that the covered entity did not act timely to implement measures to address documented risks and vulnerabilities, nor did it implement a mechanism to encrypt and decrypt ePHI or an equivalent alternative measure, despite having identified this lack of encryption as a risk. Settlement $2.7M.
  • Not-for-profits serving underserved communities not immune. A data breach affecting just over 400 persons caused by the theft of a company-issued iPhone triggered an OCR investigation. The iPhone was unencrypted and was not password protected, and contained extensive ePHI including SSNs, medical diagnoses, and names of family members and legal guardians. According to OCR, among other things, the covered entity had no policies addressing the removal of mobile devices containing PHI from its facility or what to do in the event of a security incident. In its public announcement, OCR acknowledged that the $650,000 settlement was reached after considering that the covered entity provides unique and much-needed services to elderly, developmentally disabled individuals, young adults aging out of foster care, and individuals living with HIV/AIDS.
  • No business associate agreement. When a covered entity’s business associate experienced a breach affecting over 17,000 patients, OCR again investigated. It claimed no business associate agreement was in place, leaving PHI without safeguards and vulnerable to misuse or improper disclosure. Settlement $750,000.
  • Civil monetary penalties against home care provider. In only the second time OCR has sought civil penalties under HIPAA, a judge awarded $239,800 in penalties due to privacy and security compliance failures. In this case, a patient complaint led to an OCR investigation – the patient complained that an employee of the covered entity left PHI in places where unauthorized persons had access and in some cases abandoned the information altogether. Other compliance issues included the covered entity’s maintaining inadequate policies and procedures to safeguard PHI taken offsite, and storing PHI in employee vehicles for extended periods of time.

It is true that these are only a handful of cases with large settlement amounts. But the agency does seem to be sending a message – that is, it wants to see compliance and it is not afraid to seek significant settlement amounts from covered entities or business associates, large or small. In some cases, relatively simple steps such as making sure to have business associate agreements in place, can help avoid these kinds of enforcement actions.