Photo of Stephanie Gomes-Ganhão

Stephanie Gomes-Ganhão focuses her privacy practice on health care and insurance privacy matters, including counseling clients regarding compliance with HIPAA/HITECH, the federal regulations governing the confidentiality of substance use disorder patient records (42 C.F.R. Part 2), the Gramm-Leach-Bliley-Act (GLBA), the Telephone Consumer Protection Act (TCPA), and the Payment Card Industry Data Security Standard (PCI DSS).

Stephanie is also somewhat of a data breach response nerd and stays up to date on security breach trends. She regularly assists clients with establishing compliance programs for the early detection of data privacy concerns and guides clients through the data breach investigation and notification process when a breach has occurred. Stephanie’s complete biography can be found here.

On December 12, 2018, the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) released a Request for Information (“RFI”) “to assist OCR in identifying provisions of the Health Insurance Portability and Accountability Act (“HIPAA”) privacy and security regulations that may impede the transformation to value-based health care or that limit or discourage coordinated care among individuals and covered entities (including hospitals, physicians, and other providers, payors, and insurers), without meaningfully contributing to the protection of the privacy or security of individuals’ protected health information.” Through this RFI, OCR seeks public comment regarding whether and how the HIPAA Privacy and Security Rules could be revised to promote value-based care and care coordination without jeopardizing individuals’ rights to privacy. OCR will accept comments through February 12, 2019.

Specifically, OCR has requested comments regarding the following four topics: Continue Reading OCR Seeks Public Comment on HIPAA Reform

The Upper San Juan Health Service District d/b/a Pagosa Springs Medical Center (“PSMC”), a critical access hospital in Colorado, has agreed to a $111,400 settlement with the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) to resolve a complaint alleging that a former PSMC employee continued to have remote access to PSMC’s web-based scheduling calendar because PSMC failed to deactivate the former employee’s username and password following termination of employment. OCR investigated the complaint and discovered that PSMC impermissibly disclosed the protected health information (“PHI”) of 557 patients to the former employee. Moreover, OCR determined that PSMC did not have a Business Associate agreement in place with the vendor of the web-based scheduling calendar.

The Resolution Agreement also includes a two-year Corrective Action Plan. Under the Corrective Action Plan, PSMC must: (i) revise its policies and procedures relating to Business Associates and uses and disclosures of PHI; (ii) submit proposed training materials on the revised policies and procedures for OCR’s review and train workforce members in accordance with the approved training materials; (iii) develop a current Risk Analysis and submit such analysis to OCR for review; and (iv) upon OCR’s approval of the Risk Analysis, provide OCR with a risk management plan that addresses and mitigates the security risks and vulnerabilities identified in the Risk Analysis and documentation that the risk management plan is being implemented.

The Resolution Agreement and Corrective Action Plan are available here.

Our take:

HIPAA requires covered entities and business associates to terminate a workforce member’s access to all systems and databases containing PHI upon the date the workforce member’s employment, or other arrangement with the entity, ends. The PSMC settlement serves as a reminder that the electronic health record is not the only database for which access must be terminated. HIPAA entities should develop a checklist that identifies all systems and databases containing PHI to ensure all access to PHI is terminated upon a workforce member’s separation from the entity.

On December 4, 2018, New York Attorney General Barbara D. Underwood announced a $4.95 million settlement with Oath, Inc. (f/k/a AOL Inc.), a wholly-owned subsidiary of Verizon Communications, Inc., for alleged violations of the Children’s Online Privacy Protection Act (“COPPA”) as a result of its involvement with online behavioral advertising auctions. This settlement represents the largest penalty ever in a COPPA enforcement matter in U.S. history.

Through its investigation, the New York Attorney General’s Office discovered that AOL collected, used, and disclosed personal information of website users under the age of 13 without parental consent in violation of COPPA. Specifically, the company was charged with having “conducted billions of auctions for ad space on hundreds of websites the company knew were directed to children under the age of 13.” The New York Attorney General found that AOL operated several ad exchanges and permitted clients to use its display ad exchange to sell ad space on COPPA-covered websites, despite the fact that the exchange was not capable of conducting a COPPA-compliant auction that involved third-party bidders. AOL was charged with having knowledge that these websites were subject to COPPA because evidence demonstrated that: (i) several AOL clients had provided AOL with notice that their websites were subject to COPPA and (ii) AOL had conducted a review of the content and privacy policies of client websites and had designated certain websites as being child-directed. Additionally, the New York Attorney General charged AOL with having placed ads through other exchanges in violation of COPPA.   Specifically, whenever AOL participated and won an auction for ad space on a COPPA-covered website, AOL ignored any information it received from an ad exchange indicating that the ad space was subject to COPPA and collected information about the website users to serve a targeted advertisement to the users. Continue Reading Oath (f/k/a AOL) Agrees to Record $5 Million COPPA Settlement

On November 2, 2018, the Office of the NJ Attorney General and the NJ Division of Consumer Affairs (collectively, the “State”) announced a $200,000 settlement with the now-dissolved ATA Consulting, LLC, which did business as Best Medical Transcription, (“Best Medical”), and its owner, Tushar Mathur. The settlement resolves allegations involving Best Medical’s role in a 2016 breach that affected more than 1,650 patients of Virtua Medical Group (“VMG”), a network of medical and surgical practices in southern New Jersey. Notably, in addition to civil penalties and reimbursement of attorneys’ fees and investigative costs, the settlement permanently bars Mathur from managing or owning a business in New Jersey.

