Search right to access

As previously discussed, the federal appeals court in San Francisco had reinstated an indictment charging a former employee of Korn/Ferry International, Inc., with violations of the Computer Fraud and Abuse Act, 18 U.S.C. § 1030 (the “CFAA”) for trying to start a business that would compete with his former employer. Now, however, at the urging of the former employee’s counsel, by order dated October 27, the same court has agreed to rehear, en banc, its previous indictment reinstatement order.

The Ninth Circuit Court of Appeals reinstated the indictment on April 28 against former employee David Nosal on the basis of its interpretation that “an employee exceeds authorization under [the CFAA] when the employee uses that authorized access to obtain or alter information in the computer that the accesser is not entitled in that manner to obtain or alter.” The Court had reaffirmed that employers determine what access or authorization an employee has to an employer’s computer. It also pointed to specific examples of what the employer did to limit access to and authorized uses of information, including using unique usernames and passwords, requiring employees to enter into agreements that explained the limitations on the use of certain company information, and causing a notice concerning data security and confidentiality to pop up on each employee’s computer screen whenever the employee logs onto the company’s system.

The Ninth Circuit’s pending rehearing by the full court of the issue of unauthorized employee access to information under the CFAA puts its previous interpretation in doubt. It is clear, however, is that employers that wish to rely on the CFAA as a means of recovery against employees who steal data or take other actions to harm company computers must plan ahead. That is, employers must clearly define access rights and limitations to their information and information systems, and effectively communicate those rights and limitations to employees.
 

Have you hired a social media manager?  A social media guru/wizard/ninja/diva?  Each of these job "titles" are increasingly being used by companies to attract individuals who specialize in marketing a company’s brand and/or services in social media.  A recent article in the Chicago Tribune and Los Angeles Times highlights just how prevalent these job titles are becoming corporate America.  

As companies struggle to keep up with the rapidly evolving world of social media, they are turning to hiring to hiring social media managers to handle their social media presence.  However, companies should be leery of the “jump first, look second” approach.  In fact, several key questions should be asked when delving into the realm of social media and hiring a new, typically younger employee with responsibility for a company’s social media existence and, therefore, its brand

Qualifications:

  • What qualifications are you looking for?  Often companies seek a younger employee who is "tech-savy."  Traditional employment issues notwithstanding (i.e. age discrimination when an "older" employee is not hired/considered for a position), companies must also consider what their social media mission/focus will be.  For example, to the extent a company utilizes social media as a marketing tool, will you want your social media manager to have a background in marketing?  Similarly, to the extent you wish to utilize social media to handle client/customer complaints, will you want your social media manager to have a background in customer relations? Will you hire an external candidate who is perhaps unfamiliar with your company and its mission, or will you hire an internal candidate?

Responsibilities:

  • What products/services will the social media manager be responsible for discussing/marketing?
  • Will the social media manager have total freedom to explore and execute social media opportunities? 
  • What policies will the social media manager be responsible for implementing?  Will the social media manager have responsibility for implementing the company’s social media policy to employees and managers as well?

Training/Protocols

  • What training will be provided to your social media manager?  For example, will the social media manager be trained on what information he/she should or should not consider when examining posts by customers and/or employees? 
  • What policies will govern your social media manager’s employment?  Will the social media manager be permitted to “friend” employees/subordinates on social media or establish policies for employees to follow? 
  • What safety protocols will be in place?  For example, if your company has a Facebook page, will you social media manager be responsible for maintaining the password and access to same?  How will the company transition its social media presence if and when the social media manager separates from employment? 

While the above list is by no means exhaustive, it demonstrates some of the additional considerations that must be examined when a company wishes to expand into social media.   Companies are often unaware of the need to consider these questions prior to implementing a social media policy or hiring a social media manager.  However, examining these points will help ensure your company’s social media experience flows more smoothly. 

