HIPAA/Privacy & Security

In less than 10 days, the European Union will begin enforcing its General Data Protection Regulation (GDPR), which applies to any company that collects, processes, or uses EU-origin personal data, regardless of where the company is located. Though many of our readers are focused on HIPAA, some engage in activities that may trigger the GDPR, or they may have future aspirations to expand their business into the EU. Fortunately for our readers, our colleague Cynthia Larose has been relentlessly covering the GDPR at Privacy & Security Matters, and recently published a refresher list of webinars on GDPR issues related to contracts, human resources data, data transfer and more.

Back in late 2015, we blogged about an interesting twist in the $125 million Warner Chilcott settlement: a Massachusetts physician had been criminally charged with violating the Health Insurance Portability and Accountability Act (HIPAA). See HERE for that previous post.

That physician has now been convicted of the HIPAA violation, as well as an unrelated charge of obstructing a federal health care investigation. The U.S. Attorney’s Office in Boston made the announcement late last month.

The Warner Chilcott settlement involved illegal drug promotion. Specifically, sales reps were accused of flagging patient medical records with product brochures and filling out the provider’s prior authorization forms in advance for specific patients. All of this required impermissible access to patient records. The physician’s criminal liability stems from giving these sales reps access to her patients’ records. In some cases, the reps were even allowed to take the records home with them.

We are often reminded through settlements with the HHS Office for Civil Rights that HIPAA violations are taken seriously and can result in hefty fines and corrective action plans (see HERE, HERE and HERE for just a few examples). This case serves as fair warning that intentional misuse of protected patient information can also lead to jail time. When this physician is sentenced, she could face up to a year in prison, a $50,000 fine, and a year of supervised release. If you picture a sales rep combing through your personal health issues in his or her living room to decide whether you might be a sales target, it should not be surprising that this conduct can rise to the level of criminal liability.

On Tuesday, May 8th, the House held three hearings related to combating the opioid epidemic. The first hearing came out of the Energy and Commerce (E&C) Subcommittee on Oversight and Investigations, which examined opioid distribution and diversion by the pharmaceutical industry. The second hearing came out of the E&C Subcommittee on Health, which examined how current statutory prohibitions on disclosing certain patient information restrict the medical profession’s ability to coordinate substance use disorder (SUD) treatment. The third hearing came out of the House Judiciary Committee and examined best practices in international and domestic enforcement against drug traffickers in curbing the supply of opioids across the U.S. Continue Reading Congress Holds Hearings and Proposes Legislation to Combat Vexing Opioid Crisis

Mintz Levin has updated the Mintz Matrix, a comprehensive summary of the data breach notification laws that now exist in all 50 states (South Dakota and Alabama finally caved and enacted their own laws). It is critical that HIPAA-regulated entities monitor these state laws because they apply alongside, and often conflict with, HIPAA. In the event of a data breach, regulated entities must fulfill both HIPAA’s breach notification requirements and the requirements of applicable state law. Large-scale data breaches affecting individuals in multiple states require rapid analysis of multiple state laws along with the HIPAA requirements. But don’t wait for a crisis to review the Matrix. HIPAA covered entities and business associates should use it to familiarize themselves with the breach notification requirements of the states in which they do business, and to inform incident response planning. The Matrix is also useful for monitoring patterns and trends among state laws in this area. For example, state data breach notification laws have historically been triggered by the loss of information that could be used for identity theft, such as a name coupled with a social security, debit or credit card number. However, many states now require breach notification when health care information is used or disclosed without authorization, even if it is not associated with a social security number and even if HIPAA does not apply. You can learn more about the Matrix and download a copy on our Privacy and Security Matters blog.

Earlier this week, Mintz Levin’s Privacy & Security Matters blog posted an update that Alabama has become the 50th state to enact a data breach notification law.

Although HIPAA is often the key focus, healthcare organizations must not lose sight of the various state reporting requirements applicable to their business. Healthcare organizations that store data about Alabama residents should take a look here for key provisions of the newly minted “Alabama Data Breach Notification Act of 2018,” such as scope, notice requirements, and potential penalties.

