Back in 2008, Illinois became the first state to pass legislation specifically protecting individuals’ biometric data. Following years of legal challenges, some of the major questions about the law are about to be resolved (hopefully). Two major legal challenges, one now at the Illinois Supreme Court and another with the Court of Appeals for the Ninth Circuit, seek to clarify the foundational issues that have been a battleground for privacy litigation — standing and injury. To understand the stakes, Illinois’ Biometric Information Privacy Act requires companies that obtain a person’s biometric information to: (1) obtain a written release prior to their information being stored and collected; (2) provide notice that their information is being stored and collected; (3) state how long the information will be stored and used; and (4) disclose the specific purpose for its storage and use. The law further provides individuals with a private right of action. However, in order to trigger that private right, an individual must be “aggrieved.”
After eleven years of litigation, including two decisions by the Connecticut Supreme Court, Byrne v. Avery Center for Obstetrics and Gynecology, P.C. has finally reached a verdict. Last month, the jury awarded the plaintiff $853,000 in damages in connection with her physician practice’s 2005 release of medical records in response to a non-HIPAA-compliant subpoena. The subpoena was issued in connection with a paternity suit brought by the plaintiff’s former boyfriend, a man with whom the plaintiff had specifically asked her physician practice not to share her medical information.
Without speculating too much about its judicial progeny, Byrne nevertheless highlights several areas of HIPAA compliance that should be areas of heightened review for physicians and medical providers now. Please click here for a detailed analysis of this verdict and its implications for providers.
On December 12, 2018, the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) released a Request for Information (“RFI”) “to assist OCR in identifying provisions of the Health Insurance Portability and Accountability Act (“HIPAA”) privacy and security regulations that may impede the transformation to value-based health care or that limit or discourage coordinated care among individuals and covered entities (including hospitals, physicians, and other providers, payors, and insurers), without meaningfully contributing to the protection of the privacy or security of individuals’ protected health information.” Through this RFI, OCR seeks public comment regarding whether and how the HIPAA Privacy and Security Rules could be revised to promote value-based care and care coordination without jeopardizing individuals’ rights to privacy. OCR will accept comments through February 12, 2019.
Specifically, OCR has requested comments on four topics.
The Upper San Juan Health Service District d/b/a Pagosa Springs Medical Center (“PSMC”), a critical access hospital in Colorado, has agreed to a $111,400 settlement with the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) to resolve a complaint alleging that a former PSMC employee continued to have remote access to PSMC’s web-based scheduling calendar because PSMC failed to deactivate the former employee’s username and password following termination of employment. OCR investigated the complaint and discovered that PSMC impermissibly disclosed the protected health information (“PHI”) of 557 patients to the former employee. Moreover, OCR determined that PSMC did not have a Business Associate agreement in place with the vendor of the web-based scheduling calendar.
The Resolution Agreement also includes a two-year Corrective Action Plan. Under the Corrective Action Plan, PSMC must: (i) revise its policies and procedures relating to Business Associates and uses and disclosures of PHI; (ii) submit proposed training materials on the revised policies and procedures for OCR’s review and train workforce members in accordance with the approved training materials; (iii) develop a current Risk Analysis and submit such analysis to OCR for review; and (iv) upon OCR’s approval of the Risk Analysis, provide OCR with a risk management plan that addresses and mitigates the security risks and vulnerabilities identified in the Risk Analysis and documentation that the risk management plan is being implemented.
The Resolution Agreement and Corrective Action Plan are available here.
HIPAA requires covered entities and business associates to terminate a workforce member’s access to all systems and databases containing PHI upon the date the workforce member’s employment, or other arrangement with the entity, ends. The PSMC settlement serves as a reminder that the electronic health record is not the only database for which access must be terminated. HIPAA entities should develop a checklist that identifies all systems and databases containing PHI to ensure all access to PHI is terminated upon a workforce member’s separation from the entity.
A few months ago we posted an update on the California Consumer Privacy Act, a mini-GDPR that contains serious privacy ramifications for the U.S. privacy landscape. Likely in response to the upcoming 2020 go-live for the California law, various groups have noticed an uptick in lobbying directed at the passage of a federal privacy law that would pre-empt the California law and help harmonize the various state laws. Pushing to the front of that effort is a new draft federal privacy law proposed by Intel.
Intel’s draft law looks to be written specifically to pre-empt the California law, as it contains language that would pre-empt any state law with civil provisions designed to reduce privacy risk through the regulation of personal data. This pre-emption contains limited exceptions for state data breach, contract, consumer protection, and various other laws, but it would drive a hole through California’s law. Furthermore, Intel’s proposed law could pre-empt various specific laws such as Illinois’ biometric data protection law, and because it does not include any notice provision of its own, it would rely on the state breach notification statutes to surface violations in the first place.
