Sharing Cyber Threat Information

HIPAA PRIVACY ISAOsThe Information Sharing and Analysis Organization-Standards Organization (ISAO-SO) was set up under the aegis of the Department of Homeland Security pursuant to a Presidential Executive Order intended to foster threat vector sharing among private entities and with the government. ISAOs are proliferating in many critical infrastructure fields, including health care, where cybersecurity and data privacy are particularly sensitive issues given HIPAA requirements and disproportionate industry human and systems vulnerabilities.  Therefore, in advising their companies’ management, general counsel and others  might benefit from reviewing the FAQ’s and answers contained in the draft document that can be accessed at the link below.

Announcing the April 20 – May 5, 2017 comment period, the Standards Organization has noted the following:

Broadening participation in voluntary information sharing is an important goal, the success of which will fuel the creation of an increasing number of Information Sharing and Analysis Organizations (ISAOs) across a wide range of corporate, institutional and governmental sectors. While information sharing had been occurring for many years, the Cybersecurity Act of 2015 (Pub. L. No. 114-113) (CISA) was intended to encourage participation by even more entities by adding certain express liability protections that apply in several certain circumstances. As such proliferation continues, it likely will be organizational general counsel who will be called upon to recommend to their superiors whether to participate in such an effort.

With the growth of the ISAO movement, it is possible that joint private-public information exchange as contemplated under CISA will result in expanded liability protection and government policy that favors cooperation over an enforcement mentality.

To aid in that decision making, we have set forth a compilation of frequently asked questions and related guidance that might shed light on evaluating the potential risks and rewards of information sharing and the development of policies and procedures to succeed in it. We do not pretend that the listing of either is exhaustive, and nothing contained therein should be considered to contain legal advice. That is the ultimate prerogative of the in-house and outside counsel of each organization. And while this memorandum is targeted at general counsels, we hope that it also might be useful to others who contribute to decisions about cyber-threat information sharing and participation in ISAOs.

The draft FAQ’s can be accessed at :  https://www.isao.org/drafts/isao-sp-8000-frequently-asked-questions-for-isao-general-counsels-v0-01/

©2017 Epstein Becker & Green, P.C. All rights reserved.

Guidance on Ransomware Attacks under HIPAA and State Data Breach Notification Laws

ransomwareOn July 28, 2016, US Department of Health and Human Services (HHS) issued guidance (guidance) under the Health Insurance Portability and Accountability Act (HIPAA) on what covered entities and business associates can do to prevent and recover from ransomware attacks. Ransomware attacks can also trigger concerns under state data breach notification laws.

What Is Ransomware?

Ransomware is a type of malware (malicious software). It is deployed through devices and systems through spam, phishing messages, websites and email attachments, or it can be directly installed by an attacker who has hacked into a system. In many instances, when a user clicks on the malicious link or opens the attachment, it infects the user’s data. Ransomware attempts to deny access to a user’s data, usually by encrypting the data with a key known only to the hacker who deployed the malware. After the user’s data is encrypted, the ransomware attacker directs the user to pay a ransom in order to receive a decryption key. However, the attacker may also deploy ransomware that destroys or impermissibly transfers information from an information system to a remote location controlled by the attacker. Paying the ransom may result in the attacker providing the key necessary needed to decrypt the information, but it is not guaranteed. In 2016, at least four hospitals have reported attacks by ransomware, but additional attacks are believed to go unreported.

HIPAA Security Rule and Best Practices

The HIPAA Security Rule requires covered entities and business associates to implement security measures. It also requires covered entities and business associates to conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information (ePHI) the entities create, receive, maintain or transmit and to implement security measures sufficient to reduce those identified risks and vulnerabilities to a reasonable and appropriate level. The HIPAA Security Rule establishes a floor for the security of ePHI, although additional and/or more stringent security measures are certainly permissible and may be required under state law. Compliance with HIPAA’s existing requirements provides covered entities and business associates with guidance on how to prevent and address breaches that compromise protected health information. The new HIPAA guidance specific to ransomware reinforces how the existing requirements can help an entity protect sensitive information.