CLICK HERE FOR UPDATED INFORMATION CONCERNING THE AUDIT PROGRAM

The Health Information Technology for Economic and Clinical Health law (“HITECH”) made a number of changes for HIPAA covered entities and business associates. One key change stems from Section 13411 of HITECH, which gives the Secretary of the Department of Health and Human Services authority to conduct “periodic audits to ensure that covered entities and business associates” comply with the privacy and security mandates under HIPAA. Susan McAndrew, the Deputy Director for Health Information Privacy at the Office of Civil Rights ("OCR"), has been speaking out about the nature, scope and timing of these audits, which are expected to begin in February 2012. A summary of reports about the audit program follows below.  

Covered entities and business associates need to be prepared and take stock of their HIPAA compliance. One hundred percent compliance can be an elusive goal, particularly in a short time frame. So, perhaps a more efficient way to prepare for the coming wave of audits it to look, at a minimum, for the low hanging fruit, such as: (i) having clear policies and procedures on topics such as access management, breach notification, discipline, passwords, managing portable data storage devices, distributing notices of privacy practices, and similar items, (ii) conducting and documenting training of workforce members, and (iii) ensuring appropriate agreements are in place with business associates and subcontractors.   

Continue Reading HIPAA Audits to Begin Early 2012

 

The Office of Civil Rights of the U.S. Department of Health and Human Services (“HHS”) has published its first round of annual reports to Congress under the HITECH (Health Information Technology for Economic and Clinical Health) Act of 2009 to Congress. The first report concerns HHS’s HIPAA (Health Insurance Portability and Accountability Act of 1996) enforcement activity for 2009 and 2010 and the second report focuses on reported or recorded data breaches occurring in 2009 and 2010.  

The HITECH Act contains multiple breach notification requirements for HIPAA-covered entities and their business associates. Covered entities and business associates that create unreadable or indecipherable protected health information, however, are exempt from such requirements. Covered entities must notify individuals and the Secretary of HHS of any breach of unsecured protected health information within 60 days following the discovery of the breach. For breaches involving more than 500 residents of a state, a covered entity must also notify the media in addition to the individuals and the Secretary of HHS. Business associates of covered entities under HIPAA must notify the covered entity of any breach of unsecured protected health information so the covered entity can notify affected individuals. 

As reported by HHS, between September 23, 2009 and December 31, 2010, the HHS Office of Civil Rights received 45 reports of breaches affecting 500 individuals or more in 2009 and 207 reports in 2010, resulting in notification of 7.8 million affected individuals. 

The general causes of breaches of unsecured protected health information included, first and foremost, theft.  27 of the 45 large 2009 incidents involved theft and 17 of those incidents occurred on the premises of a covered entity or its business associates. Likewise, 99 of the 207 incidents in 2010 involved theft, primarily of electronic or paper records, affecting some 2,979,121 people. Types of theft noted by HHS included theft of back-up tapes transported by a vendor of a medical facility, of laptops or desk-top computers at covered entity sites, and of smart phones or flash drives. Other causes of breaches generally involved loss of electronic media or paper records containing protected health information, unauthorized access to, use of or disclosure of protected health information, human error, and improper disposal. Notably, loss of portable electronic devices is a major factor in the loss of electronic media.

With respect to complaints and compliance with HIPAA’s Privacy Rule, HHS reports that from April 14, 2003, the date HIPAA-covered entities were to comply with the Privacy Rule, through December 31, 2010, it received 57,375 complaints and resolved 91% of them.   Through the same time period, HHS investigated 19,161 complaints, achieved corrective action in 66% of them and found no violation in 34%. 

HHS further reports that between April 20, 2005, and December 31, 2010, it investigated 289 complaints of the 803 it received related to HIPAA’s Security Rule, resolving 77% of them and finding no violation in 48%. 

The compliance issues related to the Privacy Rule most investigated included impermissible uses and disclosures of protected health information, lack of safeguards, and denial of individual access. HHS Security Rule investigations focused on a covered entity’s failures to demonstrate adequate policies and procedures to address response or reporting of security incidents, security training, access controls and workstation security.  

