Skagit County, Washington, has agreed to settle potential violations of the privacy and security rules under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), according to an announcement by the Office for Civil Rights (OCR) on Friday.  OCR reported that Skagit County, home to approximately 118,000 residents, agreed to a $215,000 monetary settlement and to comply with a three-year HIPAA compliance program under OCR’s watchful eye.

OCR began investigating Skagit County and its Public Health Department when OCR received a breach report that money receipts with electronic protected health information (ePHI) of seven individuals were accessed by unknown parties after the ePHI had been inadvertently moved to a publicly accessible server maintained by the County.

A relatively minor breach at first glance. However, OCR’s investigation revealed the incident was broader and included the ePHI of 1,581 individuals, in some cases involving files concerning the testing and treatment of infectious diseases. According to the resolution agreement, Skagit County allegedly failed to provide notification as required by the HIPAA Breach Notification Rule to all of the affected individuals for whom it knew or should have known that the privacy or security of the individuals’ ePHI had been compromised.

Like other OCR investigations, the enforcement activity uncovered “general and widespread non-compliance by Skagit County with the HIPAA Privacy, Security, and Breach Notification Rules.” For example, OCR looked back to April 20, 2005 (the effective date of the HIPAA Security Rule), and alleged that Skagit County had not complied with various aspects of the HIPAA security regulations, including maintaining written policies and training employees.

The Skagit County Public Health Department provides essential services to many individuals who would otherwise not be able to afford health care. A $215,000 payment to OCR certainly will be a hit to the Department’s budget and the services it provides. Cities, counties and other public sector entities that perform HIPAA covered functions should be reviewing their HIPAA compliance efforts to ensure they are in a strong defensible position. Some basic compliance steps – risk assessment, written policies and procedures, training, a breach response plan, documentation, and others – can go a long way.

The U.S. Commodity Futures Trading Commission (Commission) issued a Staff Advisory on best practices for financial institutions that must comply with Gramm-Leach-Bliley Act (GLBA) provisions on data security and customer privacy.

GLBA was enacted to ensure that financial institutions respect the privacy of their customers and protect the security and confidentiality of nonpublic personal information.  Specifically, under the Commission’s regulations, futures commission merchants, commodity trading advisors, commodity pool operators, introducing brokers, retail foreign exchange dealers, swap dealers, and major swap participants (covered entities) “must adopt policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information.”  Those policies and procedures must:

  1. Insure the security and confidentiality of customer records and information;
  2. Protect against any anticipated threats or hazards to the security or integrity of such records; and
  3. Protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.
The recommended best practices include:
  • Designating a specific employee with privacy and security management oversight responsibilities;
  • Identifying, in writing, all reasonably foreseeable internal and external risks to security, confidentiality, and integrity of personal information and systems processing personal information;
  • Designing and implementing safeguards, in writing, to control the identified risks;
  • Training staff to implement the program;
  • Regularly testing and monitoring the safeguards;
  • Implementing third party service provider agreements which specify that the third party is maintaining appropriate safeguards;
  • Regularly evaluating and adjusting the program; and
  • Designing and implementing policies and procedures to respond to incidents involving unauthorized access, disclosure, or use of personal information.
The best practices should look familiar to anyone who works with the various state laws that require companies to implement written information security programs, as well as to entities that must comply with HIPAA’s requirements.  Ultimately, every entity that maintains personal information, whether that of customers, clients, patients, or employees, should consider implementing a program to safeguard such information.

The U.S. Department of Health and Human Services, Food and Drug Administration (FDA) recently issued draft guidance entitled “Guidance for Industry-Fulfilling Regulatory Requirements for Postmarketing Submissions of Interactive Promotional Media For Prescription Human and Animal Drugs and Biologics.”

The draft guidance is intended to describe the FDA’s current thinking about how manufacturers, packers, and distributors (firms) can fulfill regulatory requirements for postmarketing submissions of interactive promotional media (e.g., blogs, microblogs such as Twitter, social networking sites like Facebook, online communities, and online podcasts) for FDA-approved products.

Under FDA regulations, if a firm has any control of, or influence on, a site, it must submit promotional material about its product(s) to the FDA under the FDA’s postmarketing submission requirements.

