“What I may see or hear in the course of the treatment …I will keep to myself” - Doctors have been repeating some version of this promise for thousands of years. Nonetheless, news stories about misuses and disclosures of "protected" health information continue to make the headlines. The latest breach - and often its back story - can usually be found at the anonymously hosted "Office of Inadequate Security". The Open Security Foundation also tracks breaches at DataLossDB.
HIPAA and HITECH
If you're not 100% up on HIPAA, these "people on the street" interviews may help you put that in perspective.
History - Doctors, hospitals and other “covered entities” like health plans have been required since 2003 to comply with detailed federal requirements relating to both the privacy and security of health information. Those requirements arise from regulations issued by the federal Department of Health and Human Services under the authority of the Health Insurance Portability and Accountability Act (HIPAA). In 2009 the Health Information Technology for Economic and Clinical Health (HITECH) Act extended those requirements to the many contractors who have to use protected health information to do work on behalf of, or provide services to, the covered entities. Today these "business associate" contractors - and their subcontractors - can find themselves subject to civil and criminal penalties if they aren't following the applicable HIPAA and HITECH requirements. In 2013 a large "Omnibus" rulemaking imposed additional requirements and set a "Compliance Date" of September 23, 2013.
Educational Resources - Both HIPAA and HITECH are enforced by the federal Office for Civil Rights (OCR), which maintains a robust series of web pages with educational material for patients and for those subject to the privacy and security provisions. For example, the office recently began distributing a series of videos called Your Health Information, Your Rights. The films are 1-3 minutes long, professionally produced, with a total run time of approximately 13 minutes. Although aimed at a general audience, they make a nice refresher for anyone on HIPAA fundamentals. These films are just one part of OCR's Awareness Strategy.
Enforcement - There is no private right of action / right to sue civilly for HIPAA violations. And this has been consistently upheld by the courts as in this opinion from the United States Court of Appeals for the 8th Circuit. But state law claims arising from breaches have been and continue to be asserted.
Among its main enforcement activities, OCR runs a complaint process under which anyone can file an allegation of a privacy or security violation. As part of this process, OCR does intake on all matters and investigates cases of possible civil violations; possible criminal violations are referred to the US Department of Justice. Some investigations end up in large settlements that are then publicly reported. However, not all investigations end badly for the investigated, particularly if the "covered entity" is willing to accept critique and "technical assistance" from the agency, as Walgreens did in this investigation, to resolve minor issues that are uncovered during the course of an investigation.
The State Attorneys General also have authority to enforce HIPAA violations that come to their attention.
State laws also impose additional requirements – e.g. California, Florida, Maryland, Minnesota – and some of these state provisions include the right to sue for violations. Hawaii recently went the opposite way, passing a “Health Care Privacy Harmonization Act” in 2012 that provides that those acting in compliance with HIPAA requirements are "deemed" to be in compliance with the 50 or so Hawaii statutes relating to health information privacy.
January 2013 brought the publication of an extensive set of revisions to existing HIPAA obligations to implement the HITECH Act, which was passed in 2009. Covered entities, their "business associates" and others were affected.
Here is a relatively short summary of those changes (Knutson - Final Rule Summary.pdf). Also, for those in charge of their organization's "business associate" relationships, this article (CT_0413_Knutson.pdf) provides a bit more detail on how the stakes of those relationships have changed.
The most recent changes are available in a combined version of all the HIPAA rules published by OCR. For those who want even more, the entire 163 page 2013 "Omnibus" rule makes great bedside reading. For the true HIPAA "geek" there's also a 70 page side by side comparison detailing each change made by the January 2013 rule. Or maybe you'd prefer this video version, also from OCR.
Just need to sort out who is - and who isn't - a business associate? Here's a checklist: BA or Not a BA Checklist.pdf
Mobile Device Privacy and Security
OCR has also developed a series of videos aimed at raising awareness among medical professionals about the risks of accessing patient health information via mobile devices.
Take a look at "Dr. Anderson's Office Identifies A Risk".
In case of breach - it's not just HIPAA
Even when they lack full-fledged medical privacy laws, states have been rapidly adopting their own requirements for what must be done in the event of a "breach" (variously defined) of the personal information of their residents. In some cases what must be done for HIPAA compliance is considered sufficient; in other cases there are additional notifications, additional content to be added to the written notification(s), or different timelines. If the data involved in a breach belongs to residents of multiple states, several of these state provisions can be triggered at once.
