After a quiet winter, the Department of Health and Human Services’ Office for Civil Rights (OCR) revived with the spring, issuing a set of frequently asked questions and two recent announcements.

The FAQs address the situation where an individual requests a covered entity to disclose protected health information (“PHI”) to an app. The covered entity

A relatively quiet year for HIPAA enforcement is ending with a small flourish.  The Office of Civil Rights of the Department of Health and Human Services (HHS) has announced two settlements with covered entities within the span of eight days.

The first settlement involved Advanced Care Hospitalists (ACH), a company that provides internal medicine physicians to hospitals and nursing homes in Florida.  In 2014, ACH received notice from a local hospital that individually identifiable patient information had been posted on the website of a third party billing provider.  ACH reported the breach, which ultimately led to an HHS investigation. HHS found that:

  • The disclosure affected 9,225 patients.
  • ACH failed to enter into a business associate agreement with one or more vendors who had access to protected health information (PHI).
  • ACH did not implement privacy, security, or breach notification policies and procedures until after the breach was discovered.
  • ACH failed to conduct a security risk analysis until after the breach was discovered.

To settle these matters, ACH agreed to pay a $500,000 penalty and fulfill its obligations under a supervised corrective action plan that focuses on the identified failures.

The second settlement followed from a complaint lodged with HHS against Pagosa Springs Medical Center (PSMC) in Colorado.   The ensuing investigation revealed:

  • The impermissible disclosure of the PHI of at least 557 individuals to a former employee whose access to PSMC’s information systems was not revoked upon termination of employment.
  • The impermissible disclosure of the PHI of at least 557 individuals to a business associate without an appropriate business associate agreement.

Continue Reading  A Pair of Year-End HIPAA Settlements

Imagine a breach in the privacy of protected health information.  The violation of an individual’s HIPAA rights may be clear, but the individual cannot sue under HIPAA.  Courts have consistently held that HIPAA provides no private right of action.

In the recent case of Lee-Thomas v. Lab Corp., an individual brought suit, claiming that her HIPAA rights had been violated.  When hospitalized, she had been  asked to submit medical information on a computer.  She alleged that the information she entered was visible to another patient at a nearby computer station.  The court did not reach the question of whether the proximity of the computers resulted in a HIPAA violation.  It dismissed the claim, observing that HIPAA limits enforcement actions to the U.S. Department of Health and Human Services and states’ attorneys general.

The absence of a private right of action under HIPAA significantly reduces the risks faced by covered entities and business associates, but it does not shield them against all litigation and liability. Lawsuits for the improper disclosure of personal medical information have been brought under different theories, including common law breaches of privacy and breaches of contract.  Last year, Anthem Inc. settled a class action, arising from a large 2015 data breach, for $115 million. Currently, litigation is being pursued under non-HIPAA claims for disclosures that have resulted from mailing practices, including the use of window envelopes and incorrect addresses.  Case law is emerging, and it is possible that courts will refer to HIPAA’s standards as setting the bar for the privacy and data security safeguards that should be implemented and followed, but individuals who sue for breaches of those safeguards will need to base their claims on something other than a HIPAA violation.
Continue Reading  HIPAA Enforcement: Where’s the Action?

A celebrity collapses on stage and is rushed to the hospital. Rumors race through social media faster than the ambulance can navigate city streets. Was it exhaustion? Was it her heart? Was there a gunshot? The press broadcasts through the night outside the ER. You are a hospital administrator who has access to information about the celebrity’s medical condition and treatment. You stay past your shift until the patient’s condition is stable and the 11 p.m. news reports have finished. You exit through a side door to avoid attention, but a man comes up alongside you. You know him from some prior incidents. He is an insurance investigator for the arena where the celebrity was performing. He asks you questions, seeking to confirm facts for a preliminary report he is filing.  All of the facts that he recites about the celebrity’s condition are true. All of them have been widely reported already. You keep quiet.

