In Case You Missed It: U.S. Major party platforms address cybersecurity. The two major parties have released their 2016 election platforms, both of which include cybersecurity planks. The Republican platform’s perspective of cybersecurity is an element of national security and international relations. The platform called for harsh responses to cyber-attacks against American businesses, institutions, and government, applauded the Cybersecurity Information Sharing Act of 2015, and pledged to “explore the possibility of a free market for Cyber-Insurance.” The Democratic platform is largely as a continuation of President Obama’s cybersecurity policies. It promises to “build on the Obama… More
Category Archives: Healthcare Industry Spotlight
HHS OCR Guidance on Ransomware Attacks: They Constitute a “Security Incident” and Are Likely a Data Breach
On July 11, 2016, the HHS Office of Civil Rights (OCR) released guidance on HIPAA covered entities’ responsibilities in a ransomware attack, a type of cyber-attack that has targeted the health care sector extensively in recent months. This guidance comes in the wake of a June 20, 2016 “Dear Colleague” letter from HHS Secretary Sylvia Burwell highlighting ransomware issues. The most notable of OCR’s statements is that ransomware attacks often constitute breaches subject to the HIPAA Breach Notification Rule.
Ransomware as Security Incident
OCR’s guidance states that the presence of ransomware on a covered entity’s or business… More
In Case You Missed It: Court certifies class in suit against Apple. On July 15, 2016, U.S. District Judge Jon S. Tigar certified a class of users of the mobile app Path, who allege that Apple facilitated the app’s access their contacts without their knowledge. In the same decision, Judge Tigar denied certification to a proposed class of consumers who downloaded the app, but never had their contacts uploaded. Apple and Path are just two defendants named in a consolidated suit relating to questions concerning whether Apple’s mobile operating system, iOS, unlawfully uploads and disseminates users’ personal information (e.g.,… More
Catholic Health Care Services of the Archdiocese of Philadelphia (“CHCS”), a HIPAA business associate, has agreed to pay the Department of Health and Human Services Office of Civil Rights (“OCR”) $650,000 in connection with a data breach involving the nursing homes to which it provides management and IT services.
The underlying breach occurred in February 2014 (which suggests a significant backlog at OCR in resolving open matters). The breach itself was relatively insignificant compared to those we often see today involving millions of records: this was the theft of an unsecured iPhone with health information of 412 nursing home patients.
In Case You Missed It: Illinois strengthened its data privacy and security law, with the amendments going into effect in January 2017. The amendments include expanding the definition of “personal information” to include a username or email address of an Illinois resident in conjunction with a password or security question answer that would permit access to an online account. The definition is also expanded to include medical and health insurance information. However, if a company already complies with the data security elements of HIPAA and HITECH, then it will be deemed to comply with the Illinois law. Illinois’ amendments… More
The FBI recently released an article discussing the spate of ransomware attacks on a variety of different entities, including hospitals. In the article, the FBI warned that ransomware attacks and the cybercriminals carrying them out are growing increasingly sophisticated. The FBI opposes paying a ransom when hit by a ransomware attack, saying that doing do incentivizes more ransomware attacks, can inadvertently fund other illegal activity, and does not always result in the restoration of access. The FBI recommends that entities focus on prevention efforts like employee training, patching operating systems and software, and restricting access to files, directories, and/or… More
The summer movie season is now officially in full swing, with the release of three informational videos regarding HIPAA and the right of individuals to access their medical records, published by the Office of Civil Rights of the Department of Health and Human Services.
The video trilogy, and accompanying infographic, are the eagerly-awaited sequel to OCR’s guidance “Individuals’ Right under HIPAA to Access their Health Information 45 CFR § 164.525,” issued earlier this year. That guidance is essential reading for companies operating in the medical records space, as it sets forth OCR’s views on such topics… More
Unfortunately, health care providers are the perfect mark for theft and extortion because they have huge amounts of sensitive information and maintain such information in computer databases at risk of infiltration. On May 17, Foley Hoag presented a webinar discussing the ongoing crime sprees involving theft of patients’ identities and health information; ransomware involved in these crimes; related data security issues affecting health care providers; and how they implicate law enforcement and the criminal law aspects of HIPAA.
To download a copy of the presentation, click here.
Watch a recording of the webinar:
Written by Elizabeth Snell | This article was originally published on HealthITSecurity.com
The recently announced OCR HIPAA audits are not a cause for panic, according to experts, especially of organizations have proper documentation.
With the most recent round of OCR HIPAA audits announced just last month, many healthcare organizations are working to ensure that they are prepared should they be called for investigation.
While the announcement should not come as a total surprise, several healthcare legal experts explain that covered entities that maintain thorough documentation of… More
The GDRP sets out uniform new rules in the field of data protection across the EU, rules that will standardize the law in the 28 EU Member States and have an impact on both European and non-European companies. For example:
data controllers (companies collecting and using personal information) will have a wide range of new obligations, including: data breach notification; implementation of the right to be forgotten; appointment of a data protection officer; privacy impact assessment before processing data; and implementation… More
Hospitals are increasingly the target of hackers, particularly in the form of “ransomware.” What follows is a primer on ransomware and how to avoid being a target of it.
What is ransomware?
