Health Insurance Portability and Accountability Act (HIPAA)

On February 7, 2019, the Office of Civil Rights (OCR) of the U.S. Department of Health and Human Services published the resolution agreement for its final HIPAA settlement of 2018.  The resolution agreement cited two breach notifications that OCR received from the parent of several hospitals in California.  In 2013, the provider notified OCR of a breach that occurred when one of its contractors removed electronic security protections from a server.  This breach affected more than 50,000 individuals.  In 2015, the provider submitted notice of a second breach, this one resulting from an employee’s activation of the wrong website, affecting more than 11,000 individuals.
Continue Reading

A relatively quiet year for HIPAA enforcement is ending with a small flourish.  The Office of Civil Rights of the Department of Health and Human Services (HHS) has announced two settlements with covered entities within the span of eight days.

The first settlement involved Advanced Care Hospitalists (ACH), a company that provides internal medicine physicians to hospitals and nursing homes in Florida.  In 2014, ACH received notice from a local hospital that individually identifiable patient information had been posted on the website of a third party billing provider.  ACH reported the breach, which ultimately led to an HHS investigation. HHS found that:

  • The disclosure affected 9,225 patients.
  • ACH failed to enter into a business associate agreement with one or more vendors who had access to protected health information (PHI).
  • ACH did not implement privacy, security, or breach notification policies and procedures until after the breach was discovered.
  • ACH failed to conduct a security risk analysis until after the breach was discovered.

To settle these matters, ACH agreed to pay a $500,000 penalty and fulfill its obligations under a supervised corrective action plan that focuses on the identified failures.

The second settlement followed from a complaint lodged with HHS against Pagosa Springs Medical Center (PSMC) in Colorado.   The ensuing investigation revealed:

  • The impermissible disclosure of the PHI of at least 557 individuals to a former employee whose access to PSMC’s information systems was not revoked upon termination of employment.
  • The impermissible disclosure of the PHI of at least 557 individuals to a business associate without an appropriate business associate agreement.


Continue Reading

The Office of Civil Rights of the Department of Health and Human Services has announced settlements with three different Boston-area hospitals for allegedly compromising the privacy of protected health information by inviting documentary film crews on premises without first obtaining patient authorization.  The three settlements call for a total of almost $1 million in penalty payments and require each of the hospitals to undertake corrective action.  The corrections are not the same for each hospital and range from workforce education and communication to the establishment of specific procedures, for example, for deciding when to allow media access and for putting safeguards in place to monitor film crew activity.
Continue Reading

Imagine a breach in the privacy of protected health information.  The violation of an individual’s HIPAA rights may be clear, but the individual cannot sue under HIPAA.  Courts have consistently held that HIPAA provides no private right of action.

In the recent case of Lee-Thomas v. Lab Corp., an individual brought suit, claiming that her HIPAA rights had been violated.  When hospitalized, she had been  asked to submit medical information on a computer.  She alleged that the information she entered was visible to another patient at a nearby computer station.  The court did not reach the question of whether the proximity of the computers resulted in a HIPAA violation.  It dismissed the claim, observing that HIPAA limits enforcement actions to the U.S. Department of Health and Human Services and states’ attorneys general.

The absence of a private right of action under HIPAA significantly reduces the risks faced by covered entities and business associates, but it does not shield them against all litigation and liability. Lawsuits for the improper disclosure of personal medical information have been brought under different theories, including common law breaches of privacy and breaches of contract.  Last year, Anthem Inc. settled a class action, arising from a large 2015 data breach, for $115 million. Currently, litigation is being pursued under non-HIPAA claims for disclosures that have resulted from mailing practices, including the use of window envelopes and incorrect addresses.  Case law is emerging, and it is possible that courts will refer to HIPAA’s standards as setting the bar for the privacy and data security safeguards that should be implemented and followed, but individuals who sue for breaches of those safeguards will need to base their claims on something other than a HIPAA violation.
Continue Reading

