[ Monday, February 04, 2019 ]


Interesting article.

Jeff [10:51 AM]

[ Wednesday, January 30, 2019 ]


Discover noted something funny that indicated that some of its cardholders' information was out on the web, indicating that there had been a breach somewhere.  Discover's notice doesn't contain much information (more on that in a bit), but does indicate that it wasn't their fault.  However, they did replace cards for affected individuals and agreed that they wouldn't be responsible for fraudulent charges (both of which would be true regardless of whether the breach was Discover's or someone else's).

Two things to note.  First, many state data breach notification laws, and most importantly HIPAA in particular, require covered entities to report breaches; the requirement isn't to report your own breach, but to report any breach you discover.  That's the duty of data holders -- if you know someone's data is breached, let them know.  Data breach reporting is not an admission of fault, and most data breaches don't result in fines or lawsuits.  The point of breach notification is not (or at least shouldn't be) to tattle on yourself; it's to help out the public whose data is leaked and who might not know about it or how to protect themselves.

Secondly, it's not surprising that Discover's notice didn't say too much, like what they found or how they found it.  Why is that?  Because you don't want to give up your data security secrets.  If the black hats learn how you found out something, they might learn how to hide it better.  Especially if you discovered it via some clever means.

Regardless, it's an interesting notice to get in the millions of data breach notifications.

Update: Jon Drummond is no relation (as far as I know), in case you thought so.

Jeff [12:38 PM]

[ Wednesday, January 23, 2019 ]


Oregon wants to pass a law to prohibit the sale of de-identified data without the data subject's consent.  That is dumb -- de-identified data does not have a data subject.  And if it's truly de-identified, there is no downside to its being shared, at least no downside to the data subject (because, again, there is no data subject if it's de-identified).

I understand the "property rights" concept, but it really doesn't work with data.  Data isn't a thing like that; data is a fact, and you can't own a fact.  The exact same data can be possessed by multiple people at the same time, without diminution of the value to any other holder.  Plus the data may only connect to a particular subject in a particular situation.

For example, let's say my birthday is January 1, 1960.  1/1/60 is in my medical record at my doctor's office, which means that data ("1/1/60") is PHI.  Let's also say I went to my doctor today, January 23, 2019 (1/23/19), for my annual physical.  That data ("1/23/19") is also PHI.  Do I own 1/1/60 or 1/23/19?  If those data are my property, can I keep other people from using them?  How about other people who were born on the first day of 1960?  Do they own the data and I don't?  Tenants in common?

Now, I do have some interest in the connection between those two dates, me, and my doctor's office, but do I own all that data as long as it's connected?

More importantly, what if you de-identified it by HIPAA standards?  All you'd know is that some 59-year-old person went to that doctor's office in 2019.  In Oregon, I would still own that data, even though you don't know it's me.  There will be other people aged 59 who come to that doctor's office in 2019, and that data will belong to them; how can you tell which data is theirs and which is mine once it's de-identified?

Even if it's not de-identified, the doctor's office should have some right to the data in its own records.  It should not have unfettered rights to do with it whatever it wants (and it doesn't, because of HIPAA and other privacy laws), but it surely has the right to use the data to run its business. 

I shouldn't complain -- like the Illinois Biometric Privacy Law, this is good for lawyers.  But it's unnecessary and dumb.

Jeff [4:23 PM]

[ Friday, January 11, 2019 ]


A Michigan HIV/AIDS and substance abuse provider has suffered a data breach after a phishing attack.  I suspect this is more of an ID theft issue, but bad news anyway.  Interestingly, (i) no word on how many were affected, and (ii) the breach occurred in April 2018 but notification only went out recently; that could be because the breach was only discovered in the last month or two, but one wonders if the 60-day time limit in HIPAA was met.

Jeff [8:34 AM]

[ Tuesday, January 08, 2019 ]


Mintz has a good wrap-up of some of the bigger HIPAA goings-on from 2018 here.  

Jeff [8:24 AM]

[ Thursday, January 03, 2019 ]


As a bit of an analog to yesterday's post about the impact of a breach on stock price, recently breached companies tend to improve their performance against the market, which might indicate that the breach serves as a "wake-up call" for the company's leadership.  Going hand in hand with that thought, Health IT Security notes that recently breached hospitals tend to increase their advertising spend by 64% after a breach.  

Jeff [1:16 PM]

[ Wednesday, January 02, 2019 ]


It's not as big or as consistent as you might think, but it's not negligible either.  Paul Bischoff and Matthew Dolan have done some research and posted the results here.

Interestingly, companies that suffer breaches tend to be underperforming companies anyway.  However, their performance improves after the breach, at least compared to market averages.  The low point tends to be about 2 weeks post-breach, but for the following 6 months, the companies tend to outperform the market.

Maybe suffering a breach serves as a wake-up call?

It's a relatively small data set, and doesn't relate much to small and non-public businesses, but it's interesting to ponder.

Jeff [3:51 PM]


First, from Kirk Nahra.

Then, from Rebecca Herold.

And from HHS itself.

Jeff [12:56 PM]

[ Friday, December 21, 2018 ]


As Baylor Scott & White-Frisco (a joint venture between BSWH and USPI) is finding out, a credit card breach is also a HIPAA breach if it's connected to a HIPAA covered entity.  The incident is similar to one that happened at Banner Health in Arizona a few years ago (reported here and here): a credit card processor vendor suffered a breach, but it involved BSW-Frisco's patients' data. 

Hat tip: Taylor Weems, CIO at Midland Health.