The two HHS reports to Congress show a marked improvement in compliance with HIPAA’s Privacy Rule. However, the reports also highlight a continuing vulnerability for covered entities that rely on electronic devices and employee accountability for elements of their privacy and security compliance programs under HIPAA (as we have touched on in previous posts). As noted by HHS, remedial actions for violations include revising policies and procedures; improving physical security; training or retraining workforce members; adopting encryption technologies; changing passwords; performing new risk assessments; and revising business associate agreements to specify required confidentiality protections. The HHS reports remind covered entities and their business associates to review and place appropriate limits on employee access to protected health information and incorporate HHS’s remedial measures into their best practices.

Prior to the Health Information Technology for Economic and Clinical Health (HITECH) Act becoming law, the HIPAA Privacy Rule required covered entities to provide individuals with an accounting of certain disclosures of their protected health information (PHI). HITECH enhances these accounting rules and requires that individuals be able to know who has accessed their electronic PHI. The U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) is proposing changes to the Privacy Rule to implement these new requirements and is seeking comments from the public to help shape the law so as to provide the greatest transparency for individuals with respect to access to and disclosures of their PHI, while minimizing the burden on covered entities and business associates. Remember, under HITECH, business associate are subject to nearly all of the requirements under the HIPAA Privacy and Security Rules as covered entities. The discussion below touches on some of the key proposals.

HHS’ Notice of Proposed Rulemaking would enhance the rules concerning the obligation to provide an accounting of certain disclosures of PHI and fleshes out the right of individuals to get a report on who has electronically accessed their PHI. These two rights, to an accounting of disclosures and to an access report, would be distinct but complementary. The right to an access report would provide information on who has accessed electronic PHI in a designated record set (including access for purposes of treatment, payment, and health care operations), while the right to an accounting would provide additional information about the disclosure of designated record set information (whether hard-copy or electronic) to persons outside the covered entity and its business associates for certain purposes (e.g., law enforcement, judicial hearings, public health investigations). The intent of the access report is to allow individuals to learn if specific persons have accessed their electronic designated record set information.  In contrast, the intent of the accounting of disclosures is to provide more detailed information (a “full accounting”) for certain disclosures that are most likely to impact the individual.

In general, designated record sets include the medical and health care payment records maintained by or for a covered entity, and other records used by or for the covered entity to make decisions about individuals. See the definition of “designated record set” at 45 CFR § 164.501. An example of PHI that is outside the designated record set are transcripts of customer calls that are used only for purposes of customer service review, rather than to make decisions about the individual.

HHS believes the access report requirement will not present an unreasonable burden on covered entities and business associates because by limiting the access report to information maintained in an electronic designated record set, the report will include information that a covered entity is already required to collect under the HIPAA Security Rule. That is, under §§ 164.308(a)(1)(ii)(D) and 164.312(b) of the HIPAA Security Rule, a covered entity is required to record and examine activity in information systems and to regularly review records of such activity. Access reports would cover a three-year period, and would provide the individual with information about who has accessed the individual’s electronic PHI held by a covered entity or business associate. They would not distinguish between “uses” and “disclosures,” and thus, would apply when any person accesses an electronic designated record set, whether that person is a member of the workforce or a person outside the covered entity. The report would be required to identify the date, time, and name of the person (or name of the entity if the person’s name is unavailable) who accessed the information, and potentially a description of the protected health information that was accessed and the user’s action, if that information is available.

The right to an accounting of disclosures would encompass disclosures of both hard copy and electronic PHI that is maintained in a designated record set. It would cover a three-year period (down from the current six year period), and would require a covered entity and its business associates to account for the disclosures of PHI believed to be of most interest to individuals. That is, the proposed rule explicitly lists the types of disclosures that are subject to the accounting requirement, rather than the previous approach of listing the types of disclosures for which an accounting was not required. In general, the proposed rule would continue to include in the accounting requirement, without limitation, disclosures for public health activities (except those involving reports of child abuse or neglect), for judicial and administrative proceedings, for law enforcement activities, to avert a serious threat to health or safety, for military and veterans activities, for the Department of State’s medical suitability determinations, to government programs providing public benefits, and for workers’ compensation.  Also, covered entities will continue to be required to account for disclosures that are impermissible under the Privacy Rule, even if those disclosures did not amount to a "breach" under the Breach Notification Rule at § 164.404.