Recognizing the challenges of submitting promotional materials that display real-time information, the FDA provided recommendations for submitting interactive promotional media.  In its examples, the FDA explained:

  • At the time of initial display, a firm should submit in its entirety all sites for which the firm is responsible, including submission in a way that allows the FDA to view and interact with the submission in the same way as the end user;
  • For third-party sites on which the firm’s participation is limited to interactive or real-time communications, a firm should submit the third-party site’s home page, along with the interactive page within the third-party site and the firm’s first communication;
  • Once a month, a firm should submit an updated listing of all non-restricted sites for which it is responsible or in which it remains an active participant;
  • If a site has restricted access, a firm should submit all content related to the discussion to adequately provide context to facilitate the review; and
  • A submitting firm should take formatting factors into consideration to enable the FDA to view the communications as a whole.

When finalized, the guidance will not create or confer any rights, and will not operate to bind the FDA or the public.  Rather, the guidance should be viewed as recommendations, unless specific regulatory or statutory requirements are cited.

Specific industry guidance concerning social media is not a novel idea.  In fact, the financial industry issued its own guidance late last year.  When examining your business’s social media participation, it is imperative that you familiarize yourself with any applicable industry-specific guidance.

The Florida District Court of Appeal, Second District quashed an order requiring the mother of a vehicle accident victim to produce copies of certain postings on her Facebook account. 

In Root v. Balfour Beatty Constr., LLC, the plaintiff, Tonia Root (“plaintiff”) filed a negligence suit against the city and its contractors following an accident where her toddler was struck by a vehicle near a construction site.  During discovery, defendants sought the production of plaintiff’s Facebook postings relating to plaintiff’s children, plaintiff’s mental health and stress, and counseling that plaintiff may have obtained before or after the accident.  Ultimately, the circuit court ordered plaintiff to produce the Facebook postings.

On review, the Florida District Court of Appeal, Second District, quashed the order, finding that the posts were irrelevant to plaintiff’s claims.  Specifically, the appellate court held that the Facebook discovery requested did not pertain to the accident, the negligence claim, or plaintiff’s claims for loss of consortium. The court characterized the discovery as a “fishing expedition.”

Ultimately, the discovery of social media content is an essential, but often precarious, undertaking which will turn on the legal precedent in your jurisdiction.  For example, states like New York, New Jersey, Indiana, and Kentucky have addressed issues of this nature to various outcomes.

The National Labor Relations Board (“NLRB”) continues to be active in its review of employer social media policies. In recent years, the NLRB’s review of social media policies has focused largely on whether an employee would reasonably construe the language of the policy as prohibiting him or her from engaging in activity protected by Section 7 of the National Labor Relations Act (“NLRA”), such as discussing terms and conditions of employment with fellow employees and engaging in strikes and other job actions.

In this case, Boch Imports, Inc. d/b/a Boch Honda, the NLRB Administrative Law Judge (“ALJ”) reviewed several provisions of an employer’s employee handbook. The employee handbook contained an extensive social media policy that included the following provisions:

1. The Company requires its employees to confine any and all social media commentaries to topics that do not disclose any personal or financial information of employees, customers or other persons, and do not disclose any confidential or proprietary information of the Company.

2. If an employee posts comments about the Company or related to the Company’s business or a policy issue, the employee must identify him/herself…

5. If an employee’s online blog, posting or other social media activities are inconsistent with, or would negatively impact the Company’s reputation or brand, the employee should not refer to the Company, or identify his/her connection to the Company… 

7. While the Company respects employees’ privacy, conduct that has, or has the potential to have a negative effect on the Company might be subject to disciplinary action up to, and including, termination, even if the conduct occurs off the property or off the clock.

8. Employees may not post videos or photos which are recorded in the workplace, without the Company’s permission.

9. If an employee is ever asked to make a comment to the media, the employee should contact the Vice President of Operations before making a statement.

10. The Company may request that an employee temporarily confine its social media activities to topics unrelated to the Company or a particular issue if it believes this is necessary or advisable to ensure compliance with applicable laws or regulations or the policies in the Employee Handbook. The Company may also request that employees provide it access to any commentary they posted on social media sites.

11. Employees choosing to write or post should write and post respectfully regarding current, former or potential customers, business partners, employees, competitors, managers and the Company. Employees will be held responsible for and can be disciplined for what they post and write on any social media. However, nothing in this Policy is intended to interfere with employees’ rights under the National Labor Relations Act.

12. Managers and supervisors should think carefully before “friending,” “linking” or the like on any social media with any employees who report to them.