Jeff [1:13 PM]

[ Thursday, December 13, 2018 ]


CMS has asked for public comment on how HIPAA should be changed.  Personally, I'm a "Chesterton's Fence" kinda guy, but I actually think it works pretty darned well as is.  But I'll be interested in seeing the public commentary.  

Jeff [3:55 PM]


When a hospital fails to cut off PHI access to a former employee, it can be a HIPAA violation.  In this case, a relatively inexpensive one (relative being the key word, it's still a lot of money). 

Jeff [3:40 PM]

[ Friday, December 07, 2018 ]


This continues to be the experience of many clients of mine, directly or indirectly in the healthcare field.   Of course, my advice from over 2 years ago is still applicable: patch, isolate, backup, and train (although today I think I'd change the batting order to backup, patch, train and isolate).

Jeff [12:43 PM]

[ Thursday, December 06, 2018 ]


This may or may not be a HIPAA breach, but NY's data breach notification law is likely implicated.  It's unclear whether the agency would be a HIPAA covered entity; it's described as a health provider, but if it doesn't conduct HIPAA-regulated transactions in electronic format, technically it might not be a HIPAA "covered entity." 

Jeff [10:44 AM]

[ Wednesday, December 05, 2018 ]


Here's a case similar to the Raleigh Orthopaedic case: Advanced Care Hospitalists hired a guy who they thought worked for Doctor's First Choice Billing to help them with their billing and coding.  Apparently, the guy was a fraud.  But that's not important: what's important is that ACH didn't get a BAA with First Choice, and PHI ended up exposed on the First Choice website.  ACH notified OCR that at least 400 and as many as 9000 patients potentially had their data exposed.

The breach notification led to an OCR investigation, which revealed a lack of BAA (and, in fact, a lack of a policy to get BAAs).  Upon further review, OCR also found out that ACH had never done a risk assessment either.

Net result: a $500,000 fine.  And a big black eye. 

If ACH had policies and procedures, a decent HIPAA compliance program, and had entered into a BAA with the guy in the first place, but still got snookered because the guy was a fake, they would've still had a reportable breach, but I'm pretty certain they'd be half a million bucks richer (not to mention what they probably spent on lawyers dealing with this, plus the PR hit).  

Jeff [12:59 PM]

[ Friday, November 30, 2018 ]


This is important: in my (personal, non-legal) opinion, it's a significant piece of news relative to one of the biggest issues affecting HIPAA covered entities.

The FBI has gotten specific about one of the current strains of ransomware that is plaguing the healthcare industry.  Of specific importance to note in the HIPAA arena is the fact that this variant apparently simply encrypts the data it finds, and does not extract, view, or send out the data.  That's very important to a ransomware victim, since despite what OCR's guidance has been to date, if there's no viewing or outside transmission of the data, there is not a "breach" as defined in the Breach Notification Rule (45 CFR 164, part D). 

To be a "breach," there must be acquisition, access, use, or disclosure.  In this type of ransomware, the bad actor inserts virus software onto the computer system of the victim, but the bad actor does not access the data.  Any access only happens within the victim's computer system, by the software that is now part of that computer system.  If the virus then sends out some of that data that includes PHI to a third party, THEN you'd have acquisition by the third party, access by the third party, and disclosure to the third party, all of which WOULD be a breach.  Likewise, if the virus opens up a door that allows outside third parties to enter the system, and third parties do enter the system, you'd have access and disclosure, which would likely lead to acquisition and use.  However, if the virus does not exfiltrate or allow outside access, then you do not have acquisition, access, use or disclosure.

This is an important distinction.

This is also not legal advice.

Jeff [12:20 PM]

[ Tuesday, November 27, 2018 ]


A patient had a complaint about Allergy Associates of Hartford (CT); he took his complaint to the local TV news station.  The reporter called the practice to ask for a response, and the doctor in question spoke with the reporter (despite the fact that his privacy officer told him to say "no comment" or not respond at all).  That conversation with the reporter disclosed patient PHI in a manner not permitted by HIPAA.  And now, OCR has fined the practice $125,000. 

It's not fair: the patient told the reporter all of his information already, it's in the public domain, he put it in the public record, he publicized it, he started it.  Yes, all that's true.

But it doesn't matter.  The covered entity has the obligation not to use or disclose PHI unless the use or disclosure is permitted by HIPAA.  The fact that the information is already public knowledge doesn't matter, even if the patient himself put it out there.

That doesn't mean the provider can't respond to the reporter at all.  At the least, the practice should let the reporter know that it can't respond with respect to any specific patient due to the prohibitions of HIPAA (and can't even acknowledge that the patient is a patient), unless the patient specifically authorizes the disclosure.  Additionally, the practice can give general information about the practice that doesn't disclose anything about any individual patient.  For example, if the patient falsely complains that it took 20 office visits in 2 months to fix the issue, the practice can state that it researched its records for the last 5 years and did not locate any patient with 20 visits scheduled in a 2-month period (since that doesn't provide any information on any particular patient, it's not PHI).  But you can't say "this patient didn't have 20 visits" because that is PHI.

The playing field is tilted against providers when it comes to patient complaints.  But don't make it worse by responding in a way that violates HIPAA.

UPDATES (other law firms picking up the thread):
Holland & Knight: Eddie Williams III
Drinker Biddle: Sumaya Noush

Jeff [12:46 PM]


Mercy Medical Center-North Iowa in Mason City has notified about 2000 patients of a potential data breach.  Looks like an employee behaving badly. . . . 

Jeff [11:16 AM]

[ Tuesday, November 20, 2018 ]


Ohio has decided to issue a standardized form to authorize the release of PHI.  The Texas AG did the same thing a few years ago (as a result of what was then called HB 300).  The Ohio regulation is specifically intended to comply both with HIPAA and with the more restrictive "Part 2" rules applicable to federally-supported substance abuse treatment facilities.  The form can be found here; hat tip to Dinsmore & Shohl for the article.

