Over the past year, the Office of Civil Rights (“OCR”) has taken a more aggressive stance in enforcing the provisions of the Health Insurance Portability and Accountability Act (HIPAA). The largest settlement for a data breach to date was just announced earlier this year between OCR and New York Presbyterian Hospital and Columbia University. However, high civil penalties are not the only concern anymore – individuals who commit a breach are also subject to criminal prosecutions.
The House of Representatives has grown increasingly skeptical of the Office of the National Coordinator for Health Information (“ONC”) and its plans to expand its programming and reach. House members have questioned whether the ONC has the authority to make changes it has recently proposed.
In a June 3, 2014, letter to the Office of the National Coordinator for Health Information Technology (“ONC”), the United States House Committee on Energy and Commerce (“Committee”) asked the agency to explain its presumed authority to implement new regulatory measures in the realm of Health Information Technology (“Health IT”). The letter, signed by Chairman Fred Upton (R-MI), Vice Chairman Marsha Blackburn (R-TN), Subcommittee on Health Chairman Joseph R. Pitts (R-PA), and Subcommittee on Communications and Technology Chairman Greg Walden (R-OR), asked ONC to respond to a number of questions, including “When the authorization for the Medicare and Medicaid Incentive program expires, under what statutory authority does ONC believe it is able to regulate Health IT and electronic health records, particularly in (but not limited to) non-Meaningful Use areas?”
“I Might Be Injured, Someday…Maybe?” Courts Question Plaintiffs’ Standing in HIPAA Breach Suits Alleging Future Harm
Illinois courts have now dismissed two class action lawsuits against Advocate Health and Hospitals Corporation (“Advocate”), stemming from a July 2013 breach of personal health information (“PHI”) when four unencrypted laptop computers were stolen from Advocate’s administrative offices. The computers collectively contained the PHI of over 4 million Advocate consumers, including names, addresses, dates of birth, Social Security Numbers, diagnoses, medical record numbers, the identity of treating physicians or departments, and health insurance data.
In both suits, the plaintiff class alleged the breach was a direct result of Advocate’s negligence, in violation of the Illinois Consumer Fraud and Deceptive Business Practices Act and the Illinois Personal Information Protection Act, as well as an invasion of privacy and an intentional infliction of emotional distress.
The Federal Trade Commission (“FTC”) is urging Congress to ensure the data brokerage industry becomes more transparent and accountable, which could change the way consumers’ personal, health-related information is gathered and shared. These recommendations may change the landscape of the HIPAA regulations to better ensure protection of sensitive health information.
On May 27, 2014, the FTC released a report based upon its comprehensive study of nine data brokers, ranging in size and prominence in the community. Data brokers make millions of dollars each year collecting and disseminating massive amounts of personal, sensitive information they have obtained from consumers. This affects nearly every consumer in the United States, and the current laws in place do not effectively regulate data brokers or their access to consumer information, especially when it comes to individuals’ health-related information.
A Massachusetts dermatology practice, APDerm, has agreed to make a $150,000 payment and enter into a corrective action plan with the U.S. Department of Health and Human Services’ Office for Civil Rights in order to settle potential violations of the HIPAA Privacy, Security, and Breach Notification Rules. According to HHS, this is the first settlement entered into by an entity for a failure to have breach notification policies and procedures in place under the HITECH Act.
According to the press release, an unencrypted thumb drive containing electronic protected health information (“ePHI”) of over 2,200 people was stolen from the vehicle of an APDerm employee in October 2011. After HHS was notified of the situation, its investigation revealed that APDerm had not conducted an adequate risk assessment of the vulnerabilities to the confidentiality of the ePHI it maintained prior to the loss of the thumb drive. HHS also determined that APDerm did not comply with the Breach Notification Rule, because it failed to have written policies and procedures in place to address such breaches and failed to train workers regarding the requirements of this rule. HHS also found that the failure to safeguard the unencrypted thumb drive amounted to an impermissible disclosure of ePHI when it was stolen from the APDerm employee’s car.
The corrective action plan entered into by APDerm requires it to perform a risk analysis, develop breach notification policies and procedures, and establish an implementation plan for those procedures, each of which must be reviewed and approved by HHS.
The HHS press release is available here: http://www.hhs.gov/news/press/2013pres/12/20131226a.html
The Resolution Agreement is here: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/apderm-resolution-agreement.pdf
The managed care company WellPoint Inc. has reached a Resolution Agreement with the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) to settle allegations that it violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules. WellPoint agreed to pay $1.7 million in connection with this settlement. The OCR enforces federal standards governing the privacy of individually identifiable health information, including the standards that cover the security of electronic individually identifiable health information.
This afternoon, the Department of Health and Human Services posted a long-awaited, 563-page omnibus final rule under HIPAA, which will be published in the Federal Register on January 25, 2013, and which makes a variety of modifications to HIPAA’s Privacy, Security, Breach Notification, and Enforcement Rules. According to the executive summary of the rule, these modifications are necessary “to strengthen the privacy and security protections . . . for individual’s health information maintained in electronic health records and other formats. This final rule also makes changes to the HIPAA rules that are designed to increase flexibility for and decrease burden on the regulated entities, as well as to harmonize certain requirements with those under the Department’s Human Subjects Protections regulations.”
