HIPAA Blog

[ Wednesday, December 30, 2015 ]

 

Off topic: Question: What's the nutritional content of craft beer?  This is why people hate the government.  This is a perfect example of over-regulation.

Answer: Who cares?

Jeff [1:25 PM]

 

I found this in my "drafts" in blogger, and should've posted this way back in May 2014 (note how this risk analysis thing just keeps coming up):

BIG HIPAA fine: NY Presbyterian Hospital and Columbia University are paying OCR $4.8 million ($3.3M from NY Pres, $1.5M from Columbia) to settle potential HIPAA violations.  Columbia Medical School physicians serve as the medical staff of NY Pres, and the two entities share a computer network and hospital information system.  A Columbia physician attempted to deactivate a personally-owned server that sat on that shared network and held NY Pres patient ePHI; because the network lacked technical safeguards, the deactivation left the data accessible to internet search engines.  Neither entity had done a risk analysis to identify all systems containing ePHI, so neither had sufficient risk management processes.  Add to that a failure to manage access authorizations and a failure to comply with their own policies, and you get a big, big fine.

The lynchpin here is the failure to do a good risk analysis.  That's where it all starts.

Jeff [1:04 PM]

 

HIPAA's Repeat Offenders Often Avoid Punitive Action, say ProPublica and NPR (in a co-produced article).  The article admits that the repeat violators (CVS and the VA get some heavy discussion, although the article notes but then ignores the fact that CVS did pay one huge penalty) tend to be large organizations with widespread operations.  That's true, but what's also true is that their workforces tend to be either low-pay/high-turnover or hard to fire, and a lot of the problems they suffer are not from intentional data thievery or "being evil" but from employees acting out of stupidity, curiosity, or greed (all of which actions are likely in direct violation of well-publicized policies of the employers).

Still, more work needs to be done.  And as has been evident over the last few months with so many big HIPAA settlements being announced, big fines and public announcements do have a ripple effect in the industry and have a tendency to "focus the attention" on fixing issues before they cause damage.

And hidden in the middle of the article is a nice little database tool from ProPublica: HIPAA Helper, which helps you figure out who the repeat offenders are.  You can search the HIPAA "wall of shame" (go to "advanced options") by name of entity, but sometimes the common name of the entity isn't its official name, and either of the two could be the one attached to the "big breach" filing.

Two points about CVS: I've actually had issues getting CVS to appropriately deal with the consequences of what they acknowledged was a serious breach of my client's PHI, although I'd say the problem was more with their counsel trying to act tough.  I do know that CVS got tagged for $2.25 million for the Indianapolis drug store dumpster-diving case that also netted Walgreens and Rite Aid $1 million fines each.  I've never been able to figure out why CVS had to pay more than twice as much as the other two drug stores, but my suspicion is that "strategic legal decision-making" might explain part of it (IYKWIMAITYD).

Second, I also know that, in connection with the $2.25 million HIPAA fine, CVS also reached a settlement agreement with the FTC over its lax security of personal information.  In connection with the HIPAA settlement, CVS had to bring in an outside agency to review their privacy and security procedures for 3 years; in connection with the FTC settlement, CVS has to report to the FTC every 2 years, for 20 years, on its privacy and security activities. 20 years is a long time. . . .

Jeff [11:53 AM]

[ Tuesday, December 29, 2015 ]

 

Recent Breaches Highlight Risk of Failing to Conduct Risk Analysis: The American Health Lawyers Association email alert today discusses three recent HIPAA enforcement actions (all of which I've briefly blogged about, below): Lahey Hospital and Medical Center (the hospital affiliated with Tufts Medical School), Triple S Management (a Puerto Rico insurance provider), and University of Washington Medicine.  Fines for all 3 totaled $5.1 million.

Lahey involved a stolen laptop; in a twist, it was not stolen from an employee's car, but was actually connected to a piece of medical equipment in the hospital.  Lahey didn't do enough to secure the hardware, partly because it didn't do a good job of tracking the hardware it had.  Triple S had some problems with too much PHI being sent out in mailings, but the real trouble came to light in the subsequent investigation, when OCR discovered a failure to conduct a risk analysis and institute appropriate safeguards.  UW suffered a breach when an employee of a care division downloaded a computer virus; UW had conducted risk analyses (at least in connection with its "meaningful use" attestation), but didn't make sure all operations were covered and apparently didn't make sure all appropriate divisions and operating units were instituting appropriate safeguards.

As the AHLA email alert correctly notes, the unifying factor in these cases is a failure to conduct and/or implement a good risk assessment.  Triple S did no risk assessment; Lahey's didn't pick up all of its hardware and ePHI uses; and UW did not ensure that its risk assessment and safeguards reached all of its operating units.  So:

  1. Do a solid risk assessment;
  2. Make sure you cover all of the places you use and transmit PHI; and
  3. Make sure you cover all of your business units, facilities, and operating divisions.

This should not be news to you.

Jeff [3:16 PM]

[ Monday, December 28, 2015 ]

 

To Tweet, or not to Tweet: or blog, or Facebook, or Instagram, etc.  Social media can be great; keep individually-identifiable information out of it (and remember, if someone knows enough data points - who the speaker is, where they work, dates or time frames - seemingly de-identified data is actually identifiable).  General information is OK, but specific patient communication can easily fall on the wrong side of the line.  Even emailing or texting patients is problematic, unless you're using some encrypted format, and even then you have the "authentication" issue of someone picking up someone else's phone.

Jeff [12:56 PM]
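The re-identification point above (a post that names no patient can still single one out once a reader knows who posted, where they work, and when) is easy to demonstrate with a linkage check. The following is an added example, not code from this blog: the visit log, clinic names, provider names and diagnosis codes are all constructed, and `candidates` stands in for what a reader with access to a schedule (or a waiting room) could do with a "de-identified" post.

```python
"""Linking a "de-identified" post back to a patient via quasi-identifiers.

Added example with a constructed visit log (hypothetical clinic, fictional
patients); not data or code from the blog post. The attributes a reader
could infer from a post (provider, clinic, date, a diagnosis mentioned in
passing) are matched against the log, and k_anonymity() reports how small
the smallest matching group gets for a given attribute combination.
"""
from collections import Counter

# Constructed visit log: one row per patient visit (one visit per patient here).
VISITS = [
    {"patient": "P001", "provider": "Dr. Ortiz", "clinic": "Main St", "date": "2015-12-02", "dx": "F41.1"},
    {"patient": "P002", "provider": "Dr. Ortiz", "clinic": "Main St", "date": "2015-12-02", "dx": "F32.0"},
    {"patient": "P003", "provider": "Dr. Ortiz", "clinic": "Main St", "date": "2015-12-09", "dx": "F41.1"},
    {"patient": "P004", "provider": "Dr. Ortiz", "clinic": "Oak Ave", "date": "2015-12-02", "dx": "F43.10"},
    {"patient": "P005", "provider": "Dr. Chen",  "clinic": "Main St", "date": "2015-12-02", "dx": "F41.1"},
    {"patient": "P006", "provider": "Dr. Chen",  "clinic": "Main St", "date": "2015-12-09", "dx": "F90.0"},
]


def candidates(visits, **known):
    """Patients consistent with everything the reader already knows.

    `known` holds attribute=value pairs inferred from the post, e.g.
    provider="Dr. Ortiz", date="2015-12-02". Each extra attribute can only
    shrink the candidate set; when it reaches one patient, the post was
    never de-identified in any meaningful sense.
    """
    return sorted({v["patient"] for v in visits
                   if all(v.get(k) == val for k, val in known.items())})


def k_anonymity(visits, attrs):
    """Size of the smallest group sharing the same values of `attrs`.

    k == 1 means at least one patient is uniquely identifiable from those
    attributes alone; a dataset is only k-anonymous for attributes that
    cannot be combined to isolate anyone.
    """
    groups = Counter(tuple(v[a] for a in attrs) for v in visits)
    return min(groups.values())


if __name__ == "__main__":
    # "Saw a patient this morning at Main St" narrows Dr. Ortiz's list...
    print(candidates(VISITS, provider="Dr. Ortiz", clinic="Main St", date="2015-12-02"))
    # ...and mentioning the diagnosis ("struggling with depression") picks one.
    print(candidates(VISITS, provider="Dr. Ortiz", clinic="Main St", date="2015-12-02", dx="F32.0"))
    print(k_anonymity(VISITS, ("provider",)), k_anonymity(VISITS, ("provider", "clinic", "date")))
```

The same `k_anonymity` check is the one to run before releasing any "de-identified" extract: if provider plus clinic plus date already yields groups of size one, the extract identifies people regardless of whether names were stripped.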

 

100 Million Health Records Hacked.  While the greatest number of breach incidents are still carelessness and stupidity (lost or stolen laptops, phones, flash drives, etc., and employee greed or curiosity), the rise of the medical data hack is what's pushed the number of affected individuals so high.

Hackers gonna hack, and you don't need to be a particularly big player to become a target, so you better have (i) protections in place to keep hackers out in the first place (perimeter security) and (ii) a means to determine if they are in already (usage and activity monitoring).  Nobody expects you to be perfect, and if you can prove that you took reasonable precautions (and are definitely able to "show your work"), you're much more likely to avoid a fine.  

Jeff [12:43 PM]

[ Wednesday, December 23, 2015 ]

 

Can a Business Associate be Liable for a HIPAA Breach When Its Client Isn't a Covered Entity?

That may be the hidden question in an otherwise unsatisfying medical record breach problem, one that appears immune from official action by OCR because the medical provider who originally generated the PHI is not an actual HIPAA covered entity.

Here's the case.  Basically, a New Jersey psychology office has filed a lot of collection actions against patients for past-due bills.  The legal filings, which are public records and can be obtained by anyone who asks the court and pays copying costs, include patient bills and other documentation.  The bills include the patient name (of course, which presumably is in the style of the case as well), but also include CPT codes (which define the type of services provided) and diagnosis codes.  These codes are just numbers, but it's easy to look them up on the internet and see what they stand for.  In other words, when the practice sued the patients, it filed with the court, in public records, the psychological evaluation of the patient.  Frightening, no?

The psychology practice needs to file documentation to prove the debt, so the bills generally are appropriate filings.  But the diagnosis information is not needed to prove the debt; therefore, including it is probably beyond the "minimum necessary" restriction of HIPAA's Privacy Rule, which says that even though a use or disclosure is allowed, it must be limited to the minimum necessary (unless it's a use or disclosure for treatment, in which case there's no minimum necessary restriction; disclosures to the patient and disclosures required by law are also exempt).

Sounds like a HIPAA violation, right?  Not so fast.

HIPAA only applies to "covered entities" (the whole enchilada) and "business associates" (most all of the Security Rule and the parts of the Privacy Rule that derive from the HITECH Act).  "Covered entities" include healthcare clearinghouses, health plans, and healthcare providers who conduct electronic transactions for which HIPAA establishes standards.  Almost every healthcare provider in the country is a HIPAA covered entity, but not all -- if a healthcare provider never conducts an electronic transaction, or only conducts electronic transactions that are not HIPAA standard transactions (think of a cash-only practice that takes patient credit cards but never files an electronic claim or eligibility inquiry with a health plan), it isn't covered by HIPAA, so it can't breach HIPAA.

Most HIPAA experts believe that if an entity conducts a single HIPAA transaction electronically, it's a covered entity and subject to HIPAA, not only with regard to the patient for which it did the one electronic transaction, but for all patients.  In other words, once a CE, always a CE.  And if you are a covered entity, HIPAA says you shall not use or disclose PHI unless it is an allowed use or disclosure; any PHI, not just the PHI of your patients.  If you are a doctor and hear about a celebrity's health problem, and you then discuss the celebrity's health issue with your friends, you are technically violating HIPAA.  The celebrity isn't your patient?  The health data is public knowledge?  That doesn't matter.  HIPAA says thou shalt not.

Apparently, the Short Hills psychology practice is not a HIPAA covered entity, as determined by OCR when a patient complained about the legal filings.  End of story, right?

Not necessarily.  First, the practice may have other privacy obligations, under state law or other regulations like Gramm-Leach-Bliley.  And even though the psychology practice isn't a covered entity, there may be other parties involved in the litigation on the practice's side that could be covered by HIPAA, not as covered entities but as business associates.  I'm thinking specifically of the collection agency and the law firm, but there could be others.

A vendor that provides a service for a covered entity that involves the creation, receipt, maintenance or transmission of PHI is by definition a "business associate."  HITECH made most of the HIPAA Security Rule directly applicable to business associates, and parts of the Privacy Rule as well.  Just providing a service involving PHI to a healthcare provider usually makes you a business associate, but not always: if the provider is one of those rare providers that isn't a HIPAA covered entity, then the vendor providing services to the provider isn't a business associate.

At least with respect to that particular provider.  The vendor could provide services to another provider that IS a covered entity, in which case the vendor is a business associate, and must comply with the Security Rule and parts of the Privacy Rule.  Must a business associate comply with the Security Rule and applicable parts of the Privacy Rule with respect to the non-covered entity client's PHI as well as the covered entity clients?  I can't say absolutely, but I don't see how you can avoid it.

If I, as a lawyer, provide services to a covered entity involving PHI, I'm obligated under HIPAA as a business associate.  At that point I need policies and procedures, and all the safeguards required by the Security Rule.  Those safeguards address how I must protect PHI; the Rule doesn't by definition limit that to PHI I receive from a covered entity, but seems to apply to all PHI.  Might some health data be PHI and other data not?  I don't think so.  That doesn't mean all health data must be equally protected, and perhaps similar data from different clients can be treated differently, but the policies and procedures (including any differences) must be rational and reasonable.

So, the question now is this: is there a collection agency involved here?  Does the collection agency also serve covered entities?  If so, the collection agency is a business associate, and therefore subject to parts of HIPAA: most of the Security Rule, some of the Privacy Rule.  I don't think a business associate is subject to the minimum necessary rule per se (that's in the Privacy Rule, and predates HITECH), but should it be addressed in the business associate's policies and procedures (that are required by the Security Rule)?  If it is addressed there, did the business associate collection agency violate its HIPAA policies?

Same with the law firm.  I suspect the law firm and the collection agency both have some clients who are HIPAA covered entities, thus making each of them a business associate.  Which could be problematic.

As I noted on Twitter earlier today, this is a bit of a gray area, and you'd really have to tease out the facts and run these theories to their logical conclusions.  And, as always, #TINLA ("this is not legal advice").  But, it does raise some interesting angles:

  1. If you can't un-become a covered entity, you probably can't un-become a business associate either (in other words, you only get to lose your HIPAA virginity once).
  2. If you're covered for this but not for that, you may actually be covered for that too.
  3. The fact that you might be able to treat PHI you got from one source differently than PHI you got from another source doesn't mean you should (especially since it's probably not true anyway).

And who said HIPAA was dull?


Jeff [11:46 PM]

[ Tuesday, December 22, 2015 ]

 

3 Tips for HIPAA-Social Media compliance: from Fierce Health.

  1. Don't use PHI in social media
  2. Have a Social Media Policy (and make it known)
  3. Have a strategy for addressing negative reviews

Jeff [3:40 PM]

 

Attack of the Health Hackers: Hacking has overtaken theft/loss/carelessness as the health industry's primary HIPAA breach concern.  

Jeff [9:58 AM]

[ Monday, December 14, 2015 ]

 

University of Washington Medicine: An employee downloads an email attachment that contains malware, and the PHI of 90,000 patients is exposed (including Social Security Numbers of 15,000 people).  The covered entity has policies and procedures requiring the business units to have up-to-date risk assessments and safeguards, but doesn't check to make sure the business units are taking appropriate precautions.  If you're the University of Washington Medicine, that failure gets you a $750,000 fine.  Wow.

Key take-away: You must do a risk analysis, and the risk analysis must be system-wide if you're more than a single entity.  The more complicated your corporate structure, the more complex your risk analysis should be (or at least make sure you cover all your relevant risk areas/entities).

Jeff [7:57 PM]

[ Friday, December 11, 2015 ]

 

Identity Theft: This is probably still the greatest threat to PHI at healthcare entities: simple identity theft by employees.  Considering that a third of healthcare patients may be hacked next year, that's a lot of potential trouble.

Jeff [9:36 AM]

 

Snooping: The urge to snoop is strong.  Covered entities must put stronger restrictions in place, and vigorously punish those who can't resist the temptation.  

Jeff [9:28 AM]
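The "usage and activity monitoring" called for in the 100 Million Health Records post above, and the "stronger restrictions" against snooping in this one, both come down to the same control: compare who opened a chart against who had a reason to, and look for users opening far more charts than their job explains. The following is an added example, not code from this blog or from any particular EHR: the audit log format, the user and patient identifiers, and the care-team table are all constructed.

```python
"""Flagging likely record snooping in an EHR access audit log.

Added example on constructed data; not code or log lines from the blog.
Two checks run over pipe-delimited audit lines (timestamp|user|patient|action):
  1. access by a user with no documented treatment relationship to the patient;
  2. a user opening an unusually large number of distinct charts in one hour
     (wholesale browsing or an export, which is how identity-theft rings harvest).
The care-team table is the hypothetical "who is allowed to look" record; in a
real deployment it would come from the scheduling/assignment system.
"""
from collections import defaultdict
from datetime import datetime

# Constructed care-team table: patient -> users who legitimately treat them.
CARE_TEAM = {
    "P100": {"nurse.kim", "dr.lee"},
    "P101": {"dr.lee"},
    "P102": {"nurse.kim"},
    "P103": {"dr.patel"},
}

# Constructed audit lines. nurse.kim peeks at P103 (not her patient);
# billing.ann walks through every chart in two minutes.
AUDIT_LOG = """\
2015-12-11T09:01:12|nurse.kim|P100|view
2015-12-11T09:03:40|nurse.kim|P102|view
2015-12-11T09:10:05|nurse.kim|P103|view
2015-12-11T10:15:30|dr.lee|P101|view
2015-12-11T11:00:00|billing.ann|P100|view
2015-12-11T11:00:20|billing.ann|P101|view
2015-12-11T11:00:41|billing.ann|P102|view
2015-12-11T11:01:02|billing.ann|P103|view
"""


def parse(log):
    """Yield one event dict per audit line; malformed lines are skipped, not guessed."""
    for line in log.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 4:
            continue
        ts, user, patient, action = parts
        yield {"ts": datetime.fromisoformat(ts), "user": user,
               "patient": patient, "action": action}


def no_relationship(events, care_team):
    """Accesses where the user is not on the patient's care team."""
    return [(e["ts"].isoformat(), e["user"], e["patient"])
            for e in events
            if e["user"] not in care_team.get(e["patient"], set())]


def chart_bursts(events, threshold):
    """(user, hour, distinct charts) for any user at or above `threshold` charts in an hour."""
    per_hour = defaultdict(set)
    for e in events:
        per_hour[(e["user"], e["ts"].strftime("%Y-%m-%dT%H"))].add(e["patient"])
    return sorted((user, hour, len(charts))
                  for (user, hour), charts in per_hour.items()
                  if len(charts) >= threshold)


def snooping_alerts(log=AUDIT_LOG, care_team=CARE_TEAM, burst_threshold=4):
    """Run both checks and return the alerts keyed by check name."""
    events = list(parse(log))
    return {"no_relationship": no_relationship(events, care_team),
            "bursts": chart_bursts(events, burst_threshold)}


if __name__ == "__main__":
    for check, hits in snooping_alerts().items():
        print(check)
        for hit in hits:
            print("  ", hit)
```

The care-team check is deliberately strict: billing staff do have a legitimate payment purpose, so in practice the "allowed" table must include payment and operations roles, or the check buries real snooping under false positives. The burst check is what catches the case the care-team table can't, a user whose role permits access to everyone and who uses that to pull everyone.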

[ Wednesday, December 09, 2015 ]

 

In Hacking News: MaineGeneral Health has been hacked, patients being notified.

Jeff [1:43 PM]

 

"It's Skyrocketing." A report on the current state of medical identity theft.

Jeff [1:39 PM]

[ Thursday, December 03, 2015 ]

 

Off Topic: this may also explain why I run.  

Jeff [10:00 PM]

 

Rochester, NY: Small fine for a small breach.  Brought by the NY Attorney General, a Rochester, NY hospital was fined $15,000 for a breach that occurred when a nurse practitioner left the hospital and joined a private practice neurology group, and brought the records of some 3,000 patients with her to her new employer.

UPDATE: Adam Greene weighs in, as does Cooley LLP.  Texas is different; Texas Medical Board Rule 165 requires the departing physician to notify patients of the physician's departure and tell the patients where their medical records will be.  The rule states that the obligation falls on the departing physician, although obviously it can be fulfilled by the practice the physician is leaving.  While most physician employment agreements state that the medical records belong to the practice, there's no prohibition on allowing the physician employee to retain ownership of records relating to patients he cares for, and taking those records when he leaves, and therefore no prohibition on the departing physician notifying "his" patients of "his" new address, any more than the practice would be prohibited from notifying the patients if it moved offices.  I suspect there was more going on in Rochester, although the fine is small enough it could just be a nuisance settlement.

Jeff [2:51 PM]