Jeff [9:08 AM]

[ Monday, November 19, 2018 ]


Which is worse, theft and improper disclosures of PHI, or hackers?  Most HIPAA data breaches are the result of either theft (often done by employees) or simple improper disclosures, such as sending data to the wrong location.  While we should all be vigilant against hackers, in terms of the number of breaches, hacks are far fewer.

However, on the other hand, when a hacker hits, he (or she) usually gets a lot more records than your average thief or other recipient of an improper disclosure.

So, quantity of breaches, or quantity of files? 

Jeff [3:57 PM]

[ Wednesday, November 14, 2018 ]


Jeff [3:32 PM]

[ Monday, October 22, 2018 ]


I'm not sure whether this is a HIPAA issue: is Healthcare.gov, the website that facilitates the federally-run state insurance exchanges, a covered entity or business associate?  It's not a plan or provider, and I don't think it's a clearinghouse because it's not involved in transmitting data in connection with transactions.  As far as I can tell, it assists the plans (which are CEs) that sell insurance on the exchanges, so in theory, if it creates, receives, maintains, or transmits PHI in connection with that service, it's a BA.  But does it enter into BAAs with those insurers, or is it somehow exempt because it's a governmental entity?  HIPAA doesn't include any sort of governmental exemption (Medicare and Medicaid are clearly CEs), but did the ACA or its implementing regulations include any exemption? 


Jeff [11:17 AM]

[ Monday, October 15, 2018 ]


It was the biggest HIPAA breach ever, one of the biggest of any sort of breach involving personally-identifiable information: hackers got access to the medical records of almost 80 million people.  While it's still unclear what damage was done, OCR has finally weighed in with how much it'll cost Aetna: $16 million.  That's almost 3 times the previous record of $5.5 million. 

Update: AP story is here.

Jeff [9:44 PM]

[ Sunday, October 14, 2018 ]


Latest development: Aetna pays the NJ Attorney General $365,000 as a fine for the data breach involving the use of window envelopes to send notices to beneficiaries receiving HIV medications.  As noted earlier, the window envelopes allowed the potential disclosure of PHI to unintended recipients.

Update: Aetna also has settled with the AGs of Connecticut, Washington State, and DC.

Jeff [5:06 PM]

[ Monday, October 01, 2018 ]


The SEC has announced an action against a broker-dealer for a data breach that exposed customer financial data.  Not a HIPAA breach, but it's similar in effect and enforcement activities.  The $1 million fine is considered "small."

Jeff [2:06 PM]

[ Monday, September 24, 2018 ]


Apparently, 2 employees of UMass Memorial Health Care improperly accessed PHI of patients, and UMass has been fined $230,000 by the Massachusetts Attorney General for violating HIPAA.  Not a whole lot more information there, but it's interesting for 2 points: it's the state AG enforcing the federal HIPAA statute (along with the state Consumer Protection Act and Data Security Law); and it's yet another example of "employees behaving badly" resulting in a big fine for a covered entity.

Jeff [2:12 PM]


I'm sure there are synergies here, but I have to agree with the regulators here.  It's not safe to run a microbrewery within the same space as a clinical lab.

Jeff [1:37 PM]

[ Friday, September 21, 2018 ]


Three facilities involved in the production of the "Boston Med" television show have settled with OCR for just under $1 million over charges that they improperly disclosed patient identity and health information in the course of producing and airing the show.  This is a similar situation to a NY hospital drama called NY Med, in which a patient's identity was accidentally disclosed.  The show blurred the man's face to de-identify him, but the nature of his injuries made his identity evident to his family, and when they saw the show, they sued ABC and the hospital, NY Presbyterian; NY Pres ended up paying a $2 million HIPAA fine to OCR.  On the other hand, Children's Medical Center in Dallas ran a summer-long television series filmed on location at the hospital, and did not violate HIPAA by doing so.  How?  Solid patient authorizations, including making sure nobody walked through the background in any of the filming sessions, and a healthy bit of HIPAA training for the film crew.  Of course, Children's had some pretty good counsel in setting that all up. . . .

Jeff [1:07 PM]

[ Thursday, August 16, 2018 ]


Great article by a great pediatrician.  Not exactly on topic, but important.

Jeff [2:17 PM]


Interesting question: did the Oklahoma Department of Veterans Affairs breach HIPAA when they allowed staffers to use their smartphones to access patient records during an internet outage?  Possibly, but I doubt it, and I could certainly argue that, while allowing that type of open access is often improper, in the right circumstance it would not only be proper, but would be the right thing to do.  The basis of HIPAA is the imposition of reasonable restrictions to protect privacy and security, while not interfering with the provision of care.  If HIPAA is harming patient care, you aren't doing it right.  Is there a better, more secure way of doing this?  If so, it should have been done.  But in an emergency, and when patient care demands it, privacy must give way.  

Jeff [12:04 PM]

[ Tuesday, August 14, 2018 ]


A transcription vendor for Orlando Orthopaedic Center left PHI exposed for two months after a software update -- perhaps an unsecured FTP server issue?  A secondary issue will be that it appears OOC failed to notify within the 60-day notice period.

Jeff [11:02 AM]

[ Thursday, August 02, 2018 ]


It's another phishing attack.  UnityPoint had an earlier one that only affected 15,000, whereas this one got to 1.4 million patients.  No medical records were accessed in the second breach, but social security numbers might've been exposed.