Ransomware is a type of malware that limits users’ access to their computer systems. It functions by locking a user’s system and/or encrypting its files. Once ransomware gains access to a single workstation, it can “travel across [a] network and encrypt any files located on… More
You have seen all the hysterical headlines — “The HIPAA audits are coming, the HIPAA audits are coming….” But when you really think about it, what is the big deal? If you are a HIPAA covered entity, you surely know by now what you are supposed to be doing. And you probably have been doing it– so just check around to make sure before you get the dreaded letter from HHS OCR. And if you are a HIPAA business associate, you are probably a bit behind the covered entities, but again, it’s not a secret what you need… More
EU Commission and United States agree on new framework for transatlantic data flows: EU-US Privacy Shield
What follows below is the EU’s press release regarding the agreement on a replacement for the EU-US Safe Harbor. We are working to get details and will schedule a webinar on the new framework shortly.
The European Commission and the United States have agreed on a new framework for transatlantic data flows: the EU-US Privacy Shield.
Today, the College of Commissioners approved the political agreement reached and has mandated Vice-President Ansip and Commissioner Jourová to prepare the necessary steps to put in place the new arrangement. This new framework will protect the fundamental rights of Europeans where their… More
On December 18, 2015, President Obama signed the Cybersecurity Act of 2015 (The “Act”), legislation designed to combat online threats to the federal government, state and local governments, and private entities. Within the Act are four titles, the most significant of which is Title I, the Cybersecurity Information Sharing Act (“CISA”) (which begins at p. 694).
CISA addresses the manner in which the federal government and non-federal entities may share information about cyber threats and the defensive measures they may take to combat those threats.
CISA: An Optional Opportunity
CISA does not require non-federal entities (private entities and state,… More
On January 22, 2016, I had the pleasure to present to the Massachusetts Health Information Management Association’s Winter Meeting, to discuss “Compliance Beyond HIPAA.” The presentation slides from the program are available here, and reflect discussion of:
recent HHS OCR guidance on “Individuals’ Right under HIPAA to Access their Health Information 45 CFR §164.524” a new HHS OCR FAQ on EHR incentives and their interaction with HIPAA; amendment of the HIPAA Privacy Rule to address release of mental health information for firearm background checks; charges for copying of records (especially involving attorneys); a new HHS OIG… More
HIPAA Privacy Regulations Amended to Allow Disclosures of Mental Health Information for Firearm Background Checks
On January 4, 2016, the Department of Health and Human Services (HHS) modified the HIPAA Privacy Rule to expressly permit certain covered entities to disclose to the National Instant Criminal Background Check System (NICS) the identities of those individuals who, for mental health reasons, already are prohibited by Federal law from having a firearm. According to HHS, “This modification better enables the reporting of the identities of prohibited individuals to the background check system and is… More
The scaffolding of the FTC’s powers in the realm of cybersecurity continues to be built. On Monday, the FTC’s Chief Administrative Law Judge D. Michael Chappell issued an initial decision in the FTC’s closely watched enforcement action against LabMD. The case involves a 2008 incident in which a data security company (Tiversa Holding Co.) discovered a LabMD document containing personal information of 9,300 patients was available on a P2P file sharing network. … More
Cybersecurity and Risk Management: “Navigating the Digital Age: The Definitive Cybersecurity Guide for Directors and Officers”
A timely new resource for business executives, technology professionals, and lawyers alike is the newly-published Navigating the Digital Age: The Definitive Cybersecurity Guide for Directors and Officers from the New York Stock Exchange and Palo Alto Networks. At 355 pages, the guide provides information from dozens of contributors from around the country and from various backgrounds. The guide explores 46 separate topics, focusing on such issues as prevention, developing action plans, legal and regulatory challenges, the internet of things, and building readiness… More
The FTC’s Broad Authority and FTC v. Wyndham: Thinking about the Future of Data Privacy Regulations
What makes data privacy law interesting for academics, challenging for lawyers, and frustrating for businesses is its shape-shifting structure in the face of rapidly changing technology. The recent change in the invalidation of US-EU “safe harbor” system is a useful reminder of the differences between the way the European Union and the U.S. handle questions of data privacy: whereas, generally speaking, in the EU data privacy standards are relatively uniform, in the U.S. there are as many different sets of regulations as there… More
A key distinguishing feature of U.S. data privacy laws is their patchwork nature. There are industry-specific data privacy laws at the federal level (think HIPAA or the GLBA), yet there are no comprehensive federal standards that governs an entity’s obligations in the event of a data breach like the EU’s Data Privacy Directive. For data breach response, in addition to the possible application of an industry-specific law or regulation, companies doing business in the U.S. must look to… More
This seminar was presented by Foley Hoag LLP and and a panel of industry experts on ISO 27018, the new international standard governing the processing and protection of personal information by public Cloud Service Providers (CSPs). Even though this new standard is voluntary, it is widely expected to become the benchmark for CSPs going forward.
As the first and only international privacy standard for the cloud, ISO 27018 addresses the means of keeping… More
We welcome this guest blog by Gene Fry, Compliance Officer, Scrypt, Inc.
The Health Insurance Portability and Accountability Act (HIPAA) sets the standard for protecting sensitive patient data. This means that any covered entity (CE) or business associate (BA) that deals with protected health information (PHI) must ensure that all the required physical, network, and process security measures are in place and followed. The HIPAA Privacy Rule addresses the storage, accessing and sharing of PHI, whereas the HIPAA Security Rule outlines the security standards which protect health data created, received, maintained or transmitted electronically; known as electronic protected health… More
Update on President Obama’s “Summit on Cybersecurity and Consumer Protection,” Part III: Five Key Lessons for Business
Concluding our three-part analysis of the White House’s first Summit on Cybersecurity and Consumer Protection, we turn to some practical advice coming out of the Summit’s afternoon session, including an address by Maria Contreras-Sweet, the administrator of the Small Business Administration (“SBA”), and a panel discussion among financial sector leaders moderated by Deputy Treasury Secretary Sarah Bloom Raskin.
