[ Friday, July 13, 2018 ]
A couple of recent data breaches
Jeff [1:11 PM]
Breaches from MedEvolve and Premier Immediate Medical Care (involving an unprotected FTP server), and from VCU and Arkansas Children's (involving employees behaving badly).
[ Thursday, July 12, 2018 ]
Jeff [10:55 AM]
Miss me? Sorry, took some vacation time, then had to dig out at work before hitting the blog.
While I was away, I did get an interesting email question from a lawyer in the Kansas City area:
I advise a company that routinely enters into BAAs; in doing so my colleagues and I try to limit reporting requirements for security incidents that do not rise to the level of breaches of unprotected PHI, especially security incidents consisting merely of unsuccessful pings.

I just read your post at this link -- https://hipaablog.blogspot.com/search?q=ping -- in which you indicated, “Since reporting pings is required, I now include it in my BAAs, but minimize the reporting to the barest minimum to still comply with the regulations: a minimal number of reports (no more often than quarterly), with minimal information…”

I had thought that security incidents had to be reported within 60 days of discovery [per § 164.410 (a) as referenced by § 164.314 (a)(2)(i)(C) ] or does the 60 days “as required by § 164.410” apply only to the last phrase -- “breaches of unsecured protected health information” – and not to the entire sentence – “Report to the covered entity any security incident of which it becomes aware, including breaches of unsecured protected health information as required by § 164.410“?

If security incidents are subject to the 60 day rule, wouldn’t quarterly reporting fall short for those security incidents that happened within the last quarter, but more than 60 days ago? Or is my reading missing something?

Thank you for your thoughts on this.
Well, here are my thoughts:

There are three different concepts to keep in mind here, which occasionally overlap in fact and even more often overlap in casual discussion of things HIPAA.
First, you’ve got your generic “HIPAA breach.” That’s basically any breach of the obligations or requirements of HIPAA. Don’t have good policies and procedures? If you’re a covered entity, that’s a HIPAA breach. Fail to give a patient a Notice of Privacy Practices (NoPP)? HIPAA breach. Sell your patient data to a marketing company without patient consent and appropriate disclosure? HIPAA breach. All of HIPAA, statutes and regs, could be the basis for a HIPAA breach.
Next, you’ve got a “breach of unsecured PHI.” These are defined in and restricted to the provisions of Subpart D of Part 164 (i.e., 45 CFR 164.400 – 414, or “the 400 series”). That would be an (i) improper (ii) acquisition, access, use or disclosure of (iii) unsecured PHI that (iv) compromises the security or privacy of the PHI. Loss of an unencrypted laptop, misdirected emails, or a data-stealing hack would all be breaches of unsecured PHI (assuming that the PHI is, in fact, unsecured and the incident does compromise the security or privacy of the PHI, i.e., there’s more than a low probability of compromise). Selling patient data to a marketing company is a breach of unsecured PHI (and also a HIPAA breach), but failure to have good policies and procedures or to give patients NoPPs would not be a breach of unsecured PHI (although they would be HIPAA breaches).
Finally, you’ve got “security incidents.” These are governed by Subpart C, or the 300 series (45 CFR 164.302 – 318), which only applies to electronic PHI. This is the broadest definition, which is unfortunate: under 45 CFR 164.304, a security incident is the attempted or successful unauthorized access, use, disclosure, modification or destruction of information, or interference with system operations, in an information system. Since it includes “attempted,” any ping is a “security incident.” The BAA provisions require the BAA to say that the BA will report ANY security incident. So, a BA should be reporting every ping. It seems that any breach of unsecured PHI, if it involved electronic PHI, would also be a security incident, since it would be an unauthorized access or disclosure; however, theoretically a breach of unsecured PHI involving paper records only would not be a security incident, since the information is not electronic or in an information system (and the Security Rule only applies to electronic PHI).
So, let’s talk about reporting requirements. As noted, security incidents have reporting obligations within the context of the BAA: the BA must report them to the Covered Entity. There is also a reporting obligation with respect to breaches of unsecured PHI, but it’s a different reporting obligation and serves a different purpose. Security incident reports are in the context of the subservience of the BA to the CE; breach of unsecured PHI reporting was designed to track the “data breach reporting” obligations first instituted by California state law on all data processors and possessors. That data breach reporting obligation is intended to put the general public on “fair notice” if a business suffers a data breach that actually could be more damaging to the customer (whose data is exposed) than to the business that lost it. A company suffering a data breach could be totally blameless: it may have used the best available security, but some bad actor committed criminal acts and got the data. But it is still obligated to report. Thus, data breach reporting, like security incident reporting, does not necessarily indicate that the reporting entity did anything wrong. HIPAA breaches don’t have any specific reporting requirements (unless they are also a security incident or a breach of unsecured PHI), but if there’s a HIPAA breach, there is almost certainly blame.

All Subpart D references are solely to breaches of unsecured PHI. Take a look at 164.410: upon discovering a breach of unsecured PHI, the BA must report it to the CE (not to the affected individual, not to OCR) without unreasonable delay, and in no case later than 60 days after discovery; the CE then carries on the obligation to report to affected individuals. Also, note that it doesn’t matter if the breach had anything to do with the BA. If the BA finds the CE’s unsecured PHI being offered on the Dark Web, even though the BA had nothing to do with it, the BA still has to report it. That tracks, because reporting breaches of unsecured PHI is about passing along information (ultimately to the affected individual, since that’s the next obligation once the BA reports to the CE), not about laying blame (at least not necessarily). Finally, note that this only relates to breaches of unsecured PHI, not HIPAA breaches or security incidents.