Jeff [10:02 AM]

[ Friday, July 27, 2018 ]


We're definitely seeing more of these types of cases.  I'm not sure what happened in the Kalina case (the indictment just says she disclosed the PHI with intent to cause "malicious harm," but doesn't say what the harm is).  Usually, if the number of affected individuals is large, it's for ID theft of some sort; if it's small, it's usually targeted snooping, such as an ex-lover or family member; if it's in between (like this case, a little over 100 files), it's either generalized snooping (bad but not necessarily malicious) or for barratry (ambulance chasing, more annoying -- and illegal or unethical for the lawyer -- than malicious).

Jeff [12:05 PM]


Ever move and not be able to find things?  It can be frustrating.  Looks like misplaced paper records for the County Health Department, but it also looks like this would be pretty close to "low probability of compromise," since (i) it's unlikely anyone would steal 49 boxes of paper records and (ii) given the regular record destruction procedure, the most likely explanation is that they were destroyed early. 

If it were me, before I reported this, I'd sure want to know a little more about just how likely that alternative explanation might be.  If the answer is "we can't prove it but there's just no other likely explanation," I might come to the conclusion that it's not a reportable breach; however, I'd probably report it to the individuals anyway and offer them ID theft protection, just to be on the safe side.  But that's just me.

Jeff [11:45 AM]


I got this from my AHLA daily headline email (would send you directly to Congressional Quarterly but I'm not a subscriber) (also, that's AHLA's typo, not mine; don't @ me):

Congressional Quarterly (7/26, McIntire, Subscription Publication) reports that on Thursday, HHS Secretary Alex Azar said his department intends “to begin rewriting federal health care privacy regulations in the coming months.” HHS will “release requests for comment on three laws, including the anti-kickback statute and Health Insurance Portability and Accountability Act, better known as HIPPA, in the ‘coming months,’ Azar said during a speech at the conservative Heritage Foundation.” He added, “Following those requests for information, we will be taking regulatory action to reform these rules.” Azar explained that “the laws are decades-old and revamping them will help in the health care sector’s ongoing transition from paying for volume to value.” HHS Deputy Secretary Eric Hargan will lead this effort.

Jeff [11:32 AM]

[ Thursday, July 26, 2018 ]


This article initially just caught me as strange news, someone complaining that "male enhancement" supplements contain actual erectile dysfunction drugs.  But the cherry on top is that the complaint is from an entity called "Outlaw Laboratory."  Who's the real outlaw now, huh?

Jeff [4:50 PM]

[ Thursday, July 19, 2018 ]


There's definitely an increase in criminal actions based on improper use and disclosure of PHI in violation of HIPAA, usually in identity theft cases.  Not all of these are specifically HIPAA cases, since the same actions are usually violations of several different data protection laws, most of which are easier to prosecute than HIPAA.

Jeff [1:03 PM]


There's an interesting article in USA Today on the seeming trend in doctors and hospitals suing individuals who post bad reviews on Yelp and other physician-rating sites, or on other social media.  If the review is factually false, threatening, or otherwise problematic, there may be grounds for a lawsuit by the medical provider.  However, even if the review is false, the medical provider still cannot disclose PHI in responding to the bad review, unless the patient consents.  Even though the patient may disclose the same information already, the provider's hands are tied by HIPAA: he/she cannot use or disclose PHI except for a permitted purpose, and responding to a complaint or even a defamatory statement is not a permitted purpose.

Jeff [12:16 PM]

[ Friday, July 13, 2018 ]


A couple of recent data breaches, from MedEvolve and Premier Immediate Medical Care (involving an unprotected FTP server), and from VCU and Arkansas Children's (involving employees behaving badly).

Jeff [1:11 PM]

[ Thursday, July 12, 2018 ]


Miss me?  Sorry, took some vacation time, then had to dig out at work before hitting the blog.

While I was away, I did get an interesting email question from a lawyer in the Kansas City area:

Mr. Drummond,

I advise a company that routinely enters into BAAs; in doing so my colleagues and I try to limit reporting requirements for security incidents that do not rise to the level of breaches of unprotected PHI, especially security incidents consisting merely of unsuccessful pings.

I just read your post at this link -- https://hipaablog.blogspot.com/search?q=ping  -- in which you indicated, “Since reporting pings is required, I now include it in my BAAs, but minimize the reporting to the barest minimum to still comply with the regulations: a minimal number of reports (no more often than quarterly), with minimal information…”

I had thought that security incidents had to be reported within 60 days of discovery [per § 164.410 (a) as referenced by § 164.314 (a)(2)(i)(C) ] or does the 60 days “as required by § 164.410” apply only to the last phrase -- “breaches of unsecured protected health information” – and not to the entire sentence – “Report to the covered entity any security incident of which it becomes aware, including breaches of unsecured protected health information as required by § 164.410“?

If security incidents are subject to the 60 day rule, wouldn’t quarterly reporting fall short for those security incidents that happened within the last quarter, but more than 60 days ago?  Or is my reading missing something?

Thank you for your thoughts on this.

Well, here are my thoughts:

There are 3 different concepts to keep in mind here, which occasionally overlap in fact and even more often overlap in casual consideration of things HIPAA.

First, you’ve got your generic “HIPAA breach.”  That’s basically any breach of the obligations or requirements of HIPAA.  Don’t have good policies and procedures?  If you’re a covered entity, that’s a HIPAA breach.  Fail to give a patient a NoPP?  HIPAA breach.  Sell your patient data to a marketing company without patient consent and appropriate disclosure?  HIPAA breach.  All of HIPAA, statutes and regs, could be the basis for a HIPAA breach.