The ALJ found “It requires little discussion to find that a number of these provisions clearly violate the [NLRA] as employees would reasonably construe these provisions as preventing them from discussing their conditions of employment with their fellow employees, radio and television stations, newspapers or unions, or limiting the subjects that they could discuss.” [emphasis added.]

Many employers maintain social media policies similar to the one at issue in this case. This decision highlights that employers, regardless of whether their employees are represented by a union, must be mindful of the NLRA when crafting social media policies.

Ricardo Rivera Cardona of the Puerto Rico Health Insurance Administration (ASES), which intended to send a message by imposing the largest penalty to date ($6.8 million) arising out of a breach of protected health information under HIPAA, is quoted by Information Security Media Group as saying:

We are sending a message that we are here to enforce…There are no exceptions, no matter how big or small an institution is. ASES will make sure patients have access to medical services, and that their patient information is also protected. We are adamant about this.

The incident apparently did not involve high-tech hacking, theft of data, or even the more familiar lost laptop. It is reported to have resulted from a mailing error by Triple-S Salud, a local insurer and division of Triple-S Management Corp., in which mailings to approximately 13,000 individuals displayed the individuals’ Medicare health insurance claim numbers. Note that many believe information is not PHI unless it includes sensitive medical information about an individual, such as a diagnosis. That is simply not the case: an identifier such as a claim number, held by a covered entity in connection with health coverage, is PHI.

Of course, the covered entity can appeal the penalty. However, the federal Office for Civil Rights also can decide to take enforcement action, although that agency has not decided what, if any, action it will take.  We know that OCR has tried to send a message similar to the Puerto Rico enforcement authority’s concerning enforcement regardless of the size of the covered entity. It remains to be seen how vigorous enforcement will be given the lack of resources at these agencies; however, these enforcement actions certainly should spur covered entities and business associates to review their level of compliance.

Written by Jeffrey M. Schlossberg

When does a medical clinic’s employee’s unauthorized texting of a patient’s confidential health information result in liability to the clinic? The answer: it depends.

In Doe v. Guthrie Clinic, Ltd., the Second Circuit Court of Appeals dismissed a patient’s claim against a medical corporation for alleged breach of fiduciary duty based on a non-physician employee’s unauthorized disclosure of confidential medical information. It did so because the New York State Court of Appeals answered the following certified question in the negative: “Whether, under New York law, the common law right of action for breach of the fiduciary duty of confidentiality for the unauthorized disclosure of medical information may run directly against medical corporations, even when the employee responsible for the breach is not a physician and acts outside the scope of her employment.”

In Doe, John Doe was treated at a clinic for a sexually transmitted disease (“STD”). A nurse, who knew Doe’s girlfriend, texted the girlfriend to let her know of Doe’s STD. Her texts were unrelated in any way to Doe’s treatment. After Doe learned of the texts, he complained to the clinic. The nurse was fired. The clinic acknowledged that Doe’s confidential information had been improperly accessed and disclosed and that appropriate disciplinary action had been taken. Doe then commenced a federal diversity action.

In analyzing the certified question presented, the State’s highest court declined to hold the clinic responsible under a claim of breach of fiduciary duty. Generally, a medical corporation might be vicariously liable for the wrongful acts of its employees, but under the doctrine of respondeat superior, liability extends only if those acts were committed in furtherance of the employer’s business. In Doe, the nurse’s conduct was not within the scope of her employment.

However, health care employers must still take caution. Despite the ruling in the case, the court did state that a medical corporation “may also be liable in tort for failing to establish adequate policies and procedures to safeguard the confidentiality of patient information or to train their employees to properly discharge their duties under those policies and procedures.” A health care practice that complies with the privacy and security regulations under HIPAA and applicable state law will be in a good position to avoid this kind of liability. Of course, inadequate policies addressing the protection of confidential patient information could expose the practice to damages in these kinds of suits, as well as penalties under HIPAA.


In honor of National Data Privacy Day, we provide the following “Top 14 for 2014.”  While the list is by no means exhaustive, it does provide critical areas businesses will need to consider in 2014.