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) recently announced a $100,000 settlement with a company that is no longer in business. Filefax, Inc. (Filefax) was an Illinois company that provided storage and delivery services for medical records held by covered entities. OCR had been investigating Filefax since 2015 for allegedly leaving medical records containing the PHI of approximately 2,150 patients in an unlocked vehicle in a Filefax parking lot and/or allowing an unauthorized person to remove the files from its facility.

A court-ordered receiver liquidated Filefax’s assets in 2016. As part of the settlement with OCR, the receiver agreed to pay $100,000 and to properly dispose of all medical records and PHI remaining in Filefax’s possession. The settlement amount may be small, but the circumstances are striking: OCR’s pursuit of a settlement against a defunct company is a lesson to other health care companies that no one is off limits to HIPAA enforcement.

OCR’s press release about the settlement is available here.

As we look back on 2017, one message is clear: don’t be a Scrooge when it comes to HIPAA compliance. With ever-evolving security threats and unrelenting enforcement, regulated entities must maintain a spirit of compliance that lasts the whole year through. It is in that spirit, and with apologies to Charles Dickens, that our HIPAA year in review is brought to you by the ghosts of HIPAA Past, HIPAA Present and HIPAA Yet to Come.

The Ghost of HIPAA Past

2017 continued to be haunted by large-scale data breaches. As reported by our Privacy & Security colleagues, Equifax announced one of the largest breaches in U.S. history in September, involving highly sensitive information such as social security numbers and birth dates. The Equifax breach did not involve health information, but in July OCR sent a clear message about the importance of health information security and ratcheted up the fear factor associated with its HIPAA Breach Reporting Tool (HBRT), commonly referred to as the HIPAA “Wall of Shame.” The updates make it easier to search and view information about reported breaches, and harder for offenders to hide in the aftermath of a breach. Continue Reading Bah, Humbug! HIPAA Compliance Isn’t Getting Any Easier

A draft bill recently introduced in the U.S. Senate serves as a good reminder that compliance with data breach reporting requirements is critical. The bill follows the significant, high-profile data breaches at Uber and Equifax, both of which involved millions of individuals (57 million and 145 million, respectively) and both of which went unreported for a significant period after the companies discovered them. Equifax took more than a month to notify the public, while Uber took more than a year. Continue Reading Proposed Law Would Criminalize Failures to Report Data Breaches

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) released its October Cybersecurity Newsletter last week with a focus on mobile devices. Given how much work is now done on mobile devices (odds are that at least some of you are reading this on a smart phone), the newsletter is practical for many in the health care industry. It is also timely in light of the increasing development and use of health apps. (For developers interested in HIPAA and mobile devices, see our recent post here.)

The key HIPAA risk for those in the health care sector using mobile devices is the compromise of electronic protected health information (ePHI), a risk that is compounded by the portability of these devices and their frequent lack of robust security controls. In its newsletter, OCR advises organizations to take several important steps to ensure that ePHI is well protected on mobile devices. According to OCR, organizations should:

  • Ensure that mobile devices are properly configured before accessing/storing ePHI
  • Train employees on the secure use of mobile devices and the risks of malware infecting mobile devices
  • Implement policies and procedures for mobile devices
  • Take certain IT-related precautions such as:
    • Automatic lock/logoff
    • Logon authentication
    • Regular software/security patch updates
    • Encryption, anti-virus and remote wipe capabilities
    • Use ONLY secure Wi-Fi connections
    • Use Virtual Private Networks (VPNs)
    • Limit downloads to only verified third-party apps

Depending on the size of your organization, some of these recommendations might sound a bit involved, but any effort made now can go a long way toward saving you from a data breach. This is particularly true considering that a breach involving health records can cost upwards of $350 per record.

The newsletter also contains links to much more detailed guidance and information on how to minimize cybersecurity risk on mobile devices.

[Image: Irma over the Southeastern U.S. – Courtesy of NOAA]

As Texas, Florida, and the Caribbean rebuild after the latest string of deadly hurricanes and prepare for the possibility of future storms, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) reminded health care providers of the importance of ensuring the availability and security of health information during and after natural disasters. OCR’s guidance is a good reminder to all health care providers, regardless of where they are located, that the HIPAA Privacy and Security Rules continue to apply during natural disasters and other emergencies.

Continue Reading In the Wake of Harvey and Irma, OCR Reminds Providers of HIPAA Rules