Next, you’ve got a “breach of unsecured PHI.”  These are defined in and restricted to the provisions of Subpart D of Part 164 (i.e., 45 CFR 164.400 – 414, or “the 400 series”).  That would be an (i) improper (ii) acquisition, use, access or disclosure of (iii) unsecured PHI that (iv) compromises security or privacy.  Loss of an unencrypted laptop, misdirected emails, or a data-stealing hack would all be breaches of unsecured PHI (assuming that the PHI is, in fact, unsecured and the incident does compromise the security or privacy of the PHI, i.e., there’s more than a low probability of compromise).  Selling patient data to a marketing company is a breach of unsecured PHI (and also a HIPAA breach), but failure to have good policies and procedures or give patients NoPPs would not be a breach of unsecured PHI (although they would be HIPAA breaches).

Finally, you’ve got “security incidents.”  These are governed by Subpart C, or the 300 series (45 CFR 164.302 – 318), which only applies to electronic PHI.  This is the broadest definition, which is unfortunate: any attempted or successful unauthorized access, use, disclosure, modification or destruction of information or operation interfaces within an information system.  Since it includes “attempted,” any ping is a “security incident.”  The BAA provisions require the BAA to say that the BA will report ANY security incident.  So, a BA should be reporting every ping.  It seems that any breach of unsecured PHI, if it involved electronic PHI, would also be a security incident, since it would be an unauthorized access or disclosure; however, theoretically a breach of unsecured PHI involving paper records only would not be a security incident, since the information is not electronic or in an information system (and the Security Rule only applies to electronic PHI).

So, let’s talk about reporting requirements.  As noted, security incidents have reporting obligations within the context of the BAA: the BA must report them to the Covered Entity.  There is also a reporting obligation with respect to breaches of unsecured PHI, but it’s a different reporting obligation and serves a different purpose.  Security incident reports are in the context of the subservience of the BA to the CE; breach of unsecured PHI reporting was designed to track the “data breach reporting” obligations first instituted by California state law on all data processors and possessors.  That data breach reporting obligation is intended to put the general public on “fair notice” if a business suffers a data breach that actually could be more damaging to the customer (whose data is exposed) than the business that lost it.  A company suffering a data breach could be totally blameless: it may have used the best available security, but some bad actor committed criminal acts and got the data.  But it is still obligated to report.  Thus, data breach reporting, like security incident reporting, does not necessarily indicate that the reporting entity did anything wrong.  HIPAA breaches don’t have any specific reporting requirements (unless they are also a security incident or a breach of unsecured PHI), but if there’s a HIPAA breach, there is almost certainly blame.

All Subpart D references are solely to breaches of unsecured PHI.  Take a look at 164.410: upon discovering a breach of unsecured PHI, the BA must report it to the CE (not to the affected individual, not to OCR) within 60 days; the CE then carries on the obligation to report to affected individuals.  Also, note that it doesn’t matter if the breach had anything to do with the BA.  If the BA finds the CE’s unsecured PHI being offered on the Dark Web, even though the BA had nothing to do with it, the BA still has to report it.

That tracks, because reporting breaches of unsecured PHI is about passing along information (ultimately to the affected individual, since that’s the next obligation once the BA reports to the CE), not about laying blame (at least not necessarily).  Finally, note that this is only relating to breaches of unsecured PHI, not HIPAA breaches or security incidents.  Section 164.314, on the other hand, relates to security incidents.  This also requires the BAA to include an obligation on the BA to report ANY security incident, including a breach of unsecured PHI (presumably this only refers to breaches of unsecured PHI that are also security incidents; however, since 410 already requires reporting of all breaches of unsecured PHI, whether they are or aren’t security incidents, there’s really no need for the regs to reiterate that here).  Note that the 314 reporting obligation (security incidents) does not contain a timing requirement, whereas the 410 reporting obligation (breach of unsecured PHI) does.

Thus, if it’s a security incident, it must be reported by the BA to the CE, but there’s no timing obligation; if it’s a breach of unsecured PHI, then it must be reported by the BA to the CE within 60 days.  If it’s both, then presumably both reporting requirements apply, and thus the 60-day notice requirement governs.  I don’t see how an unsuccessful security incident could be a breach of unsecured PHI (if it’s the latter, it must’ve been successful).  Thus, requiring reporting of unsuccessful security incidents without a timeline would be OK, because it would meet the obligations under 314 while not being subject to the obligations of 410.

Let me know if you disagree.

Jeff [10:55 AM]

[ Monday, May 28, 2018 ]


Due to the Friday commencement of the new GDPR rules, this website has adopted a new privacy policy:

Jeff [1:56 PM]

[ Friday, May 25, 2018 ]


Aetna HIV Mailing Case Update: I reported on this case back in March, but it keeps getting more and more interesting.  At least the blame game does.

To recap, Aetna sent out mailings to beneficiaries with HIV, and the mailing came in window envelopes that allowed the HIV diagnosis to be viewed without opening the envelope.  The mailing was actually part of a legal settlement.  Having already sued its own mailing company (which responded by blaming Aetna's law firm), Aetna has now decided to sue the plaintiffs' firm that brought the cases that resulted in the settlement.  For good measure, they've also sued the nonprofit entity that helped the plaintiffs put the lawsuit together in the first place.

Sweetest part: the underlying settlement was over an Aetna policy that required HIV patients to use mail-order pharmacies.  The plaintiffs objected because, due to the specific nature of the drugs, the mail delivery could expose that the plaintiffs were HIV patients.  So the underlying case was over an objection about improper disclosure of PHI.

Crazy, man.

Jeff [11:51 AM]

[ Wednesday, May 23, 2018 ]


Obviously, this blog focuses on HIPAA breaches, which can cause big fines but rarely result in the payment of any actual damages by the parties who suffer the breach.  That's because the patients rarely suffer financial loss.