  1. Location Based Tracking.  As the use of GPS-enabled devices becomes more and more prevalent, employers are often faced with the difficult decision of just how much information they may obtain about an employee’s whereabouts.  This is particularly true when an employee is absent from work, is traveling for business, or makes a representation as to his or her location that the employer questions for one reason or another.  The case law in this area is evolving rapidly, and both the public and private sector can expect to face this issue in the near future.
  2. Bans On Requesting Social Media Passwords. As we have previously discussed, numerous states have passed legislation prohibiting employers from requiring current, or prospective, employees to disclose a user name or password for a personal social media account. 16 states introduced measures in 2013, and it is expected that many of these measures will be passed in 2014.
  3. Disaster Recovery Plans. Protecting information and technology assets from natural disasters and other emergencies is often an afterthought. This is especially relevant given the numerous weather difficulties faced by businesses through 2013, from floods to fires to subzero temperatures.  However, developing a comprehensive disaster recovery plan now can avoid the significant expense, and often irretrievable loss of data, associated with natural disasters.
  4. BYOD. More and more businesses are realizing the risks of allowing employees to utilize their own electronic devices in the workplace and are turning to Bring Your Own Device (“BYOD”) programs to diminish some of these risks.  Businesses considering BYOD should review our comprehensive BYOD issues outline.
  5. User Generated Health Data.  The transformation of health information into electronic format has been well documented and will continue into the future.  However, one of the newest concerns for 2014 is health data which an individual voluntarily provides to track or chart their own health or fitness.  Devices such as Nike Fuelband, Fitbits, or similar devices or applications are allowing individuals to enter more and more health information about themselves electronically.  However, the privacy or security of this information is largely up for debate.
  6. Insurance. Like many other risks, information risk can be addressed in part through insurance. More carriers are developing products dealing with personal information risk, and specifically data breach response. This kind of coverage should be considered by any organization which maintains personal information.
  7. Risk Assessment. Many businesses remain unaware of how much personal and confidential information they maintain, who has access to it, how it is used and disclosed, how it is safeguarded, and so on. Getting a handle on a business’ critical information assets must be the first step, and is perhaps the most important step to tackling information risk. It is logically impossible to adequately safeguard something you are not aware exists. In fact, failing to conduct a risk assessment may subject the business to penalties under federal and/or state law.
  8. Develop a Written Information Security Program. Even if adopting a written information security program (WISP) to protect personal information is not an express statutory or regulatory mandate in your state (as it is in MA, MD, TX, CT, etc.), having one is critical to addressing information risk. Not only will a WISP better position a company when defending claims related to a data breach, but it will help the company manage and safeguard critical information, and may even help the company avoid whistleblower claims from employees.
  9. Training. A necessary component of any WISP and a required element under most federal and state laws mandating data security is training. In addition to meeting compliance requirements, training employees and supervisors also will not only aid in defending any potential breach of privacy claim that may be asserted against the company, but also may prevent a potential breach from occurring.
  10. HHS/OCR Investigations.  The Office for Civil Rights has recently stepped up its efforts to enforce the HIPAA Security Rule.  As we previously discussed, these enforcement activities are likely to increase in 2014 following a recent report from the Office of the Inspector General which concluded that OCR did not meet its federal requirements for oversight and enforcement.
  11. Develop a Plan for Breach Notification. All state and federal data breach notification requirements currently in effect require notice be provided as soon as possible. Failing to respond appropriately could result in significant liability.  This is true even when the number of individuals affected is relatively small.  Developing a breach response plan is not only prudent but also may be required under federal or state law.
  12. Investigating Social Media.  Social media continues to grow on a global scale, and the content available on a user’s profile or account is often being sought in connection with litigation.  In fact, failure to preserve relevant information in social media may have dire consequences.  Further, while public content may generally be utilized without issue, if private content is accessed improperly, serious repercussions can follow.
  13. New Technologies. As anyone who has purchased a phone or television in the last year has seen, technology is evolving extremely rapidly, and a product which may be the “latest and greatest” today is often outdated 6 months down the road.  Staying familiar with these types of technologies and their capabilities will only allow businesses to better address any potential issues or concerns which may be implicated, including how those technologies address information risk.
  14. Watch for New Legislation. Today, managing data and ensuring its privacy, security and integrity is critical for businesses and individuals, and is increasingly becoming the subject of broad, complex regulation. Because no national law requiring the protection of personal information has yet been passed in the U.S., companies are left to navigate the constantly evolving web of growing state legislation. Companies therefore need to stay tuned in order to remain compliant and competitive in this regard.

Privacy and data security issues and concerns do not stop at the water’s edge. Companies needing to share personal information, even when the sharing will take place inside the same “company,” frequently run into challenges when that sharing takes place across national borders. In some ways, the obstacles created by the matrix of federal and state data privacy and security laws in the U.S. are dwarfed by the matrix that exists internationally. Most countries regulate to some degree the handling of data, from access, to processing, to disclosure and destruction. And, the law continues to develop rapidly, sometimes due to unexpected events.

