Privacy Law Blog : Privacy Lawyers & Attorneys : Proskauer Rose Law Firm : CAN-SPAM, FCRA, FACTA

Pilot Program

OCR has stated that the initial 150 audits will be of covered entities that range in type and size and include: health services providers; health plans providers; and health care clearinghouses. OCR is expected to implement the pilot program in three phases. The first is the development of the audit protocols. Second, OCR will conduct initial audits of 20 covered entities, and that small sample should expect an OCR notification letter by the end of December 2011. An OCR draft notification letter is available here. OCR expects that the initial audits will be completed by April 2012, and that OCR will use the information gathered from these audits to review and adjust audit protocols. Lastly, OCR will conduct the remainder of the 130 audits with expected completion by December 2012.

Audit Process

OCR anticipates that each covered entity will receive a notification letter 30 to 90 days prior to the audit with contact information for the auditor, an explanation of the audit process and an initial request for documents. It is expected that the initial request for documents will include request for copies of the covered entity’s privacy policies and procedures, security policies and procedures, security risk assessment, and the covered entity’s data breach notification policies and procedures. Covered entities will have up to 10 days to respond. Once on site, OCR expects that the audits will take approximately 3 to 10 days, and within 30 days of the completion of the on site audit, OCR will issue an audit report. The report is expected to include a description of any deficiencies and recommendations for best practices for the covered entity. If OCR finds significant deficiencies it may initiate additional proceedings which may lead to civil monetary penalties.
Although this initial audit is expected to immediately impact a small number of covered entities, it appears that OCR is increasing its efforts to enforce HIPAA and the HITECH Act.

Although this initial audit is expected to immediately impact a small number of covered entities, it appears that OCR is increasing its efforts to enforce HIPAA and the HITECH Act.

HHS news release, part of the penalty stems from Cignet’s denying 41 patients their right to access their medical records when requested between September 2008 and October 2009. Under HIPAA, a covered entity must provide access to a patient who requests such access to his or her medical record within 30 days of the request, subject to various exceptions and limited rights to extend such time period. (Numerous state laws include similar obligations that health care providers provide a patient with access to his or her own records, often within shorter time frames than is required by HIPAA.) Thirty-eight separate complaints of such denial of access had been filed with OCR, pursuant to which OCR began its investigation of Cignet. HHS has indicated that $1.3 million of the $4.3 million penalty is attributable to this denial of access to a patient’s records.  

Notably, out of the over 50,000 complaints of alleged HIPAA Privacy Rule violations that OCR has resolved, the denial of a patient’s access to his or her own records has been the third most cited reason for such a complaint every year since 2003, when compliance with the Privacy Rule was first legally required. But every other such complaint of denial of access was informally resolved with OCR. According to various news reports, Cignet never attempted to informally resolve the complaints with OCR.

In Cignet’s case, $3 million of the penalty is attributable to OCR finding that Cignet repeatedly failed to respond to various requests from OCR for more than a year (March 17, 2009 to April 4, 2010), resulting in per-day penalties, up to the maximum permissible penalties per year pursuant to applicable enforcement rules. Under HIPAA, covered entities are required to cooperate with HHS investigations. Even after Cignet finally produced the applicable patient records to HHS (in response to a federal court order), Cignet’s cooperation was limited in that it produced records relating to thousands of patients in addition to the 41 at issue. In various communications from OCR during the course of the investigation and the initial proposal of penalties, Cignet was notified of its rights to offer defenses and mitigating factors, and subsequently, of its rights of appeal. Cignet never exercised any of its rights.

The lesson to be learned from Cignet is that if you violate the HIPAA Privacy Rule, be prepared to pay, but if you fail to cooperate with OCR investigations into such violations, be prepared to pay even more (potentially 200% more). The question remains as to whether or not the extent of this fine is a true example of a new approach to enforcement of HIPAA, or whether Cignet’s ignoring official inquiries, failing to pursue informal resolution and not exercising its rights under HIPAA warranted unusual measures.