The Departmental Appeals Board of the Department of Health and Human Services (“Board”) has granted summary judgment against the University of Texas MD Anderson Cancer Center (“Center”) and upheld the imposition of $4.3 million dollars in penalties against the Center for violations of HIPAA’s privacy and security rules.  In this case, the personal medical data of more than 33,000 individuals was exposed through the theft of a laptop and the loss of unencrypted thumb drives.  None of these devices was encrypted, and the laptop was not password protected.
Continue Reading

A celebrity collapses on stage and is rushed to the hospital. Rumors race through social media faster than the ambulance can navigate city streets. Was it exhaustion? Was it her heart? Was there a gunshot? The press broadcasts through the night outside the ER. You are a hospital administrator who has access to information about the celebrity’s medical condition and treatment. You stay past your shift until the patient’s condition is stable and the 11 p.m. news reports have finished. You exit through a side door to avoid attention, but a man comes up alongside you. You know him from some prior incidents. He is an insurance investigator for the arena where the celebrity was performing. He asks you questions, seeking to confirm facts for a preliminary report he is filing.  All of the facts that he recites about the celebrity’s condition are true. All of them have been widely reported already. You keep quiet.

You have been well trained. That is what you should do.
Continue Reading

The virtual world offers opportunities and obligations not found in nature.

For a couple of years, my wife has followed the adventures of a bonded eagle couple, Liberty and Freedom, residing in the hills near Hanover, Pennsylvania. A strategically positioned webcam offers a round-the-clock view of nesting activities. Last year the pair hatched two eggs and cared for the eaglets until they fledged.

This year, it appears as if calamity struck. Liberty has disappeared, and a new female, Lucy, has taken her place in the nest, destroying one of the eggs. Although the other egg remains in the nest, it is widely believed that the disturbance has rendered it unviable and that it will not hatch. It is possible that Lucy fought with the older Liberty and killed her.  The body has not been found.  It is also possible that Freedom and Lucy will now bond, but most viewers do not expect them to produce eggs this year.

In the virtual world, health care providers, health plans, health care clearinghouses, and their business associates have a responsibility to protect the treasured asset of individually identifiable information from predators and other dangers. But unlike eggs, which cannot be recovered if stolen or damaged, data is retrievable.
Continue Reading

In March, we reported that the Oregon legislature was considering amending its data breach notification and information security laws. That legislation has now passed the Oregon legislature and been signed into law by Oregon’s governor.  A copy of the new law is available here. The most notable changes are as follows:

Continue Reading

Filefax, Inc., a health care records moving and storage company that served as a business associate, went into receivership in 2016.  But its receivership did not put an end to an OCR investigation into a HIPAA violation from 2015. Now, the receiver for Filefax has agreed to pay a fine of $100,000 and to properly store, inventory, and dispose of the medical records remaining in its possession under HHS supervision.

The investigation began with a complaint that OCR received about the exposure of a large volume of documents containing protected health information.  The investigation confirmed that an individual had left medical records of approximately 2,150 patients at a shredding and recycling facility and that Fllefax had either left the PHI in an unlocked truck in the Filefax parking lot or granted permission to a person to remove the PHI from Filefax and left the PHI, unsecured, outside the Filefax facility for that person to collect.
Continue Reading

The Philadelphia Eagles’ Super Bowl aspirations dimmed on a late autumn afternoon when two Ram defenders hammered their star quarterback, Carson Wentz, on a run to the end zone that was called back for a penalty. Wentz stayed in the game and threw a touchdown pass, but soon disappeared into the locker room for the remainder of the game. By mid-week, the medical reports confirmed what most Eagles fans already seemed to know: Wentz had torn ligaments in his knee and was finished for the season.

In the two weeks leading to the Super Bowl, sports media filled time and space with stories about the cut on Tom Brady’s hand and Rob Gronkowski’s expected clearance to play after suffering a concussion.

How, in the world of HIPAA privacy and security was so much medical information available for public consumption?
Continue Reading