Section 164.314, on the other hand, relates to security incidents. It requires the BAA to include an obligation on the BA to report ANY security incident, “including breaches of unsecured protected health information as required by § 164.410” (presumably this only refers to breaches of unsecured PHI that are also security incidents; however, since 410 already requires reporting of all breaches of unsecured PHI, whether or not they are security incidents, there’s really no need for the regs to reiterate that here). Note that the 314 reporting obligation (security incidents) does not contain a timing requirement, whereas the 410 reporting obligation (breach of unsecured PHI) does.
Thus, if it’s a security incident, it must be reported by the BA to the CE, but there’s no timing obligation; if it’s a breach of unsecured PHI, then it must be reported by the BA to the CE within 60 days. If it’s both, then presumably both reporting requirements apply, and thus the 60-day notice requirement governs. I don’t see how an unsuccessful security incident could be a breach of unsecured PHI (if it’s the latter, it must have been successful). Thus, requiring reporting of unsuccessful security incidents without a timeline would be OK, because it would meet the obligations under 314 while not being subject to the obligations of 410. Let me know if you disagree.
[ Monday, May 28, 2018 ]
Jeff [1:56 PM]
[ Friday, May 25, 2018 ]
Aetna HIV Mailing Case Update:
Jeff [11:51 AM]
I reported on this case back in March, but it keeps getting more and more interesting. At least the blame game does.

To recap, Aetna sent out mailings to beneficiaries with HIV, and the mailing came in window envelopes that allowed the HIV diagnosis to be viewed without opening the envelope. The mailing was actually part of a legal settlement. Having already sued its own mailing company (which responded by blaming Aetna's law firm), Aetna has now decided to sue the plaintiffs' firm that brought the cases that resulted in the settlement. For good measure, they've also sued the nonprofit entity that helped the plaintiffs put the lawsuit together in the first place.

Sweetest part: the underlying settlement was over an Aetna policy that required HIV patients to use mail-order pharmacies. The plaintiffs objected because, due to the specific nature of the drugs, the mail delivery could expose that the plaintiffs were HIV patients. So the underlying case was over an objection about improper disclosure of PHI.
[ Wednesday, May 23, 2018 ]
Jeff [12:58 PM]
Obviously, this blog focuses on HIPAA breaches, which can cause big fines but rarely result in the payment of any actual damages by the parties who suffer the breach. That's because the patients rarely suffer financial loss.
When there's a breach involving theft of credit card data (like Target or Home Depot), most individuals whose card data is stolen don't suffer damages, because they can simply dispute the fraudulent credit card charges. It's either the vendor or the credit card company who gets stuck with the loss.
However, the card brands push potential responsibility for those liabilities back onto the vendors, in the form of the PCI DSS: the Payment Card Industry Data Security Standard. Every vendor who takes credit cards agrees (typically in its merchant agreement with its acquiring bank or payment processor) to meet that standard; if it doesn't, and there's a breach due to the vendor's failure, the card companies can then recover their losses (fraudulent charges as well as the costs of replacing cards) from the faulty vendor.

That's what is happening here. Or at least that's what Chase and Paymentech are trying to do. Apparently Landry's is contesting either its own wrongdoing in the hack, or Chase and Paymentech's willingness to let the credit card companies themselves push the losses onto them. Will be interesting to see how this one plays out. And a good lesson for healthcare providers (and anyone else) who take credit cards -- be careful out there, and make sure you meet PCI DSS.
LifeBridge Health (Maryland): Not a whole lot of information here,
Jeff [12:41 PM]
but apparently hackers got into the patient registration and billing system, and went undetected for about 6 months. Likely identity theft and potentially medical identity theft too. If you're one of the victims, take them up on the credit monitoring. And if you're not, check your own credit anyway. Always good advice.
[ Sunday, May 20, 2018 ]
Jeff [10:42 AM]
Off Topic: This is too bad. While it bodes ill for "the academy" generally, this is just the type of thing I ask my students to consider: the other side of policy issues. No sane person has a strongly held belief that they also know is wrong. If someone has a strongly held belief that is different from yours, you should at least try to understand why they have that belief. Unless you do so, you'll never be able to have a fruitful discussion with them. And you'll never convince someone they are wrong unless you understand why they think what they think.
This is exactly the way I try to teach my policy students, because if you want to understand public policy, much less try to impact or enact it, you need to understand all sides of the issue.
The Trump election gave me the opportunity to have my first class look at why the country is so divided; I think it was good for them, because I think many simply never tried to look at why the other side might feel differently than they do. And the feedback I got from them seemed to indicate that it worked.
[ Thursday, May 17, 2018 ]
Victims Sharing HIPAA Fines:
Jeff [12:36 PM]
At long last, it looks like HHS is finally getting around to drafting the regulations for victims of HIPAA violations to get a share of the fines levied against the violators. This concept was first floated in the HITECH Act in 2009, as one of several changes intended to spur enforcement by giving affected breach victims more incentive to pursue covered entities that violated HIPAA: it's sort of like a whistleblower or qui tam statute for HIPAA. However, given that OCR has gotten to keep all the fines so far, it's understandable that they wouldn't rush to start handing out that money to affected individuals.
