An Atlanta, Georgia man was sentenced earlier this month to one year and one month in prison for intentionally accessing a computer of a competing medical practice, and taking personal information of the patients.  The individual made this improper access in order to send marketing materials to patients at the other practice.

The individual worked as an information technology specialist for a perinatal medical practice in Atlanta.  He separated from employment from the first practice and joined a competing perinatal medical practice, located in the same building.  He then used his home computer to hack into his former employer's patient database.  He downloaded the names, telephone numbers, and addresses of his former employer's patients and then deleted all the patient information from their system. He subsequently used the patient names and contact information to launch a direct-mail marketing campaign for the benefit of his new employer.  Even so, there was no evidence that patient medical information was accessed or misused.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

In its recent Annual Report to Congress on Breaches of Unsecured Protected Health Information, the Office of Civil Rights of the Department of Health and Human Services, we see confirmation of certain trends-- bigger breaches and breaches involving theft of electronic media:

Between January 1, 2010 and December 31, 2010, breaches involving 500 or more individuals also made up less than one percent of reports, yet accounted for more than 99 percent of the more than 5.4 million individuals who were affected by a breach of their protected health information. The largest breaches in 2010, like 2009, occurred as a result of theft. However, in comparison to 2009, in 2010, the number of individuals affected by the loss of electronic media or paper records containing protected health information was greater than the number of individuals affected by unauthorized access or human error.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

This report from the Office of the Inspector General for the Department of Health and Human Services reveals significant holes in Medicare contractor security.  Here's a notable excerpt:

Security Awareness Training
The Computer Security Act of 1987 (P.L. No. 100-235) requires periodic training in computer security awareness and accepted computer practices for all employees who manage, use, or operate Federal computer systems. Additionally, Federal regulations (5 C.F.R. § 930.301(a)) require that role-specific training be provided based on each user’s security responsibilities and require agencies to provide training for employees with significant information security responsibilities. The CMS Business Partners Systems Security Manual requires Medicare contractors to document and monitor information security training activities.

Sixteen of the twenty-one Medicare contractors had no identified gaps in security awareness training, while the remaining 5 had 3 to 4 gaps each. In total, 16 gaps were identified in this area, with no gaps assigned to a high-impact subcategory. Following are examples of gaps in security awareness training:

• The contractor did not formally track and monitor job-specific security training to ensure that employees received the minimal requirements stated in the policy.
• Employees did not complete security awareness refresher training.

Employees who are unaware of their security responsibilities or have not received adequate training may be at increased risk of causing or exacerbating a computer security incident. If security personnel are not provided specific job-related training, management has no assurance that these employees can effectively perform their job responsibilities. Inadequately trained employees could cause the loss, destruction, or misuse of sensitive information and information technology (IT) assets.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

In an article in today's New York Times, we get some real-life insight into the difficulties in responding to a data breach.  Even simple questions, like whether or not to report the breach and who is responsible for reporting it, take on unforeseen complexity.

The particular breach in question happened at the Massachusetts eHealth Collaborative, when an employee's car was broken into and a company laptop stolen.  The ramifications included:

• spending nearly $300,000 in legal, private investigation, credit monitoring and media consultancy fees;
• devoting 600 person-hours of staff time to the breach;
• hiring a crisis team of lawyers and customers and a chief security officer;
• hiring a private investigator to scour local pawnshops and Craigslist for the stolen laptop; and
• notifying some of the affected patients and offering them free credit monitoring.

The eHealth Collaborative's Executive Director, Micky Tripathi, first outlined the breach and critiques the article in his blog. 
 

• Email This
• Print
• Comments
• Trackbacks
• Share Link

A recent Massachusetts case shows that even prisoners have a right to privacy in their medical records. In this case, Alexander v. Clark, Suffolk Superior Court, Civil Action No. 0905456-H 28 Mass. L. Rptr. No. 14, 291 (May 30, 2011), the court sided with the claim of a prisoner that her health information had been wrongfully disclosed. In particular, the prisoner, Christine Alexander, sued several correction officials because those officials had sent documents regarding her “request for Propecia for hair loss” to another inmate without her permission.   

The court found that the inmate-patient had a claim under the Massachusetts Privacy Statute, Mass. Gen L. ch. 214, § 1(b), and held that her claim was “arguably substantial and serious.” This holding came was even though “the release of information was not extensive and may have been done without malice.” The Court also held that although the inmate-plaintiff had no claim for damages, the inmate-plaintiff could sue for injunctive relief (however, since the harm has already been done, and the hair lost, it is unclear just what that injunctive relief would be).