When there's a breach involving theft of credit card data (like Target or Home Depot), most individuals whose card data is stolen don't suffer damages, because they can simply dispute the fraudulent credit card charges.  It's either the vendor or the credit card company who gets stuck with the loss.

However, the credit card companies push potential responsibility for those liabilities back onto the vendors, in the form of the PCI DSS: that's the Payment Card Industry Data Security Standard.  Every vendor who takes credit cards signs an agreement (typically with its acquiring bank or payment processor, which in turn is bound by the card brands' rules) to meet these standards; if they don't, and there's a breach due to the vendor's failure, the credit card company can then recover its losses (fraudulent charges as well as costs of replacing cards) from the faulty vendor.

That's what is happening here.  Or at least that's what Chase and Paymentech are trying to do.  Apparently Landry's is contesting either its own wrongdoing in the hack, or Chase and Paymentech's willingness to let the credit card companies themselves push the losses onto them.  Will be interesting to see how this one plays out.  And a good lesson for healthcare providers (and anyone else) who take credit cards -- be careful out there, and make sure you meet PCI DSS.

Jeff [12:58 PM]


LifeBridge Health (Maryland): Not a whole lot of information here, but apparently hackers got into the patient registration and billing system, and went undetected for about 6 months.  Likely identity theft and potentially medical identity theft too.  If you're one of the victims, take them up on the credit monitoring.  And if you're not, check your own credit anyway.  Always good advice.

Jeff [12:41 PM]

[ Sunday, May 20, 2018 ]


Off Topic: This is too bad.  While it bodes ill for "the academy" generally, this is just the type of thing I ask my students to consider: the other side of policy issues.  No sane person has a strongly held belief that they also know is wrong.  If someone has a strongly held belief that is different from yours, you should at least try to understand why they have that belief.  Unless you do so, you'll never be able to have a fruitful discussion with them.  And you'll never convince someone they are wrong unless you understand why they think what they think. 

This is exactly the way I try to teach my policy students, because if you want to understand public policy, much less try to impact or enact it, you need to understand all sides of the issue. 

The Trump election gave me the opportunity to have my first class look at why the country is so divided; I think it was good for them, because I think many simply never tried to look at why the other side might feel differently than they do.   And the feedback I got from them seemed to indicate that it worked.  

Jeff [10:42 AM]

[ Thursday, May 17, 2018 ]


Victims Sharing HIPAA Fines: At long last, it looks like HHS is finally getting around to drafting the regulations for victims of HIPAA violations to get a share of the fines levied against the violators.  This concept was first floated in the HITECH Act in 2009, as one of several changes intended to spur enforcement by giving affected breach victims more incentive to pursue covered entities that violated HIPAA: it's sort of like a whistleblower or Qui Tam statute for HIPAA.  However, given that OCR has gotten to keep all the fines so far, it's understandable that they wouldn't rush to start handing out that money to affected individuals.

I'll let you know when they actually write something; for right now, they're looking for comments.  If you think you know how OCR should share their fines, feel free to provide a comment.

Jeff [12:36 PM]

[ Thursday, May 03, 2018 ]


More Bornstein: OK, let's not get out over our skis, particularly if we are medical ethicists!  Forbes quotes "Dr. Arthur Caplan, the founding director of the Division of Medical Ethics at the NYU Langone Medical Center in New York and one of the nation’s most prominent bioethicists." as saying Bornstein "absolutely should lose his license" for saying he's written a letter that he now says Trump dictated.

First of all, letting someone else do the initial draft is not unethical.  If the party requesting the letter wants it to say something specific, there's no harm (ethical, legal, or otherwise) letting them make those suggestions, even if it's providing the actual words.  Now, the doctor is morally, legally and ethically obligated at that point to closely review the wording and change anything that is not 100% in alignment with the doctor's own opinions.  He can't sign it sight unseen, he can't skim and sign, and he can't let anyone sign under his name (or stamp his signature for him); that would be at least unethical if not outright illegal.  But simply letting someone else draft the wording that you agree with 100% before you sign is just not problematic.

The doctor disclosing Trump's medical information is problematic: whether it's the Propecia leak, or the letter itself, it needs to have Trump's authorization (or be directed by Trump) before it can be released.  I would assume the letter was authorized or directed by Trump, but not the Propecia.  However, I can't make that determination without more facts, which I don't have.  Likewise, Dr. Caplan shouldn't be making such "absolute" judgments without all the facts.  In hindsight, I suspect he'd agree that he overstated the case, at least based on the facts he had in hand at the time.

Ultimately the problem is that where Trump is concerned, the press, the pundits, and the chattering classes, as well as many institutional leaders (such as prominent bioethicists), seem to have no problem abandoning all pretense of objectivity or sobriety.  Look, I get it that you think Trump is a clown and a buffoon (frankly, I couldn't agree more, and often speak -- and have spoken -- much more harshly of the man); personally, I don't like the man.  But I try not to let my personal feelings direct my professional interpretations, and the press (and Dr. Caplan) should try to do the same.

OK, I'm going off topic (if you're looking for HIPAA stuff, you can stop here):


Trump is President.  Get over it.  Governing-wise, he's going to do some things that are good and some things that are bad (IMHO, tax cuts and Gorsuch fall into the former category, tariffs in the latter).  He's also going to say outrageous things just to get folks agitated and distracted -- it gins up his supporters as much as it infuriates his opponents.  Much of this will be outright lies, almost always about stupid and inconsequential things (such as how many people were at his inauguration, or whether he's the healthiest man ever to be President).  This is intentional.  Why?