Take, for example, the U.S. Safe Harbor program that was designed to facilitate the transfer of personal data of individuals in the European Union (EU) to the United States. Because the EU believes that the law in some countries, including the U.S., fails to provide “adequate safeguards,” the general rule is that personal data of EU persons cannot be sent to the U.S. unless an exception applies. One exception is based on a negotiated deal between the EU and the U.S., commonly known as the U.S. Safe Harbor, a program which currently is in some jeopardy due to the recent reports of NSA monitoring, Snowden, etc.

Currently, to meet the Safe Harbor, a company must take certain steps, including (i) appointing a privacy ombudsman; (ii) reviewing and auditing data privacy practices; (iii) establishing a data privacy policy that addresses the following principles: notice, choice, onward transfer of data, security, integrity, access and enforcement; (iv) implementing privacy and enforcement procedures; (v) obtaining consents and creating inventory of consents for certain disclosures; and (vi) self-certifying compliance to the U.S. Department of Commerce.

A recent statement from Viviane Reding, European Commissioner for Justice, Fundamental Rights and Citizenship, quoted in The Guardian, October 17, 2013, signals some changes may be in store for the Safe Harbor:

“The Safe Harbour may not be so safe after all. It could be a loophole because it allows data transfers from EU to US companies, although US data protection standards are lower than our European ones,” said Reding. “Safe Harbour is based on self-regulation and codes of conduct. In the light of the recent revelations, I am not convinced that relying on codes of conduct and self-regulation that are not policed in a strict manner offers the best way of protecting our citizens.”

At the same time, the EU continues to update and strengthen its protections for personal data. Companies that operate globally need to be sensitive not only to complying with the laws specific to activities within a jurisdiction, but also to activities between jurisdictions. Common business decisions such as deciding where data will be stored, setting up global databases for employees’ medical, personnel and other information, or arranging for enterprise-wide employee benefits or monitoring programs can face significant obstacles relating to the interplay of the data privacy and security laws of the countries involved.

The Driver’s Privacy Protection Act ("DPPA"), 18 U.S.C. Section 2721, et seq., was enacted by Congress in 1994 after the highly publicized murder of actress Rebecca Schaeffer by a stalker who obtained her unlisted address from the California Department of Motor Vehicles ("DMV").  The Act restricts state DMVs from disclosing personal information contained in motor vehicle records except for specific governmental and business purposes. In addition, the statute provides, at 18 U.S.C. Section 2722(a), that it is "unlawful for any person knowingly to obtain or disclose personal information from a motor vehicle record" for any use not permitted under Section 2721(b).

In January of this year, the Minnesota Department of Natural Resources ("DNR") sent a letter to more than 5,000 individuals stating that it had discovered that one of its former employees, John Hunt, had improperly accessed their motor vehicle record data approximately nineteen thousand times. Hunt is no longer employed by the Minnesota DNR.

Attorneys for some of the recipients of the breach notification letter filed a total of five class action lawsuits under the DPPA, which were consolidated in U.S. District Court for the District of Minnesota under the caption Kiminski, et al v. Hunt, et al, No. 13-185.  Plaintiffs named a number of supervisors and commissioners of the DNR and the Minnesota Department of Public Safety as defendants in their personal capacities, along with Hunt. In addition to claims under the DPPA, plaintiffs asserted claims under 42 U.S.C. Section 1983, a catch-all cause of action allowing claims against state actors for denying someone their rights under a law or the Constitution.

On September 20, 2013, District Judge Joan N. Ericksen issued an order granting a motion to dismiss all of the state-affiliated employees, leaving only Hunt himself as a defendant. Judge Ericksen held that plaintiffs had not stated a cause of action as to the dismissed defendants because none of them obtained or disclosed information for improper purposes, even though Hunt allegedly did so under their watch. She dismissed the Section 1983 claim because she interpreted the DPPA as including an express private means of redress that precludes a more expansive remedy under Section 1983.

Minnesota has been the land of 10,000 privacy leaks lately, as the State grapples with negative publicity from the disclosure that an employee of the state’s new online health insurance exchange, MNsure, accidentally distributed confidential information, including Social Security numbers, of insurance agents who had participated in training on the system. State officials are concerned that the leak will erode the public’s confidence in the system, which is scheduled to go live in October. Minnesota’s Legislative Auditor is currently investigating MNsure’s data security practices.