Curiously, given the nature of the claim, the inmate-plaintiff sued in her own name (not an alias) and the decision was apparently issued without any consideration of redacting her name, thereby compounding her original concern about her loss of privacy.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

When we last looked at OCR's reporting on HIPAA breaches impacting 500 or more individuals, back in May 2011, there had been 265.  This was up from September 2010, when there had been 191 such breaches. As of today, there as 292 listed.  Given that the last reported date of breach on the OCR's list is May 8, there are surely over 300 breaches that have now been reported.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

In another sign that OCR is continuing to seek significant penalties for HIPAA violations, it announced on July 7 that the UCLA Health System ("UCLAHS") has agreed to settle potential violations of the HIPAA Privacy and Security Rules for $865,500 and has committed to a corrective action plan aimed at remedying gaps in its compliance with those rules.  This follows on the heels of Massachusetts General Hospital's $1 million settlement with OCR.

The resolution agreement resolves two separate complaints filed with OCR on behalf of two celebrity patients who received care at UCLAHS. The complaints alleged that UCLAHS employees repeatedly and without legitimate reasons looked at the electronic protected health information of these patients. OCR's subsequent investigation into the complaints revealed that from 2005-2008, unauthorized employees repeatedly looked at the electronic protected health information of numerous other UCLAHS patients.  

The corrective action plan requires UCLAHS to implement Privacy and Security policies and procedures approved by OCR, to conduct regular and robust trainings for all UCLAHS employees who use protected health information, to sanction offending employees, and to designate an independent monitor who will assess UCLAHS compliance with the plan over 3 years.  All in all, a very expensive proposition for UCLAHS.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

As promised in our earlier entry, here is our detailed discussion of  the Supreme Court's decision in Sorrell v IMS Health, Inc.,written by Colin J. Zick, Pat A. Cerundolo, Tad Heuer 

On Thursday, June 23, the United States Supreme Court voted 6-3 to strike down a Vermont statute that sought to impose significant restrictions on pharmaceutical detailing and “data mining” activities. Justice Kennedy’s opinion in the closely-watched case of Sorrell v. IMS Health Inc. held that the Vermont statute was an unconstitutional regulation of commercial speech. In so doing, the Court found that the sale, disclosure, and use of redacted pharmacy records containing physician prescribing information constituted “speech in aid of pharmaceutical marketing” and therefore enjoyed First Amendment protection. This case is an important victory for the pharmaceutical, medical device, biotechnology, and related sectors, The following summarizes this ruling and its potential consequences to those involved in these industries.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

By Tad Heuer, Esq.

The Supreme Court this morning voted 6-3 to strike down a Vermont statute that sought to impose significant restrictions on pharmaceutical data mining activities. Justice Kennedy's opinion in the closely-watched case of IMS v. Sorrell held that the Vermont statute was an unconstitutional regulation of commercial speech.

The first paragraph of Justice Kennedy's opinion provides a brief summary of the posture of the case and of the Court's decision:

Vermont law restricts the sale, disclosure, and use of pharmacy records that reveal the prescribing practices of individual doctors. Vt. Stat. Ann., Tit. 18, §4631 (Supp. 2010). Subject to certain exceptions, the information may not be sold, disclosed by pharmacies for marketing purposes, or used for marketing by pharmaceutical manufacturers. Vermont argues that its prohibitions safeguard medical privacy and diminish the likelihood that marketing will lead to prescription decisions not in the best interests of patients or the State. It can be assumed that these interests are significant. Speech in aid of pharmaceutical marketing, however, is a form of expression protected by the Free Speech Clause of the First Amendment. As a consequence, Vermont’s statute must be subjected to heightened judicial scrutiny. The law cannot satisfy that standard.

We will be publishing a more extensive analysis shortly; watch this space for a link to it.

• Email This
• Print
• Comments (1)
• Trackbacks
• Share Link

The case of Dr. Alexandra Thran should cure any physician of the desire to discuss a patient on Facebook.  Dr. Thran has been reprimanded by her state's Medical Board and lost her emergency room privileges. Although the posting in question did not list the patient’s name, Dr. Thran provided enough details so that at least one other person could identify the patient. The result was irreparable damage to her career. 

In an article in the most recent Annals of Internal Medicine discussing this case, the author referred to Facebook as the “new elevator.”  Those familiar with hospitals will recall the ever present signs reminding health care providers to take care about what they say on elevators.  Whether you are in health care or in another industry, it is important to remind employees that what they say online is not private and that even when they do not name people by name, dots can be connected and that repercussions of doing so can be significant.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

I give my perspective on issues of physician privacy in this video from The HealthCare Channel, including:

• Can physicians challenge online review sites such as Health Grades or Vitals.com to have critical patient comments removed?
• The Supreme Court will rule soon on the case against the State of Vermont and the law banning the sale of prescription data to companies for use in marketing to those physicians.  
• Is there a downside to doctors moving to electronic medical records, particularly extra monitoring and restriction of medical practice due to state and federal monitoring?