HHS has suggested that covered entities and business associates frequently back up their documents because ransomware denies access to the covered entity’s and business associate’s data. Maintaining frequent backups and ensuring the ability to recover data from a separate backup source is crucial to recovering from a ransomware attack. Test restorations should be periodically conducted to verify the integrity of backed-up data and provide confidence in an organization’s data restoration capabilities. Because some ransomware variants have been known to remove or otherwise disrupt online backups, entities should consider maintaining backups offline and inaccessible from their networks.

Covered entities and business associates should also install malicious software protections and educate its workforce members on data security practices that can reduce the risk of ransomware, including how to detect malware-type emails, the importance of avoiding suspicious websites and complying with sound password policies.

Lastly, each covered entity or business associate should ensure that its incident response plan addresses ransomware incidents. Many entities have crafted their policies and incident response plans to focus on other more typical daily personal information risks, such as the lost laptop or personal device. A ransomware event should expressly trigger the activities required by the incident response plan, including the requirement to activate the response team, initiate the required investigation, identify appropriate remediation, determine legal and regulatory notification obligations, and conduct post-event review.

Indications of a Ransomware Attack

Indicators of a ransomware attack could include:

  • The receipt of an email from an attacker advising that files have been encrypted and demanding a ransom in exchange for the decryption key
  • A user’s realization that a link that was clicked on, a file attachment opened or a website visited may have been malicious in nature
  • An increase in activity in the central processing unit (CPU) of a computer and disk activity for no apparent reason (due to the ransomware searching for, encrypting and removing data files)
  • An inability to access certain files as the ransomware encrypts, deletes and renames and/or relocates data
  • Detection of suspicious network communications between the ransomware and the attackers’ command and control server(s) (this would most likely be detected by IT personnel via an intrusion detection or similar solution)

What to Do if Subject to a Ransomware Attack?

A covered entity or business associate that is subject to a ransomware attack may find it necessary to activate its contingency or business continuity plans. Once the contingency or business continuity plan is activated, an entity will be able to continue its day-to-day business operations while continuing to respond to, and recover from, a ransomware attack. The entity’s robust security incident procedures for responding to a ransomware attack should include the following processes to:

Activate the entity’s incident response plan and follow its requirements;

  • Notify the entity’s cyber liability insurer as soon as enough information is available to indicate a possible ransomware attack and within any time period required under the applicable policy;
  • Detect and conduct an analysis of the ransomware, determining the scope of the incident and identifying what networks, systems or applications are affected;
  • Determine the origin of the incident (who/what/where/when), including how the incident occurred (e.g., tools and attack methods used, vulnerabilities exploited);
  • Determine whether the incident is finished, is ongoing or has propagated additional incidents throughout the environment;
  • Contain and eradicate the ransomware and mitigate or remediate vulnerabilities that permitted the ransomware attack and propagation;
  • Recover from the ransomware attack by restoring data lost during the attack and returning to “business-as-usual” operations; and
  • Conduct post-incident activities, which could include a deeper analysis of the evidence to determine if the entity has any regulatory, contractual or other obligations as a result of the incident (such as providing notification of a breach of protected health information), and incorporating any lessons learned into the overall security management process of the entity to improve incident response effectiveness for future security incidents.

Additionally, it is recommended that an entity infected with ransomware consult, early on, with legal counsel who can assist with reporting the incident to the extent it is a criminal matter to law enforcement. Counsel frequently have ongoing contacts within the cybercrime units of the Federal Bureau of Investigation (FBI) or the United States Secret Service that may deploy appropriate resources to address the matter and to supply helpful information. These agencies work with federal, state, local and international partners to pursue cyber criminals globally and assist victims of cybercrime. Counsel can advise on the type of information appropriate to disclose to law enforcement, while taking steps to establish and maintain the attorney-client privilege and, if appropriate, the attorney work product protection. Counsel also can assist in preparing communications (e.g., mandatory notifications and reports to senior executives and boards), advise on potential legal exposure from the incident and provide representation in connection with government inquiries or litigation.