Here are five takeaways for companies large and small:
Companies are only as secure as their most vulnerable employee. In the course of the panel discussion, Mike George, CEO of QVC, elaborated on how training and constant vigilance were at the… More
Medical Billing Provider and its Former CEO Settle FTC Charges That They Misled Consumers About Collection of Personal Health Data
In an age when many of us briskly scroll through website terms and conditions and check, “I agree” without thinking, how should businesses design their websites to obtain proper authorization to access users’ sensitive information? The announcement of the settlement of a pair of recent FTC complaints against PaymentsMD, a medical billing services provider and its former CEO, and the resulting settlement, provide some important guidance, at least with regard to health information practices. In that settlement, the Atlanta-based health billing company and its former CEO settled charges that they misled thousands of consumers who signed up for… More
Our friends at Co3Systems and IOD recently produced a webinar, “Ready or Not, Here They Come: Preparing For Phase 2 HIPAA Compliance Audits” that provides a succinct overview of what is coming down the pike for HIPAA covered entities.
It’s been a while, but we have another HIPAA deadline just around the corner: September 23, 2014.
September 23, 2014 is the date by which all HIPAA business associate agreements need to be in compliance with the current HIPAA regulations (often called the Omnibus Rule). The current rules went into effect on March 26, 2013, but certain then-existing HIPAA BAAs were grandfathered and did not have to be updated immediately. The grandfathering ends and up-to-date BAAs must be in place starting September 23, 2014.
Specifically, compliance was required 180 days following the HIPAA Omnibus Rule’s effective date (3/26/13); that initial deadline was… More
Triple-S Salud Inc., a Puerto Rican health insurer, has been hit with a $6.8 million penalty from the Office of Civil Rights of the Department of Health and Human Services for a massive data breach. Triple-S (known as ASES in Spanish) has posted a notice on its website regarding the breach.
The penalty, which also is described in a securities filing, is based a breach involving 13,336 of Triple-S’s Dual Eligible Medicare beneficiaries. This penalty dwarfs the previous record fine of $4.3 million, which was related to non-cooperative behavior after a breach by Cignet Health in 2011.
On February 20, the U.S. Department of Health and Human Services Office of Civil Rights (HHS OCR) released new guidance explaining how the HIPAA Privacy Rule operates to protect individuals’ privacy rights with respect to their mental health information and in what circumstances the Privacy Rule permits health care providers to communicate with patients’ family members and others to enhance treatment and assure safety.
The guidance is essentially a set of answers to frequently asked questions. Set out below is a highly truncated version of those FAQs (please view the entire Q&A for the full position and explanation of… More
A recent article in Law360 discusses how “technical problems plaguing the Affordable Care Act’s online insurance marketplace could expose vast amounts of personal data to theft….” I noted in that article that while these concerns were valid, they are simply expanded versions of existing exposures in payor databases:
“Will breaches and improper disclosures happen as part of the new federal and state exchanges? I wouldn’t bet against it,” said Foley Hoag LLP privacy and data security practice co-chair Colin Zick. “But it’s not a new world — just an expansion of the existing one.”
So far, the simple access… More
HHS OCR Issues HIPAA Guidance on Refill Reminders, Decedent Information, Disclosure of Proof of Student Immunications and Delays CLIA Lab Enforcement
Late last night, HHS OCR issued its anticipated guidance on “The HIPAA Privacy Rule and Refill Reminders and Other Communications about a Drug or Biologic Currently Being Prescribed for the Individual.” A new “Fact Sheet” and corresponding “Frequently Asked Questions” attempt to explain how the refill reminder exception to the marketing rule works, and seek to address both the scope of communications that fall within the exception, as well as the types of third party payments that are considered “reasonable” under the statute and regulations for making such communications. In addition, the Secretary has decided not to enforce the… More
You may have seen the recent lawsuit alleging that HIPAA’s marketing regulations are unconstitutional. In that case, the plaintiff is a company that “provides a refill reminder service and other adherence messaging services,” Adheris, Inc.
Adheris sued the Department of Health and Human Services because HIPAA’s regulations threaten to put it out of business. In particular, HIPAA now requires patient authorizations for its kind of patient reminders. As described by Adheris:
39. In the final regulations, HHS excepted from the definition of “marketing” those communications made “[t]o provide refill reminders or otherwise communicate about a… More
The revised HIPAA regulations were formally published today in the Federal Register. In this form, they only take up 138 pages!
Law360 has a brief piece on the revised HIPAA rules, with the perspectives of various attorneys (including me) on the changes. While I’m not sure I agree with the quote that “This is a paradigm shift in the privacy world,” I do agree that this is “definitely something for all businesses to pay attention to.” Similarly, I agreed that “now that the starting gun has sounded, it’s a race to get ready by the Sept. 23 compliance… More
On January 18, 2013, nearly four years after the passage of the HITECH Act and its amendments to HIPAA, and nearly three years after it proposed regulatory amendments, the U.S. Department of Health and Human Services (“HHS”) has finally issued major “omnibus” revisions to HIPAA’s privacy and security regulations.