• Email This
• Print
• Comments
• Trackbacks
• Share Link

When we last looked at OCR's reporting on HIPAA breaches impacting 500 or more individuals, back in September 2010, there had been 191 such breaches. In the intervening 7 months, that number has jumped to 265 such breaches listed on OCR's website.  It's safe to expect these figures will continue to climb for the foreseeable future.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Earlier today, I delivered a presentation on "Data Security and Privacy for Medical Device, Pharmaceutical and Life Sciences Companies:  How to manage your obligations under HIPAA, the HITECH Act and other federal and state data privacy and security laws" with colleagues Ara Gershengorn and Sarah Altschuller.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

On March 14, the California-based managed care organization, Health Net, Inc., announced that it cannot account for "several server drives" that contained protected health information.  According to California regulators, these servers appear to contain the data of 1.9 million people nationwide:

The company announced today that nine of its server drives containing personal information for 1.9 million current and past enrollees nationwide are missing, including records for more than 622,000 enrollees in Health Net products regulated by the DMHC, more than 223,000 enrolled in California Department of Insurance products, and a number enrolled in Medicare.. 

Since this is the second incident in two years for the company (see "Connecticut AG Opens New Era in HIPAA Enforcement with Health Net Suit"), it will be interesting to see what  kind of penalty Health Net could face from the federal government.  In that regard, consider that the loss of 192 records just cost Massachusetts General Hospital $1 million.  If a penalty in the same proportion were applied to this breach, Health Net could face a penalty of over $9 billion.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

As we noted earlier this month, Massachusetts General Hospital recently entered into a $1 million Resolution Agreement  and Corrective Action Plan with the Department of Health and Human Services' Office of Civil Rights.  This settlement stemmed from an incident on March 9, 2009, when a MGH employee was commuting on the subway, "removed documents containing PHI from her bag and placed them on the seat beside her. The documents were not in an envelope and were bound with a rubber band. Upon exiting the train, the MGH employee left the documents on the subway train and they were never recovered. These documents contained the PHI of 192 individuals."  There was, however, no indication that any of the PHI was ever used in any way.

While the $1 million penalty is an attention-grabber, the elements of the Corrective Action Plan are also likely to be at least as costly and will be very burdensome.  They include:

• three (3) years of reporting obligations from MGH to OCR;
• adoption of new policies that OCR must review and approve;
• training on these new policies that OCR must review and approve;
• retention of a monitor who will conduct:
  • unannounced site inspections of MGH’s locations/departments/practices;
  • interviews with any members of the workforce who use PHI; 
  • interviews with any members of the workforce involved in implementing the safeguards required by the CAP;
  • inspection of a sample of laptops and USB flash drives that contain ePHI and are under the control of workforce members to ensure that such devices satisfy all applicable requirements of the Policies and Procedures; and
  • inspection of relevant documents and interviews with workforce members for the purpose of confirming consistent training, implementation, and enforcement of the Policies and Procedures among workforce members.
• submission of semi-annual monitor reports;
• self-reporting of any "significant violations" of the CAP;
• submission of an implementation report after 120 days of the CAP; and
• annual reports to the monitor, which will be passed on to OCR.

This is a pretty heavy burden to carry around for three years.   In fact, the CAP looks much more like a Corporate Integrity Agreement of the type entered into by a pharmaceutical manufacturer after a health care fraud settlement.  I suspect that is precisely the message that OCR wanted to send.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

While the effect of the federal legislation modifying the FTC Red Flags Rule has been known for a while, the court proceedings that challenged the rule have now caught up.  The American Bar Association's suit has been dismissed, and the American Medical Association announced it is voluntarily dismissing its case:  "The lawsuit filed by the Litigation Center of the AMA and the State Medical Societies, the American Osteopathic Association and the Medical Society of the District of Columbia, and joined by 26 national medical specialty societies, will now formally end."

• Email This
• Print
• Comments
• Trackbacks
• Share Link

In a recent article in the Journal of Medical Internet Research, the strength of passwords in clinical trials was analyzed. In all cases that were examined, "the recovered passwords were poorly constructed, with names of local locations (e.g., “ottawa”), names of animals (e.g., “cobra”), car brands (e.g., “nissan”), and common number sequences (e.g., “123”)." 

This result comes as no real surprise.  These conclusions build on prior studies which have repeatedly shown that password strength is weak.  It is perhaps the easiest and cheapest way to increase IT security and yet it continues to receive short shrift.

The study also noted that "the files in [the] sample used the default weak encryption methods. Therefore, an adversary had two different ways to extract the PHI: by attacking the weak algorithm itself or by attacking the weak password."

The study's recommendations?  Fairly simple:  "use the built-in password protection capabilities available in tools for common file formats (such as WinZip and Microsoft Office) and then transmit the encrypted files" and "using PGP (Pretty Good Privacy) or S/MIME (Secure/Multipurpose Internet Mail Extensions)."

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Earlier today, the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) issued a Notice of Final Determination finding that Cignet Health of Prince George’s County, Md., (Cignet) violated the Privacy Rule of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). HHS imposed a civil money penalty (CMP) of $4.3 million for the violations, representing what OCR said was "the first CMP issued by the Department for a covered entity’s violations of the HIPAA Privacy Rule."  The CMP is based on the violation categories and increased penalty amounts authorized by Section 13410(d) of the Health Information Technology for Economic and Clinical Health (HITECH) Act.