If Ransomware Infects a Covered Entity’s or a Business Associate’s Computer System, Is It a Per Se HIPAA Breach?

Not necessarily. Whether or not the presence of ransomware would be a breach under the HIPAA Privacy Rule or HIPAA Security Rule (the HIPAA Rules) is a fact-specific determination. A breach under the HIPAA Rules is defined as, “…the acquisition, access, use or disclosure of PHI in a manner not permitted under the [HIPAA Privacy Rule] which compromises the security or privacy of the PHI.” A covered entity or business associate should, however, perform a risk assessment after experiencing a ransomware incident to determine if a reportable breach has occurred and to determine the appropriate mitigating action.

If the ePHI was encrypted prior to the incident in accordance with the HHS guidance, there may not be a breach if the encryption that was in place rendered the affected PHI unreadable, unusable and indecipherable to the unauthorized person or people. If, however, the ePHI is encrypted by the ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information), and thus is a “disclosure” not permitted under the HIPAA Privacy Rule.

Thus, in order to determine if the information was acquired and accessed in the incident, additional analysis will be required. Unless the covered entity or business associate can demonstrate that there is a “[l]ow probability that the PHI has been compromised,” based on the factors set forth in the HIPAA breach notification rule, a breach of PHI is presumed to have occurred. If a breach has occurred, the entity must comply with the applicable breach notification provisions under HIPAA and, if applicable, state law.

Does a Ransomware Event Trigger State Data Breach Notification Obligations?

Possibly. In a majority of states, data breach notification requirements are triggered when there is both “unauthorized access” to and “acquisition” of personally identifiable information. Whether a ransomware event meets the access and acquisition elements of these statutes is, as in the HIPAA analysis, a fact-specific determination. If, for example, the hackers were able to move the personally identifiable information from the entity’s network to their own, it is clear that the hackers achieved unauthorized access to and acquisition of the information. State data breach notification laws pertaining to the affected individuals would need to be analyzed and factored into the entity’s overall notification requirements.

Ransomware though is usually designed to extort money from victim entities rather than steal personally identifiable information. If the forensics team can present credible evidence that no personally identifiable information was acquired by the hackers, then these obligations may not be triggered. The forensics team, consistent with the incident response team requirements, should document findings that support a defensible decision under these statutes, in case of a subsequent regulatory investigation or litigation, not to notify affected individuals.

In a minority of states, the data breach notification requirements are triggered when there is simply “unauthorized access” to personally identifiable information. This lower standard may mean that the entity must notify its customers of a data breach even when no personally identifiable information is acquired by a hacker. Entities that maintain personally identifiable information of residents of Connecticut, New Jersey and Puerto Rico, for example, may find themselves in the unfortunate position of having to provide data breach notifications even when the information is not acquired by a hacker.

Finally, if the entity is providing services to a business customer, it will need to determine whether it is obligated to notify the business customer (as owner of the affected personal information) of the ransomware attack, taking into account state data breach notification requirements, contractual obligations to notify the business customer and the overall value of the commercial relationship.

OCR Continues to Verify Entity Contact Info for Phase 2 HIPAA Audits

Covered Entities need to continue to check their inboxes for emails from the HHS Office for Civil Rights (“OCR”) requesting verification of contact information in connection with Phase 2 of the HIPAA Audit Program. OCR previously indicated that Covered Entities would begin to receive verification emails in May.  We understand that Covered Entities continue to receive emails requesting contact information verification this week.Inbox, Email, HIPAA Audit Notices

Emails are sent from OSOCRAudit@hhs.gov and request a response from the entity verifying its information within five days.  A sample copy of the email is available from OCR’s website.  The receipt of an email requesting contact verification does not necessarily mean that an entity will ultimately be selected for an audit.  Covered Entities can begin to prepare for the next step in the audit process by reviewing OCR’s audit pre-screening questionnaire.