Beyond frustrating state attempts at personal information regulation, the law creates penalty caps that result in disproportionate punishments for smaller and mid-size security incidents and allow larger incidents, typical of a larger company, to operate on an eat-the-fine basis. For example, the Equifax breach from earlier this year affected 143 million Americans. If regulators chose to bring an action, the maximum penalties for the action could be up to $16,500 per violation, which works out to a maximum penalty of 2.3 trillion dollars. The penalty cap, however, was set at 1 billion dollars, meaning the largest data breaches will face the lowest penalty per impacted individual.
This proposed national privacy law would primarily serve the interests of the largest players in the tech and data industry, while providing harsher relative penalties to smaller and mid-size players. This law or something similar is likely to see serious political debate in the next few years as lobbying efforts intensify. Expect the heat to turn up as we near January 1, 2020.
On November 2, 2018, the Office of the NJ Attorney General and the NJ Division of Consumer Affairs (collectively, the “State”) announced a $200,000 settlement with the now-dissolved ATA Consulting, LLC, which did business as Best Medical Transcription (“Best Medical”), and its owner, Tushar Mathur. The settlement resolves allegations involving Best Medical’s role in a 2016 breach that affected more than 1,650 patients of Virtua Medical Group (“VMG”), a network of medical and surgical practices in southern New Jersey. Notably, in addition to civil penalties and reimbursement of attorneys’ fees and investigative costs, the settlement permanently bars Mathur from managing or owning a business in New Jersey.
VMG had contracted with Best Medical for the provision of transcription services. Specifically, three VMG practices submitted dictations of doctors’ letters, medical notes, and other reports to Best Medical through a telephone recording service. Best Medical would then upload the recorded sound files to a password-protected File Transfer Protocol (“FTP”) site and Best Medical’s subcontractor transcribed the dictations into text documents, which were subsequently posted on the FTP site.
In January 2016, it was discovered that the FTP site had been inadvertently misconfigured by Mathur during a software update, which changed the security restrictions such that the FTP site was accessible over the internet without any authentication. The files had been indexed by Google, which meant that an individual conducting a Google search using search terms that happened to be included in the dictations could have obtained search results with links to access and download the exposed files. VMG learned of the incident when it received a phone call from a patient indicating that her daughter had found portions of her medical records through a Google web search. VMG had not received notice of the breach from Best Medical.
On October 18, 2018, the Food and Drug Administration (“FDA”) released draft guidance outlining its plans for the management of cybersecurity risks in medical devices. Commenters now have until March 17, 2019, to submit comments to the FDA and get their concerns on the record. More information about submitting comments can be found at the end of this post.
This FDA guidance revision will replace existing guidance released in 2014, which includes recommendations but does not attempt to classify devices. The recent draft guidance takes a more aggressive posture and separates devices into those with a Tier 1 “Higher Cybersecurity Risk” and those with a Tier 2 “Standard Cybersecurity Risk.”
Tier 1 devices are those that meet the following criteria:
1) The device is capable of connecting (e.g., wired, wirelessly) to another medical or non-medical product, or to a network, or to the Internet; and
2) A cybersecurity incident affecting the device could directly result in harm to multiple patients.
Tier 2 devices are any medical devices that do not meet both Tier 1 criteria.
The FDA has varying guidance for devices depending on the Tier of the device. The FDA provides guidance for Tier 1 and Tier 2 devices on applying the NIST Cybersecurity Framework, providing appropriate cybersecurity documentation, and adhering to labeling recommendations.
Data breaches can be extremely costly, regardless of the size or type of organization affected. Costs include technical investigations, notifications, call center setup, legal services for regulatory compliance and defense, credit monitoring and identity theft protection services, public relations outreach, and loss of business and reputation. In fact, according to a recent study conducted by the Ponemon Institute and sponsored by IBM, the global average cost of a data breach is $3.86 million, which is a 6.4% increase from last year’s average. As a result, businesses are investing more in their IT departments and information security generally.
Ohio now rewards such businesses by providing an affirmative defense against tort claims to businesses subject to litigation stemming from data breach incidents. Specifically, Ohio recently passed a law (S.B. 220), effective November 2, 2018, that provides a “legal safe harbor” for businesses that adopt and comply with an “industry recognized cybersecurity framework.” The law sets forth the qualifying cybersecurity frameworks, which include, but are not limited to the HIPAA Security Rule and HITECH, Title V of the Gramm-Leach-Bliley Act of 1999, the Payment Card Industry (“PCI”) Data Security Standard, and certain National Institute of Standards and Technology (“NIST”) frameworks. In order to qualify for the safe harbor, a business must stay current with the identified cybersecurity framework.