According to the HHS press release, in a Notice of Proposed Determination issued Oct. 20, 2010, OCR found that Cignet violated 41 patients’ rights by denying them access to their medical records when requested between September 2008 and October 2009. These patients individually filed complaints with OCR, initiating investigations of each complaint. The HIPAA Privacy Rule requires that a covered entity provide a patient with a copy of their medical records within 30 (and no later than 60) days of the patient’s request. The CMP for these violations was$1.3 million.

HHS also concluded that during the investigations, Cignet refused to respond to OCR’s demands to produce the records. Additionally, Cignet failed to cooperate with OCR’s investigations of the complaints and produce the records in response to OCR’s subpoena. OCR filed a petition to enforce its subpoena in United States District Court and obtained a default judgment against Cignet on March 30, 2010.  On April 7, 2010, Cignet produced the medical records to OCR, but otherwise made no efforts to resolve the complaints through informal means. OCR also found that Cignet failed to cooperate with OCR’s investigations on a continuing daily basis from March 17, 2009, to April 7, 2010, and that the failure to cooperate was due to Cignet’s willful neglect to comply with the Privacy Rule. Covered entities are required under law to cooperate with the Department’s investigations. The CMP for these violations was $3 million.
 

• Email This
• Print
• Comments (1)
• Trackbacks
• Share Link

In the recently-released fiscal 2012 budget for HHS, a dirty little secret has been acknowledged:  the Office of Civil Rights does not have the resources to review all reported breaches of health information.  In fact, if you have a breach that impacts up to 499 people, you are unlikely to hear from OCR at all:

Current OCR practice is to validate, post to the HHS website, and
subsequently investigate all breach reports that impacted more than 500 individuals.
Breach reports that impacted fewer than 500 individuals are compiled for future reporting
to Congress; however they are treated as discretionary and only investigated if resources
permit.

While this prioritization makes a certain amount of sense, it leaves the vast majority of breaches unreviewed.  According to that same budget report, "[a]s of September 30, 2010, OCR has received a total of 9,300 breach reports (191 impact more than 500 individuals and 9,109 impact less than 500 individuals)."  That's a mere 2% of all breaches that have OCR's full attention.  The takeaway from this is to count your breaches carefully before reporting, as there seems to be a real benefit to being able to report an impact on less than 500 individuals.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

In a complaint filed with the FTC on November 23, four advocacy groups asked for "Investigation, Public Disclosure, Injunction, and Other Relief" against several online health giants, including Google, Microsoft, QualityHealth, WebMD, Yahoo, AOL, HealthCentral, Healthline, and Everyday Health. 

The advocacy groups behind this complaint are the Center for Digital Democracy, U.S. PIRG, Consumer Watchdog and World Privacy Forum.  They allege (in 144 pages, complete with web page screen-shots) that:

"Digital marketing raises many distinct consumer protection and privacy issues, including an overall lack of transparency, accountability and personal control, which consumers should have over data collection and the various interactive applications used to track, target, and influence them online (including on mobile devices).  The use of these technologies by pharmaceutical, health product, and medical information providers that directly affect the public health and welfare of consumers requires immediate action."

Any business that has a web presence should read this complaint; it will show you what these (and other) advocacy groups are complaining about.  While I do not expect the FTC to jump into action based on this complaint alone, it would not surprise me to see an increase in the discussion of regulation and enforcement in this patch of cyberspace during 2011. It is only a matter of time until a consumer health web site has a significant data breach.  Traditionally, such breaches bring increased inforcement activity.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

The American Medical Association recently published a policy on "Professionalism in the Use of Social Media," in an apparent attempt to address growing concerns about patient confidentiality and privacy in various internet settings. 

While the policy mostly consists of "considerations" that physicians should "weigh" when maintaining an online presence (none of which are new or earth-shattering), there was one notable exception -- a snitch rule: 

"When physicians see content posted by colleagues that appears unprofessional they have a responsibility to bring that content to the attention of the individual, so that he or she can remove it and/or take other appropriate actions. If the behavior significantly violates professional norms and the individual does not take appropriate action to resolve the situation, the physician should report the matter to appropriate authorities." 

(Emphasis added.)

• Email This
• Print
• Comments (2)
• Trackbacks
• Share Link

• Email This
• Print
• Comments (2)
• Trackbacks
• Share Link

I shared some of my initial thoughts about the new HITECH/HIPAA regulations with Melissa Klein Aguilar for her blog, "The Filing Cabinet," in today's on-line edition of Compliance Week.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Earlier today, the Department of Health and Human Services announced proposed modifications to the HIPAA Privacy Rules, calling them the most significant changes in HIPAA since 2003, when the HIPAA Security Rules were adopted.  The propose changes include:

• provisions extending the applicability of certain of the Privacy and Security Rules’ requirements to the business associates of covered entities;
   
• establishing new limitations on the use and disclosure of protected health information for marketing and fundraising purposes;
   
• prohibiting the sale of protected health information, and expanding individuals’ rights to access their information and to obtain restrictions on certain disclosures of protected health information to health plans; and
   
• expanding HIPAA’s enforcement provisions to business associates.