While the proposed rules referenced above may vary when made final, they will require covered entities to re-examine their current practices to comply with the new rules. In addition, covered entities and business associates may need to make modifications to business associate agreements (as well as agreements with subcontractors and other vendors).  The Notice of Privacy Practices also will require modification to explain to individuals these new and modified rights concerning their PHI.

In regard to when action is needed, the rules propose that covered entities (including small health plans) and business associates comply with the modifications to the accounting of disclosures requirement beginning 180 days after the effective date of the final regulation (240 days after publication). As for the right to an access report, the rules propose that covered entities and business associates be prepared to make this available beginning January 1, 2013, for electronic designated record set systems acquired after January 1, 2009, and beginning January 1, 2014, for electronic designated record set systems acquired as of January 1, 2009.

In a report issued earlier this week, the Office of Inspector General found that the Center for Medicare and Medicaid Services’ (CMS) oversight and enforcement actions were not sufficient to ensure that covered entities, such as hospitals, effectively implemented the HIPAA Security Rule.

OIG’s recommendation: Continue the compliance review process (audits) that began in 2009 and implement procedures for conducting compliance reviews to ensure that HIPAA Security Rule controls are in place and operating as intended to protect ePHI at covered entities.

To reach this conclusion, OIG audited 7 hospitals throughout the country (locations in California, Georgia, Illinois, Massachusetts, Missouri, New York, and Texas).  These audits focused primarily on:

  1. wireless electronic communications network or security measures the security management staff implemented in its computerized information systems (technical safeguards);
  2. the physical access to electronic information systems and the facilities in which they are housed (physical safeguards); and
  3. the policies and procedures developed and implemented for the security measures to protect the confidentiality, integrity, and availability of ePHI (administrative safeguards).

Significant vulnerabilities identified. The audits identified 151 vulnerabilities in the systems and controls intended to protect ePHI, of which 124 were categorized as high impact. A high vulnerability refers to one that

may result in the highly costly loss of major tangible assets or resources; may significantly violate, harm, or impede an organization’s mission, reputation, or interest; or may result in human death or serious injury.

The report noted that outsiders or employees at some hospitals could have accessed, and at one hospital did access, systems and beneficiaries’ personal data and performed unauthorized acts without the hospitals’ knowledge. Although each of the seven hospitals had implemented some controls, policies, and procedures to protect ePHI from improper alteration or destruction, none had sufficiently implemented the administrative, technical, and physical safeguard provisions of the Security Rule. Clearly, mediocre compliance is not sufficient.  

Some of the more significant vulnerabilities found related to (i) wireless access; (ii) access controls, and (iii) integrity controls. In the case of wireless access problems, the report identified vulnerabilities including ineffective encryption, rogue wireless access points, no firewall separating wireless from internal wired networks, the inability to detect rogue devices intruding on the wireless network, and no procedures for continuously monitoring the wireless networks. Access control problems included inadequate password settings, computers that did not log users off after periods of inactivity, unencrypted laptops containing ePHI, and excessive access to root folders. According to the OIG, these conditions could have led to unauthorized individuals viewing or altering ePHI data on nonclinical workstations that were not automatically logged off after a period of inactivity; ePHI being compromised on lost or stolen unencrypted laptops; and unauthorized users circumventing system controls and harming system files.

The list goes on and on.

The Office of Civil Rights (OCR), the arm of HHS now charged with enforcing the HIPAA security regulations, may be listening. As reported here earlier, OCR appears to be taking steps to improve its enforcement efforts, which likely will include increasing the number of compliance reviews/audits at hospitals and health care providers around the country. These efforts include a request by the agency to increase its budget for 2012 by $5.6 million, or 13.6%, to be aimed at enforcement. 

