HIPAA Blog

[ Thursday, June 30, 2016 ]

 

Mass General Dental Data Breach: a dental vendor to the hospital, Patterson Dental Supply, suffered a breach of its servers hosting the Mass General dental patient data.

Jeff [12:52 PM]

[ Wednesday, June 29, 2016 ]

 

Jamie Knapp: Analysis Update: A couple of folks (@LaClason and @PogoWasRight) pointed out that, in regard to my earlier post this morning, HITECH did add a change to the actual HIPAA statute that is intended to be used (and has been used) to prosecute employees or third parties for acts that would be violations if they were covered entities, mainly to avoid the anomaly that rogue employees or other bad actors are free from HIPAA criminal liability because they aren't the actual covered entity.

Prior to HITECH, Section 1320d-6(a) had one sentence, which says: "A person who knowingly and in violation of this part (1) uses or causes to be used a unique health identifier; (2) obtains individually identifiable health information relating to an individual; or (3) discloses individually identifiable health information to another person, shall be punished as provided in subsection (b) of this section."  HITECH added a second sentence: "For purposes of the previous sentence, a person (including an employee or other individual) shall be considered to have obtained or disclosed individually identifiable health information in violation of this part if the information is maintained by a covered entity (as defined in the HIPAA privacy regulation described in section 1320d–9 (b)(3) of this title) and the individual obtained or disclosed such information without authorization." The copy of 42 USC 1320d-6 that I pulled up online didn't have the added language, which explains why I missed it.

However, it did give me an opportunity to re-review the new statutory language, and in fact I maintain my opinion: Knapp (and Chelsea Stewart in an earlier case) should not have been convicted, because their acts were not in violation of HIPAA.  That's because the HITECH-added language, which is intended to make them criminally liable (and pursuant to which they were held criminally liable), is deficient from a statutory construction standpoint.

The added language says “for purposes of the previous sentence,” which would be fine to change something within the construct of the previous sentence.  (Example: "It is a violation of fashion law to wear white after Labor Day.  For purposes of the preceding sentence, white shall include bone, ecru, ivory, eggshell, and taupe.")  But the preceding sentence still says the obtaining or disclosing must be “in violation of this part.”  It doesn’t change the definition of a covered entity or put obligations onto anyone other than a covered entity.

And you can’t change the meaning of “in violation of this part” by such a passing reference.  In other words, you can’t change the definition of “in violation of this part” to simply mean any obtaining or disclosing of IIHI “if the information is maintained by a covered entity . . . and the individual obtained or disclosed such information without authorization.”  If that’s the case, then any obtaining or disclosing of IIHI that is (i) “maintained by a covered entity” and (ii) “without authorization” would be a violation.  And if that’s the case, every obtaining or disclosing of hospital-held PHI for treatment, payment, or healthcare operations (i.e., uses and disclosures for which an authorization is not required) would be a HIPAA violation.

HITECH was a hastily- and sloppily-written statute.  But it’s also another example of the pure lawlessness of the current federal government.  If we are to live under the rule of law, laws must apply equally to all.  They must be clearly written so citizens can know exactly what conduct is prohibited and what is allowed.  Words have meaning, and the meaning of words has consequences.  When it comes to criminal law, where one’s property or liberty can be removed by the state, there cannot be a “well, you know what I mean” quality to it.  Criminal statutes in particular MUST be clearly and precisely written.  If there is any ambiguity (and there certainly is here), the benefit of the doubt must go to the accused.  

Congress had the opportunity to fix this loophole by changing the definition of Covered Entity or by specifying a new and separate violation (i.e., “a person violates this part if . . . “ or “It is a violation of this part if a person . . . “), but they didn’t do so.

I hope the next person who is charged under this provision challenges it on these grounds.  I don’t object at all to holding employees and other non-covered-entities criminally liable for these types of breaches.  I think this is a loophole that should be and needs to be closed.  But the law should be written to make these types of breaches actual violations of the law, and what is written doesn't do that.  Have some respect for the rule of law.

Jeff [3:24 PM]

 

Jamie Knapp: another HIPAA criminal conviction: a respiratory therapist who accessed PHI of patients she was not seeing has been convicted, apparently of violating HIPAA, by an Ohio federal jury.  I'm still trying to figure out how a respiratory therapist employee of a hospital, who by herself is not a covered entity, was convicted of violating HIPAA.  Not every health care provider is a covered entity; you must also conduct electronic transactions that are HIPAA regulated.  Generally, an employee will not be conducting those transactions. And while the officers and directors of a company may be held liable for their activities as decision-makers of their companies (in other words, they can't hide behind the company for their own acts if the company is responsible as well), I don't see how a low-level employee is bootstrapped into being the covered entity itself.

Jeff [8:32 AM]

[ Tuesday, June 28, 2016 ]

 

Tex. Health & Human Services Commission Breach: The HHSC's records vendor, Iron Mountain, lost some boxes with records of 600 people who applied for benefits with HHSC.

In case you didn't know, the HITECH and Omnibus Rule changes to HIPAA's definition of "business associate" make clear that anyone who "creates, receives, maintains or transmits" PHI for a covered entity is a business associate.  "Maintains" includes storage, so wherever a covered entity stores its PHI, whether it's a cloud-based server or Uncle Bob's Self Storage, the storage company is a business associate.  Of course, self-storage places, which never intend to access the records in storage and don't even know what people keep in their storage lockers, really don't want to be BAs, and they sure don't want to sign BAAs.  But have you ever seen the TV show Storage Wars?  Stuff in self-storage facilities sometimes gets disclosed to the general public.  Unfortunately, if you are a covered entity and you're using a self-storage facility, you must get them to sign a BAA, or find another facility.