HHS intends to provide covered entities and business associates with 180 days beyond the effective date of the final rule to come into compliance with most of the rule’s standards (but apparently that additional time does not extend to its proposed enforcement provisions).

The public is invited to comment on the provisions of the proposed rule for 60 days following publication in the Federal Register at Regulations.gov.

We are still reviewing the 234 pages of proposed regulations and will have more to say about them shortly.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

In late June, the Centers for Medicare & Medicaid Services (“CMS”) proposed new rules for hospitals that would entitle  patients to choose their own visitors during a hospital stay, including visitors who are same-sex domestic partners. These proposed rules stem from the April 15, 2010 Presidential Memorandum on Hospital Visitation issued to the Secretary of Health and Human Services. 

The proposed rules would require every hospital to have written policies and procedures detailing patients’ visitation rights, as well as instances when the hospital may restrict patient access to visitors based on reasonable clinical needs. A key provision of the proposed rules specifies that visitors chosen by the patient (or his or her representative) must be able to enjoy visitation privileges that are no more restrictive than those for immediate family members:

    (h) Standard: Patient visitation rights. A hospital must have written policies and procedures regarding the visitation rights of patients, including those setting forth any clinically necessary or reasonable restriction or limitation that the hospital may need to place on such rights and the reasons for the clinical restriction or limitation. A hospital must--

(1) Inform each patient (or representative, where appropriate) of his or her visitation rights, including any clinical restriction or limitation on such rights, when he or she is informed of his or her other rights under this section.

(2) Inform each patient (or representative, where appropriate) of the right, subject to his or her consent, to receive the visitors whom he or she designates, including, but not limited to, a spouse, a domestic partner (including a same-sex domestic partner), another family member, or a friend, and his or her right to withdraw or deny such consent at any time.

(3) Not restrict, limit, or otherwise deny visitation privileges on the basis of race, color, national origin, religion, sex, sexual orientation, gender identity, or disability.

(4) Ensure that all visitors designated by the patient (or representative, where appropriate) enjoy visitation privileges that are no more restrictive than those that immediate family members would enjoy.

Comments on these proposed regulations are due by August 27, 2010.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

On June 25, 2010, federal district court judge Reggie B. Walton of the United States District Court for the District of Columbia entered a stipulated court order (.pdf) directing the  Federal Trade Commission (FTC) to delay enforcement of the FTC's Red Flags Rule against doctors and medical practices represented by the American Medical Association (AMA) and American Osteopathic Association.  The FTC and AMA agreed to this delay in a Joint Stipulation (.pdf), filed in the lawsuit initiated by the AMA and other medical associations to exclude doctors and other medical professionals from the application of the Red Flags Rule. 

The key issue in the case is whether medical practices should be considered "creditors" under the Red Flags Rule and the Fair and Accurate Credit Reporting Act (FACTA or the FACT Act).  The case follows lawsuits filed beginning in 2009 by the American Bar Association (ABA) and the American Institute of Certified Public Accountants (AICPA) to exclude lawyers and accountants from the scope of the new rules.  In October 2009, Judge Walton ruled that lawyers were not "creditors" subject to the Red Flags Rule.  The FTC has appealed the order and the Unites States Court of Appeals for the District of Columbia Circuit is expected to issue a decision clarifying the scope of the law.

In the recently approved stipulation, the AMA and the FTC have agreed to stay their dispute until the Court of Appeals issues its opinion.  The FTC has also agreed to delay enforcement of the Red Flags Rule for 90 days after the Appeals Court issues its ruling.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Today, the Federal Trade Commission issued a press release and an Enforcement Policy (.pdf) extending the deadline for enforcement of the FTC's Red Flags Rule through December 31, 2010.  The agency cited requests from members of Congress for a postponement of the deadline while legislators tinker with federal law to exclude certain businesses from application of the Rule.  The FTC announcement states:

Several members of Congress have once again asked the Commission to delay the Rule’s enforcement, through the end of the year, to give Congress time to reach a consensus on the types of businesses that should be covered under the Rule. The Commission believes that a limited further postponement is warranted so that it does not begin to enforce a regulation that Congress plans to supersede.

                                                                 *    *    *

The Commission urges Congress to act quickly to pass legislation that will resolve any questions as to which entities are covered by the Rule and obviate the need for further enforcement delays.

In October 2009, the House of Representatives unanimously passed HR 3763 (.pdf), a bill that would exempt from application of the Rule law firms, accounting firms and medical practices with 20 or fewer employees.  This week, on Tuesday, May 25, 2010, Senators John Thune and Mark Begich introduced S.3416 (.pdf), a parallel bill that amends the law to exclude the same small firms and practices.  The bill is currently before the Senate Committee on Banking, Housing, and Urban Affairs.