Trump is President.  Think about it.  How did that happen?  How did he get that much support?  I would posit that a large portion of that support is not support of Trump, but an active and energized low-to-middle class cohort substantially energized by furious opposition to what they view as an arrogant ruling class of elites.  They believe that the elites hate them.  Why do they feel that way?  Largely by the unhinged reaction of this elite class to everything and anything Trump says or does, no matter how trivial.  Particularly when compared to the actions of others similarly situated (this entire Bornstein incident stems from the press' overreaction to Trump's braggadocio about his health, while Hillary's health issues were not only not reported, but actively covered up by the mainstream press).  And even more particularly when the ultimate results end up substantially different from what was predicted ("thousands" didn't "die" from the tax cuts, in fact, people got more money and the economy improved; Trump's juvenile rhetoric didn't get us into a nuclear war with North Korea, in fact, the opposite has occurred).

Trump's antics, particularly his Twitter account, are distractions, and when Trump's opponents jump on them, it only helps Trump.  Trump's Twitter is a laser pointer, and the press and pundits are a bunch of cats chasing around a red dot on the floor.

More importantly, the elites and the press have spent all the powder they should've been saving.  They've cried "wolf" (or perhaps "Michael Wolff") so many times, if and when Trump does something really outrageous, their reaction won't have any effect on the public who just might have otherwise turned against Trump. 

Now, personally, I greatly enjoy watching the press and the elites beclown themselves, so this entire post is an "argument against interest."  Jon Stewart, whoever replaced him, John Oliver, Seth Meyers, Stephen Colbert, that Carrot-Top lookalike chick at the WHCD, all those people who "DESTROYED" Trump or Sarah Huckabee Sanders or whomever for stupid and trivial matters like how they look, all toil in totally un-self-aware service of the Trump 2020 campaign. 

Look, I thought the "my nuclear button is bigger" Tweetstorm was a stupid provocation of a reckless lunatic.  But I also recognize that it may well have worked.  Then again, I thought Reaganomics was "voodoo economics" and the Laffer curve was a joke.  I'm not always right, but I do try to learn from my mistakes and not double down on them. 

And look, I wish it weren't Trump.  I wish there were someone classy and erudite who was nominating Gorsuch and passing tax cuts.  I wish we didn't live in such boorish and stupid times.  But we do.  And unless a lot of other folks start figuring out WHY things are this way, we're just going to keep getting more of things this way.  

Jeff [11:22 AM]

[ Wednesday, May 02, 2018 ]


Trump's Medical Records: If you follow me on Twitter (and you should; I'm easy to find @JeffDrummond), you've seen a couple of jabs at the whole matter involving Trump's crazy doctor's latest public proclamations.  Harold Bornstein, who was Donald Trump's doctor for many years, recently told NBC News that in February 2017 Trump's bodyguard, lawyer, and a third man conducted a "raid" on his office, without notice, and took all of Trump's medical records.  Bornstein also indicated that he felt "raped, frightened, and sad" when the Trump aides came for his records.  Apparently, Bornstein had told the press a few days earlier that he had prescribed a drug to Trump to treat hair loss, and because of that, he was dumped from the Trump Train.

NBC News reports, "Bornstein said he was not given a form authorizing the release of the records and signed by the president known as a HIPAA release — which is a violation of patient privacy law."  As with virtually everything else about that story, that's not actually correct.

So, what's legally required for an associate/friend to retrieve a patient's medical records?  Well, let's start here: HIPAA requires "covered entities" to limit uses and disclosure of "protected health information" (or "PHI") to certain permitted uses/disclosures (the "HIPAA Rules"), and grants patients certain enumerated rights to their PHI (the "HIPAA Rights").  Most healthcare providers are covered entities, unless they never ever conduct electronic transactions.  Most billing is done electronically, so only those providers who operate in a paper-only environment are not covered by HIPAA.  It's rare, especially for a physician (psychologists and counselors, and others who operate on a cash only or non-insurance basis, are more easily excluded), but possible.

It's possible Bornstein isn't a "covered entity" and HIPAA doesn't even apply to him.  If that's the case, there are still state law requirements, which generally require a provider to meet community standards and ethical obligations regarding patient privacy.  Given the broad reach and scope of HIPAA, it's usually hard to argue that, even if you aren't a covered entity, you aren't ethically required to follow HIPAA (or something pretty close to it) anyway.  So let's assume HIPAA applies.

Now, can Bornstein give the PHI to Trump's agents?  Must he?  Is he prohibited from giving the PHI up if the agents don't have a signed "HIPAA release"?  (OK, let's nip this one in the bud -- it's not a "HIPAA release," it's a patient "authorization" that is HIPAA compliant.)

The HIPAA Rules allow disclosures to the patient.  They also allow disclosures to two types of persons connected to the patient: the patient's "personal representative" and persons who are "involved in the care" of the patient.  The "personal representative" is someone with the power to make healthcare decisions on behalf of the patient; basically, to be a personal representative, you need to have the authority to agree to surgery for the patient.  Thus, the prototypical "personal representative" is a parent of a minor child, or a court-appointed guardian for someone who is not competent to make decisions on their own behalf.  Clearly, Trump's bodyguard, lawyer, and whoever that third guy was [Ted Cruz's father?] were not personal representatives, but might be considered to be "involved in the care" of Trump.  Someone "involved in the care" is usually a friend or family member who helps the patient out in some way, but really could be anyone; it's up to the patient.  This issue came up prior to the court cases requiring states to recognize gay marriage: there were reported cases where a patient wanted his/her gay lover to be involved in the decision-making process, but the hospital was requiring that only family members could be so involved.

