The FTC recently reported that over $650 mm worth of cryptocurrency was stolen by hackers last year. Thus far, over $320 mm in cryptocurrency has been stolen by hackers this year. Not surprisingly, this surge in crypto breaches has led to litigation. In our monthly webcast series, Ballard partners Phil Yannella, Greg Szewczyk and
The new year began with an unusual amount of activity related to the Health Insurance Portability and Accountability Act (HIPAA). Health care providers, health plans, health care clearinghouses, and business associates subject to HIPAA will need to consider three significant developments—one regulatory, one legislative, and one judicial—relating to the Privacy and Security Rules under HIPAA and the related Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH).
Continue Reading A Fast Start: 2021 Begins With Major HIPAA Developments
As people across the country and world try to figure out how to protect themselves against the spread of coronavirus, hackers are working hard to spread their own viruses. Indeed, various cybersecurity firms have reported that the amount of malicious emails containing the word “coronavirus” has significantly increased since the end of January.
Following on the heels of a few relatively small HIPAA settlements, the U.S. Department of Health and Human Services Office of Civil Rights (OCR) announced that it has imposed $2,154,000 in civil monetary penalties against Jackson Health System in Florida for its failure to meet HIPAA privacy and security requirements. The OCR announcement and accompanying…
A relatively quiet year for HIPAA enforcement is ending with a small flourish. The Office of Civil Rights of the Department of Health and Human Services (HHS) has announced two settlements with covered entities within the span of eight days.
The first settlement involved Advanced Care Hospitalists (ACH), a company that provides internal medicine physicians to hospitals and nursing homes in Florida. In 2014, ACH received notice from a local hospital that individually identifiable patient information had been posted on the website of a third party billing provider. ACH reported the breach, which ultimately led to an HHS investigation. HHS found that:
- The disclosure affected 9,225 patients.
- ACH failed to enter into a business associate agreement with one or more vendors who had access to protected health information (PHI).
- ACH did not implement privacy, security, or breach notification policies and procedures until after the breach was discovered.
- ACH failed to conduct a security risk analysis until after the breach was discovered.
To settle these matters, ACH agreed to pay a $500,000 penalty and fulfill its obligations under a supervised corrective action plan that focuses on the identified failures.
The second settlement followed from a complaint lodged with HHS against Pagosa Springs Medical Center (PSMC) in Colorado. The ensuing investigation revealed:
- The impermissible disclosure of the PHI of at least 557 individuals to a former employee whose access to PSMC’s information systems was not revoked upon termination of employment.
- The impermissible disclosure of the PHI of at least 557 individuals to a business associate without an appropriate business associate agreement.
The Office of Civil Rights of the Department of Health and Human Services has announced settlements with three different Boston-area hospitals for allegedly compromising the privacy of protected health information by inviting documentary film crews on premises without first obtaining patient authorization. The three settlements call for a total of almost $1 million in penalty payments and require each of the hospitals to undertake corrective action. The corrections are not the same for each hospital and range from workforce education and communication to the establishment of specific procedures, for example, for deciding when to allow media access and for putting safeguards in place to monitor film crew activity.
Continue Reading Beware the Bright Lights
Imagine a breach in the privacy of protected health information. The violation of an individual’s HIPAA rights may be clear, but the individual cannot sue under HIPAA. Courts have consistently held that HIPAA provides no private right of action.
In the recent case of Lee-Thomas v. Lab Corp., an individual brought suit, claiming that her HIPAA rights had been violated. When hospitalized, she had been asked to submit medical information on a computer. She alleged that the information she entered was visible to another patient at a nearby computer station. The court did not reach the question of whether the proximity of the computers resulted in a HIPAA violation. It dismissed the claim, observing that HIPAA limits enforcement actions to the U.S. Department of Health and Human Services and states’ attorneys general.
The absence of a private right of action under HIPAA significantly reduces the risks faced by covered entities and business associates, but it does not shield them against all litigation and liability. Lawsuits for the improper disclosure of personal medical information have been brought under different theories, including common law breaches of privacy and breaches of contract. Last year, Anthem Inc. settled a class action, arising from a large 2015 data breach, for $115 million. Currently, litigation is being pursued under non-HIPAA claims for disclosures that have resulted from mailing practices, including the use of window envelopes and incorrect addresses. Case law is emerging, and it is possible that courts will refer to HIPAA’s standards as setting the bar for the privacy and data security safeguards that should be implemented and followed, but individuals who sue for breaches of those safeguards will need to base their claims on something other than a HIPAA violation.
Continue Reading HIPAA Enforcement: Where’s the Action?
The Departmental Appeals Board of the Department of Health and Human Services (“Board”) has granted summary judgment against the University of Texas MD Anderson Cancer Center (“Center”) and upheld the imposition of $4.3 million in penalties against the Center for violations of HIPAA’s privacy and security rules. In this case, the personal medical data of more than 33,000 individuals was exposed through the theft of a laptop and the loss of unencrypted thumb drives. None of these devices was encrypted, and the laptop was not password protected.
Continue Reading Appeals Board Upholds $4.3 Million in HIPAA Penalties Against Hospital
Filefax, Inc., a health care records moving and storage company that served as a business associate, went into receivership in 2016. But its receivership did not put an end to an OCR investigation into a HIPAA violation from 2015. Now, the receiver for Filefax has agreed to pay a fine of $100,000 and to properly store, inventory, and dispose of the medical records remaining in its possession under HHS supervision.
The investigation began with a complaint that OCR received about the exposure of a large volume of documents containing protected health information. The investigation confirmed that an individual had left medical records of approximately 2,150 patients at a shredding and recycling facility and that Filefax had either left the PHI in an unlocked truck in the Filefax parking lot or granted permission to a person to remove the PHI from Filefax and left the PHI, unsecured, outside the Filefax facility for that person to collect.
Continue Reading Closure of Business Does Not Foreclose HIPAA Liabilities
Lyft recently confirmed that it is investigating whether its employees were accessing its customer database without appropriate authorization to obtain personal information, including rides taken by Facebook CEO Mark Zuckerberg. The investigation was announced less than six months after Uber entered into a Federal Trade Commission (FTC) consent order to resolve allegations of similar behavior by its own employees.
The investigation demonstrates the importance of revisiting internal compliance measures in the wake of legal developments that may be relevant to a particular company or industry. Companies need to maintain comprehensive privacy programs to ensure the confidentiality of the personal information that they collect. Such programs should include, at a minimum:…
Continue Reading Lyft Employees Demonstrate Need for Privacy Compliance Management