In the 563 pages of the regulations and related regulatory comments, there are many substantive and technical changes. However, we distilled two major themes in these revisions:
Extension of HIPAA generally, and in particular the direct extension of HIPAA to business associates and their subcontractors, so that now… More
Nearly four years after the passage of the HITECH Act and its amendments to HIPAA, and nearly three years after it proposed regulatory amendments, the U.S. Department of Health and Human Services (“HHS”) has finally issued major revisions to HIPAA’s privacy and security regulations.
While we are still making our way through all 563 pages of the regulations and related regulatory comments (and will have a more detailed analysis shortly in this space), here are some of the highlights we (and the HHS press release) have noted so far:
Many of HIPAA’s privacy and security requirements will now directly apply to business associates; Business associates may also be liable… More
Massachusetts Attorney General Secures $140,000 Settlement of Claims that Patient Information Was Left in a Town Dump
The Massachusetts Attorney General announced today that the former owners of a medical billing practice and four pathology groups have agreed to collectively pay $140,000 to settle allegations that medical records and patient billing information for “tens of thousands of Massachusetts patients were improperly disposed of at a public dump.” Under the settlements, the defendants have agreed to pay a total of $140,000 for civil penalties, attorney fees, and a data protection fund to support efforts to improve the security and privacy of sensitive health and financial information in Massachusetts.
The Attorney General alleged that Joseph and Louise Gagnon, d/b/a Goldthwait Associates, violated Massachusetts data security… More
The Department of Health and Human Services’ Office for Civil Rights (“HHS OCR“) announced today that it was, for the first time, entering into a monetary HIPAA settlement for a breach involving less than 500 patients: the Hospice of North Idaho (HONI) has agreed to pay HHS OCR $50,000 to settle potential HIPAA security rule violations.
HHS OCR began its investigation after HONI reported to it that an unencrypted laptop computer containing the electronic protected health information (“ePHI”) of 441 patients had been stolen in June 2010. Laptops containing ePHI are regularly used by the organization as part of their field work. Over the course of… More
Today’s Law360 addresses “HHS Data-Scrubbing Guidance” with quotes from me and others on the subject:
Clarifying the types of data that need to be removed from data sets can also help companies maximize the value of the information that they hold as the value of and ability to use this data for research and public health purposes increases, Foley Hoag LLP security and privacy practice co-chair Colin Zick added.
“The guidance answers discrete questions that people have come across in operational circumstances, like can you list parts of a ZIP code,” he said. “The answers to… More
On November 26, HHS OCR released guidance regarding methods for de-identification of protected health information in accordance with the HIPAA Privacy Rule. This guidance fulfills the American Recovery and Reinvestment Act of 2009 (ARRA) mandate that HHS issue such guidance.
Following the passage of ARRA, OCR collected research and views regarding de-identification approaches, best practices for implementation and management of the current de-identification standard and potential changes to address policy concerns. The guidance synthesizes these diverse perspectives. It provides particularly helpful insight into the use of experts to confirm de-identification:
It was a pleasure to be on a panel with members of the Massachusetts Office of the Attorney General last week at the Massachusetts Medical Society to talk about how physicians can protect health information in our presentation entitled: “Protecting Health Information: Health Data Security Training.” We covered the latest in federal law (HIPAA, HITECH) and Massachusetts law.
Another Massachusetts Health Care Provider Hit with Big HIPAA Settlement: Massachusetts Eye and Ear Infirmary Pays $1.5 Million
Late yesterday, the HHS Office for Civil Rights (“OCR”) announced that it had reached a $1.5 million settlement with Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc. (“MEEI“) to settle potential HIPAA Security violations. As part of the settlement, MEEI also agreed to a Corrective Action Plan to improve policies and procedures to safeguard the privacy and security of its patients’ protected health information.
OCR’s investigation followed a breach report submitted by MEEI, as required by the HIPAA Breach Notification Rule, reporting the 2010 theft of an unencrypted personal laptop containing the electronic protected health information of MEEI patients and research subjects while… More
A recent Harris Interactive survey of 2,625 adult Americans reveals some interesting attitudes towards employer confidential information, including significant variations depending on an employee’s age:
– 68% of 18-34 year olds responded that it is acceptable to remove confidential information from their place of employment. This contrasts with just half (50%) of those 55 years old or older believing such behavior is acceptable.
– 86% of those 55 years old and over believe someone should be fired for taking confidential information, while 74% of those younger than 55 years old think the same.
– 40% of adults believe it… More
With relatively little fanfare, Massachusetts Governor Deval Patrick signed S.2158, into law on April 27, 2012, making HIV testing possible with simply verbal consent, as opposed to written consent. The legislation amends Mass. Gen. L. ch. 111, section 70F; its aim is to increase screening for HIV and I believe it will have that effect.
Will the change in the law have an impact on health information management? I believe it will. If there are more HIV tests, there will be more HIV records. And if there are more HIV tests, there will be more requests for HIV… More
As you may recall, the Health Information Technology for Clinical and Economic Health (HITECH) Act gives state Attorneys General the authority to bring civil actions on behalf of state residents for violations of the HIPAA Privacy and Security Rules. Some states, like Massachusetts, have already started to use this authority to bring and settle cases.
To advance state enforcement, HHS OCR has developed HIPAA Enforcement Training modules, designed to help State Attorneys General and their staff understand and use their new authority to enforce the HIPAA Privacy and Security Rules.