The HIPAA Rights require the covered entity to grant the patient access to his/her PHI.  In other words, if you ask your doctor for a copy of your records, he must give them to you (with very few exceptions, none of which are conceivably applicable here).  HIPAA does not require the provider to give up all copies of the information, and usually the provider merely gives over copies and keeps the originals.  And if the patient has the right to receive the PHI, the patient also has the right to make the provider give it not only to the patient, but to whomever the patient asks the provider to give it.

Thus, if the patient asks for his PHI, the provider may give it to him (under the HIPAA Rules) and must give it to him under the HIPAA Rights.  But what if it's not the patient asking, but someone else?  If that someone else is a "personal representative," it's as if the patient himself asked, and the provider must give up the PHI.  If it's someone "involved in the care," the provider may give up the PHI, as long as the disclosure is limited to the involvement of the third party in the patient's care.  Generally speaking, if the patient asks the provider to give the PHI to the third party, that's pretty clear evidence that the third party is "involved in the care" at least to the extent of being the recipient of the PHI.

Now, since in this case it's a "may" disclose situation, not a "must" disclose situation (i.e., it's a person "involved in the care," not a "personal representative"), the provider might want to obtain some protection against the patient later saying, "no, I didn't want you to give that PHI to my lawyer."  In that case, and certainly whenever there's any doubt about whether the patient approves, it's generally good advice to the provider to refuse to give up the PHI unless there is a HIPAA-compliant authorization (which must be signed by the patient).  However, that's not a requirement.

So, what about this situation?  If Bornstein had good reason to believe that these were Trump's attorney and bodyguard, and that Trump wanted the records delivered to them, Bornstein would be permitted to disclose the PHI to them under HIPAA.  But he could refuse, and demand a HIPAA-compliant authorization.  He also could have contacted Trump by phone for additional confirmation.  Could Trump report Bornstein for disclosing PHI to the bodyguard and attorney?  Possibly, but it would only be a violation if Bornstein knew or should have known that those three weren't "involved in the care" to a sufficient level to be able to get copies of the records in that situation; I can't see any reviewer of the facts finding that to be the case.

Was Bornstein required to give up the originals?  No, and probably shouldn't have.  But he could have been ordered to do so, particularly given these circumstances, where the patient had another treating physician and was apparently seeking to sever ties with his former physician.  A physician does not automatically have a right to retain a patient's personal information; if a patient accused a physician of raping her and demanded the physician turn over all records, a court would likely require the physician to turn over the records (although might require they be turned over to a third party so they would be available in case the physician needed them to defend himself).

In this case, it appears that Bornstein violated Trump's medical privacy rights, and almost certainly violated HIPAA (OK, maybe Trump signed a HIPAA-compliant authorization, but I sincerely doubt it), by reporting on his Propecia prescription, as well as other disclosures that were not specifically approved by Trump.  Even though he "can't believe anybody was making a big deal out of a drug to grow his hair that seemed to be so important," it's not Bornstein's decision to make, and there's really no "no harm, no foul" rule when it comes to whether a disclosure is permitted or not (determining if it's a breach, that's another story).  With that background, I think it would be fairly easy for Trump to sue Bornstein to give up all copies of his records.  Additionally, I think the Secret Service could also come in and take them; there's a whole category of "permitted" uses and disclosures related to the military, prisons, and the Secret Service that come into play here.  Of course, it doesn't look like the Secret Service was involved, but if they were, there would be even more avenues to explore.

Should Bornstein have allowed Trump's aides unfettered access to his office?  Certainly not.  The best policy would have been to have office personnel determine the appropriate files, make copies, and give them to Trump's representatives.  To the extent the trio of Trumpsters improperly accessed or saw any other patient's data, that's Bornstein's fault, not the Trump crew.

So, is Trump or his crew in trouble here?  I can't see how.  Is Bornstein in trouble?  Not for delivering Trump's records to Trump's crew.  He could be (and really should be) in trouble for disclosing the Propecia information, and anything else he discussed without the President's permission.

Jeff [3:57 PM]

[ Monday, April 30, 2018 ]


About Virtua: As you may know (I posted on it at the beginning of the month), a large NJ physician practice paid a $400,000 fine as a result of a transcription company's use of an unsecured FTP server (NOT discovered by Justin Shafer, though).  Edward McKinney, CISO of Floyd Medical Center in Rome, Georgia alerted me about Virtua, and wondered: is this the beginning of Covered Entities being held liable for the sins of their Business Associates?

Maybe.  First, keep in mind this is a state AG action, not an OCR action, so the effect on HIPAA enforcement is a little more tenuous.  But also, it's pretty easy to read the AG's statements as directly damning Virtua for not minding its own privacy and security matters (insufficient risk analysis, insufficient security training), not for its inability to sniff out the vendor's shortcomings. 

We could be entering an era where the sins of the vendors are visited upon the covered entities, especially if the covered entity failed to properly vet the vendor (like a negligent credentialing claim).  But I'm not ready to make that leap -- I think there's sufficient direct blame here that you don't need to pin it on indirect blame.  A covered entity with great risk analysis and training might still be guilty of hiring a bad vendor due to the fact that it didn't kick the tires hard enough, and there's a conceptual HIPAA violation in that scenario.  But I really think, unless the vetting was unconscionably bad, you'll not see that as a violation.  Rather, you're still much more likely to see a failure to do sufficient first-party risk analysis (as well as missing policies and procedures).

Jeff [3:11 PM]

[ Friday, April 27, 2018 ]


A handful of new breaches: including the Metroplex's own Texas Health Physician Group, which apparently suffered an email system intrusion of some sort.  

Jeff [2:01 PM]

[ Wednesday, April 25, 2018 ]



Jeff [7:45 PM]