The National Conference of State Legislatures is maintaining an online database of these provisions with links to - so far - "state" materials from forty-six states, the District of Columbia, Puerto Rico and the Virgin Islands. The law firm Perkins Coie also published a 2013 summary of data breach laws.
2011 - 2015 Breaches and Enforcement Actions:
Even in 2015, HIPAA is still far from "hardwired" in many organizations, as the settlement with Cornell Prescription Pharmacy in Denver shows. The pharmacy had paper records containing PHI in an "unlocked, open container" on its premises, which came to the attention of a local news outlet.
$4.8 million in total was paid by two covered entity hospitals - New York Presbyterian and Columbia University - for disclosing the PHI of 6,800 individuals, including patient status, vital signs, medications, and laboratory results, to Internet search engines in 2010. OCR attributed the exposure to a "lack of technical safeguards" when a physician's server was deactivated on the shared network. But what's saddest about this case is who discovered the breach and brought it to attention - the partner of a deceased patient.
Settlements with the Massachusetts Eye and Ear Infirmary and its physician group, State of Alaska, Blue Cross and Blue Shield of Tennessee and Phoenix Cardiac Surgery Associates each got a press release and resulted in a resolution agreement and settlement payment by the covered entity.
The first settlement of 2013 was with Idaho State University, which paid $400,000 after systemic failures in its security efforts resulted in a disabled firewall that went unnoticed for more than 10 months. Others have involved the intentional disclosure of a patient's information to defend against fraud allegations (Shasta Regional Medical Center - $275,000) and another failure to maintain appropriate technical safeguards (WellPoint - $1.7 million).
Sutter Health in California lost information in 2011 relating to 3.3 million patients as the result of the theft of an unencrypted computer from its physician foundation. After the health system made the individual and public notifications required by federal and state law, the class action lawsuit was not far behind. Unfortunately, in 2013 Sutter learned of another breach - after the information of approximately 5,000 of its patients turned up at the scene of a drug related arrest.
Two major health systems (Mass General and UCLA ) and their physicians found themselves paying substantial sums and entering into multi-year “Resolution Agreements” with OCR regarding their privacy and information security practices.
A physician owned clinic in Maryland received a $4.3 million civil monetary penalty for not providing patients access to their records.
Despite having its auditors involved in significant information breaches during 2009 (Dept of Homeland Security) and 2010 (Newark Beth Israel and St. Barnabas Medical Centers), KPMG received a $9.2 million contract to conduct 150 audits of covered entities and their business associates during 2012. (Booz Allen received a separate, smaller award to develop an “OCR HIPAA Audit Candidate Identification” methodology.) The results of those audits and the protocol that was used are available.
In its first annual (required) report to Congress OCR advised that 11 million individuals had been the victims of “breaches” of these obligations in 2009 and 2010 through lost or stolen laptops, unencrypted information, non-conformance with policies and procedures and other failures.
Breach reporting to OCR continues to provide potential investigation targets for OCR and others, since a database of reported breaches involving the data of 500 or more individuals is publicly available for review.
Staying ahead of HIPAA and HITECH enforcement
OCR has a rich collection of "Case Examples" , sortable by the type of entity involved or the type of issue, which can provide ideas for compliance reviews and training before OCR contacts you with a complaint in hand. Let the missteps of others keep your practices on the right path.
The National Institute of Standards and Technology (NIST) and OCR have begun hosting an annual conference on Privacy and Security in Washington DC and on the web. Presentation materials from the May 2013 and September 2014 NIST / OCR conferences are available on the NIST website, including a review of results from the HIPAA Privacy and Security Audits and OCR's take on Business Associate obligations going forward.
In October 2014 OCR and WEDI presented a series of four free webinars on topics related to HIPAA and HITECH compliance, and the recordings are available for free on the WEDI site.
Risk Assessment / Analysis
Many of the events triggering OCR investigations and settlements have been traced to faulty or incomplete "Risk Assessments". Since completing such an assessment is a requirement under the HIPAA regulations, OCR and its federal partners have published a downloadable Security Risk Assessment tool and videos on how to do a risk assessment.
A more detailed (600 question) assessment tool developed by the National Institute of Standards and Technology (NIST) is also available.
HIPAA Crimes
A "former hospital employee" was indicted by a grand jury in Texas for the alleged crime of "wrongful disclosure of protected health information".