I'll let you know when they actually write something; for right now, they're looking for comments. If you think you know how OCR should share their fines, feel free to provide a comment.
[ Thursday, May 03, 2018 ]
More Bornstein: OK, let's not get out over our skis, particularly if we are medical ethicists! Forbes quotes "Dr. Arthur Caplan, the founding director of the Division of Medical Ethics at the NYU Langone Medical Center in New York and one of the nation’s most prominent bioethicists," as saying Bornstein "absolutely should lose his license" for admitting that a letter he had presented as his own was in fact dictated by Trump.
Jeff [11:22 AM]
First of all, letting someone else do the initial draft is not unethical. If the party requesting the letter wants it to say something specific, there's no harm (ethical, legal, or otherwise) letting them make those suggestions, even if it's providing the actual words. Now, the doctor is morally, legally and ethically obligated at that point to closely review the wording and change anything that is not 100% in alignment with the doctor's own opinions. He can't sign it sight unseen, he can't skim and sign, and he can't let anyone sign under his name (or stamp his signature for him); that would be at least unethical if not outright illegal. But simply letting someone else draft the wording that you agree with 100% before you sign is just not problematic.
The doctor disclosing Trump's medical information is problematic: whether it's the Propecia leak, or the letter itself, it needs to have Trump's authorization (or be directed by Trump) before it can be released. I would assume the letter was authorized or directed by Trump, but not the Propecia. However, I can't make that determination without more facts, which I don't have. Likewise, Dr. Caplan shouldn't be making such "absolute" judgments without all the facts. In hindsight, I suspect he'd agree that he overstated the case, at least based on the facts he had in hand at the time.
Ultimately the problem is that where Trump is concerned, the press, the pundits, and the chattering classes, as well as many institutional leaders (such as prominent bioethicists), seem to have no problem abandoning all pretext of objectivity or sobriety. Look, I get it that you think Trump is a clown and a buffoon (frankly, I couldn't agree more, and often speak -- and have spoken -- much more harshly of the man); personally, I don't like the man. But I try not to let my personal feelings direct my professional interpretations, and the press (and Dr. Caplan) should try to do the same.
OK, I'm going off topic (if you're looking for HIPAA stuff, you can stop here):
"WANT MORE TRUMP? THIS IS HOW YOU GET MORE TRUMP."
Trump is President. Get over it. Governing-wise, he's going to do some things that are good and some things that are bad (IMHO, tax cuts and Gorsuch fall into the former category, tariffs in the latter). He's also going to say outrageous things just to get folks agitated and distracted -- it gins up his supporters as much as it infuriates his opponents. Much of this will be outright lies, almost always about stupid and inconsequential things (such as how many people were at his inauguration, or whether he's the healthiest man ever to be President). This is intentional. Why?
Trump is President. Think about it. How did that happen? How did he get that much support? I would posit that a large portion of that support is not support of Trump, but an active and energized low-to-middle class cohort substantially energized by furious opposition to what they view as an arrogant ruling class of elites. They believe that the elites hate them. Why do they feel that way? Largely by the unhinged reaction of this elite class to everything and anything Trump says or does, no matter how trivial. Particularly when compared to the actions of others similarly situated (this entire Bornstein incident stems from the press' overreaction to Trump's braggadocio about his health, while Hillary's health issues were not only not reported, but actively covered up by the mainstream press). And even more particularly when the ultimate results end up substantially different from what actually happened ("thousands" didn't "die" from the tax cuts, in fact, people got more money and the economy improved; Trump's juvenile rhetoric didn't get us into a nuclear war with North Korea, in fact, the opposite has occurred).
Trump's antics, particularly his Twitter account, are distractions, and when Trump's opponents jump on them, it only helps Trump. Trump's Twitter is a laser pointer, and the press and pundits are a bunch of cats chasing around a red dot on the floor.
More importantly, the elites and the press have spent all the powder they should've been saving. They've cried "wolf" (or perhaps "Michael Wolff") so many times, if and when Trump does something really outrageous, their reaction won't have any effect on the public who just might have otherwise turned against Trump.
Now, personally, I greatly enjoy watching the press and the elites beclown themselves, so this entire post is an "argument against interest." Jon Stewart, whoever replaced him, John Oliver, Seth Meyers, Stephen Colbert, that Carrot-Top lookalike chick at the WHCD, all those people who "DESTROYED" Trump or Sarah Huckabee Sanders or whomever for stupid and trivial matters like how they look, all toil in totally un-self-aware service of the Trump 2020 campaign.
Look, I thought the "my nuclear button is bigger" Tweetstorm was a stupid provocation of a reckless lunatic. But I also recognize that it may well have worked. Then again, I thought Reaganomics was "voodoo economics" and the Laffer curve was a joke. I'm not always right, but I do try to learn from my mistakes and not double down on them.
And look, I wish it weren't Trump. I wish there were someone classy and erudite who was nominating Gorsuch and passing tax cuts. I wish we didn't live in such boorish and stupid times. But we do. And unless a lot of other folks start figuring out WHY things are this way, we're just going to keep getting more of things this way.