This move comes days before the June 1, 2010 deadline that the FTC set in October for enforcement of the Red Flags Rule.  Beginning in 2008, the FTC created controversy by construing the Red Flags Rule to apply to a wide range of "creditors", including anyone that invoices customers after providing goods or services.  As a result, the FTC has faced backlash from law firms, accounting firms and medical practices.  Groups representing these industries have filed lawsuits against the FTC to prevent them from applying the Red Flags Rule.  

While it seems likely that Congress will exclude some business from the application of the Red Flags Rule, the current efforts may not represent cause for widespread celebration in the legal, accounting and medical communities.  If the new bill expressly excludes small practices, one effect of the new law may be to confirm a legislative intent that larger law firms, accounting firms and medical practices (i.e., those that employ more that 20 individuals) remain subject to the Red Flags Rule. 

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Earlier today, the American Medical Association, American Osteopathic Association and the Medical Society of the District of Columbia filed a complaint that seeks to block the application of the Federal Trade Commission's Red Flags Rule to their members.  

According to its press release, the AMA filed this suit because it unfairly treats physician practices like "banks, credit card companies and mortgage lenders,” according to AMA President-elect Cecil B. Wilson, M.D. He added, “The extensive bureaucratic burden of complying with the red flags rule outweighs any benefit to the public.”

Given the impending June 1 deadline, it is somewhat curious that these groups have not sought an injunction to stop the FTC from applying the rule to their members (as it is unlikely their complaint will be resolved by June 1).  It would appear that these groups are going to let the American Bar Association and its earlier challenge do the heavy lifting here.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

As part of the settlement of a federal court action, the State of Texas has agreed to destroy more than 5 million blood samples taken from babies without parental consent and stored indefinitely for the purpose of scientific research.  The Texas Department of State Health Services announced earlier this week that it would destroy the samples in connection with the settlement of a federal lawsuit filed in March 2009 by the Texas Civil Rights Project on behalf of five parents of children whose blood was being held for use in research without their consent. 

The parents' complaint alleged that the state’s failure to ask parents for permission to store and possibly use the blood - originally collected lawfully in order to screen for birth defects - violated constitutional protections against unlawful search and seizure. The parents also expressed fears that their children’s private health data could be misused and that the disclosure of that data could lead to discrimination against them later in life.  Under the settlement, the blood samples collected without parental consent must be destroyed by early next year.  State authorities estimated that some 5.3 million samples would be destroyed as part of this process.  The State of Texas also is required to publish a list of all research projects that used the blood specimens.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

In Mercier v. Courtyard Nursing Care Center, 2009 WL 1873746 (Mass. Super. Ct. Jun. 11, 2009), a resident of a nursing home sued the home in Massachusetts Superior Court for negligence after being assaulted by another resident.  The injured resident moved to obtain medical records maintained by the home regarding the resident who had allegedly committed the assault.  The home contended that disclosure of the records would violate both HIPAA’s prohibition on disclosure of medical records without a patient’s authorization and Mass. Gen. L. ch. 93A, the Massachusetts unfair and deceptive practices statute.

The court, however, held HIPAA permitted disclosure of medical records “in the course of a judicial proceeding,” including in response to a court order, subpoena or discovery request. The court further observed that, although a Massachusetts regulation states that unauthorized release of a patient’s personal or medical record violates ch. 93A, the regulation contains a specific exception for disclosures “required by law.”  The court held that disclosure pursuant to a court order requiring production of records constituted such a disclosure.  The court also held that the sought-after records were likely to lead to admissible evidence regarding defendant’s knowledge of the alleged propensity for violence of the resident who had committed the assault and therefore ordered production of the records.  [Thanks to Foley Hoag's Eric Haskell for this entry.]

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Incident 1: UNC Data Breach Exposes Information On Over 100,000 Women Listed In Mammogram Registry

The University of North Carolina at Chapel Hill recently disclosed a data breach that exposed information on 160,000 women, including the Social Security Numbers of 114,000.  Original reports estimated that more than 200,000 women were affected.  The source of the breach was a computer intrusion into a server housing the Carolina Mammography Registry, which is "a 14-year-old project that compiles and analyzes mammography data submitted by radiologists across North Carolina."

Evidently, the breach was discovered in July, but it may have occurred over two years ago.  According to Matt Mauro, chairman of the UNC Department of Radiology, traces of computer viruses were found on a UNC School of computer server dating back to 2007 were found on the server.  The school delayed in notifying those affected while it conducted a forensic investigation to determine exactly who was affected.  To this point, however, the school still does not know who committed the breach or where the attack originated from, how the server (which had all required security measures) was breached, or whether any data was actually downloaded.

Links:

• Ferreri, Eric, "Hacker breaks into research study data," Charlotte Observer, September 29, 2009.
• "UNC says hacker got into fewer files than reported," The News & Observer, October 1, 2009.

