HIPAA Privacy and Security Audit Pilot Program Takes Flight

On November 8, 2011, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) announced details of its HIPAA Privacy and Security Audit Program pursuant to the American Recovery and Reinvestment Act of 2009, Section 13411 of the HITECH Act. The OCR pilot program calls for approximately 150 audits of covered entities, to commence in November 2011 and expected to conclude by December 2012. The audits are intended to address privacy and security compliance, and assist OCR in assessing and identifying best practices as well as risks and vulnerabilities for health care entities.

Pilot Program

OCR has stated that the initial 150 audits will be of covered entities that range in type and size and include health care providers, health plans, and health care clearinghouses. OCR is expected to implement the pilot program in three phases. The first is the development of the audit protocols. Second, OCR will conduct initial audits of 20 covered entities, and that small sample should expect an OCR notification letter by the end of December 2011. An OCR draft notification letter is available here. OCR expects that the initial audits will be completed by April 2012, and that OCR will use the information gathered from these audits to review and adjust the audit protocols. Lastly, OCR will conduct the remaining 130 audits, with expected completion by December 2012.

Audit Process

OCR anticipates that each covered entity will receive a notification letter 30 to 90 days prior to the audit with contact information for the auditor, an explanation of the audit process and an initial request for documents. It is expected that the initial request for documents will include requests for copies of the covered entity’s privacy policies and procedures, security policies and procedures, security risk assessment, and data breach notification policies and procedures. Covered entities will have up to 10 days to respond. Once on site, OCR expects that the audits will take approximately 3 to 10 days, and within 30 days of the completion of the on-site audit, OCR will issue an audit report. The report is expected to include a description of any deficiencies and recommendations for best practices for the covered entity. If OCR finds significant deficiencies, it may initiate additional proceedings which may lead to civil monetary penalties.

Although this initial audit is expected to immediately impact a small number of covered entities, it appears that OCR is increasing its efforts to enforce HIPAA and the HITECH Act.

Cignet Proves That It Is Bad To Violate The HIPAA Privacy Rule, But Worse To Ignore HHS

Cignet Health (Cignet), which operates four health centers in Maryland, is a little lighter in the wallet after the U.S. Department of Health and Human Services’ (HHS) Office of Civil Rights (OCR) found that Cignet violated the Privacy Rule of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) - $4.3 million lighter, to be exact.

This penalty marks the first civil money penalty imposed by HHS for violations by a “covered entity” of the HIPAA Privacy Rule. In the past, HHS has primarily worked with covered entities to settle the violations and obtain agreement to changes in practices. The civil monetary penalty imposed upon Cignet is based on the violation categories and increased penalty amounts authorized by Section 13410(d) of the Health Information Technology for Economic and Clinical Health (HITECH) Act, which modified HIPAA.

According to the HHS news release, part of the penalty stems from Cignet’s denying 41 patients their right to access their medical records when requested between September 2008 and October 2009. Under HIPAA, a covered entity must provide access to a patient who requests access to his or her medical record within 30 days of the request, subject to various exceptions and limited rights to extend that time period. (Numerous state laws include similar obligations that health care providers provide a patient with access to his or her own records, often within shorter time frames than HIPAA requires.) Thirty-eight separate complaints of such denial of access had been filed with OCR, pursuant to which OCR began its investigation of Cignet. HHS has indicated that $1.3 million of the $4.3 million penalty is attributable to this denial of access to patients’ records.

Notably, out of the over 50,000 complaints of alleged HIPAA Privacy Rule violations that OCR has resolved, the denial of a patient’s access to his or her own records has been the third most cited reason for such a complaint every year since 2003, when compliance with the Privacy Rule was first legally required. But every other such complaint of denial of access was informally resolved with OCR. According to various news reports, Cignet never attempted to informally resolve the complaints with OCR.

In Cignet’s case, $3 million of the penalty is attributable to OCR finding that Cignet repeatedly failed to respond to various requests from OCR for more than a year (March 17, 2009 to April 4, 2010), resulting in per-day penalties, up to the maximum permissible penalties per year pursuant to applicable enforcement rules. Under HIPAA, covered entities are required to cooperate with HHS investigations. Even after Cignet finally produced the applicable patient records to HHS (in response to a federal court order), Cignet’s cooperation was limited in that it produced records relating to thousands of patients in addition to the 41 at issue. In various communications from OCR during the course of the investigation and the initial proposal of penalties, Cignet was notified of its rights to offer defenses and mitigating factors, and subsequently, of its rights of appeal. Cignet never exercised any of its rights.