In addition to the HHS resolution agreement, Rite Aid has entered into a separate, but related settlement with the FTC to resolve the FTC’s allegations that the company failed to live up to promises made in its privacy policy that it would protect customers’ sensitive medical information. The FTC settlement will require Rite Aid to implement a comprehensive information security program and obtain independent audits of the program for twenty years.

The Rite Aid settlement marks the second time HHS and the FTC have joined forces for an investigation into alleged violations of individuals’ information privacy. The agencies began investigating Rite Aid after news media captured footage of employees at a number of pharmacies, not limited to Rite Aid, tossing sensitive medical information into insecure trash containers. According to HHS and the FTC, this practice demonstrated Rite Aid’s failure to implement, teach and enforce appropriate policies regarding the disposal of sensitive information.

So will [insert name of your pharmacy here] be the agencies’ next target? We hope not!

The HIPAA Privacy Rule currently does not contain a requirement that individuals be notified in the event of such as breach. However, some covered entities interpret the existing HIPAA Privacy Rule requirement that covered entities mitigate harmful effects of uses or disclosures of health information in violation of either the Privacy Rule or the entity’s policies and procedures as suggesting that such notice be given, and many covered entities currently provide such notification.

Section 13402, "Notification in the Case of Breach," is just one of a number of privacy-related provisions contained in Subtitle D – Privacy of the HITECH Act. The major provisions of §13402, as well as the temporary breach notification provisions applicable to vendors of personal health records in §13407, are outlined below.

What kind of information is covered?

The notification of breach provisions apply to "protected health information" (PHI) that is "unsecured." Section 13402(a) provides that a "covered entity that accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured protected health information" shall notify each individual whose information has been subject to a breach." The applicable definition provision, §13400(12), incorporates by reference the definition of "protected health information" that is currently contained in the HIPAA Privacy Rule at 45 C.F.R. § 160.103. Thus, "individually identifiable health information" as defined in the Rule that is "unsecured" is subject to the breach notification provisions.

The term "unsecured" portion of the definition is to be addressed in regulations issued by the Secretary of Health and Human Services within 180 days of the enactment of the legislation (i.e., no later than August 17, 2009 (August 16 being a Sunday)). §13402(h)(1)(A). However, the legislation goes on to define the term in the event that the required regulations are not timely issued. §13402(h)(1)(B).The "backstop" definition of the term provides that it shall mean:

protected health information that is not secured by a technology standard that renders protected health information unusable, unreadable, or indecipherable to unauthorized individuals and is developed or endorsed by a standards developing organization that is accredited by the American National Standards Institute.

What is a "breach" - ?

The term "breach" is defined as "the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information." §13400(1)(A).
In addition to the exception language in the above portion of the definition, there is a further exception for certain circumstances involving inadvertent acquisition, access or use of PHI by employees and agents of covered entities or business associates where the information is not further acquired, accessed, used or disclosed. §13400(1)(B)

Timing and nature of notification

Notice of the breach must be given "without unreasonable delay" and in no event later than 60 days after the date of discovery of the breach. §13402(d). Notice must be given to the individual whose PHI was subject to a breach, or to the next of kin in the case of a deceased person, to the last known address of the person or the next of kin. E-mail notice may be given only if the individual specified e-mail notice "as a preference." §13402(e)(1).

If the contact information of an individual is insufficient or out of date, "a substitute form of notice" must be provided; if the information is insufficient or out of date for 10 or more persons, such substitute notice must be given in the media and on the Web site of the covered entity, as further provided in the Act and under regulations to be adopted by the Secretary of HHS. In a case in which "urgency" is required "because of possible imminent misuse" of unsecured PHI, the covered entity may provide notice "by telephone or other means, as appropriate." §13402(e)(1)(C).

If the breach involves unsecured PHI of 500 or more individuals, both media notice and notice to the Secretary of HHS must be given. Covered entities must also report to the Secretary of HHS on an annual basis as to any breaches that have occurred, even if reporting to the Secretary was not otherwise required (i.e., the breach involved the unsecured PHI of less than 500 individuals). §13402(e)(3).