The very same training materials being used by your state AG… More
Data Breaches Continue To Be A Problem For Health Care Providers: South Shore Hospital (Massachusetts) Pays $750,000 To Settle Data Breach Charges
An aptly-timed article from Mass High Tech Business News noted earlier today that: “Data Breaches [Are] a Growing Problem in Health Care.” This article focused on a recent breach at Boston Children’s Hospital involving the records of 2,000 patients.
The article was prescient, as this afternoon, the Massachusetts Attorney General announced a $750,000 settlement with suburban Boston’s South Shore Hospital, relating to a 2010 data breach.
According to the Attorney General’s press release:
South Shore Hospital has agreed to pay $750,000 to resolve allegations that it failed to protect the personal and confidential health information of… More
ONC (“Office of the National Coordinator for Health Information Technology”) Issues Guide to Privacy and Security of Health Information
The Office of the National Coordinator for Health Information Technology (“ONC”) has issued a Guide to Privacy and Security of Health Information Guide to Privacy and Security of Health Information. The guide is targeted at smaller health care providers and their administrative staff members. The 47 pages contain five chapters:
Chapter 1: What Is Privacy & Security and Why Does It Matter? Chapter 2: Privacy & Security and Meaningful Use Chapter 3: Privacy & Security 10-Step Plan for Meaningful Use Chapter 4: Integrating Privacy and Security into Your Practice Chapter 5: Privacy and Security Resources
At first glance,… More
In an article that repeats a common theme in this space, this week’s Economist talks about how researchers are trying to help ordinary people toughen up their passwords. But despite the efforts of these researchers, the article’s conclusion is a gloomy one:
The upshot is that there is probably no right answer. All security is irritating (ask anyone who flies regularly), and there is a constant tension between people’s desire to be safe and their desire for things to be simple. While that tension persists, the hacker will always get through.
A recent issue of the Journal of the American Medical Association takes on the issue of physician medical identify theft; here’s the abstract:
It took several months for one physician to learn that she was a victim of medical identity theft. This realization occurred after patients reported that her name was on their Medicare Summary Notices although they had never seen her. A fraudulent clinical practice had enrolled in Medicare using her name without her knowledge. Another physician had retired from clinical practice but decided to work part-time. Nearly 2 years after sending out job applications, he… More
$1.5 Million Settlement of First HIPAA Enforcement Action Resulting from HITECH Breach Notification Rule
The trend toward increasingly large health information breach settlements has continued with yesterday’s announcement thatBlue Cross Blue Shield of Tennessee (BCBST) has agreed to pay the U.S. Department of Health and Human Services (HHS) $1,500,000 to settle potential violations of HIPAA’s Privacy and Security Rules, HHS’s Office of Civil Rights. BCBST also agreed to a corrective action plan to address gaps in its HIPAA compliance program. The enforcement action is the first resulting from a breach report required by the HITECH Act’s Breach Notification Rule.
The investigation started with a notice submitted by BCBST to HHS reporting… More
An Atlanta, Georgia man was sentenced earlier this month to one year and one month in prison for intentionally accessing a computer of a competing medical practice, and taking personal information of the patients. The individual made this improper access in order to send marketing materials to patients at the other practice.
The individual worked as an information technology specialist for a perinatal medical practice in Atlanta. He separated from employment from the first practice and joined a competing perinatal medical practice, located in the same building. He then used his home computer to hack into his former employer’s patient database. He downloaded the names, telephone numbers, and addresses… More
In its recent Annual Report to Congress on Breaches of Unsecured Protected Health Information, the Office of Civil Rights of the Department of Health and Human Services, we see confirmation of certain trends– bigger breaches and breaches involving theft of electronic media:
Between January 1, 2010 and December 31, 2010, breaches involving 500 or more individuals also made up less than one percent of reports, yet accounted for more than 99 percent of the more than 5.4 million individuals who were affected by a breach of their protected health information. The largest breaches in 2010, like 2009,… More
Security Awareness Training The Computer Security Act of 1987 (P.L. No. 100-235) requires periodic training in computer security awareness and accepted computer practices for all employees who manage, use, or operate Federal computer systems. Additionally, Federal regulations (5 C.F.R. § 930.301(a)) require that role-specific training be provided based on each user’s security responsibilities and require agencies to provide training for employees with significant information security responsibilities. The CMS… More
“Once More Unto the Breach, Dear Friends, Once More”: The Increasing Recognition of Complexity in Data Breach Response and Reporting
In an article in today’s New York Times, we get some real-life insight into the difficulties in responding to a data breach. Even simple questions, like whether or not to report the breach and who is responsible for reporting it, take on unforeseen complexity.
The particular breach in question happened at the Massachusetts eHealth Collaborative, when an employee’s car was broken into and a company laptop stolen. The ramifications included:
spending nearly $300,000 in legal, private investigation, credit monitoring and media consultancy fees; devoting 600 person-hours of staff time to the breach; hiring a crisis team of lawyers and customers and a chief security officer; hiring… More
A recent Massachusetts case shows that even prisoners have a right to privacy in their medical records. In this case, Alexander v. Clark, Suffolk Superior Court, Civil Action No. 0905456-H 28 Mass. L. Rptr. No. 14, 291 (May 30, 2011), the court sided with the claim of a prisoner that her health information had been wrongfully disclosed. In particular, the prisoner, Christine Alexander, sued several correction officials because those officials had sent documents regarding her “request for Propecia for hair loss” to another inmate without her permission.