VMG had contracted with Best Medical for the provision of transcription services. Specifically, three VMG practices submitted dictations of doctors’ letters, medical notes, and other reports to Best Medical through a telephone recording service. Best Medical would then upload the recorded sound files to a password-protected File Transfer Protocol (“FTP”) site and Best Medical’s subcontractor transcribed the dictations into text documents, which were subsequently posted on the FTP site.

In January 2016, it was discovered that the FTP site was inadvertently misconfigured by Mathur during a software update, which changed the security restrictions such that the FTP site was accessible over the internet without the need for any authentication. The files had been indexed by Google, which meant that an individual conducting a Google search using search terms that happened to be included in the dictations could have obtained search results with links to access and download the exposed files. VMG learned of the incident when it received a phone call from a patient indicating that her daughter had found portions of her medical records through a Google web search. VMG had not received notice of the breach from Best Medical. Continue Reading Vendor Responsible for Breach Barred from Conducting Business in NJ

In a recent letter to the Federal Trade Commission (“FTC”), Senators Edward J. Markey (D-Mass) and Richard Blumenthal (D-Conn), expressed their concern regarding a recent study, which “indicates that numerous apps directed at children have been accessing geolocation data and transmitting persistent identifiers without parental consent” in violation of the Children’s Online Privacy Protection Act of 1998 (“COPPA”). In addition, the senators voiced concerns that parents are being misled by app developers, the advertising companies they work with, and app stores because such apps are placed in the “kids” or “families” sections of app stores. In other words, these apps should not be marketed as appropriate for children if they are engaging in activity that violates COPPA. The senators urged the FTC to review the extent to which app developers, advertising companies, and app stores are complying with COPPA. The senators requested a response from the FTC by October 31.

The study referenced in the senators’ letter comprised of a review of 5,855 “child-friendly” apps for compliance with COPPA. The researchers found that approximately 57% of these apps were engaging in activity prohibited by COPPA. For example, the researchers concluded that over 1,000 of the apps analyzed shared persistent identifiers with third parties. Furthermore, they found that 235 of the apps analyzed accessed geolocation information without verifiable parental consent, with a number of apps also sharing this information with advertising companies.

A copy of the senators’ letter to the FTC can be found here.

Our take

COPPA was designed to protect children under the age of 13 from overreaching by marketers by providing parents control over what information is collected from their young children online. This increased scrutiny by lawmakers of the data collection and use practices of child-friendly apps should serve as a reminder for app developers to review their products, and the terms of their agreements with the advertising companies they work with, for compliance with COPPA.

Data breaches can be extremely costly, regardless of the size or type of organization affected.  Costs include technical investigations, notifications, call center setup, legal services for regulatory compliance and defense, credit monitoring and identity theft protection services, public relations outreach, and loss of business and reputation.  In fact, according to a recent study conducted by the Ponemon Institute and sponsored by IBM, the global average cost of a data breach is $3.86 million, which is a 6.4% increase from last year’s average.  As a result, businesses are investing more in their IT departments and information security generally.

Ohio now rewards such businesses by providing an affirmative defense against tort claims to businesses subject to litigation stemming from data breach incidents.  Specifically, Ohio recently passed a law (S.B. 220), effective November 2, 2018, that provides a “legal safe harbor” for businesses that adopt and comply with an “industry recognized cybersecurity framework.”  The law sets forth the qualifying cybersecurity frameworks, which include, but are not limited to the HIPAA Security Rule and HITECH, Title V of the Gramm-Leach-Bliley Act of 1999, the Payment Card Industry (“PCI”) Data Security Standard, and certain National Institute of Standards and Technology (“NIST”) frameworks.  In order to qualify for the safe harbor, a business must stay current with the identified cybersecurity framework.

The text of S.B. 220 is available here.

Our take

Due to the large costs associated with data breaches, businesses should ensure that their cybersecurity frameworks conform to the most recent version of all applicable cybersecurity frameworks.  Although most states have not enacted a law providing an affirmative defense against tort claims for businesses that implement and maintain a meaningful cybersecurity framework, the compliance risks and costs associated with data breach investigation and response should be sufficient incentives to do so.

In its August Cyber Security Newsletter, the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) issued “Considerations for Securing Electronic Media and Devices.” In this guidance document, OCR reminds HIPAA covered entities and business associates that they are required, under the HIPAA Security Rule, to implement policies and procedures that: (1) limit physical access to the organization’s electronic information systems and the facilities in which they are housed and (2) govern the receipt and removal of hardware and electronic media containing electronic PHI (“ePHI”) into and out of an organization’s facility and their movement within a facility.