The text of S.B. 220 is available here.
Due to the large costs associated with data breaches, businesses should ensure that their cybersecurity frameworks conform to the most recent version of all applicable cybersecurity frameworks. Although most states have not enacted a law providing an affirmative defense against tort claims for businesses that implement and maintain a meaningful cybersecurity framework, the compliance risks and costs associated with data breach investigation and response should be sufficient incentives to do so.
Last week, four different settlement agreements were announced with four different Massachusetts hospitals to settle claims that they had violated HIPAA and state consumer protection and data security laws, by either not obtaining proper patient authorizations before allowing a television documentary to be filmed in the hospital or failing to investigate reports of inappropriate access to medical records by employees. Three hospitals entered settlement agreements and agreed to corrective action plans with the Department of Health and Human Services Office for Civil Rights (“OCR”), while the fourth hospital and an associated medical group entered into a settlement agreement with the Massachusetts Attorney General. OCR initiated its review of the three hospitals it settled with after reading news stories about the hospitals allowing a TV documentary to film inside those hospitals. In one instance, the news story OCR cited as launching its investigation was actually posted on one of the hospital’s websites by the hospital itself. OCR’s investigation revealed that while the hospitals had taken some precautions by, for example, conducting a HIPAA training with the filming crew, the hospitals nevertheless failed to obtain proper authorizations from patients. Collectively, the three hospitals settled with OCR for $999,000.
The settlement with the Massachusetts AG stemmed from two employees of the hospital and medical group inappropriately accessing information on more than 15,000 Massachusetts residents while employed with the settling organizations, ultimately opening cell phone and credit card accounts with the information they improperly obtained. Although the AG alleges that the hospital and medical group were informed of these employees’ misconduct by an inside informant, its complaint further alleged that the hospital and group failed to properly investigate those complaints, verify that their information was safeguarded, or discipline the employees in question. The providers did eventually perform a sufficient investigation, but not until after a deceased patient’s widow complained that her husband’s information had been fraudulently used. The AG’s office alleged violations of the Massachusetts Consumer Protection Act, Data Security Law, and HIPAA in its complaint filed simultaneously with the consent decree, which included a payment of $230,000.
Despite what any of us might be feeling or inclined to think to the contrary, HIPAA enforcement is alive and well, both at the federal and state levels. Although there is some indication that OCR has been selective in its enforcement, and is focusing on pursuing large dollar value settlements, the Massachusetts AG settlement demonstrates that state attorneys general can and do enforce HIPAA violations of all sizes, either standing alone or as part of an enforcement action for a state data privacy or data breach law, the latter of which all 50 states now have. These settlements also show, on the one hand, that regulators will bring enforcement actions and levy fines even in the absence of a patient complaint or when a provider believes it is doing everything right, and, on the other, that regulated entities need to take reports of unauthorized access or use of PHI seriously, including investigating and reprimanding the employees involved, subject to whistleblower protections.
Just last month, the National Institute of Standards and Technology (“NIST”), in concert with the National Cybersecurity Center of Excellence (“NCCoE”), jointly published a behemoth guide to securing Electronic Health Records (“EHR”) on mobile devices.
The guide is a reaction to the growing number of issues with EHR in the mobile application context, as healthcare organizations often have poor EHR integration with their mobile apps. Mobile devices have so many obvious benefits, from patient communication to care coordination, that organizations are going with an implement-first, secure-later approach, creating major headaches down the road when the inevitable security incident occurs. In their guide, NIST and NCCoE provide a full analysis of provider-side access risks where a provider adds patient information into an EHR system through a mobile device and that same EHR data is accessed elsewhere by another provider via a separate mobile device.
The guide provides a roadmap for healthcare organizations that:
- maps security characteristics to standards and best practices from NIST and other standards organizations, and to the HIPAA Security Rule
- provides a detailed architecture and capabilities that address security controls
- facilitates ease of use through automated configuration of security controls
- addresses the need for different types of implementation, whether in-house or outsourced
- provides a how-to for implementers and security engineers seeking to re-create or reference the design in whole or in part
We recommend reviewing the guide during the planning phase of any EHR-related mobile application implementation. For a quick overview of the guide, see the one page fact sheet here.
The guide provides a timely and valuable starting point for CIOs and Privacy Officers that are considering a mobile app implementation. At a high level, §8’s Risk Questionnaire (page 216) provides a great resource for those organizations looking to understand the types of questions they need to ask when selecting a cloud-based EHR vendor. The tables that follow these questionnaires will help an engaged leader to understand the universe and severity of the risks that come with the move to mobile.