The court found that the inmate-patient had a claim under the Massachusetts Privacy… More
When we last looked at OCR’s reporting on HIPAA breaches impacting 500 or more individuals, back in May 2011, there had been 265. This was up from September 2010, when there had been 191 such breaches. As of today, there as 292 listed. Given that the last reported date of breach on the OCR’s list is May 8, there are surely over 300 breaches that have now been reported.
In another sign that OCR is continuing to seek significant penalties for HIPAA violations, it announced on July 7 that the UCLA Health System ("UCLAHS") has agreed to settle potential violations of the HIPAA Privacy and Security Rules for $865,500 and has committed to a corrective action plan aimed at remedying gaps in its compliance with those rules. This follows on the heels of Massachusetts General Hospital’s $1 million settlement with OCR.
The resolution agreement resolves two separate complaints filed with OCR on behalf of two celebrity patients who received care at UCLAHS. The complaints… More
On Thursday, June 23, the United States Supreme Court voted 6-3 to strike down a Vermont statute that sought to impose significant restrictions on pharmaceutical detailing and “data mining” activities. Justice Kennedy’s opinion in the closely-watched case of Sorrell v. IMS Health Inc. held that the Vermont statute was an unconstitutional regulation of commercial speech. In so doing, the Court found that the sale, disclosure,… More
The Supreme Court this morning voted 6-3 to strike down a Vermont statute that sought to impose significant restrictions on pharmaceutical data mining activities. Justice Kennedy’s opinion in the closely-watched case of IMS v. Sorrell held that the Vermont statute was an unconstitutional regulation of commercial speech.
The first paragraph of Justice Kennedy’s opinion provides a brief summary of the posture of the case and of the Court’s decision:
The case of Dr. Alexandra Thran should cure any physician of the desire to discuss a patient on Facebook. Dr. Thran has been reprimanded by her state’s Medical Board and lost her emergency room privileges. Although the posting in question did not list the patient’s name, Dr. Thran provided enough details so that at least one other person could identify the patient. The result was irreparable damage to her career.
In an article in the most recent Annals of Internal Medicine discussing this case, the author referred to Facebook as the “new elevator.” Those familiar with hospitals will recall the ever present signs reminding health care… More
I give my perspective on issues of physician privacy in this video from The HealthCare Channel, including:
Can physicians challenge online review sites such as Health Grades or Vitals.com to have critical patient comments removed? The Supreme Court will rule soon on the case against the State of Vermont and the law banning the sale of prescription data to companies for use in marketing to those physicians. Is there a downside to doctors moving to electronic medical records, particularly extra monitoring and restriction of medical practice due to state and federal monitoring?
When we last looked at OCR’s reporting on HIPAA breaches impacting 500 or more individuals, back in September 2010, there had been 191 such breaches. In the intervening 7 months, that number has jumped to 265 such breaches listed on OCR’s website. It’s safe to expect these figures will continue to climb for the foreseeable future.
Earlier today, I delivered a presentation on "Data Security and Privacy for Medical Device, Pharmaceutical and Life Sciences Companies: How to manage your obligations under HIPAA, the HITECH Act and other federal and state data privacy and security laws" with colleagues Ara Gershengorn and Sarah Altschuller.
On March 14, the California-based managed care organization, Health Net, Inc., announced that it cannot account for "several server drives" that contained protected health information. According to California regulators, these servers appear to contain the data of 1.9 million people nationwide:
The company announced today that nine of its server drives containing personal information for 1.9 million current and past enrollees nationwide are missing, including records for more than 622,000 enrollees in Health Net products regulated by the DMHC, more than 223,000 enrolled in California Department of Insurance products, and a number enrolled in Medicare..
Since this is the… More
As we noted earlier this month, Massachusetts General Hospital recently entered into a $1 million Resolution Agreement and Corrective Action Plan with the Department of Health and Human Services’ Office of Civil Rights. This settlement stemmed from an incident on March 9, 2009, when a MGH employee was commuting on the subway, "removed documents containing PHI from her bag and placed them on the seat beside her. The documents were not in an envelope and were bound with a rubber band. Upon exiting the train, the MGH employee left the documents on the subway train and they were never recovered. These documents contained the… More
While the effect of the federal legislation modifying the FTC Red Flags Rule has been known for a while, the court proceedings that challenged the rule have now caught up. The American Bar Association’s suit has been dismissed, and the American Medical Association announced it is voluntarily dismissing its case: "The lawsuit filed by the Litigation Center of the AMA and the State Medical Societies, the American Osteopathic Association and the Medical Society of the District of Columbia, and joined by 26 national medical specialty societies, will now formally end."
You Call That a Password? Passwords Used to Protect Personal Health Information in Clinical Trials Are Cracked More Than 90% of the Time
In a recent article in the Journal of Medical Internet Research, the strength of passwords in clinical trials was analyzed. In all cases that were examined, "the recovered passwords were poorly constructed, with names of local locations (e.g., “ottawa”), names of animals (e.g., “cobra”), car brands (e.g., “nissan”), and common number sequences (e.g., “123”)."
This result comes as no real surprise. These conclusions build on prior studies which have repeatedly shown that password strength is weak. It is perhaps the easiest and cheapest way to increase IT security and yet it continues to receive short shrift.