[ Wednesday, May 02, 2018 ]
Trump's Medical Records:
Jeff [3:57 PM]
If you follow me on Twitter (and you should; I'm easy to find @JeffDrummond), you've seen a couple of jabs at the whole matter involving Trump's crazy doctor's latest public proclamations. Harold Bornstein, who was Donald Trump's doctor for many years, recently told NBC News that in February 2017 Trump's bodyguard, lawyer, and a third man conducted a "raid" on his office, without notice, and took all of Trump's medical records. Bornstein also indicated that he felt "raped, frightened, and sad" when the Trump aides came for his records. Apparently, Bornstein had told the press a few days earlier that he had prescribed a drug to Trump to treat hair loss, and because of that, he was dumped from the Trump Train.
NBC News reports, "Bornstein said he was not given a form authorizing the release of the records and signed by the president known as a HIPAA release — which is a violation of patient privacy law." As with virtually everything else about that story, that's not actually correct.
So, what's legally required for an associate/friend to retrieve a patient's medical records?
Well, let's start here: HIPAA requires "covered entities" to limit uses and disclosures of "protected health information" (or "PHI") to certain permitted uses/disclosures (the "HIPAA Rules"), and grants patients certain enumerated rights to their PHI (the "HIPAA Rights"). Most healthcare providers are covered entities, unless they never conduct any of the HIPAA standard transactions (claims, eligibility checks and the like) electronically. Most billing is done electronically, so only those providers who operate in a paper-only environment are not covered by HIPAA. It's rare, especially for a physician (psychologists and counselors, and others who operate on a cash-only or non-insurance basis, are more easily excluded), but possible.
It's possible Bornstein isn't a "covered entity" and HIPAA doesn't even apply to him. If that's the case, there are still state law requirements, which generally require a provider to meet community standards and ethical obligations regarding patient privacy. Given the broad reach and scope of HIPAA, it's usually hard to argue that, even if you aren't a covered entity, you aren't ethically required to follow HIPAA (or something pretty close to it) anyway. So let's assume HIPAA applies.
May Bornstein give the PHI to Trump's agents? Must he? Is he prohibited from giving the PHI up if the agents don't have a signed "HIPAA release"? (OK, let's nip this one in the bud -- it's not a "HIPAA release," it's a patient "authorization" that is HIPAA compliant.)
The HIPAA Rules allow disclosures to the patient.
They also allow disclosures to two types of persons connected to the patient: the patient's "personal representative" and persons who are "involved in the care" of the patient. The "personal representative" is someone with the power to make healthcare decisions on behalf of the patient; basically, to be a personal representative, you need to have the authority to agree to surgery for the patient. Thus, the prototypical "personal representative" is a parent of a minor child, or a court-appointed guardian for someone who is not competent to make decisions on their own behalf. Clearly, Trump's bodyguard, lawyer, and whoever that third guy was [Ted Cruz's father?] were not personal representatives, but might be considered to be "involved in the care" of Trump. Someone "involved in the care" is usually a friend or family member who helps the patient out in some way, but really could be anyone; it's up to the patient. This issue came up prior to the court cases requiring states to recognize gay marriage: there were reported cases where a patient wanted his/her gay lover to be involved in the decision-making process, but the hospital was requiring that only family members could be so involved.
The HIPAA Rights require the covered entity to grant the patient access to his/her PHI. In other words, if you ask your doctor for a copy of your records, he must give them to you (with very few exceptions, none of which are conceivably applicable here). HIPAA does not require the provider to give up all copies of the information, and usually the provider merely gives over copies and keeps the originals. And if the patient has the right to receive the PHI, the patient also has the right to make the provider give it not only to the patient, but to whomever the patient asks the provider to give it (under 45 CFR 164.524(c)(3)(ii), that request has to be in writing, signed by the patient, and clearly identify the designated recipient and where to send the copy).
Thus, if the patient asks for his PHI, the provider may give it to him (under the HIPAA Rules) and must give it to him under the HIPAA Rights. But what if it's not the patient asking, but someone else? If that someone else is a "personal representative," it's as if the patient himself asked, and the provider must give up the PHI. If it's someone "involved in the care," the provider may give up the PHI, as long as the disclosure is limited to the involvement of the third party in the patient's care. Generally speaking, if the patient asks the provider to give the PHI to the third party, that's pretty clear evidence that the third party is "involved in the care" at least to the extent of being the recipient of the PHI.

Now, since in this case it's a "may" disclose situation, not a "must" disclose situation (i.e., it's a person "involved in the care," not a "personal representative"), the provider might want to obtain some protection against the patient later saying, "no, I didn't want you to give that PHI to my lawyer." In that case, and certainly whenever there's any doubt about whether the patient approves, it's generally good advice to the provider to refuse to give up the PHI unless there is a HIPAA-compliant authorization (which must be signed by the patient). However, that's not a requirement.
So, what about this situation?
If Bornstein had good reason to believe that these were Trump's attorney and bodyguard, and that Trump wanted the records delivered to them, Bornstein would be permitted to disclose the PHI to them under HIPAA. But he could refuse, and demand a HIPAA-compliant authorization. He also could have contacted Trump by phone for additional confirmation. Could Trump report Bornstein for disclosing PHI to the bodyguard and attorney? Possibly, but it would only be a violation if Bornstein knew or should have known that those three weren't "involved in the care" to a sufficient level to be able to get copies of the records in that situation; I can't see any reviewer of the facts finding that to be the case.