Incident 2: Massachusetts Inmate Pleads Guilty to Charges that He Hacked Prison Computer While Incarcerated, Accessed Personal Information On 1,100 Correctional Officers

On September 14, 2009, Francis G. Janosko pled guilty to charges that he hacked a legal research computer provided to inmates in the Plymouth County Correctional Facility.  A highly restricted computer terminal was provided to inmates for the sole purpose of allowing them access to legal research resources.  Janosko apparently circumvented security measures restricting the computer to legal research tools and obtained accessed the administrator's username and password, the prison's internal network, and a report listing the names, birthdays, Social Security Numbers and contact information for 1,100 current and former prison personnel.  He also used the computer to send email and download publicly-available photographs and videos.

A grand jury in Boston indicted Janosko for these activities about a year ago in a sealed indictment (.pdf).  In the plea agreement (.pdf) recently reached with the U.S. Attorney's Office in Boston, federal prosecutors have agreed to dismiss the original charge of aggravated identity theft in exchange for Janosko's guilty plea to charges under the Computer Fraud and Abuse Act.  Janosko has agreed to accept an additional incarceration of 18 months for the hack.  Sentencing in the case is scheduled for December 15th.

• Email This
• Print
• Comments (1)
• Trackbacks
• Share Link

This week, the U.S. Attorney's Office for the Northern District of Texas announced that the FBI has arrested Jesse William McGraw, a 25 year old contract security guard at the W. B. Carrell Memorial Clinic, a hospital in Dallas, Texas, for hacking the hospital's computers and air conditioning system. For many businesses, an attack on ventilation systems might be an inconvenience, but the threat could be much more serious for critical care patients in healthcare institutions like the Carrell Clinic. McGraw is charged with violations of the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. sec. 1030.

McGraw had given his one week notice to hospital security contractor, United Protective Services, and was scheduled to depart on July 3, 2009.  His intrusion into hospital systems was allegedly made in preparation for a larger attack on July 4th, a day he referred to as "Devil's Day."  The story behind the arrest is laid out in the criminal complaint and supporting affidavit filed in federal court (.pdf); however, a number of other details have emerged over time that demonstrate how vulnerable many institutions may be to insiders.

• Email This
• Print
• Comments (5)
• Trackbacks
• Share Link

In this, the third and final part of Security, Privacy and the Law’s interview with M. Eric Johnson (Part 1 may be found here and Part 2 is here), Dr. Johnson talks about why the fragmented nature of the American healthcare system is so dangerous and why he believes greater consolidation would better protect private information. He also talks about the specific problems associated with data security on peer-to-peer file sharing networks.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

In this, the second part of Privacy, Security and the Law’s three part interview with M. Eric Johnson (begun here), Dr. Johnson talks about why he thinks the healthcare sector is uniquely vulnerable to security breaches and what special problems that vulnerability poses.

• Email This
• Print
• Comments
• Trackbacks (1)
• Share Link

A recent article from Computerworld reports that, according to a new study conducted by researchers from MIT and the University of Virginia, "EMR [Electronic Medical Record] adoption is often slowest in states with strong regulations for safeguarding the privacy of medical records."   According to the study, in states with "strong privacy laws", the number of hospitals using EMR systems is up to 30% lower than in states with "less stringent privacy requirements."  The study, "which looked at EMR adoption in 19 states over a 10-year period", concludes that the reason for the disparity is that "privacy rules often made it harder and more expensice for hospitals to exchange and transfer patient information, thereby reducing the value of an EMR system."  According to the article, one of the study's authors, Catharine Tucker, stated that "[p]olicy-makers are going to have to choose how much EMR adoption they want and at what cost to patient privacy.

It is worth noting that the study's methodology has been subject to some criticism.  According to the article, Deven McGraw, director of the health privacy project at the Center for Democracy and Technology, said that "the study was based on old data and didn't consider all of the factors that a health care organization would typically look at when deciding whether to adopt an EMR system."  Instead, according to McGraw, the study "looked at whether a state has a medical privacy law and then looked at EMR adoption in that state to draw its conclusions."  Deborah Peel, chair of the Patient Privacy Rights Foundation in Austin, Texas, also criticized the studies conclusions.

Links:

• April 14, 2009 Computerworld article by Jaikumar Vijayan: "Privacy rules hamper adoption of electronic medical records, study says"
• Link to page where the study, "Privacy Protection and Technology Diffusion: The Case of Electronic Medical Records" can be downloaded (Note: you must pay to download the study)

• Email This
• Print
• Comments
• Trackbacks
• Share Link

I recently had the chance to sit down with M. Eric Johnson, Director of Tuck’s Glassmeyer/McNamee Center for Digital Strategies and Professor of Operations Management at the Tuck School of Business, Dartmouth College, to talk about his recent paper “Data Hemorrhages in the Health-Care Sector” (.pdf).   The results of Dr. Johnson’s study were startling.  For instance, his finding that a great deal of personal patient information is openly available on Peer-to-Peer (P2P) file sharing networks resulted in a great deal of media attention from publications dealing with privacy like SC Magazine, technology publications like Wired, and general interest publications like USA Today.  We are thrilled that Dr. Johnson agreed to do a full interview with Security, Privacy, and The Law.