The study also noted that "the files… More
Earlier today, the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) issued a Notice of Final Determination finding that Cignet Health of Prince George’s County, Md., (Cignet) violated the Privacy Rule of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). HHS imposed a civil money penalty (CMP) of $4.3 million for the violations, representing what OCR said was "the first CMP issued by the Department for a covered entity’s violations of the HIPAA Privacy Rule." The CMP is based on the violation categories and increased penalty amounts authorized by Section 13410(d) of the… More
500 Is a Magic Number: Health Information Breaches Impacting 499 or Fewer Patients Likely Go Uninvestigated By OCR
In the recently-released fiscal 2012 budget for HHS, a dirty little secret has been acknowledged: the Office of Civil Rights does not have the resources to review all reported breaches of health information. In fact, if you have a breach that impacts up to 499 people, you are unlikely to hear from OCR at all:
Current OCR practice is to validate, post to the HHS website, and subsequently investigate all breach reports that impacted more than 500 individuals. Breach reports that impacted fewer than 500 individuals are compiled for future reporting to Congress; however they are treated as discretionary and… More
In a complaint filed with the FTC on November 23, four advocacy groups asked for "Investigation, Public Disclosure, Injunction, and Other Relief" against several online health giants, including Google, Microsoft, QualityHealth, WebMD, Yahoo, AOL, HealthCentral, Healthline, and Everyday Health.
The advocacy groups behind this complaint are the Center for Digital Democracy, U.S. PIRG, Consumer Watchdog and World Privacy Forum. They allege (in 144 pages, complete with web page screen-shots) that:
"Digital marketing raises many distinct consumer protection and privacy… More
The American Medical Association recently published a policy on "Professionalism in the Use of Social Media," in an apparent attempt to address growing concerns about patient confidentiality and privacy in various internet settings.
While the policy mostly consists of "considerations" that physicians should "weigh" when maintaining an online presence (none of which are new or earth-shattering), there was one notable exception — a snitch rule:
"When physicians see content posted by colleagues that appears unprofessional they have a responsibility to bring that content to the attention of the individual, so that he or she can remove it and/or… More
On July 8, 2010, the Department of Health and Human Services (“HHS”) issued a notice of proposed rulemaking (“NPRM” or “proposed rule”)1 modifying the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy, Security, and Enforcement Rules2 pursuant to the Health Information Technology for Economic and Clinical Health Act (“HITECH”), which was enacted February 17, 2009 as part of the American Recovery and Reinvestment Act of 2009, Pub. L. 111-5.
HHS Issues a Notice of Proposed Rulemaking to Modify the HIPAA Privacy, Security, and Enforcement Rules
Earlier today, the Department of Health and Human Services announced proposed modifications to the HIPAA Privacy Rules, calling them the most significant changes in HIPAA since 2003, when the HIPAA Security Rules were adopted. The propose changes include:
provisions extending the applicability of certain of the Privacy and Security Rules’ requirements to the business associates of covered entities; establishing new limitations on the use and disclosure of protected health information for marketing and fundraising purposes; prohibiting the sale of protected health information, and expanding individuals’ rights to access their information and to obtain restrictions on certain disclosures of protected health information… More
In late June, the Centers for Medicare & Medicaid Services (“CMS”) proposed new rules for hospitals that would entitle patients to choose their own visitors during a hospital stay, including visitors who are same-sex domestic partners. These proposed rules stem from the April 15, 2010 Presidential Memorandum on Hospital Visitation issued to the Secretary of Health and Human Services.
The proposed rules would require every hospital to have written policies and procedures detailing patients’ visitation rights, as well as instances when the hospital may restrict patient access to visitors based on reasonable clinical needs. A key provision of the proposed rules… More
On June 25, 2010, federal district court judge Reggie B. Walton of the United States District Court for the District of Columbia entered a stipulated court order (.pdf) directing the Federal Trade Commission (FTC) to delay enforcement of the FTC’s Red Flags Rule against doctors and medical practices represented by the American Medical Association (AMA) and American Osteopathic Association. The FTC and AMA agreed to this delay in a Joint Stipulation (.pdf), filed in the lawsuit initiated by the AMA and other medical associations to exclude doctors and other medical professionals from the application… More
Today, the Federal Trade Commission issued a press release and an Enforcement Policy extending the deadline for enforcement of the FTC’s Red Flags Rule through December 31, 2010. The agency cited requests from members of Congress for a postponement of the deadline while legislators tinker with federal law to exclude certain businesses from application of the Rule.
Earlier today, the American Medical Association, American Osteopathic Association and the Medical Society of the District of Columbia filed a complaint that seeks to block the application of the Federal Trade Commission’s Red Flags Rule to their members.
According to its press release, the AMA filed this suit because it unfairly treats physician practices like “banks, credit card companies and mortgage lenders,” according to AMA President-elect Cecil B. Wilson, M.D. He added, “The extensive bureaucratic burden of complying with the red flags rule outweighs any benefit to the public.”
Given the impending June 1 deadline, it is… More
As part of the settlement of a federal court action, the State of Texas has agreed to destroy more than 5 million blood samples taken from babies without parental consent and stored indefinitely for the purpose of scientific research. The Texas Department of State Health Services announced earlier this week that it would destroy the samples in connection with the settlement of a federal lawsuit filed in March 2009 by the Texas Civil Rights Project on behalf of five parents of children whose blood was being held for use in research without their consent.
