As Texas, Florida, and the Caribbean rebuild after the latest string of deadly hurricanes and prepare for the possibility of future storms, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) reminded health care providers of the importance of ensuring the availability and security of health information during and after natural disasters. OCR’s guidance is a good reminder to all health care providers – regardless of where they are located – of the applicability of the HIPAA Privacy and Security Rules during natural disasters and other emergencies.
The U.S. Department of Health and Human Services Office for Civil Rights (OCR) announced another large HIPAA-related settlement last week with Memorial Hermann Health System (Memorial Hermann), the largest not-for-profit health system in southeast Texas. Memorial Hermann agreed to pay $2.4 million and to comply with a corrective action plan after publicly disclosing a patient’s name in the title of a press release regarding an incident at one of its clinics. In a week that has been filled with high-tech cybersecurity issues (see our recent blog posts on the WannaCry attack here and here), this settlement is a good reminder of HIPAA obligations unrelated to technology.
As reported on the Privacy and Security Matters blog last week, the Mintz Levin privacy team recently updated the “Mintz Matrix,” a summary of the U.S. state data breach notification laws that we update on a quarterly basis, or more frequently as needed. In addition to HIPAA, health care organizations must remain aware of the separate state notification obligations and other privacy and security laws when responding to data breaches. The Mintz Matrix is available here.
The U.S. Department of Health and Human Services, Office for Civil Rights (OCR) recently announced the first ever settlement related to a Covered Entity’s untimely breach notification in violation of HIPAA. Presence Health, a health care network in Illinois, discovered a breach of unsecured personal health information (PHI) on October 22, 2013. Presence Health did not report the breach to OCR until more than three months later, on January 31, 2014. OCR determined that Presence Health failed to notify OCR, each of the affected individuals, and prominent media outlets of the breach without unreasonable delay and within 60 days of learning of the breach, as required of Covered Entities under HIPAA. The violation resulted in a $475,000 settlement between OCR and Presence Health.
In non-election news, the Office for Civil Rights (OCR) at the Department of Health and Human Services recently released its November Cyber Awareness Newsletter. This month’s newsletter focuses on the topic of authentication. OCR encouraged health care companies to review and strengthen their authentication methods and other safeguards to avoid breaches of electronic protected health information (ePHI).
As reported in a recent Privacy and Security Matters post, we have updated the “Mintz Matrix,” a summary of the U.S. state data breach notification laws. The Mintz Matrix is an invaluable tool for reviewing state breach notification requirements, which may apply in addition to HIPAA in the event of a data breach. We update the Mintz Matrix on a quarterly basis, or more frequently if necessary.
Written by Kimberly Gold
Individuals who access protected health information without authorization may be found guilty of a misdemeanor even if they lack knowledge that their actions are illegal.
On May 10, the U.S. Court of Appeals for the Ninth Circuit affirmed a United States District Court information that charged Huping Zhou, a former research assistant at the University of California at Los Angeles Health System (“UHS”), with violating Section 1320d-6 (the “Wrongful Disclosure Section”) of the Health Insurance Portability and Accountability Act (HIPAA). The section provides that any person who “knowingly and in violation of this part…obtains individually identifiable health information relating to an individual” is subject to a misdemeanor punishable by a fine of not more than $50,000 and/or imprisonment for not more than one year.
Zhou was charged under subsection (a)(2) of the Wrongful Disclosure Section for “knowingly” accessing patients’ medical records with no permitted justification after he was terminated from UHS for performance-related reasons. According to a 2010 statement, Zhou illegally accessed patient records 323 times during a three-week period, including those of his immediate supervisor, co-workers, and well-known celebrities. Zhou admitted in his plea agreement to accessing patient records on four specific occasions after his termination. Zhou was the first individual convicted of, and incarcerated for, misdemeanor HIPAA offenses for accessing confidential patient records without a valid reason or authorization.
On appeal, Zhou argued that a defendant cannot be guilty of violating HIPAA if he did not know that obtaining the protected health information was illegal. The court rejected his argument, finding that it “contradicts the plain language of HIPAA.” The court held that the word “and” clearly provides that there are two elements of a Wrongful Disclosure Section violation: 1) knowingly obtaining individually identifiable health information relating to an individual; and 2) obtaining that information in violation of HIPAA.
The court stated that “the term ‘knowingly’ applies only to the act of obtaining the health information” and that the defendant need only know that he obtained individually identifiable health information relating to an individual in order to be found guilty of violating the statute.
Every provider must develop and implement policies designed to ensure that terminated employees cannot access the provider’s systems, including those containing protected health information. Referencing this case in the course of employee training will further drive the point home and reinforce the importance of preventing unauthorized access to protected health information.
Written by Kimberly Gold
The Massachusetts Office of Consumer Affairs and Business Regulation received nearly 2000 data breach notifications affecting nearly 3.2 million individuals between October 31, 2007 and September 30, 2011, according to a report released on Monday.
The health care industry experienced only 214 of the nearly 2000 breaches, but it had more affected individuals than any other industry. Of the more than 980,000 individuals subject to health care-related breaches, 800,000 came from a breach at one particular hospital in 2010. The report found that the health care industry was subject to the second largest number of data breaches during the period analyzed in the report, behind only breaches of financial data such as debit and credit card information.
The report is a product of the Commonwealth’s 2007 Data Security Breach Law, which requires all individuals and entities who own or license personal information of Massachusetts residents to provide notice of any data security breach. “Personal information” is defined as a combination of a resident’s first name and last name, or first initial and last name, and one or more items such as the individual’s Social Security number, state-issued identification number, or credit or debit card number.
In addition, the Office of Consumer Affairs and Business Regulation’s Data Security Regulations, which went into effect in March 2010, require any individual or entity storing or transmitting a Massachusetts resident’s personal information to create a written security plan that details how that information will be protected from theft or loss. The regulations require that personal information be encrypted when transmitted over public networks or the Internet, or when carried on portable devices such as laptops or compact discs.
Barbara Anthony, Undersecretary of Consumer Affairs and Business Regulation, indicated in a statement that a significant number of the data breaches occurred due to inadequate encryption of electronic information. Ms. Anthony noted that “encrypting data remains the key to protecting our personal and financial information.”
It is important to note that, in addition to the Massachusetts law and regulations, health care entities also have security and data breach notification obligations under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Health care entities that store or transmit personal information of Massachusetts residents should be aware of their responsibility to maintain the security of such information in a manner consistent with both state and federal standards, and to report any data breaches to both the Commonwealth and the federal government, as required by Massachusetts law and HIPAA respectively.