Was Bornstein required to give up the originals? No, and he probably shouldn't have. But he could have been ordered to do so, particularly given these circumstances, where the patient had another treating physician and was apparently seeking to sever ties with his former physician. A physician does not automatically have a right to retain a patient's personal information; if a patient accused a physician of raping her and demanded the physician turn over all records, a court would likely require the physician to turn over the records (although it might require they be turned over to a third party so they would be available in case the physician needed them to defend himself).
In this case, it appears that Bornstein violated Trump's medical privacy rights, and almost certainly violated HIPAA (OK, maybe Trump signed a HIPAA-compliant authorization, but I sincerely doubt it), by reporting on his Propecia prescription, as well as other disclosures that were not specifically approved by Trump. Even though he "can't believe anybody was making a big deal out of a drug to grow his hair that seemed to be so important," it's not Bornstein's decision to make, and there's really no "no harm, no foul" rule when it comes to whether a disclosure is permitted or not (determining if it's a breach, that's another story). With that background, I think it would be fairly easy for Trump to sue Bornstein to give up all copies of his records. Additionally, I think the Secret Service could also come in and take them; there's a whole category of "permitted" uses and disclosures related to the military, prisons, and the Secret Service that come into play here. Of course, it doesn't look like the Secret Service was involved, but if they were, there would be even more avenues to explore.
Should Bornstein have allowed Trump's aides unfettered access to his office? Certainly not. The best policy would have been to have office personnel determine the appropriate files, make copies, and give them to Trump's representatives. To the extent the trio of Trumpsters improperly accessed or saw any other patient's data, that's Bornstein's fault, not the Trump crew.
So, is Trump or his crew in trouble here? I can't see how. Is Bornstein in trouble? Not for delivering Trump's records to Trump's crew. He could be (and really should be) in trouble for disclosing the Propecia information, and anything else he discussed without the President's permission.
[ Monday, April 30, 2018 ]
Jeff [3:11 PM]
As you may know (I posted on it at the beginning of the month), a large NJ physician practice paid a $400,000 fine as a result of a transcription company's use of an unsecured FTP server (NOT discovered by Justin Shafer, though). Edward McKinney, CISO of Floyd Medical Center in Rome, Georgia, alerted me about Virtua, and wondered: is this the beginning of Covered Entities being held liable for the sins of their Business Associates?

Maybe. First, keep in mind this is a state AG action, not an OCR action, so the effect on HIPAA enforcement is a little more tenuous. But also, it's pretty easy to read the AG's statements as directly damning Virtua for not minding its own privacy and security matters (insufficient risk analysis, insufficient security training), not for its inability to sniff out the vendor's shortcomings.

We could be entering an era where the sins of the vendors are visited upon the covered entities, especially if the covered entity failed to properly vet the vendor (like a negligent credentialing claim). But I'm not ready to make that leap -- I think there's sufficient direct blame here that you don't need to pin it on indirect blame. A covered entity with great risk analysis and training might still be guilty of hiring a bad vendor because it didn't kick the tires hard enough, and there's a conceptual HIPAA violation in that scenario. But I really think, unless the vetting was unconscionably bad, you'll not see that charged as a violation. Rather, you're still much more likely to see a failure to do sufficient first-party risk analysis (as well as missing policies and procedures).
[ Friday, April 27, 2018 ]
A handful of new breaches: including
Jeff [2:01 PM]
the Metroplex's own Texas Health Physician Group, which apparently suffered an email system intrusion of some sort.
[ Wednesday, April 25, 2018 ]
Jeff [7:45 PM]
[ Wednesday, April 18, 2018 ]
Jeff [10:59 AM]
Jeff [10:56 AM]
Of course, I see this and wonder if it's a HIPAA violation. Well, that and a couple of jokes that pretty much write themselves.
[ Thursday, April 12, 2018 ]
Insiders Cause Most Health Industry Breaches:
Jeff [3:05 PM]
Not really surprising, but most data breaches in the health industry are caused by insiders. That's not surprising, given the highly labor-intensive nature of healthcare, the presence of so many low-wage employees (who might be more likely to either intentionally (theft) or unintentionally (accident) cause a breach), and the fact that sensitive identifiable data is involved in every aspect of the business.
I don't agree with the headline's premise, that healthcare is worse than anyone else at preventing insider actions; that assumes that the number of healthcare data breaches is comparatively high compared with other industries. Rather, I think the number of breaches is comparatively low, but it's just that the percentage of the (lower number of) breaches attributable to insiders appears high due to the low denominator.
[ Tuesday, April 10, 2018 ]
Old dogs, new tricks?
Jeff [10:55 AM]
OK, not exactly, but I did actually learn something new about HIPAA today. It confirmed my understanding in the area (which coincidentally I was discussing with someone within the last few days), but I wasn't aware that there was such an explicit outlining of the matter by HHS already.
Someone asked me what their HIPAA obligations are, as a covered entity, to investigate their business associates' HIPAA compliance activities. Lots of larger CEs have extensive requirements they pass down to their BAs, forcing them to answer questionnaires, provide documentation, and agree to inspections or reviews, so that the CE can determine whether the BA is adequately protecting PHI. This is a good thing in theory, but can be a monstrous pain in the neck for the BA, especially if it's a small shop with a more, shall we say, informal HIPAA compliance plan ("Shhh.").