Note that while the effective date of the final rules is March 26, 2013, covered entities have until September 23, 2013, to achieve compliance.
We will have further analysis on this final rule in the coming days.
The U.S. Department of Health and Human Services (HHS) initiated a compliance investigation after the Hospice of North Idaho (HONI) reported to HHS that an unencrypted laptop computer containing the electronic protected health information (ePHI) of 441 patients had been stolen.
Pursuant to the Health Information Technology for Economic and Clinical Health Act (HITECH), if a breach of unsecured PHI involves fewer than 500 impacted individuals, a log of the unauthorized disclosure must be maintained and submitted to HHS on an annual basis.
As a result of the investigation, the HHS Office for Civil Rights (OCR) discovered that HONI had not conducted a risk analysis to safeguard ePHI, and did not have written policies or procedures to address mobile device security as required by the HIPAA Security Rule. HONI agreed to pay HHS $50,000 to settle the potential violations.
The settlement confirms that the OCR may conduct a compliance investigation in response to these required “self” disclosures.
This post is contributed by Charles Dunham.
An Indianapolis oncology group has disclosed that data concerning about 55,000 patients was stored on a stolen laptop computer. A backup copy of the Cancer Care Group’s server was stored on the computer, which was stolen from a locked car. Among the data stored on the device were patient names, addresses, Social Security Numbers, medical record numbers, and insurance information. Several employees’ personal information was stored on the compromised device as well.
When HIPAA Investigations Broaden To Scrutinize Unrelated Business Practices: The Settlement between the State of Minnesota and Accretive Health
Prosecutions involving breaches of protected health information under the Health Insurance Portability and Accountability Act (“HIPAA”) are becoming more frequent; we have noted recent civil settlements involving providers in Massachusetts and Alaska, as well as a criminal prosecution in California. The latest prosecution, and resulting settlement, illustrates a new twist: the focus of a data breach investigation can broaden beyond the data breach and expose providers to liability for business practices unrelated to the data breach.
Late last month, the Minnesota Attorney General’s Office announced a settlement with Accretive Health, Inc., a Chicago-based debt collector that had been managing the revenue collection operations of several Minnesota hospitals. Under the settlement, Accretive must cease all operations in Minnesota and pay $2.5 million to a restitution fund. Minnesota had been investigating Accretive after it had learned that a laptop, containing the protected health information of over 23,000 patients of two Minnesota hospitals, was stolen from the rental car of an Accretive employee in July 2011. The information on the laptop not only contained protected health information, such as the patients’ names, addresses, and Social Security numbers, but it also included Accretive’s proprietary analysis of each patient’s medical condition and likelihood of hospitalization. It was also revealed that another Accretive laptop, containing similar information from a Minnesota hospital, was stolen under similar circumstances a year earlier in July 2010, although Accretive did not report that theft to the Minnesota hospitals. The hospitals only learned of the first theft through anonymous tips received after the second theft was reported. The Attorney General filed a lawsuit in federal court claiming violations of HIPAA, and the Minnesota Health Records Act (Minn. Stat. § 144.291 et seq.). The lawsuit also claimed that Accretive violated Minnesota’s debt collection and consumer protection statutes for an alleged failure to disclose its status as a debt collector to patients.
While the Attorney General was probing Accretive’s data security practices, the office learned that Accretive was in the debt collection business and immediately broadened its investigation to those practices. As a result of this fresh investigation, the Attorney General amended the lawsuit to include allegations that Accretive engaged in illegal aggressive collection practices in hospital emergency rooms. Sworn affidavits from about 60 patients alleged that Accretive, or others acting under its control or supervision, asked patients, most of whom had insurance coverage, to pay money in the hospital emergency room before being treated. According to the Attorney General’s press release, affidavits were obtained from:
- “A mother who was taken from the side of her teenage daughter who tried to overdose on a bottle of pills, made to give a credit card in the middle of the night and pay $500 before she could return to her daughter’s bedside.”
- “A mother who had just given birth who was told that her newborn baby could not be discharged from the hospital unless she coughed up a credit card and paid $800. As it turns out, the mother overpaid and had to fight for months to get the $800 back.”
- “A pregnant mother who was asked to pay money in the emergency room in the midst of miscarrying her first baby.”
Accretive’s settlement, which has been approved by the federal district court, requires it to pay $2.5 million to the State of Minnesota for a fund providing restitution to affected patients, with any remainder going to the State’s treasury. Accretive must also cease its operations in Minnesota, return to its client hospitals all health information, and hire an independent auditor, approved by the Attorney General, to confirm that it has done so. Finally, the Minnesota Attorney General noted that since it cannot enforce the federal Emergency Medical Treatment and Active Labor Act (“EMTALA”)—which requires a hospital to treat and stabilize a patient experiencing a medical emergency before asking for payment—it has referred the patient affidavits to the U.S. Centers for Medicare and Medicaid Services.
While the nature of the data breach in the Accretive case underscores the need for providers to remain diligent in monitoring their responsibility to secure the protected health information of their patients, the case also demonstrates how data breach investigations become broader inquiries into practices that are unrelated to data security.