Dr. Huping Zhou, a former research assistant at UCLA, also provided a good teaching moment with the appeal of his criminal conviction for accessing patient information without authorization. Dr. Zhou's actions had no purpose other than curiosity, and he contended on appeal that his access was not "knowing" because he didn't know that it was illegal. The US Court of Appeals for the Ninth Circuit disagreed, holding that "knowing" you are accessing individually identifiable health information is sufficient to constitute the criminal act.
An employee of Florida Hospital was arrested and charged by the FBI with accessing and passing on, for cash, the protected health information of accident victims. This affidavit describes the scheme and how it was uncovered. Mr. Munroe pleaded guilty and was recently sentenced to one year and one day in federal prison. His coconspirator, Sergei Kusayakov, received a four year sentence. Katrina Munroe, who also participated in the scheme, at last report was still awaiting sentencing. An attempted class action filed in federal court on behalf of the patients whose identities were accessed as part of the conspiracy was dismissed for lack of federal subject matter jurisdiction. The suit was refiled in state court.
A hospital patient scheduler in Boca Raton, Florida was sentenced to 18 months in prison and her coconspirator got 40 months for stealing patient information and using it to file false tax return claims.
It's not "just" about Compliance -
A 2011 survey shows that patients postpone care they need, choose their provider based at least in part on its reputation for privacy, and will travel to seek care elsewhere because of privacy concerns. It also contained the interesting finding that patients were three times more likely to leave a provider if they heard about a privacy breach through the media instead of directly from the provider. Read the full report for more thoughts about how your organization's reputation for privacy can prove an asset - or a liability.
Privacy and Security Resources on the Web:
Government Resources
The Federal Trade Commission has a collection of Health Privacy Resources
Cybersecure: Your Medical Practice is a web based game from the National Coordinator for Health Information Technology. It focuses on "privacy and security challenges in a typical small medical practice". There is a little humor involved as well.
Guide to Privacy and Security of Health Information (National Coordinator for Health Information Technology 2012)
NIST HIPAA Security Toolkit (2011)
OCR Resources, including a listserv notification service, for Covered Entities
OCR's Model Notice of Privacy Practices
OCR's Description of its Auditing Methodology
HIPAA Enforcement Training provided to State's Attorneys General by OCR (2011)
The California Attorney General maintains a database of breach letters sent, pursuant to the state's "personal information" breach requirements, to individuals and submitted to the AG by businesses and agencies.
HIPAA Policies
NYU's Langone Medical Center has many of its HIPAA policies and its 2013 Business Associate Agreement forms available on the web.
HIPAA Policy and Procedure Manual (AHCA)
Contracted Provider and Business Associate Privacy Reporting Requirements (Partnership Health Plan of California)
HIPAA Training
HIPAA and Chuck Norris (2014)
HIPAA for Lawyers: Countdown to Compliance (McAfee & Taft 2013)(video)
Privacy and Confidentiality: Orientation for Residents and Fellows (Yano-Fong UCSF 2013)
Computing Security / Safety (Slaughter UCSF)
California Privacy Rules (Memorialcare)
HIPAA Training Video (U of Nebraska Medical Center and others 2012)(video)
HIPAA Hip Hop Rap Song (Central Vermont Medical Center 2012)(video)
HIPAA Basics Seminar (HITECH Associates 2012)(video)
HIPAA, FERPA and Disclosure - a campus health center orientation (2012) (video)
HIPAA Training (Wilmington Health 2012) (video)
HIPAA 101 (Electronic Transactions and Code Sets) (CMS 2011)(video)
HIPAA Happens (Clinical Simulation Center of Las Vegas 2010) (video)
Confidentiality Matters (Buncombe County Health Services 2010)
HIPAA Training (Medisav Homecare Pharmacies 2009)
Indiana University has detailed training materials for HIPAA Liaisons in various units
Johns Hopkins' Department of Nursing has "Everything You Always Wanted to Know About HIPAA" (2005)
Other Resources
More worried about Security than Privacy practice? The Security Awareness Toolbox, a UK site, contains a large number of materials that can be used to measure and promote information security awareness.
HIPAA on Health Information and the Law (The George Washington University’s Hirsh Health Law and Policy Program 2012)
HIPAA: What Is It and Why Do We Care? (Emory School of Law 2011)
Survey of State Confidentiality Laws paid for by the Centers for Disease Control and others
Georgetown University's Center on Medical Record Rights and Privacy
The True Cost of Compliance (Ponemon 2011)