As I told my interlocutor, the HIPAA regs themselves do not require any sort of active engagement by the CE over its BAs, only the entering into of a BAA and the downstreaming of the specified obligations in 164.504(e). Most BAAs contain more than is required, and those that contain active monitoring of the BA certainly do. While it seems to be becoming an industry trend, and may be a "best practice" for a larger CE, it's certainly not a requirement.
As an aside, I would note that a BA should be very careful about agreeing to provide the CE with a copy of its risk assessment: once an organization has determined what its greatest weaknesses are, it's not a good idea to show that to anyone outside the organization. If the outside entity does not keep that information secure, it's like giving potential hackers a road map to the best way into your data. I passed this advice along as well.
Anyway, Lexology today led me to this article
by Adam Green's crew at Davis Wright Tremaine. It turns out, there is specific language
in the December 2000 Privacy Final Rule that removed a more active monitoring requirement in the proposed regs from 1999 (the regs I famously read on the beach in Destin, Florida in June of 2000). The 2000 Final Rule says, "In the final rule, we reduce the extent to which a covered entity must monitor the actions of its business associate
and we make it easier for covered entities to identify the circumstances that will require them to take actions to correct a business associate’s material violation of the contract. . . . [T]his standard relieves the covered entity of the need to actively monitor its business associates
. . . ."
As the article also notes, OCR officials indicated a year ago at a HIPAA Summit that they do expect CEs to conduct a certain level of due diligence with respect to their BAs. While this "guidance" is helpful, and I would always encourage CEs to exceed the requirements of HIPAA where it's reasonable to do so, it is still just that: guidance. As with the OCR "ransomware = breach" guidance, it is not the law and it is not a regulation, and should not be enforced as such. The Administrative Procedures Act exists for a reason, and if HHS wants to draft binding regulations, there's a way to do so, and HHS should follow the rules.
[ Thursday, April 05, 2018 ]
State Data Breach Notification Laws:
Jeff [2:47 PM]
Well, in late March South Dakota made it 49
, and effective June 1, Alabama will be the 50th
state with a data breach notification law. There's still talk about a national law, but personally, I think this is something we should let the states handle on their own.
Remember, if you have an incident that might be a HIPAA breach, you also need to consult state law; an incident could be either a HIPAA breach or a state breach, or both, or neither. The analysis is similar, but not the same.
UPDATE: Shoulda given a hat tip to Ron Holtsford in Alabama for the heads up; I missed them both in the flurry that was the end of March.
Virtua (NJ) Breach:
Jeff [2:42 PM]
a bad server setup by a transcription company business associate resulted in a $400,000 state fine for a New Jersey medical group
[ Tuesday, March 20, 2018 ]
Which will leave South Dakota: Alabama
Jeff [1:35 PM]
is about to be the 49th state with a data breach reporting statute.
[ Thursday, March 08, 2018 ]
Not slowing down:
Jeff [4:56 PM]
The seeming slowdown of OCR prosecutions of HIPAA breaches is just that: seeming. At least that's what OCR is saying
Jeff [4:54 PM]
the NY insurer conducted a mailing that exposed beneficiaries' social security numbers, and was fined $575,000. Not by OCR, but by the NY Attorney General. EmblemHealth has not been punished by OCR (at least not yet). What to make of this? Kirk Nahra has some thoughts.
[ Tuesday, March 06, 2018 ]
Forecast for HIPAA Enforcement in 2018:
Jeff [10:10 AM]
a little bit of navel-gazing
by David P. Saunders of Jenner & Block. I don't disagree, but however you slice it, the sample size is just too small. One thing that won't change -- the size of the fines: they'll still stay huge, at least for entities that can afford them (that's my prediction, for what it's worth).
[ Friday, March 02, 2018 ]
Aetna HIV Mailing Case (and the missing BAA):
Jeff [1:15 PM]
I was just reviewing the complaint
in the countersuit filed by the mail service vendor, KCC, against Aetna (in preparation for my HIPAA breach presentation at the UT Health Law Conference in Houston April 6-8 [y'all come; tell me you read this, and I'll buy you a drink!]), and found something interesting on page 15. As you may recall, Aetna hired KCC to send a mailing to a bunch of HIV patients, and the letters went out in "window" envelopes, so that some of the print on the content of the letters (presumably the patient name and address) shows through the cellophane window. However, the mailing was poorly configured because instead of simply the patient name and address showing, information relating to the patient's HIV status also showed through. Well, it looks like Aetna did NOT
have a BAA in place with KCC.
That could be huge.
[ Monday, February 26, 2018 ]
Good: Hospital terminates snooping employees
Jeff [8:03 AM]
. The best way to keep employees from snooping and otherwise violating HIPAA is to make an object lesson out of those who get caught. Insidious little transgressions tend not to be repeated if it's known that you'll get fired for it.
[ Wednesday, February 14, 2018 ]
Jeff [1:10 PM]
a bankrupt company
can still be stuck with a HIPAA fine, as Filefax found out.
[ Thursday, February 08, 2018 ]
Aetna HIV mailings:
Jeff [1:13 PM]
When the sh*t hits the fan, it splatters everywhere
. Aetna agreed to about $20 million in fines and damages, sued its claims administrator KCC, who in turn counterclaimed against Aetna, claiming that Aetna's attorneys, Gibson Dunn & Crutcher, bear responsibility too.