The lesson to be learned from Cignet is that if you violate the HIPAA Privacy Rule, be prepared to pay, but if you fail to cooperate with OCR investigations into such violations, be prepared to pay even more (potentially 200% more). The question remains as to whether or not the extent of this fine is a true example of a new approach to enforcement of HIPAA, or whether Cignet’s ignoring official inquiries, failing to pursue informal resolution and not exercising its rights under HIPAA warranted unusual measures.

New HIPAA Cop: First AG Settlement for HIPAA Violations

Last week, the Connecticut Attorney General became the first state attorney general to enter into a settlement agreement for HIPAA violations, as a result of the new authority granted to attorneys general under the Health Information Technology for Economic and Clinical Health Act (HITECH Act).

This settlement resulted from the first ever attorney general action under the HITECH Act, as a result of the loss by Health Net, a health insurer, of a computer disk drive that contained unencrypted protected health information such as claims forms, health plan appeals information, and other sensitive data relating to approximately 1.5 million health plan participants (approximately one-third of whom resided in Connecticut). The Connecticut AG focused upon the several-month delay by Health Net in reporting the loss to law enforcement officials.

As part of the settlement, Health Net has agreed to pay $250,000 to the state, offer two years of credit monitoring for affected participants, obtain $1 million of identity theft insurance, and reimburse affected individuals for security freezes. An additional contingent payment of $500,000 will need to be paid, under specified circumstances, in the event that the lost information is actually accessed and misused. Further, Health Net has agreed to a corrective action plan that includes various privacy and security measures to heighten protections for health information as well as other sensitive data, regular monitoring, and reporting to the attorney general’s office. Many of the steps that Health Net agreed to undertake relate to the handling of portable media and the encryption of sensitive data, such as encryption of hard drives, including those on desktop computers, as well as to the improvement of security training and awareness for personnel.

While many commentators have understandably focused on the security breach notification provisions of the HITECH Act, the provision of the Act that authorizes state attorneys general to bring civil actions for violations of HIPAA also warrants attention. The inclusion of this provision adds an additional avenue for enforcement of privacy and security violations by HIPAA-covered entities, although the Connecticut action is the only such action that has been brought to date since the HITECH Act was enacted in February 2009.

Decrypting HHS Guidance on Breach Notification and Security under the HITECH Act: NIST, FIPS, and More

Two months after Congress mandated notification for the breach of unsecured protected health information (PHI), the Secretary of Health and Human Services (HHS) defined what it means to be “unsecured.” As required by Section 13402 of the HITECH Act, H.R. 1, 111th Cong. (1st Sess. 2009) (which was part of the American Recovery and Reinvestment Act of 2009), the Secretary issued guidance and a request for comments on the technologies and methodologies rendering information unusable, unreadable or indecipherable. 74 Fed. Reg. 19006 (Apr. 27, 2009) (to be codified at 45 C.F.R. pts. 160, 164).

As we previously reported, the HITECH Act’s notification requirements for breaches of unsecured PHI apply to entities subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA), their business associates, and non-HIPAA covered vendors of personal health records (PHR). To constitute a breach, the acquisition, use, access or disclosure of the PHI must “compromise[] the security or privacy of such information.” HITECH Act at §13400(1)(A). The newly issued HHS guidance lists technologies and methodologies that secure information, rendering the data unusable, unreadable, or indecipherable. If PHI is secured according to the HHS guidance, unauthorized access to such information will not trigger the HITECH breach notification requirements, although these breaches may still be subject to state law notification requirements.

This HHS guidance also is to be used to render identifiable health information unusable, unreadable, or indecipherable for purposes of the temporary breach notification requirements that apply to vendors of PHRs, the requirements for which are to be administered by the Federal Trade Commission (which in turn issued proposed regulations, on April 16, 2009, addressing consumer notice for breaches of electronic health information by PHRs).

The HHS guidance provides two methods of securing information for the purposes of the HITECH Act: destruction and encryption. Destruction may secure information that was found in either paper format or in electronic media. In order to satisfy the destruction method, the paper or other hard copy media must be shredded or destroyed such that the PHI cannot be read or otherwise reconstructed. Electronic media must be cleared, purged, or destroyed in accordance with the specifications set forth in National Institute of Standards and Technology (NIST) Special Publication 800-88. 74 Fed. Reg. at 19010.

According to the guidance, the effectiveness of encryption depends on the strength of the algorithm and the security of the decryption key or process. PHI is not secure if the decryption key or process has been breached. Encryption only secures PHI if, in accordance with the HIPAA Security Rule, an algorithm “transform[s] data into a form in which there is a low probability of assigning meaning without the use of a confidential process or key.” 45 C.F.R. § 164.304. Accordingly, the HHS guidance only specifies encryption processes that have been tested and approved by NIST. Data at rest, which is filed or stored in a database, should be encrypted according to the processes outlined in NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices. Encryption processes for data in motion, including that being transmitted or moving through a network, should comply with Federal Information Processing Standards (FIPS) 140-2. Some examples of conforming processes for data in motion are outlined in NIST Special Publications 800-52 (relating to Transport Layer Security (TLS) Implementations); 800-77 (addressing IPsec VPNs); and 800-113 (SSL VPNs), and may include others which are FIPS 140-2 validated.

