In its most recent Cybersecurity Newsletter, OCR focuses on the intersection of HIPAA and information security. To be sure, HIPAA requires covered entities and business associates to address their organizations’ information security. This obligation stems from HIPAA’s requirement that covered entities and business associates assess the potential risks and vulnerabilities to the confidentiality, integrity and availability of their electronic protected health information (ePHI). This is referred to as a “risk assessment” or “risk analysis” and is a core element of HIPAA’s Security Rule. But it is not enough simply to assess or analyze the risk; HIPAA requires that identified risks be reduced to a reasonable and appropriate level, which in practice includes remediating known security vulnerabilities by patching or otherwise mitigating them. This is particularly important when it comes to information security risk. As OCR states in its newsletter:
Continue Reading HIPAA, Security Vulnerabilities and Patching
Privacy and security compliance obligations for health care companies remain hot topics this spring. Health care companies must now contend with data breach laws in all 50 states as well as keeping on top of federal HIPAA developments.
New Colorado Data Breach Law
Our Privacy and Security colleagues recently blogged about a new Colorado law that imposes strict requirements on entities that maintain, own, or license personal identifying information of Colorado residents. The law broadly defines “personal identifying information” as a Social Security number; a personal identification number; a password or passcode; a driver’s license or identification card number; a passport number; biometric data; an employer, student, or military identification number; or a financial transaction device. In addition, the law requires entities to notify affected residents of breaches of such data within 30 days of determining that a breach occurred.
Earlier this week, I moderated a panel discussion at an event hosted by the New York chapter of the Health Information and Management Systems Society (HIMSS). The panel was comprised of private sector health information technology and security experts and was tasked with discussing challenges related to the interoperability and security of health information systems. I started off by asking the panelists how these challenges have evolved over the years, anticipating that the conversation would soon turn to the challenges faced by newer technologies such as cloud computing and artificial intelligence. But it was the panelists’ opinion that many in the health care space continue to struggle with the basics, including basic HIPAA compliance.
Continue Reading HIPAA Tips from the Trenches
The May 2018 cyber security newsletter from the U.S. Department of Health and Human Services Office for Civil Rights (OCR) focused on a topic often overlooked by covered entities and their business associates: physical security. The HIPAA Security Rule requires covered entities and business associates to implement “physical safeguards for all workstations that access ePHI to restrict access to authorized users.”
In less than 10 days, the European Union will begin enforcing its General Data Protection Regulation (GDPR), which will apply to any company that collects, processes, or uses EU-origin personal data, regardless of where the company is located. Though many of our readers are focused on HIPAA, some engage in activities that may trigger the GDPR, or they may have future aspirations to expand their business into the EU. Fortunately for our readers, our colleague Cynthia Larose has been relentlessly covering the GDPR at Privacy & Security Matters, and recently published a refresher list of webinars on GDPR issues related to contracts, human resources data, data transfer and more.
Back in late 2015, we blogged about the interesting twist in the $125 million Warner Chilcott settlement that a Massachusetts physician had been criminally charged with violating the Health Insurance Portability and Accountability Act (HIPAA). See HERE for that previous post.
That physician has now been convicted of the HIPAA violation, as well as an unrelated charge of obstructing a federal health care investigation. The US Attorney’s Office in Boston made the announcement late last month.
The Warner Chilcott settlement involved illegal drug promotion. Specifically, sales reps were accused of flagging patient medical records with product brochures and filling out the provider’s prior authorization forms in advance for specific patients. All of this required impermissible access to patient records. The physician’s criminal liability stems from giving these sales reps access to her patients’ records. In some cases, the reps were even allowed to take the records home with them.
We are often reminded through settlements with the HHS Office for Civil Rights that HIPAA violations are taken seriously and can include hefty fines and corrective action plans (see HERE, HERE and HERE for just a few examples). This case serves as fair warning that intentional misuse of protected patient information can lead to jail time. When this physician is sentenced, she could be looking at up to a year in prison, a $50,000 fine, and a year of supervised release. If you picture a sales rep combing through your personal health issues in his or her living room to determine whether you might be a sales target, it shouldn’t be so surprising that this conduct can rise to the level of criminal liability.
On Tuesday, May 8th, the House held three hearings related to combating the opioid epidemic. The first hearing came out of the Energy and Commerce (E&C) Subcommittee on Oversight and Investigations, which examined opioid distribution and diversion by the pharmaceutical industry. The second hearing came out of the E&C Subcommittee on Health, which examined how current statutory prohibitions on disclosing certain patient information restrict the medical profession’s ability to coordinate substance use disorder (SUD) treatment. The third hearing came out of the House Judiciary Committee and examined best practices in international and domestic enforcement against drug traffickers in curbing the supply of opioids across the U.S.
Continue Reading Congress Holds Hearings and Proposes Legislation to Combat Vexing Opioid Crisis
Mintz Levin has updated the Mintz Matrix, a comprehensive summary of the data breach notification laws that now exist in all 50 states (South Dakota and Alabama finally caved and enacted their own laws). It is critical that HIPAA-regulated entities monitor these state laws because they apply simultaneously with, and often conflict with, HIPAA. In the event of a data breach, regulated entities must fulfill both HIPAA’s breach notification requirements and the requirements of applicable state law. Large-scale data breaches affecting individuals from multiple states require the rapid analysis of multiple state laws along with HIPAA requirements. But don’t wait for a crisis to review the Matrix. HIPAA covered entities and business associates should use it to familiarize themselves with the breach notification requirements of the states in which they do business, and to inform incident response planning. The Matrix is also useful for monitoring patterns and trends among state laws in this area. For example, state data breach notification laws have historically been triggered by the loss of information that could be used for identity theft, such as a name coupled with a Social Security, debit or credit card number. However, many states now require breach notification when health care information is used or disclosed without authorization, even if it is not associated with a Social Security number and even if HIPAA does not apply. You can learn more about the Matrix and download a copy on our Privacy and Security Matters blog.
Earlier this week, Mintz Levin’s Privacy & Security Matters blog posted an update that Alabama has become the 50th state to enact a data breach notification law.
Although HIPAA is often a key focus, healthcare organizations must not lose sight of the various state reporting requirements applicable to their business. For those healthcare organizations that store data about Alabama residents, take a look here for some key provisions of the newly minted “Alabama Data Breach Notification Act of 2018,” such as scope, notice requirements, and potential penalties.
The U.S. Department of Health and Human Services Office for Civil Rights (OCR) recently announced a $100,000 settlement with a company that is no longer in business. Filefax, Inc. (Filefax) was an Illinois company that provided storage and delivery services for medical records held by covered entities. OCR had been investigating Filefax since 2015 for allegedly leaving medical records containing the PHI of approximately 2,150 patients in an unlocked vehicle in a Filefax parking lot and/or allowing an unauthorized person to remove the files from its facility.
A court-ordered receiver liquidated Filefax’s assets in 2016. As part of the settlement with OCR, the receiver agreed to pay $100,000 and properly dispose of all medical records and PHI remaining in Filefax’s possession. The settlement amount may be small, but the circumstances are striking. OCR’s pursuit of a settlement against a defunct company serves as a lesson to other health care companies that no one is off limits to HIPAA enforcement actions.
OCR’s press release about the settlement is available here.