Privacy & Security Law Blog

Legal Commentary and Resources for the Payment Industry

Insight & Commentary on Information Management and Protection

Category Archives: Healthcare

DWT Advisory: New HIPAA Reports to Congress Shed Light on OCR Enforcement

Posted in Healthcare

The Department of Health and Human Services’ Office for Civil Rights (OCR) has issued two reports to Congress, as required by the HITECH Act. The compliance report details OCR’s enforcement activities for 2011 and 2012 and sheds light on what covered entities and business associates can expect from OCR going forward. This is not the first signal that OCR’s enforcement efforts are shifting and accelerating. The breach report summarizes the breaches affecting 500 or more individuals and offers a glimpse of what OCR is seeing for breaches affecting fewer than 500 individuals.

HIGHLIGHTS

OCR’s compliance report for 2011-2012

As of the end of 2012, OCR had received approximately 77,000 complaints since the Privacy Rule compliance date (April 14, 2003) and had closed 91% of them. More than half of the complaints OCR receives are closed after a determination that OCR does not have jurisdiction to investigate the matter.

OCR clarifies that it opens compliance reviews for all breaches affecting 500 or more individuals. Additionally, OCR may open compliance reviews in response to notifications of breaches affecting fewer than 500 individuals or as it becomes aware of potential non-compliance (such as through media reports). Unlike complaints, OCR does not provide ...

Stolen Patient Information on Hospital Computer Not Considered “Medical Information” by California Appellate Court

Posted in Healthcare

The California Court of Appeal recently held that the release of an index identifying hospital patients did not constitute the release of medical information under California’s Confidentiality of Medical Information Act (CMIA), Civ. Code, § 56 et seq., because the index contained only demographic information and nothing “regarding a patient’s medical history, mental or physical condition, or treatment.” Eisenhower Medical Center v. Superior Court (Malanche), Case No. E058378 (Cal. Ct. App. May 21, 2014). The Court held that “a health care provider cannot be held liable under the relevant portions of the CMIA for the release of an individual’s personal identifying information that is not coupled with that individual’s medical history, mental or physical condition, or treatment.”

$4.8 Million – Largest HIPAA Settlement to Date

Posted in Healthcare

On May 7, 2014, the U.S. Department of Health and Human Services, Office for Civil Rights (“OCR”) issued a press release announcing that two health care organizations—New York and Presbyterian Hospital (“NYP”) and Columbia University (“CU”)—agreed to resolve charges that they potentially violated the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) privacy and security rules by failing to secure thousands of patients’ electronic protected health information (“ePHI”) on their network. The monetary payments total $4.8 million, which is the largest HIPAA settlement to date. This settlement suggests that OCR is increasing its settlement amounts and expects entities to know where their ePHI is located and how it is being accessed.

New Advisory Examining HHS’s HIPAA Guidance on Mental Health Information

Posted in Healthcare

Be sure to check out our recent advisory discussing the latest HIPAA guidance on mental health information. It discusses how the Department of Health and Human Services addresses frequently asked questions about when it is appropriate for providers to share protected health information of a patient who is being treated for a mental health condition with family, friends, or others involved in the patient’s care. The guidance was issued to clarify how the HIPAA Privacy Rule strikes a balance between protecting the privacy of individuals’ mental health information and the need to communicate information to others in order to enhance treatment and assure safety. You can read the advisory here.

FTC’s 50th Data Security Settlement Sends a Message: Be Careful with Overseas Contractors

Posted in Cyber and National Security, Healthcare, Litigation

The Federal Trade Commission (FTC) sent a message about the importance of imposing appropriate security measures on—and monitoring—vendors with access to confidential consumer information. The FTC issued a 20-year consent order with GMR Transcription Services (GMR) over its overseas contractor’s data security breach. The decision marks the FTC’s 50th information security settlement and fifth health information complaint (four of which have settled). For health care providers and business associates, the GMR settlement suggests that the FTC has higher expectations than HHS regarding management and oversight of vendors and other downstream subcontractors, especially when these vendors are outside of U.S. jurisdiction. The GMR settlement did not involve security failures by GMR itself, but by a subcontractor, Fedtrans.

It’s Not Enough to Notify: Don’t Forget the Policies, Risk Analyses, and Training

Posted in Healthcare

HIPAA compliance ended with a bang in 2013, with the feds issuing the first settlement involving a health provider’s failure to have breach notification policies and procedures in place. On Dec. 24, 2013, the Department of Health and Human Services Office for Civil Rights (OCR) entered into a Resolution Agreement with Adult & Pediatric Dermatology, P.C. (AP Derm) that included a settlement of $150,000 and a corrective action plan.

HHS Issues Model Privacy Notices: The Good, the Bad, and the Ugly

Posted in Healthcare

By Adam Greene

Just in time for the September 23, 2013, deadline for compliance with the HIPAA Omnibus Rule, the U.S. Department of Health and Human Services (“HHS”) issued a set of model notices of privacy practices for health care providers and group health plans, available at http://www.hhs.gov/ocr/privacy/hipaa/modelnotices.html.  HIPAA requires covered health care providers and health plans to post such a notice, distribute it to enrollees and new patients, and make it available to everyone.  Business associates of covered entities, who are subject to certain HIPAA privacy and security requirements, are not required to maintain a notice of privacy practices.  The new model notices reflect changes required by the Omnibus Rule, but their use is not required, and covered entities are free to use notices that they have drafted, so long as those notices have been updated with the changes that the Omnibus Rule requires.

New Advisory Highlights How HIPAA Restricts Covered Entities’ Freedom in Responding to Media Requests and Public Complaints

Posted in Healthcare

Adam Greene has posted a new advisory discussing Shasta Regional Medical Center’s HIPAA settlement with the Department of Health and Human Services’ Office for Civil Rights, arising out of the Center’s use and disclosure of protected health information in attempting to rebut media reports of alleged Medicare fraud.  The advisory spotlights the limits that covered entities face in responding to media requests and public patient complaints.  You can access the advisory here.

HHS Releases HIPAA Regulations with Updates Incorporating Omnibus Rule Changes

Posted in Healthcare

By:  Adam H. Greene

In January 2013, the U.S. Department of Health and Human Services released the HIPAA Omnibus Rule in the Federal Register, the most significant changes to the HIPAA regulations since they were first promulgated.  These changes, however, are not yet reflected in the Code of Federal Regulations.  For those of you who have been jumping back and forth between the prior codifications of the HIPAA regulations and the more recent HIPAA Omnibus Rule, there is good news.  HHS has released an updated version of the HIPAA regulations, which incorporates the recent changes from the Omnibus Rule.  The updated regulations are available here as an “unofficial version.”  The official version will not be available until title 45 of the Code of Federal Regulations is updated, likely in October.

Analysis of New HIPAA “Omnibus Rule”

Posted in Healthcare

Be sure to spend some time with our advisory summarizing and providing guidance on the long-awaited “Omnibus Rule” amendments to the administrative simplification provisions of the Health Insurance Portability and Accountability Act (HIPAA), which the Department of Health and Human Services (HHS) published today in the Federal Register.  The advisory explains how the Omnibus Rule implements many privacy and security provisions in the Health Information Technology for Economic and Clinical Health (HITECH) Act and significantly extends HIPAA’s reach and limits.  It expands certain HIPAA obligations to business associates and their subcontractors, modifies the breach notification standard, expands patient rights to access and to restrict disclosure of their protected health information (PHI), imposes new rules governing uses and disclosures of PHI, clarifies enforcement approaches, and addresses obligations under the Genetic Information Nondiscrimination Act of 2008 (GINA).  The advisory also offers recommendations for steps covered entities should consider in the wake of the Omnibus Rule, and discusses the steps business associates and their affiliates must now take under HIPAA.  You can access the advisory here.

HIPAA Omnibus Rule Released

Posted in Healthcare

By Adam Greene and Becky Williams

At long last, after much delay and speculation, the HIPAA Omnibus Rule has been placed on display at the Federal Register in preparation for formal publication.  It clocks in at 563 pages, and we have to admit that we have not yet fully analyzed it, but it is expected to address:

• The breach notification harm threshold
• Direct liability for business associates
• Covered entity liability for business associates who are agents
• Sale of “protected health information” or “PHI”
• Use and disclosure of PHI for marketing purposes
• Use and disclosure of PHI for fundraising
• Enforcement where noncompliance is due to “willful neglect”
• Use of compound authorizations for research and authorization of future research
• Restrictions on disclosure of PHI to health plans when patient pays out of pocket
• Use and disclosure of genetic information for underwriting purposes by health plans
• Disclosure of student immunization records to schools

We will provide more information in a DWT alert and can address your particular issues after we have had an opportunity to review and analyze the rule.

Small Data Breach Leads to $50,000 HHS Settlement for Hospice

Posted in Healthcare

By Adam H. Greene, JD, MPH

In what HHS describes as “the first settlement involving a breach of unprotected electronic protected health information (ePHI) affecting fewer than 500 individuals,” the Office for Civil Rights (OCR) reached a $50,000 settlement and two-year corrective action plan with the Hospice of Northern Idaho regarding the theft of a hospice laptop containing health information of 441 patients. (Only in the world of HIPAA can you have “unprotected … protected” information.) OCR’s press release, continuing a recent trend, emphasized the importance of encrypting mobile devices, conducting a risk analysis, and implementing policies and procedures to address mobile device security.

The press release also emphasizes that OCR is willing to take aggressive actions against entities of any size that fail to safeguard patient information. The $50,000 resolution amount, though, is far below the average of approximately $900,000, suggesting that the size of the organization will play a much larger role than the nature of the incident when determining settlement amounts. For example, OCR recently reached a settlement of $100,000 with a small physician practice for an allegedly widespread lack of information security safeguards, while it reached a $1.5 million settlement with a larger hospital over a ...

HHS Creates Mobile Device Privacy and Security Website: High Expectations for Mobile Device Security

Posted in Healthcare

By Adam H. Greene, JD, MPH

The U.S. Department of Health and Human Services recently posted a website focusing on mobile devices and health information privacy and security at http://www.healthit.gov/mobiledevices.  The website includes five videos on mobile device security, tip sheets and frequently asked questions and answers on mobile device security, a five-step process for addressing mobile devices within a healthcare organization, and downloadable posters promoting mobile security.

New Advisory on HIPAA De-Identification Guidance

Posted in Healthcare

Check out our recent advisory describing the New HIPAA Guidance on De-Identifying Health Information.  In it, Adam Greene explains that the HHS Office for Civil Rights released guidance on how health information may be de-identified, which allows covered entities and business associates to reduce their exposure to HIPAA and expand their use of health data.  The guidance teaches two key lessons: that health information generally is considered individually identifiable unless certain stringent requirements are met, and that using an appropriate expert can provide ways to de-identify information while retaining important properties that otherwise might be lost through other methods of de-identification.  The advisory can be accessed here.
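As an added example that is not part of the advisory or of OCR’s guidance, the following Python script shows what the “stringent requirements” look like in practice for the mechanical route, the Safe Harbor method of 45 CFR 164.514(b)(2): direct identifiers are removed, dates are reduced to the year, ages over 89 are aggregated, and ZIP codes are truncated to three digits (or zeroed out for sparsely populated areas). The sample record, the field names, and the list of small three-digit ZIP areas are constructed for the example; a real deployment would take the ZIP list from Census data and cover the full 18-identifier list.

```python
"""Field-level de-identification of a patient record in the Safe Harbor style.

Added example, not code from the advisory or from OCR. Rules follow the Safe
Harbor method (45 CFR 164.514(b)(2)); field names, the sample record and the
SMALL_ZIP3_AREAS set are assumptions constructed for the example.
"""
import re
from datetime import date

# Fields holding direct identifiers that Safe Harbor requires to be removed
# (assumed field names; biometrics and full-face photos are not modelled).
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street_address", "phone", "fax", "email", "ssn",
    "medical_record_number", "health_plan_id", "account_number",
    "license_number", "vehicle_id", "device_id", "url", "ip_address",
}

# Constructed stand-in for the Census-derived list of three-digit ZIP areas
# with 20,000 or fewer residents; Safe Harbor maps these to 000.
SMALL_ZIP3_AREAS = {"036", "059", "102"}

# Reference date for age computation, fixed so the example is reproducible.
AS_OF = date(2014, 5, 1)

# Constructed sample record; no real person.
SAMPLE_RECORD = {
    "name": "Jane Example",
    "street_address": "1 Example Way",
    "zip": "02139",
    "birth_date": date(1920, 6, 1),
    "admission_date": date(2014, 3, 15),
    "medical_record_number": "MRN-0001",
    "email": "jane@example.invalid",
    "diagnosis": "Type 2 diabetes",
}


def compute_age(birth: date, as_of: date) -> int:
    """Whole years between birth and as_of."""
    years = as_of.year - birth.year
    if (as_of.month, as_of.day) < (birth.month, birth.day):
        years -= 1
    return years


def deidentify_zip(zip_code: str) -> str:
    """Keep the first three digits unless the area is small or the value is malformed."""
    digits = re.sub(r"\D", "", zip_code)[:3]
    if len(digits) != 3 or digits in SMALL_ZIP3_AREAS:
        return "000"
    return digits


def deidentify_record(record: dict, as_of: date) -> dict:
    """Return a new dict with Safe Harbor field rules applied."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue  # direct identifiers are dropped entirely
        if key == "zip":
            out["zip3"] = deidentify_zip(value)
        elif key == "birth_date":
            # Birth dates keep only the year, and ages over 89 collapse into "90+".
            age = compute_age(value, as_of)
            out["birth_year"] = "90+" if age > 89 else str(value.year)
        elif key.endswith("_date"):
            # Other dates related to the individual (admission, discharge, ...) keep the year.
            out[key[: -len("_date")] + "_year"] = str(value.year)
        else:
            out[key] = value  # clinical content such as diagnosis is retained
    return out


def deidentify_sample() -> dict:
    """Convenience wrapper over the constructed sample record."""
    return deidentify_record(SAMPLE_RECORD, AS_OF)


if __name__ == "__main__":
    for k, v in deidentify_sample().items():
        print(f"{k}: {v}")
```

The script handles only the identifier rules; Safe Harbor additionally requires that the covered entity have no actual knowledge that the remaining data could identify the individual, and the expert determination method the advisory discusses is a statistical judgment that no field-level script can replace.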

Three New Major HIPAA Announcements

Posted in Healthcare

By Adam Greene

The past week has brought a number of developments with respect to HIPAA.  The long-awaited finalization of a number of modifications to HIPAA remains on hold, as the Office of Management and Budget posted that it has extended its review of the draft regulations.  The HHS Office for Civil Rights (“OCR”), which administers and enforces HIPAA, published the audit protocol that is being used in OCR’s current privacy and security audits.  The protocol includes the key areas of the audits, the types of questions that will be asked, and the types of documentation that will be reviewed.  The protocol leaves a lot of ambiguity, however, by failing to provide much detail about the standards against which audited entities are judged.  Finally, OCR announced a $1.7 million settlement with Alaska’s Medicaid agency.  The investigation was triggered by the theft of a portable hard drive that may have contained protected health information, but led to OCR finding allegedly widespread noncompliance with the Security Rule.  It shows that no covered entity is immune from a sizable settlement under HIPAA, and that relatively small breaches may unearth large HIPAA problems during the subsequent investigation.  More information about these developments is available ...

Business Associates Beware: First HIPAA Enforcement Action Against a Business Associate

Posted in Healthcare

By Adam H. Greene and Rebecca L. Williams

Over at our Learning Center, be sure to check out the new advisory on the first formal enforcement action against a business associate, Accretive Health, Inc., for alleged violations under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), which was brought by Minnesota’s Attorney General under the Health Information Technology for Economic and Clinical Health (“HITECH”) Act.  The enforcement action comes after the theft of an unencrypted laptop computer containing approximately 23,500 patients’ records, and offers stark reminders both that the HITECH Act’s provisions for business associates currently are in effect, and that state attorneys general and the federal Department of Justice are not bound by the U.S. Department of Health and Human Services’ still-effective forbearance from enforcing the HITECH Act in cases like that of Accretive Health.  You can read more here.

Supreme Court Considers Damages for Privacy Violation’s Emotional Harm

Posted in Healthcare, Marketing and Consumer Privacy

By Adam H. Greene

On Nov. 30, 2011, the U.S. Supreme Court held oral arguments in Federal Aviation Administration v. Cooper, No. 10-1024. At issue in the case is whether the plaintiff is entitled to damages under the Privacy Act of 1974 for emotional distress caused by the government’s disclosure of his HIV status, including “sleeplessness, loss of appetite, physical tension, agitation, isolation from friends and anxiety.”

Enforcement Trends in Health Care with Adam Greene

Posted in Healthcare

Nov. 10, 2011, 1:00pm:  Enforcement Trends in Health Care with Adam Greene

Over the past couple of years, we have seen a significant increase in enforcement of health care privacy laws at both the federal and state level. On November 10th at 1:00 pm EST, Davis Wright Tremaine’s Adam Greene will be presenting on this topic on a webinar of the International Association of Privacy Professionals.  More information, including registration, is available at https://www.privacyassociation.org/events_and_programs/web_conferences/.

HHS Text4Health Task Force Makes Texting Recommendations to Secretary

Posted in Healthcare

By Adam H. Greene

On Sept. 19, 2011, the U.S. Department of Health and Human Services (HHS) announced recommendations from an internal Text4Health Task Force on ways in which HHS can best utilize text messaging to improve population health. One of the issues raised by the Task Force is the need for further research and guidance on the privacy and security of health text messaging.

HHS Appoints New Director of Office for Civil Rights–Will Heightened HIPAA Enforcement Continue?

Posted in Healthcare

By Adam H. Greene

On Sept. 12, 2011, HHS announced the appointment of Leon Rodriguez as the Director of the Office for Civil Rights, the agency responsible for administering and enforcing the Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy, security, and breach notification rules. Mr. Rodriguez is coming from the Department of Justice Civil Rights Division, where he served as the Deputy Assistant Attorney General and chief of staff. He has extensive experience as a prosecutor at the Department of Justice, a defense attorney in private practice, and the county attorney for Montgomery County, Maryland.

Update on HIPAA Privacy and Security Audits

Posted in Healthcare

This posting has been modified as of Sept. 8, 2011. Audit contracts are now available here.

By Adam H. Greene

In July 2011, DWT issued an advisory on HHS’ recent awarding of a contract to KPMG to conduct HIPAA privacy and security audits, available here. Since that time, we have obtained copies of the audit contracts, available here, and heard from the HHS Office for Civil Rights, shedding some additional light on what covered entities can expect:

• Audits that uncover major violations may lead to formal enforcement;
• The audits will focus on general privacy and security compliance;
• The contractor is expected to precede site visits with advance requests for documentation, thereby providing some level of advance notice;
• Audit teams are expected to consist of three to five persons and site visits are expected to last two to five days; and
• Pilot testing of the audit protocol is likely to begin later this year and proceed through January 2012, with the full round of audits occurring through the remainder of the year.

Fourth HIPAA Settlement in a Year Highlights Increasing Enforcement Trend

Posted in Healthcare

HHS has announced its fourth HIPAA formal settlement agreement in less than a year (which does not even include the $4.3 million civil money penalty that was also imposed). Adam Greene discusses this new level of HIPAA enforcement, highlights some of the lessons learned from the first settlements, and points to the government’s upcoming enforcement opportunities that could bring a new wave of HIPAA headlines. To read more, click here.