There are facilities that will sign BAAs, and Iron Mountain is one of them.  This is the first breach I've heard of involving Iron Mountain; hopefully it will be the last.

Hat tip: Virginia Mimmack

Jeff [4:00 PM]

[ Monday, June 27, 2016 ]

 

Is the theft of NFL Players' medical records from a Redskins' trainer a HIPAA violation?  Almost certainly not.  But it is likely a violation of some state data protection laws, and almost certainly raises a data breach notification obligation.

A Redskins trainer left a backpack containing paper medical records, as well as a laptop with electronic medical records, of current and former NFL players in a locked car; the car was burgled and the backpack (and its contents) stolen.  The laptop was password-protected, but the electronic data was not encrypted. This is not good.  But it's also unlikely to be a HIPAA violation, mainly because it's unlikely there is a HIPAA covered entity involved.

No breach without a CE or BA: The NFL itself, and the Washington Redskins specifically, are not health plans, health care providers, or health care clearinghouses.  Therefore, they are not "covered entities" (or CEs) under HIPAA.  The trainer is most likely a health care provider, which would make him/her a CE if he/she engages in electronic transactions of the sort regulated by HIPAA.  These would be submitting billing to insurance, checking for insurance coverage and benefits, tracking payments, etc.  I would be extremely surprised if he/she did so, since I assume he/she is paid by the Redskins for services provided.

It also does not seem likely that the NFL, the Washington Redskins, or the trainer were acting as a "business associate" (or BA) of some other CE in connection with the lost data.  Without a CE or a BA, there can't be a HIPAA breach.

One possible caveat: the Players Association is all over this story.  It is possible that the Players Association is structured in such a way that it (or a component of it) is a CE by virtue of being a health plan.  I doubt that, since I doubt the PA pays or provides for medical care; I assume the teams pay for their own players' medical care.  But that unlikely event is the only way I see HIPAA being involved here.

Employment records aren't PHI: Even if there was a BA or CE involved here somehow, there's still the question of whether the data lost was "protected health information" (or PHI) under HIPAA's definition.  The definition of PHI is extremely broad, and it's likely that this information could be PHI, but the definition does have an exception that might be applicable here.  Namely, "employment records held by a covered entity in its role as employer" are specifically excluded from the definition of PHI.  We don't know for sure, but it seems like the lost data might be "employment records."

Encryption is not required: The article states, "Storage of data on unencrypted devices does not adhere to both local and federal medical privacy standards, including HIPAA, making the breach a potentially costly one for the NFL."  Not true.  Don't get me wrong; encryption is best practice, and I highly recommend it, not least because HIPAA's breach notification provisions are inapplicable if the lost data is encrypted (encrypted data isn't "unsecured" PHI).  But under the Security Rule, encryption is an "addressable" implementation specification, not a "required" one: a covered entity must implement it if reasonable and appropriate, or document why not and adopt an equivalent alternative.  Storing data on unencrypted devices therefore does not, by itself, fail to meet a standard under HIPAA.  Some states (MA for sure) have state-level encryption requirements, but it's impossible to tell from the article whether those state statutes would be implicated, or if the state regulators would be able to commence an enforcement action.

State laws may apply: Depending on the states of residence of the affected individuals, the location of the responsible parties (are the Redskins actually in DC or in Maryland or Virginia?), and the location of the theft (Indianapolis), various state laws may be implicated.  Some states have laws requiring reasonable security for personally identifiable information; most have laws requiring the notification of individuals whose data has been breached.  Those laws vary greatly, but it's pretty safe to say some would be implicated by this situation.  Some do not require notification if there is little or no risk of harm from the breach, and it's possible that the NFL and the Redskins could come to that conclusion based on the fact that the laptop was password-protected; that wouldn't cure the problem with the paper records, though.  Regardless, that's a fact-specific matter based on the reasonable conclusion of the parties involved.  I would expect the NFL and/or the Redskins to notify all individuals involved, regardless of whether it's legally required or not.

Jeff [5:50 PM]

[ Monday, June 06, 2016 ]

 

(wrote this back in April, don't know why it didn't post): NY Med HIPAA Fine: NY Med was a reality TV show filmed in NY hospitals.  It's relatively famous because NY Presbyterian Hospital and ABC are being sued by the family of a man who was hit by a garbage truck and was dying in the hospital; the film crew filmed his plight, without his authorization.  The show pixelated the man's face and included no identifying information, but some family members were able to determine that it was him, and they're now suing the hospital and ABC.  It's unlikely that anyone would have been able to determine who the dying man was if not for his family's publicizing the case by filing suit.  I believe that ABC has been released from the suit, but the suit goes on against the hospital.

OCR has now fined NY Presbyterian 2.2 million dollars for this case and for a similar issue involving another individual.  

Jeff [11:30 AM]

 

University of New Mexico Hospital breach: A change in software led to invoice information on about 3,000 patients being sent to 18 incorrect addresses.  Definitely PHI included in the improper disclosures, but none of the traditional identity theft markers like social security numbers.

Jeff [11:17 AM]

 

ProMedica Michigan breaches: Two hospitals in Michigan operated by ProMedica are under investigation by HHS for breaches apparently involving employee snooping.  Seven employees were involved; 3 were fired, the other 4 disciplined.  About 3500 patients were impacted.  None of the files were printed, which makes large-scale identity theft less likely (of course they could've been saved to a flash drive, but I'm assuming they ruled that out too).  That makes it more likely to be either pure nosy snooping (although the number is pretty high -- can't imagine that each snooper would know 500 people in the hospital), improperly-restrained curiosity, or some less-nefarious intent, such as wanting to see if hospital policies are being applied evenly.

Jeff [10:57 AM]

 

Abortion: HIPAA makes its way into the Planned Parenthood fetal tissue sales story.

Jeff [10:47 AM]