The parents’ complaint alleged… More
Massachusetts Court Holds Disclosure of Patient Records Does Not Violate HIPAA or State Consumer Statute
In Mercier v. Courtyard Nursing Care Center, 2009 WL 1873746 (Mass. Super. Ct. Jun. 11, 2009), a resident of a nursing home sued the home in Massachusetts Superior Court for negligence after being assaulted by another resident. The injured resident moved to obtain medical records maintained by the home regarding the resident who had allegedly committed the assault. The home contended that disclosure of the records would violate both HIPAA’s prohibition on disclosure of medical records without a patient’s authorization and Mass. Gen. L. ch. 93A, the Massachusetts unfair and deceptive practices statute.
The court, however, held HIPAA permitted… More
Incident of the Week: in our first double feature, we report on the recent breach announced at the University of North Carolina and the plea agreement reached with one Massachusetts inmate who hacked the prison computer system while still behind bars.
Incident of the Week: FBI Arrests Hacker Posing as Security Guard Who Infiltrated Texas Hospital Days Before “Devil’s Day” Attack
This week, the U.S. Attorney’s Office for the Northern District of Texas announced that the FBI has arrested Jesse William McGraw, a 25 year old contract security guard at the W. B. Carrell Memorial Clinic, a hospital in Dallas, Texas, for hacking the hospital’s computers and air conditioning system. For many businesses, an attack on ventilation systems might be an inconvenience, but the threat could be much more serious for critical care patients in healthcare institutions like the Carrell Clinic. McGraw is charged with violations of the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. sec. 1030.
In this, the third and final part of Security, Privacy and the Law’s interview with M. Eric Johnson (Part 1 may be found here and Part 2 is here), Dr. Johnson talks about why the fragmented nature of the American healthcare system is so dangerous and why he believes greater consolidation would better protect private information. He also talks about the specific problems associated with data security on peer-to-peer file sharing networks.
In this, the second part of Privacy, Security and the Law’s three part interview with M. Eric Johnson (begun here), Dr. Johnson talks about why he thinks the healthcare sector is uniquely vulnerable to security breaches and what special problems that vulnerability poses.
A recent article from Computerworld reports that, according to a new study conducted by researchers from MIT and the University of Virginia, "EMR [Electronic Medical Record] adoption is often slowest in states with strong regulations for safeguarding the privacy of medical records." According to the study, in states with "strong privacy laws", the number of hospitals using EMR systems is up to 30% lower than in states with "less stringent privacy requirements." The study, "which looked at EMR adoption in 19 states over a 10-year period", concludes that the reason for the disparity is that "privacy rules often made it harder… More
Security, Privacy, and The Law recently had the chance to sit down with Dr. M. Eric Johnson to talk about his recent paper “Data Hemorrhages in the Health-Care Sector.” Dr. Johnson’s study has been in the news lately because many were startled by his finding that a great deal of patient healthcare information is available on peer-to-peer (P2P) file sharing networks. We are thrilled that Dr. Johnson agreed to do a interview with Security, Privacy, and The Law and we will be posting the full interview with Dr. Johnson in several parts.
First the Bad News, Your Doctor’s Lost His License; Now the Really Bad News: No One’s Taking Care of Your Records
As outlined in April 2’s Boston Globe, a Massachusetts physician who lost his license to practice is still causing problems for his patients. He left his office and records, and now his patient records are about to be destroyed unless the patients come to claim them. The state authorities claim they don’t have the resources to maintain the records, or to help find the patients. The auction company just wants them gone.
Normally, when a physician closes a practice, patient records are placed with another physician; if they are placed in storage, prepayment of storage fees or a bond is usually required. Wouldn’t… More
It seems an inevitable consequence of modern celebrity: when you go to the hospital, hospital workers will look at your records (even though they have no medical reason to). The latest example of this involved the infamous mother of octuplets, Nadya Suleman. It resulted in the firing of 15 hospital workers at Kaiser Permanente’s hospital in Bellflower, California. All these violations have been reported by Kaiser to the California Department of Public Health.
The FTC Strikes Back: (Essentially) Everyone Should Be Complying With Red Flags Rules, Especially The Healthcare Industry
In a recent letter (.pdf) to the healthcare industry, the Federal Trade Commission (“FTC”) has issued its clearest pronouncement yet on which entities must comply with federal “Red Flag Rules” — the identity theft regulations that will go into effect for many businesses on May 1, 2009 (and have been in effect for banks and financial institutions since November 1, 2008). This latest guidance strongly suggests that if you are wondering whether the new federal regulations apply to you — then they probably do. In this post, we will recap the FTC’s recent guidance on who should be complying with the Rules.
For all their problems, Veterans Affairs medical centers across the country are at the vanguard of the implementation of electronic health records. As such, there is a lot to learn from the problems that the VA system has experienced in this area. According to an article in the March 4, 2009 Journal of the American Medical Association, the problems experienced by the VA include mixed-up patient names and missing medication orders. These types of problems are probably endemic in any EHR system. (This very point was made by Drs. Jerome Groopman and Pamela Hartzband in their March 12, 2009 Wall Street… More
Adding to the Patchwork: HITECH Act Sets New “Floor” for Data Breach Notification of Certain Patient Information
On Tuesday, February 17, 2009, President Obama signed into law the widely-debated federal economic stimulus package, officially titled the American Recovery and Reinvestment Act of 2009, and with it, enacted the Health Information Technology for Economic and Clinical Health Act (HITECH Act). Much of the media attention on the HITECH Act has focused on the policies promoting health information technology a topic that President Obama touted throughout his campaign. However, the HITECH Act also contains myriad regulations that expand the security and privacy provisions of the Health Information Portability and Accountability Act of 1996 ("HIPAA"), and generally extends some of those regulations… More