You have been well trained. That is what you should do.
Continue Reading  HIPAA: Privacy Required, Even When Information Goes Public

The virtual world offers opportunities and obligations not found in nature.

For a couple of years, my wife has followed the adventures of a bonded eagle couple, Liberty and Freedom, residing in the hills near Hanover, Pennsylvania. A strategically positioned webcam offers a round-the-clock view of nesting activities. Last year the pair hatched two eggs and cared for the eaglets until they fledged.

This year, it appears as if calamity struck. Liberty has disappeared, and a new female, Lucy, has taken her place in the nest, destroying one of the eggs. Although the other egg remains in the nest, it is widely believed that the disturbance has rendered it unviable and that it will not hatch. It is possible that Lucy fought with the older Liberty and killed her.  The body has not been found.  It is also possible that Freedom and Lucy will now bond, but most viewers do not expect them to produce eggs this year.

In the virtual world, health care providers, health plans, health care clearinghouses, and their business associates have a responsibility to protect the treasured asset of individually identifiable information from predators and other dangers. But unlike eggs, which cannot be recovered if stolen or damaged, data is retrievable.
Continue Reading  Springtime for HIPAA

The Philadelphia Eagles’ Super Bowl aspirations dimmed on a late autumn afternoon when two Ram defenders hammered their star quarterback, Carson Wentz, on a run to the end zone that was called back for a penalty. Wentz stayed in the game and threw a touchdown pass, but soon disappeared into the locker room for the remainder of the game. By mid-week, the medical reports confirmed what most Eagles fans already seemed to know: Wentz had torn ligaments in his knee and was finished for the season.

In the two weeks leading to the Super Bowl, sports media filled time and space with stories about the cut on Tom Brady’s hand and Rob Gronkowski’s expected clearance to play after suffering a concussion.

How, in the world of HIPAA privacy and security was so much medical information available for public consumption?
Continue Reading  What the Super Bowl Can Teach Us About HIPAA

The Office of Civil Rights (OCR) of the Department of Health and Human Services (HHS) has announced its first settlement of a HIPAA breach in 2018. The settlement arose from five separate breaches by five different entities owned by Fresenius Medical Care, a large provider of kidney dialysis and other medical services. The breaches involved stolen computers, a stolen USB drive, and a missing hard drive, all occurring within a five-month span in 2012.
Continue Reading  OCR Announces HIPAA Settlement For Data Security Breaches

With the New Year comes new data breach compliance obligations! Two Mid-Atlantic states have cybersecurity related compliance statutes that have – or will soon – take effect. Are you ready?

New Year’s Day ushered into effect the amended Maryland Personal Information Protection Act, which expands the definition of “personal information,” creates a 45-day deadline for providing notice of a breach, allows for substitute service when the breach enables an individual’s e-mail to be accessed, and increases the class of information subject to Maryland’s destruction of records laws. To the customary litany of data elements comprising “personal information,” Maryland has added personal health and health insurance information, biometric data, online account credentials and passport/government ID numbers. The amended data destruction provision now applies to customer and employee/former employee records containing personal information. See our prior alert detailing the amendments here.
Continue Reading  New 2018 Data Breach Compliance Obligations Begin Going into Effect

Perhaps we have adjusted our expectations. 2015 sent shockwaves through health plan sponsors and health care providers with massive data breaches, such as the one at Anthem Blue Cross Blue Shield, and the rise of ransomware attacks, such as the one that temporarily shut down the information systems at Hollywood Presbyterian Medical Center. 2016 brought a new government audit program that awakened many covered entities and business associates to the need to review their HIPAA compliance measures and their readiness to respond to an audit request.

The 2017 year did not serve up seismic HIPAA events – it mostly provided a continuation of what we have seen in the past. This may be calming, but still leaves plenty to be concerned about.
Continue Reading  HIPAA Breaches and Enforcement: An Uneasy Calm