Similarly to most, if not all, state data security breach notification statutes, there is an exception to the timing requirement if requested by law enforcement officials. §13402(g).

Application to "business associates"

The notice provisions require a "business associate" (as such term is defined in the administrative simplification regulations promulgated under HIPAA) that "accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses" unsecured PHI of a covered entity to notify the covered entity in the event of a breach in the security of such information. §13402(b). The notice must include, among other things, “the identification of each individual whose unsecured protected health information” was breached. Id.

Although the HIPAA Privacy Rule and Security Rule currently mandate that covered entities include in their contracts with business associates provisions requiring that the business associate notify the covered entities of: a) uses and disclosures of protected information not provided for by its contract, and b) "security incidents" (as defined in the HIPAA Security Rule), the new law now directly imposes notification obligations on the business associate. Because the obligation on business associates to report such breaches to covered entities will now be statutory, failure to comply will be more than just a breach of contract - now business associates could be subject to civil and criminal penalties. See §13401 and §13404.

Application to "vendors of personal health records"

Section 13407 contains a separate set of "temporary" breach notification provisions that target enterprises that offer services to individuals to store their health information online as well as their service providers. The provisions reflect concerns that such vendors are not subject to the HIPAA Privacy Rule, even as the Medicare program itself is implementing programs to encourage beneficiaries to use such private services to maintain their personal health records.

These provisions are designated as "temporary" because they will lapse in the event that Congress enacts new data security breach legislation applicable to non-HIPAA entities. §13407(g).

A "vendor of personal health records" is defined in §13400(18) as "an entity, other than a covered entity [under HIPAA], that offers or maintains a personal health record." Such vendors, as well as a list of other entities involved in providing various services related to personal health records (see §13407(a), cross-referencing entities enumerated in §13424(b)(1)(A)(ii), (iii and (iv)) are required to provide notice of a breach in the security of "unsecured PHR [i.e., “personal health record”] identifiable health information that is a personal health record maintained or offered by such vendor" or other such entity. "PHR identifiable health information" is defined as “identifiable health information” that is “provided by or on behalf of the individual” and that “identifies the individual or with respect to which there is a reasonable basis to belief that the information can be used to identify the individual.” The definition of "unsecured" will be established in the regulations to be adopted by the Secretary of HHS with respect to the provisions applicable to covered entities and business associates in §13402. See §13407(f)(3).

The notice must be provided to the individual whose information was "acquired by an unauthorized person," as a result of a breach, as well as to the Federal Trade Commission. §13407(a)(1) & (2). A "breach of security" is defined broadly as the "acquisition of unsecured PHR identifiable health information … without the authorization of the individual." §13407(f)(1). Violations of the data security breach provisions are defined as an unfair or deceptive act or practice under the FTC Act, and the FTC is tasked with adopting regulations and enforcing the provisions of this section. §13407(e).

Preemption

With respect to preemption of state law, the HITECH Act references the provisions in the Social Security Act that set forth the general rule preempting contrary state laws, but excepting from that general rule a state law that "relates to the privacy of individually identifiable health information." §13421(a). The HITECH Act data breach provisions themselves are contained in Subtitle D – Privacy of the Act and the legislative history is replete with references to the provisions as protective of patient privacy, so it would be difficult to argue that state data security breach laws that apply to health information do not also "relate to the privacy of health information." Therefore, to the extent that a state security breach law similarly pertains to health information and is more protective of such information than the new federal provisions, it would appear not to be preempted by the security breach provisions in the HITECH Act, and business associates and covered entities, to the extent that they are covered by both federal and state laws, would be required to comply with both laws.

When are these provisions effective?

The effective date of the breach notification provisions depends upon when the Secretary of HHS issues implementing regulations. The legislation directs the Secretary to issue interim final regulations within 180 days of enactment of the legislation, i.e., no later than August 17, 2009. §13402(j). The notification of breach provisions (both those applicable to "covered entities" and "business associates") as well as the temporary provisions that apply to vendors, become effective 30 days following the issuance of the regulations and apply to breaches discovered on or after that date. Under that scheme the effective date should be no later than September 16, 2009.