Because the interview is long and covers a number of important topics of interest, we will post the interview in three parts.  The first installment of the interview follows below.  In this part of the interview, Dr. Johnson discusses how he came to be interested in information security, how he conducted his research, and his findings about just how much personal health information is available on P2P networks.
 

• Email This
• Print
• Comments
• Trackbacks (2)
• Share Link

As outlined in April 2’s Boston Globe, a Massachusetts physician who lost his license to practice is still causing problems for his patients. He left his office and records, and now his patient records are about to be destroyed unless the patients come to claim them. The state authorities claim they don’t have the resources to maintain the records, or to help find the patients. The auction company just wants them gone. 

Normally, when a physician closes a practice, patient records are placed with another physician; if they are placed in storage, prepayment of storage fees or a bond is usually required. Wouldn’t it be interesting if there were some criminal charges under HIPAA in cases like this -- after all, HIPAA has fines of up to $250,000 and penalties up to 10 years in prison for disclosing or obtaining health information with the intent to transfer it for commercial advantage, personal gain or malicious harm?

• Email This
• Print
• Comments
• Trackbacks
• Share Link

It seems an inevitable consequence of modern celebrity: when you go to the hospital, hospital workers will look at your records (even though they have no medical reason to). The latest example of this involved the infamous mother of octuplets, Nadya Suleman. It resulted in the firing of 15 hospital workers at Kaiser Permanente’s hospital in Bellflower, California. All these violations have been reported by Kaiser to the California Department of Public Health. 

But this isn’t really news. The hospital records of other celebrities (like Britney Spears, Farrah Fawcett and Gianni Versace) also have been improperly accessed in recent years. The real issue raised by these events is: what lesson do we take away for compliance purposes to prevent it from happening in the future? The vigilant CIO sends these examples around to his/her staff to remind them of these pitfalls. And when you learn of celebrity in your midst, you should specifically warn staff not to pursue the records of individuals for matters that do not concern them on a professional basis; you might even consider special additional security precautions. There will always be more of these types of breaches, but it doesn’t have to happen at your company if you continually remind people about their obligations to maintain confidentiality. 

• Email This
• Print
• Comments
• Trackbacks
• Share Link

In a recent letter (.pdf) to the healthcare industry, the Federal Trade Commission (“FTC”) has issued its clearest pronouncement yet on which entities must comply with federal “Red Flag Rules” -- the identity theft regulations that will go into effect for many businesses on May 1, 2009 (and have been in effect for banks and financial institutions since November 1, 2008). This latest guidance strongly suggests that if you are wondering whether the new federal regulations apply to you -- then they probably do.  In this post, we will recap the FTC's recent guidance on who should be complying with the Rules.

• Email This
• Print
• Comments
• Trackbacks (1)
• Share Link

For all their problems, Veterans Affairs medical centers across the country are at the vanguard of the implementation of electronic health records. As such, there is a lot to learn from the problems that the VA system has experienced in this area. According to an article in the March 4, 2009 Journal of the American Medical Association, the problems experienced by the VA include mixed-up patient names and missing medication orders. These types of problems are probably endemic in any EHR system.  (This very point was made by Drs. Jerome Groopman and Pamela Hartzband in their March 12, 2009 Wall Street Journal op-ed.) Given these built-in weaknesses, frequent auditing of records, with strong and persistent audit trails, are a vital component to any EHR system.  Also, communications between all levels of workers in the care setting are important, to provide similar feedback.  The VA has adopted these mechanisms as part of its EHR systems. VA health care workers are encouraged to report problems with the electronic medical record systems, and those reports are closely monitored. Ironically, this may be why we hear so much about the VA’s issues – they are finding problems that others have in their data systems, but do not yet know about.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

On Tuesday, February 17, 2009, President Obama signed into law the widely-debated federal economic stimulus package, officially titled the American Recovery and Reinvestment Act of 2009, and with it, enacted the Health Information Technology for Economic and Clinical Health Act (HITECH Act). Much of the media attention on the HITECH Act has focused on the policies promoting health information technology a topic that President Obama touted throughout his campaign. However, the HITECH Act also contains myriad regulations that expand the security and privacy provisions of the Health Information Portability and Accountability Act of 1996 ("HIPAA"), and generally extends some of those regulations to non-HIPAA-covered vendors of personal health records and their business partners.

If you are hoping that federal lawmakers have used the HITECH Act to finally set a national standard for patient medical information, however, you will be disappointed.

The HITECH Act, like HIPAA, preempts any contrary state laws, but leaves intact any state laws and regulations that impose stricter requirements on the handling of patient information. As a practical matter, this means that if you are covered by HIPAA and the HITECH Act you must meet new minimum standards while continuing to monitor and comply with the ever-increasing patchwork of laws governing patient information in every state in which you operate.

What follows is a more detailed discussion of the provisions of the HITECH Act and how it attempts to provide additional security for patients' health information.

• Email This
• Print
• Comments
• Trackbacks
• Share Link