[ Friday, February 02, 2018 ]
HIPAA and Law Enforcement:
Jeff [11:07 AM]
I recently recorded a webinar
on the impact of HIPAA on police efforts to obtain medical information. HIPAA doesn't prevent the administration of justice or prohibit the police from doing their job, but it does set out parameters and rules. It's wise for both the law enforcement community and the medical community to be aware of those rules.
If you click on the link
to register, I think you get a 50% discount.
[ Thursday, February 01, 2018 ]
Jeff [1:44 PM]
The dialysis provider had a bad year in 2012: 5 different data breaches from lost or stolen computers and hard drives. What links 5 separate breaches? Bad risk analysis, naturally. The result? A $3.5 million fine
. And think, barely 500 individuals were affected. Could've been a lot worse.
[ Tuesday, January 30, 2018 ]
Jeff [10:07 PM]
So, after a weekend of DissentDoe and me talking about how a ransomware attack should not be automatically considered a reportable breach, OCR releases a Cyber Extortion Newsletter
, and doesn't repeat that ransomware is presumably a breach. Maybe they've been listening. . . .
[ Monday, January 29, 2018 ]
Jeff [2:15 PM]
[ Friday, January 26, 2018 ]
Allscripts Ransomware Update:
Jeff [12:57 PM]
Now, a class action lawsuit
has been filed. This class action might actually hold water -- Allscripts' 1,500 customers apparently did suffer delays and business interruptions, for which actual damages might be fairly easily provable. In most breach class action cases, most members of the "class" can't show any actual monetary damages: if nobody steals your identity or ruins your credit, even though they might have tried or had the ability to do so, you've got no damages. It's hard to maintain a class action if you can't show damages across the whole class of plaintiffs.
The damages in the Allscripts case might, though, be "consequential," rather than direct. If so, then the Allscripts customer contract might contain a liability limitation that would keep those damages from being recoverable. But that's all just guesswork on my part.
[ Friday, January 19, 2018 ]
Jeff [12:33 PM]
This time a bigger target (Allscripts)
, but apparently not a big impact. Presumably that's because Allscripts was prepared for it.
Take this as a reminder: if you haven't prepared for a ransomware attack, be prepared to be asked why if it happens and you suffer a HIPAA breach. At this point, the possibility of a ransomware attack should be part of your risk analysis.
[ Wednesday, January 17, 2018 ]
Your 2018 Privacy and Security "To Do" List:
Jeff [4:57 PM]
This is a great little checklist
from Kirk Nahra at Wiley Rein. There will be few if any businesses that will have to address each item on this list, but virtually every business will have to deal with at least one of them. And pay particular attention to the passages in italics, which are most important and nearly universal.
Jeff [1:42 PM]
[ Monday, January 15, 2018 ]
Ransomware in Indiana: Hancock Regional Hospital
Jeff [2:27 PM]
in Indiana was hit by encryption ransomware. No word yet on how they are recovering, or what the ransom amount was (they didn't pay, so presumably they were able to recover from backups). More here.
UPDATE: Apparently, they did pay: $55,000
Jeff [2:23 PM]
Oklahoma State's Center for Health Sciences in Tulsa got hacked,
resulting in about 280,000 names and a limited amount of other information. Not likely a big risk to those involved.
[ Friday, January 12, 2018 ]
Coplin Health (West Virginia): Another stolen laptop, another breach notification
Jeff [1:34 PM]
to 43,000 patients. They don't even know if the laptop had any PHI on it (it might not have). And it was password protected, reducing the likelihood of harm even further. BUT, it was not encrypted. Hence the report and the bad publicity.
Jeff [10:45 AM]
The CT Supreme Court has established, for the first time in the state, a physician's common law obligation to protect the confidentiality of patient records
. Most states have either a common law right to confidentiality or a statutory one, but a lower court noted that neither had been established in Connecticut until now.
The case involves a HIPAA violation, and a patient's lawsuit against an Ob/Gyn practice for disclosing the patient's records to a probate court pursuant to a subpoena. HIPAA does allow disclosures of PHI under subpoena in certain circumstances, and it's not entirely clear here whether all of the HIPAA requirements were met; however, the plaintiff's claims for a HIPAA violation were immediately tossed out because there is no private cause of action for a HIPAA breach. In other words, even if a medical practice blatantly breaches HIPAA and discloses the patient's data, the patient cannot sue the medical practice for the HIPAA breach.
The patient can potentially sue the medical practice under some other grounds, specifically for failure to comply with state statutory or common law privacy obligations. In this case, the lower court correctly noted that there is no established privacy obligation in Connecticut; the supreme court, however, reset the table.
No, this isn't exactly right
. Connecticut citizens cannot sue for HIPAA breaches. They can sue for breach of confidentiality of medical records. There is overlap between those two things, but they are not contiguous or equal.
[ Wednesday, January 10, 2018 ]
Florida Medicaid Agency Data Breach:
Jeff [4:19 PM]
apparently someone at the Florida Medicaid
agency, the Florida Agency for Health Care Administration, got phished, and data for 30,000 Floridians was exposed.
New Privacy Officer at ONC: After a week or so of news highlighting how long the job has been vacant and whether it's even relevant any more, HHS' Office of the National Coordinator for Health IT has announced Kathryn Marchesini as their new Chief Privacy Officer.