Since the technologies and methodologies in the guidance are intended to be exhaustive, the Secretary of HHS sought comments regarding additional technologies or methodologies for inclusion in future guidance. HHS also requested comments on various other related issues, including instances when specified technologies and methodologies would fail to secure information, how the federal notice requirements affect existing state law requirements, and whether and how limited data sets (created in accordance with the HIPAA Privacy Rule) could be included in this guidance. This HHS guidance will be closely watched not only as it relates to federal law, but also as to how it informs state law interpretations. Encryption remains undefined under state law, and the HHS guidance provides a potentially important source of interpretation.

This guidance will apply to breaches that occur at least thirty days after publication by HHS of the interim final regulations on breach notification (which have not yet been issued). Any modifications to this guidance based on comments received are expected to be made prior to or concurrent with those regulations.

Proskauer summer associate Katrina McCann contributed to this post.

Will Congress Enact Data Security Breach Provisions This Year? Guess What, It Already Has

By Jeffrey D. Neuburger and Sara Krauss

Congress has been dithering over the adoption of a federal data security breach notice law for the last several years without coming to an agreement on a national standard for reporting breaches in the security of personal and financial data, but on February 17, data breach notice provisions applicable to health information were signed into law as part of the HITECH Act provisions of the massive economic stimulus legislation, H.R. 1 (111th Cong., 1st Sess. Feb. 17, 2009).

Beginning no later than September 16 of this year, "covered entities" under the Health Insurance Portability and Accountability Act (HIPAA) will be required to give notice of breaches in the security of protected health information, and "business associates" of HIPAA-covered entities will be required to report such breaches to the covered entities. §13402(a) & (b). Currently, California and Arkansas are the only states that require that notification be given in the case of a breach in the security of medical or health insurance information.

The HIPAA Privacy Rule currently does not contain a requirement that individuals be notified in the event of such a breach. However, some covered entities interpret the existing HIPAA Privacy Rule requirement that covered entities mitigate harmful effects of uses or disclosures of health information in violation of either the Privacy Rule or the entity’s policies and procedures as suggesting that such notice be given, and many covered entities currently provide such notification.

Section 13402, "Notification in the Case of Breach," is just one of a number of privacy-related provisions contained in Subtitle D – Privacy of the HITECH Act. The major provisions of §13402, as well as the temporary breach notification provisions applicable to vendors of personal health records in §13407, are outlined below.

What kind of information is covered?

The notification of breach provisions apply to "protected health information" (PHI) that is "unsecured." Section 13402(a) provides that a "covered entity that accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured protected health information" shall notify each individual whose information has been subject to a breach. The applicable definition provision, §13400(12), incorporates by reference the definition of "protected health information" that is currently contained in the HIPAA Privacy Rule at 45 C.F.R. § 160.103. Thus, "individually identifiable health information" as defined in the Rule that is "unsecured" is subject to the breach notification provisions.

The "unsecured" portion of the definition is to be addressed in regulations issued by the Secretary of Health and Human Services within 180 days of the enactment of the legislation (i.e., no later than August 17, 2009 (August 16 being a Sunday)). §13402(h)(1)(A). However, the legislation goes on to define the term in the event that the required regulations are not timely issued. §13402(h)(1)(B). The "backstop" definition of the term provides that it shall mean:

protected health information that is not secured by a technology standard that renders protected health information unusable, unreadable, or indecipherable to unauthorized individuals and is developed or endorsed by a standards developing organization that is accredited by the American National Standards Institute.

What is a "breach"?

The term "breach" is defined as "the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information." §13400(1)(A).

In addition to the exception language in the above portion of the definition, there is a further exception for certain circumstances involving inadvertent acquisition, access or use of PHI by employees and agents of covered entities or business associates where the information is not further acquired, accessed, used or disclosed. §13400(1)(B).

Timing and nature of notification

Notice of the breach must be given "without unreasonable delay" and in no event later than 60 days after the date of discovery of the breach. §13402(d). Notice must be given to the individual whose PHI was subject to a breach, or to the next of kin in the case of a deceased person, to the last known address of the person or the next of kin. E-mail notice may be given only if the individual specified e-mail notice "as a preference." §13402(e)(1).

