Privacy Law Blog : Privacy Lawyers & Attorneys : Proskauer Rose Law Firm : CAN-SPAM, FCRA, FACTA

On January 19, 2012, Minnesota Attorney General Lori Swanson exercised her authority under the HITECH Act by filing a lawsuit against a business associate for the failure to protect protected health information (PHI) and for the failure to disclose the extent to which PHI was utilized. The case alleges that Accretive Health, Inc., a debt collection agency, lost a laptop containing unencrypted PHI of approximately 23,500 Minnesota patients. This represents the first case brought by a state attorney general under HIPAA. 

Accretive Health was formed as a “portfolio company” of Accretive, LLC, a private equity fund, and acts as a business associate to two Minnesota hospitals by providing debt collection, treatment coordination and revenue cycle operations management services. In this capacity, Accretive Health gathers PHI and quantifies 22 various medical conditions, including mental health conditions, HIV status and heart disease, to model patient behavior in an attempt to identify areas for cost-reduction. Accretive Health also assists one Minnesota hospital with Quality and Total Cost of Care services, in addition to revenue cycle operations management services. Accretive Health provides contract negotiation assistance with insurance companies, whereby, the hospitals will receive incentive payments for reductions in health care costs and Accretive Health receives a portion as well for the management of the overall process. 

The complaint alleges violations of HIPAA and various Minnesota state consumer protection laws. Specifically, the complaint alleges that in July 2011, an Accretive Health employee left an unencrypted laptop in a rental car overnight, and the laptop was then stolen. The laptop ultimately contained PHI about 23,531 patients. The complaint alleges that Accretive Health failed to initially identify and disclose the names of all of the patients whose PHI was contained on the lost laptop as approximately 6,000 additional affected individuals were disclosed only after one of the hospitals retained an independent forensic investigator. The complaint further alleges that Accretive Health violated HIPAA and the HITECH Act by failing to:

 

• Implement policies and procedures to detect, contain and correct security violations;
• Implement policies and procedures that address workforce member access to PHI;
• Train agents and independent contractors as to how to respond to a data breach and how to properly handle PHI;
• Identify, respond to and mitigate the harmful effects of a security incident;
• Implement policies and procedures related to portable devices;
• Implement technical policies and procedures for electronic information systems that maintain electronic PHI and limit access to workforce members;
• Implement policies and procedures to comply with the HIPAA Security Rule. 

Attorney General Swanson is seeking a permanent injunction against Accretive Health as well as statutory damages for violations of HIPAA and various other Minnesota state laws. The penalties may range from $100 per violation to $50,000 per violation. Although the HITECH Act includes per violation caps, Accretive Health may be facing hundreds of thousands of dollars in potential statutory penalties. 

HHS news release, part of the penalty stems from Cignet’s denying 41 patients their right to access their medical records when requested between September 2008 and October 2009. Under HIPAA, a covered entity must provide access to a patient who requests such access to his or her medical record within 30 days of the request, subject to various exceptions and limited rights to extend such time period. (Numerous state laws include similar obligations that health care providers provide a patient with access to his or her own records, often within shorter time frames than is required by HIPAA.) Thirty-eight separate complaints of such denial of access had been filed with OCR, pursuant to which OCR began its investigation of Cignet. HHS has indicated that $1.3 million of the $4.3 million penalty is attributable to this denial of access to a patient’s records.  

Notably, out of the over 50,000 complaints of alleged HIPAA Privacy Rule violations that OCR has resolved, the denial of a patient’s access to his or her own records has been the third most cited reason for such a complaint every year since 2003, when compliance with the Privacy Rule was first legally required. But every other such complaint of denial of access was informally resolved with OCR. According to various news reports, Cignet never attempted to informally resolve the complaints with OCR.

In Cignet’s case, $3 million of the penalty is attributable to OCR finding that Cignet repeatedly failed to respond to various requests from OCR for more than a year (March 17, 2009 to April 4, 2010), resulting in per-day penalties, up to the maximum permissible penalties per year pursuant to applicable enforcement rules. Under HIPAA, covered entities are required to cooperate with HHS investigations. Even after Cignet finally produced the applicable patient records to HHS (in response to a federal court order), Cignet’s cooperation was limited in that it produced records relating to thousands of patients in addition to the 41 at issue. In various communications from OCR during the course of the investigation and the initial proposal of penalties, Cignet was notified of its rights to offer defenses and mitigating factors, and subsequently, of its rights of appeal. Cignet never exercised any of its rights.

The lesson to be learned from Cignet is that if you violate the HIPAA Privacy Rule, be prepared to pay, but if you fail to cooperate with OCR investigations into such violations, be prepared to pay even more (potentially 200% more). The question remains as to whether or not the extent of this fine is a true example of a new approach to enforcement of HIPAA, or whether Cignet’s ignoring official inquiries, failing to pursue informal resolution and not exercising its rights under HIPAA warranted unusual measures.

This HHS guidance also is to be used to render identifiable health information unusable, unreadable, or indecipherable for purposes of the temporary breach notification requirements that apply to vendors of PHRs, the requirements for which are to be administered by the Federal Trade Commission (which in turn issued proposed regulations, on April 16, 2009, addressing consumer notice for breaches of electronic health information by PHRs).

The HHS guidance provides two methods of securing information for the purposes of the HITECH Act: destruction and encryption. Destruction may secure information that was found in either paper format or in electronic media. In order to satisfy the destruction method, the paper or other hard copy media must be shredded or destroyed such that the PHI cannot be read or otherwise reconstructed. Electronic media must be cleared, purged, or destroyed in accordance with the specifications set forth in National Institute of Standards and Technology (NIST) Special Publication 800-88. 74 Fed. Reg. at 19010.

According to the guidance, the effectiveness of encryption depends on the strength of the algorithm and the security of the decryption key or process. PHI is not secure if the decryption key or process has been breached. Encryption only secures PHI if, in accordance with the HIPAA Security Rule, an algorithm “transform[s] data into a form in which there is a low probability of assigning meaning without the use of a confidential process or key.” 45 C.F.R. § 164.304. Accordingly, the HHS guidance only specifies encryption processes that have been tested and approved by NIST. Data at rest, which is filed or stored in a database, should be encrypted according to the processes outlined in NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices. Encryption processes for data in motion, including that being transmitted or moving through a network, should comply with Federal Information Processing Standards (FIPS) 140-2. Some examples of conforming processes for data in motion are outlined in NIST Special Publications 800-52 (relating to Transport Layer Security (TLS) Implementations); 800-77 (addressing IPsec VPNs); and 800-113 (SSL VPNs), and may include others which are FIPS 140-2 validated.

Since the technologies and methodologies in the guidance are intended to be exhaustive, the Secretary of HHS sought comments regarding additional technologies or methodologies for inclusion in future guidance. HHS also requested comments on various other related issues, including instances when specified technologies and methodologies would fail to secure information, how the federal notice requirements affect existing state law requirements, and whether and how limited data sets (created in accordance with the HIPAA Privacy Rule) could be included in this guidance. This HHS guidance will be closely watched not only as it relates to federal law, but also as to how it informs state law interpretations. Encryption remains undefined under state law, and the HHS guidance provides a potentially important source of interpretation.

This guidance will apply to breaches that occur at least thirty days after publication by HHS of the interim final regulations on breach notification (which have not yet been issued). Any modifications to this guidance based on comments received are expected to be made prior to or concurrent with those regulations.

Proskauer summer associate Katrina McCann contributed to this post.