Because HIPAA now applies to business associates, it would not be surprising to see business associates on an audit list. Accordingly, covered entities and business associates should be taking steps now to ensure compliance.

The federal appeals court in San Francisco has reinstated an indictment charging a former employee of Korn/Ferry International, Inc., with violations of the Computer Fraud and Abuse Act, 18 U.S.C. § 1030 (the “CFAA”) in trying to start a business that would compete with his former employer. .

The indictment in United States v. Nosal, which a lower court dismissed, alleged that the employee, David Nosal, “knowingly and with intent to defraud” exceeded his authorized access to his employer’s computer system for the purpose of setting up a competing business. Nosal was an executive at Korn/Ferry and subject to a non-competition agreement. After leaving the company, he started a competing business, soliciting the help of three Korn/Ferry employees to provide him with source lists, names, and contact information from a Korn/Ferry proprietary and confidential database. Employee access to the database was specifically restricted, except for legitimate Korn/Ferry business.

The Ninth Circuit Court of Appeals reinstated the indictment on April 28 against Nosal on the basis of its interpretation that “an employee exceeds authorization under [the CFAA] when the employee uses that authorized access to obtain or alter information in the computer that the accesser is not entitled in that manner to obtain or alter.” The Court reaffirmed that employers determine what access or authorization an employee has to an employer’s computer, and pointed to specific examples of steps the employer in this case took to limit access to and authorized uses of information. These examples include the use of unique usernames and passwords, requiring employees to enter into agreements that explained the limitations on the use of certain company information, and causing a notice concerning data security and confidentiality to pop-up on each employee’s computer screen whenever the employee logged on to the company’s system.

Joining the Fifth and Eleventh Circuits, the Court ruled that as long as an employee has knowledge of an employer’s limitations on authorized use of a computer system, the employee will exceed authorized access under the CFAA whenever he or she violates those limitations or goes beyond his or her authorized access with an “intent to defraud” by an action that “furthers the intended fraud and obtains anything of value. It is as simple as that.”
The message to employers from this case is that if you want to be able to effectively use the CFAA as a means of recovery when employees steal data or take other actions to harm company computers or data, you will need to plan ahead. That is, employers will need to clearly define access rights and limitations to their information and information systems, and effectively communicate those rights and limitations to employees.

When considering the proper use or disclosure of patient data, most health care providers look immediately to the Health Insurance Portability and Accountability Act (“HIPAA”) privacy rules. But that may not be enough. As the plaintiff in Isidore Steiner, DPM, PC dba Family Foot Center v. Marc Bonanni learned, state law also must considered. In general, a state law will be applied instead of HIPAA if the state law is more stringent and protective of patients’ protected health information (PHI).

In Bonanni, the Family Foot Center, a HIPAA-covered entity, was seeking to enforce a non-compete agreement with its former employee, a physician. Believing the former employee was soliciting its patients in violation of the agreement, the Center requested its former employee’s patient lists as part of pre-trial discovery. The physician objected on the ground that HIPAA and Michigan law on physician-patient privilege protected information of non-party patients from disclosure without their consent. The Center filed a motion to compel the disclosure.

The trial court denied the motion, reasoning that the names, addresses, and phone numbers of non-party patients were privileged under Michigan law. The Center appealed.

Under HIPAA, a covered entity generally may not use or disclose an individual’s PHI without a written authorization or providing the individual the opportunity to agree or object. However, it may do so for example, when responding to a subpoena or discovery request, upon satisfying certain conditions. 45 CFR 164.512(e). Nevertheless, HIPAA further provides that even this limited exception can be trumped by a more stringent state law that prohibits such use or disclosure of PHI.