OCR sets forth the following considerations for covered entities and business associates to take into account when developing policies and procedures regarding device and media controls:

  • “Is there a record that tracks the location, movement, modifications or repairs, and disposition of devices and media throughout their lifecycles?”
  • “Does the organization’s record of device and media movement include the person(s) responsible for such devices and media?”
  • “Are workforce members (including management) trained on the proper use and handling of devices and media to safeguard ePHI?”
  • “Are appropriate technical controls, for example, access controls, audit controls, and encryption, in use?”

OCR explains that an organization should use its risk analysis and risk management processes to identify and implement appropriate electronic device and media controls. Moreover, an organization should consider the following factors when determining what security measures to implement: (1) “[i]ts size, complexity, and capabilities;” (2) “[i]ts technical infrastructure, hardware, and software security capabilities;” (3) “[t]he costs of security measures;” and (4) “[t]he probability and criticality of potential risks to ePHI.”

Finally, OCR notes that an organization that has implemented an electronic asset inventory and tracking system will be better positioned to identify and manage risks associated with such devices and media and to respond to and recover from security incidents and breaches.

OCR’s August Cyber Security Newsletter can be found here.

Our take

Healthcare organizations use a variety of different electronic devices and media, including laptops, tablets, smartphones, and USB drives, in their day-to-day activities. Without appropriate processes in place to track and safeguard these devices, organizations are at greater risk of experiencing loss, theft, and the potential breach of PHI. Therefore, such organizations should review their existing electronic devices and media security policies and procedures while taking into account the various considerations set forth above.

On August 30, 2018, in honor of the 22nd anniversary of the introduction of HIPAA, the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) and the Office of the National Coordinator for Health Information Technology (“ONC”) released a blog post entitled “HIPAA & Health Information Portability: A Foundation for Interoperability.” This blog post outlines the initiatives HHS and its components, including the Centers for Medicare & Medicaid Services (“CMS”) and the National Institutes for Health (“NIH”), have recently taken to improve individual access to health information and to promote the secure portability of health information. For example, OCR and ONC have initiated a campaign to encourage individuals to “get, check, and use” their health information and to take advantage of their right to access their health information as a means of taking greater control over their health care decisions. These resources for individuals are available here. Moreover, OCR and ONC have issued guidance and training resources about the HIPAA right of access for health care providers. The training module for health care providers about patients’ right of access is available here.

Additionally, CMS has asked for comment on whether CMS should make interoperability a requirement for providers that participate in the Medicare program. See “Speech: Medicare Remarks by CMS Administrator Seema Verma at the Commonwealth Club of California” available here. Furthermore, NIH has established a research program that will require the portability of health information.

The HHS blog post is available here.

Our take

This guidance suggests that HHS is cracking down on violations of the HIPAA individual right of access. Therefore, health care organizations must be cognizant of the importance of providing individuals with access to their health information within 30 days (and no later than 60 days) of the individual’s request.

Members of Shipman & Goodwin’s Privacy and Data Protection team join their health law colleagues in explaining how health centers can protect their client data as health care transforms with the use of tools like patient portals and telemedicine in the breakout session The Digital Era: Ensuring Data Privacy in the Age of Transformation.

For more information, please click here.

When: September 14, 2018
2:30 PM – 3:15 PM EDT
Where: Toyota Oakdale Theatre, 95 S Turnpike Road, Wallingford, CT 06492

Although the legislation has not yet been formally introduced, sponsors, Representative Blaine Luetkemeyer (R-Missouri) and Representative Carolyn Maloney (D-New York), released a draft of the “Data Acquisition and Technology Accountability and Security Act” for public consideration on February 16, 2018.  This draft bill would establish a federal security and breach notification regime enforced by the Federal Trade Commission and state attorneys general.

The draft bill would apply to “covered entities,” which are defined as “any person, partnership, corporation, trust, estate, cooperative, association, or other entity that accesses, maintains, or stores personal, or handles personal information.”  In addition to requiring covered entities to develop, implement, and maintain security safeguards appropriate to the particular entity’s size, activities, and the sensitivity of the personal information maintained, the draft bill sets forth a federal standard for data breach response.  Notably, the draft bill would require that a covered entity conduct a preliminary investigation and determine whether there has been an unauthorized acquisition of personal information and whether there is a “reasonable risk that the breach of data security has resulted in or will result in identity theft, fraud, or economic loss to the consumers to whom the personal information involved in the incident relates.”  If this standard is met, a covered entity would be required to notify certain government agencies, such as the Secret Service or the FBI, and other agencies, such as payment card networks and consumer reporting agencies (depending on the type of breach), but only in the event the breach involves the personal information of 5,000 or more consumers.  Furthermore, a covered entity’s obligation to notify affected consumers is triggered only if the covered entity determines that “there is a reasonable risk that the breach of data security has resulted in identity theft, fraud, or economic loss to any consumer . . . .”  Notice to relevant agencies and affected consumers must be provided “immediately” and “without unreasonable delay.”  Finally, the draft bill exempts insurers and expressly preempts state data security and breach notification laws.  As further described below, this proposed breach response regime is much less stringent in comparison to existing state breach notification laws. Continue Reading Is a Federal Data Breach Notification Regime Forthcoming?