Jeff [2:21 PM]
Costs of Producing Medical Records:
Jeff [1:04 PM]
A medical record document production company
has sued HHS to challenge its rules on the ability of a healthcare provider to charge patients for copies of their medical records. It will be interesting to see how this plays out.
Charles River Medical Associates (Massachusetts):
Jeff [9:11 AM]
This radiology group lost a hard drive
containing the bone density scan PHI of almost 10,000 people. Where'd it go? Who knows. Will the data fall into the wrong hands (and if it did, would it harm anyone)? Unlikely. Will CRMA get fined? Maybe (especially if, "upon further review," it becomes clear that the group didn't have good HIPAA policies and procedures and didn't do a good risk analysis). Would we even know about this if the drive was encrypted? Nope.
Folks, encrypt data at risk. Is it required? No. Then why should you do it? To save yourself a report and a fine, not to mention better protecting your patients' data. Aren't you here to serve them?
Am I asking too many questions?
[ Thursday, January 04, 2018 ]
EHR News: eClinicalWorks sued again:
Jeff [2:12 PM]
Another class action lawsuit
has been filed against EMR provider eClinicalWorks. This suit claims that eClinicalWork's EMR system fails to meet the requirements for "meaningful use." CMS pays providers such as medical practices and hospitals financial benefits if they adopt and implement electronic medical records and other technology in such a manner that the provider becomes a "meaningful user" of electronic medical record technology. The providers must attest to CMS that they have done the things necessary to meet the "meaningful use" standards. In this case, the providers claim that eClinicalWorks does not provide all of the necessary services to meet the "meaningful use" standard. eClinicalWorks paid a $155 million fine last year when the Department of Justice sued directly for its EMR shortcomings.
The earlier class action lawsuit claims that eClinicalWorks' EMR failed to accurately portray a patient's medical record, and the patient died because of the EMR's failure.
[ Wednesday, January 03, 2018 ]
SSM Employee Acting Badly:
Jeff [1:52 PM]
A customer service employee
at SSM Health accessed about 29,000 patient records, apparently looking for St. Louis-area patients who had narcotic prescriptions. Presumably, he'd use those patients' data to get drugs him/herself, either for personal use or for resale. Clever, really. But obviously illegal.
[ Tuesday, January 02, 2018 ]
21st Century Oncology:
Jeff [10:57 AM]
An oncology practice with offices in 17 states and 7 Latin American countries has paid $2.3 million for HIPAA violations
. The FBI found their patient files on the dark web; apparently someone was able to access their SQL database remotely and extracted data on 2,213,597 patients, including social security numbers. Not sure if the breach was the cause, but 21st Century Oncology filed for bankruptcy back in May.
What's the actual HIPAA breach? Lack of a good risk assessment, failure to implement proper safeguards, no regular review of audit logs, and failure to have appropriate BAAs. The first and last are by far the most common causes of HIPAA breaches, and the 2nd and 3rd could have been prevented if the first had been done reasonably well.
When was your last serious risk assessment?
[ Friday, December 22, 2017 ]
Chilton (NJ) Medical Center:
Jeff [4:58 PM]
Employee steals hard drive
and sells it on the internet. 4,600 people impacted.
Banner (Arizona) Breach:
Jeff [4:56 PM]
You may recall a year and a half ago, Banner Health's Arizona facilities suffered a mostly-non-HIPAA data breach: specifically, hackers got into Banner's point-of-sale payment card processing system at its snack bars and cafeterias. The hackers eventually got into some Banner servers containing PHI. But it was really more a Home Depot type breach than an Anthem type breach.
A class action lawsuit was filed against Anthem, based on a handful of causes of action, including breach of contract by Banner for failing to provide protections of employee data as described in Banner's employee handbook. The class action judge has just thrown out several of those claims
, including the employee handbook claims. But she has let the class action continue on unjust enrichment (Banner didn't spend as much on data security as it should have, and that savings unjustly enriched Banner at the expense of the victims of the hack), negligence (Banner had a duty to protect the data, failed at that duty, and caused damages), and violation of Arizona's Consumer Fraud Act.
The judge did find that at least 2 plaintiffs did suffer damages that "would not have happened but-for" Banner's inadequate data security. However, the class-action plaintiffs are not out of the woods yet. Will all the class participants have similar damages? Are they all similarly situated? Is the heightened risk of identity theft actual harm, if the identity theft never occurs? I would guess we will have to have the Supreme Court determine that.
Some Good Breach News:
Jeff [3:35 PM]
The number of data breaches in the healthcare sector continued to rise in 2017 over prior years, but the number of records impacted fell
. Thus, fewer overall individuals were impacted, and fewer of the massive breaches we've seen in prior years.
[ Wednesday, December 13, 2017 ]
Jeff [7:22 AM]
The city had some sort of program providing services to citizens with HIV, and after the program terminated, the city shared information on 200 HIV patients with the University of Southern Maine to help determine if there were gaps in the way it provided the services, or if it could have operated the program better.
The city claims the data sharing did not violate HIPAA because it was for research purposes,
and it may be right, but probably only if USM had an independent review board determine that the university program had enough protections in place that patient authorization was not required.
Nevertheless, the city has apologized. Perhaps not illegal, but perhaps not a good idea either.