The appellate court held that under Michigan’s physician-patient privilege, MCL 600.2157, the right to waive the privilege rests solely with the patient. Further, unlike HIPAA, the privilege did not contain exceptions for disclosing patient information in judicial proceedings. The Court concluded that Michigan’s physician-patient privilege conflicted with HIPAA and provided more stringent protections for the PHI at issue. Therefore, the state’s privilege law trumped HIPAA. The Court affirmed the denial of the Center’s discovery motion. In reaching this result, it rejected the Center’s plea that it could not proceed with its non-compete action without the requested information. The Court stated:

To this, we say that it is not our role to address either the wisdom of a physician’s efforts to restrict with whom a patient may consult or the appropriate business or legal means by which a corporation can effectively protect its practice. Instead, our limited role is to decide whether the names, addresses and telephone numbers of non-party patients are protected from disclosure by law.

Health care providers receive requests for PHI in many different contexts, not just in connection with litigations. This ruling makes clear that when making disclosures of PHI, considering only HIPAA could be risky. Because this analysis is not limited to Michigan (see, for example, recent Ohio decisions, Turk v. Oiler and Grove v. Northeast Ohio Nephrology Associates, Inc.), providers should undertake a detailed analysis of the applicable federal, state and local laws and regulations prior to making any disclosure.

In a case addressing the Family Medical Leave Act (FMLA) that directly implicates the privacy rules under the Health Insurance Portability and Accountability Act (HIPAA), Pacosa v. Kaiser Foundation Health Plan of the Northwest, the Portland Division of the United States District Court of Oregon awarded summary judgment against a physician assistant who claimed he was discharged in retaliation for taking FMLA leave. While the court primarily focused on the boundaries of what constitutes FMLA retaliation, the case serves as a good example of the limits healthcare companies can place on employee access to available protected health information and enforcement mechanisms for addressing violations of such access.

Frank Pacosa was a physician assistant for Kaiser Foundation Health Plan of the Northwest in Portland, Oregon. He alleged that he took intermittent leave under the FMLA for a period of 2001 to 2008 for purposes of caring for his wife’s clinical depression. While employed, Pacosa signed a number of confidentiality agreements, which prohibited him from accessing his own health records or those health records of his family or friends on Kaiser Permanente’s proprietary medical records system unless he had specific authorization from the patient and the access was approved. An additional confidentiality policy that he signed and had training on prohibited him, as an employee, from accessing any protected health information records except where related to his job.

In 2008, Kaiser Permanente’s Compliance Department received a series of phone calls from Pacosa’s wife, who informed it that Pacosa had accessed her medical records without authorization and that he was using the information to obtain a restraining order against her. The Compliance Department’s investigation revealed that Pacosa had accessed his wife’s records without authorization, and further accessed and edited his daughter’s records as if he was the treating medical provider, all while he was on alleged FMLA leave.

Kaiser Permanente determined that Pacosa, who at one time served on the Confidentiality Committee and Health Information Management Committee, improperly and with intent of personal gain, accessed the protected health information of his wife and daughter, violating its confidentiality policies. Kaiser Permanente terminated Pacosa’s employment on October 30, 2008.

Pacosa sued Kaiser Permanente in Oregon District Court, alleging multiple state and federal statutory violations, including that his termination interfered with his leave rights under the FMLA. The Oregon District Court granted summary judgment on each of Pacosa’s claims, determining that there was no issue of material fact that Pacosa violated confidentiality policies, which was the reason for his termination rather than any FMLA violation.

As we have touched upon in previous posts, the chance of a data breach or information misuse rises with the use of electronic data and employee access to that data. Of course, the advent of the electronic medical record is both a result of developing technology and required under HIPAA, but as Mr. Pacosa’s termination illustrates, the portability of electronic records make it easy to view or misuse a patient’s private health information.

Kaiser Permanente’s repeated distributions of confidentiality policies and the obligations to secure and limit access to protected health information by employees illustrates a best practice and minimum necessary compliance obligation that covered entities have under HIPAA’s privacy rule and recent changes to it in the American Recovery and Reinvestment Act of 2009 (“ARRA”). The Pacosa case serves as another reminder to covered entities to review and place appropriate limits on employee access to protected health information.