If the contact information of an individual is insufficient or out of date, "a substitute form of notice" must be provided; if the information is insufficient or out of date for 10 or more persons, such substitute notice must be given in the media and on the Web site of the covered entity, as further provided in the Act and under regulations to be adopted by the Secretary of HHS. In a case in which "urgency" is required "because of possible imminent misuse" of unsecured PHI, the covered entity may provide notice "by telephone or other means, as appropriate." §13402(e)(1)(C).

If the breach involves unsecured PHI of 500 or more individuals, both media notice and notice to the Secretary of HHS must be given. Covered entities must also report to the Secretary of HHS on an annual basis as to any breaches that have occurred, even if reporting to the Secretary was not otherwise required (i.e., the breach involved the unsecured PHI of fewer than 500 individuals). §13402(e)(3).

As with most, if not all, state data security breach notification statutes, there is an exception to the timing requirement if a delay is requested by law enforcement officials. §13402(g).

Application to "business associates"

The notice provisions require a "business associate" (as such term is defined in the administrative simplification regulations promulgated under HIPAA) that "accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses" unsecured PHI of a covered entity to notify the covered entity in the event of a breach in the security of such information. §13402(b). The notice must include, among other things, “the identification of each individual whose unsecured protected health information” was breached. Id.

Although the HIPAA Privacy Rule and Security Rule currently mandate that covered entities include in their contracts with business associates provisions requiring that the business associate notify the covered entities of: a) uses and disclosures of protected information not provided for by its contract, and b) "security incidents" (as defined in the HIPAA Security Rule), the new law now directly imposes notification obligations on the business associate. Because the obligation on business associates to report such breaches to covered entities will now be statutory, failure to comply will be more than just a breach of contract - now business associates could be subject to civil and criminal penalties. See §13401 and §13404.

Application to "vendors of personal health records"

Section 13407 contains a separate set of "temporary" breach notification provisions that target enterprises that offer services to individuals to store their health information online as well as their service providers. The provisions reflect concerns that such vendors are not subject to the HIPAA Privacy Rule, even as the Medicare program itself is implementing programs to encourage beneficiaries to use such private services to maintain their personal health records.

These provisions are designated as "temporary" because they will lapse in the event that Congress enacts new data security breach legislation applicable to non-HIPAA entities. §13407(g).

A "vendor of personal health records" is defined in §13400(18) as "an entity, other than a covered entity [under HIPAA], that offers or maintains a personal health record." Such vendors, as well as a list of other entities involved in providing various services related to personal health records (see §13407(a), cross-referencing entities enumerated in §13424(b)(1)(A)(ii), (iii) and (iv)), are required to provide notice of a breach in the security of "unsecured PHR [i.e., “personal health record”] identifiable health information that is in a personal health record maintained or offered by such vendor" or other such entity. "PHR identifiable health information" is defined as “identifiable health information” that is “provided by or on behalf of the individual” and that “identifies the individual or with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.” The definition of "unsecured" will be established in the regulations to be adopted by the Secretary of HHS with respect to the provisions applicable to covered entities and business associates in §13402. See §13407(f)(3).

The notice must be provided to the individual whose information was "acquired by an unauthorized person," as a result of a breach, as well as to the Federal Trade Commission. §13407(a)(1) & (2). A "breach of security" is defined broadly as the "acquisition of unsecured PHR identifiable health information … without the authorization of the individual." §13407(f)(1). Violations of the data security breach provisions are defined as an unfair or deceptive act or practice under the FTC Act, and the FTC is tasked with adopting regulations and enforcing the provisions of this section. §13407(e).

Preemption

With respect to preemption of state law, the HITECH Act references the provisions in the Social Security Act that set forth the general rule preempting contrary state laws, but excepting from that general rule a state law that "relates to the privacy of individually identifiable health information." §13421(a). The HITECH Act data breach provisions themselves are contained in Subtitle D – Privacy of the Act and the legislative history is replete with references to the provisions as protective of patient privacy, so it would be difficult to argue that state data security breach laws that apply to health information do not also "relate to the privacy of health information." Therefore, to the extent that a state security breach law similarly pertains to health information and is more protective of such information than the new federal provisions, it would appear not to be preempted by the security breach provisions in the HITECH Act, and business associates and covered entities, to the extent that they are covered by both federal and state laws, would be required to comply with both laws.

When are these provisions effective?

The effective date of the breach notification provisions depends upon when the Secretary of HHS issues implementing regulations. The legislation directs the Secretary to issue interim final regulations within 180 days of enactment of the legislation, i.e., no later than August 17, 2009. §13402(j). The notification of breach provisions (both those applicable to "covered entities" and "business associates") as well as the temporary provisions that apply to vendors, become effective 30 days following the issuance of the regulations and apply to breaches discovered on or after that date. Under that scheme the effective date should be no later than September 16, 2009.