For the time being, Business Associates are not being contacted.  OCR will request a list of Business Associates from Covered Entities and plans to begin contacting Business Associates selected for audit this summer.  Business Associates should use this extra time to ensure that they are ready for an audit should they be selected.   OCR has provided a sample template for Covered Entities to use to list their Business Associates.

In order to assist covered entities and business associates with their HIPAA compliance efforts, we have repackaged the audit protocol into a more user-friendly format that can be downloaded here.

©1994-2016 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.

OCR Kicks Off HIPAA Audits After Issuing Two Major Settlements

HIPAAOn Monday, the HHS Office for Civil Rights (OCR) launched phase two of its much-anticipated audit program for covered entities and business associates. The announcement comes in the wake of OCR’s issuance of two major settlements—totaling more than $5 million—which highlighted the critical importance of managing the security basics, such as the business associate agreement (BAA) and the organization-wide risk analysis. These developments are summarized below, with practical tips that can help organizations mitigate related risks.

Summary

2016 Audit Program Begins

In announcing the 2016 audit program launch, OCR confirmed it will contact organizations by email to verify contact information and complete a pre-audit questionnaire. Organizations selected for audit will be subject to either a desk audit, an onsite audit or potentially both. Organizations will have a short period to produce requested documents, typically 10 business days, so it is important to have HIPAA privacy and security policies, security risk assessments, breach notification documentation, BAAs, and other HIPAA documentation up-to-date and readily available. While there is a detailed audit protocol from the phase one OCR audits, that protocol has not been updated for the final rules implementing the HITECH Act. OCR has committed to issuing an updated audit protocol closer to the date the audits will be conducted, which will set forth the criteria that auditors will review. Importantly, the phase two audits will extend to business associates. Although the risk of being selected for an audit is low, organizations would be well advised to review the existing and, when available, new audit protocols, conduct a compliance gap assessment and take corrective actions as needed, as part of overall HIPAA compliance efforts. While OCR states that the audits are primarily a compliance improvement activity, enforcement may follow where a serious issue is identified.

The North Memorial Settlement – The Importance of Business Associate Agreements

In the first of two recent settlements, North Memorial Health System, a nonprofit organization, will pay $1.55 million and enter into a two-year corrective action plan to settle charges that it violated HIPAA by failing to have a written BAA with a key contractor. OCR’s investigation followed the 2011 theft of an unencrypted laptop from a contractor’s workforce member’s vehicle. The settlement notes that the laptop contained protected health information (PHI) of approximately 9,497 North Memorial patients. For its part, the contractor separately settled HIPAA violations for $2.5 million, and entered into a related 20-year FTC consent order relating to its security procedures.[1] OCR also alleged that North Memorial failed to conduct an organization-wide risk analysis that covered all of its IT infrastructure.

OCR’s investigation indicated that North Memorial failed to execute a BAA with the contractor as required by HIPAA Privacy and Security Rules. OCR asserted that North Memorial gave the contractor access to its hospital database, which stored the electronic PHI of 289,904 patients, as well as access to non-electronic PHI as it performed services on-site at North Memorial.[2] In total, OCR’s investigation found that, from March 21, 2011, to October 14, 2011, North Memorial impermissibly disclosed the PHI of at least 289,904 individuals to the contractor without obtaining a proper BAA.[3] The investigation further indicated that North Memorial failed to complete a comprehensive risk analysis to identify all potential risks and vulnerabilities to the electronic PHI (ePHI) that it maintained, accessed or transmitted across its entire IT infrastructure, as required by the HIPAA Security Rule.[4]In settling the matter, North Memorial did not concede liability.

In addition to the $1.55 million payment, North Memorial agreed to a two-year corrective action plan (CAP) that requires it to develop policies and procedures related to business associate relationships and to conduct an organization-wide risk analysis and risk management plan, as required under the HIPAA Security Rule.[5] The CAP also requires North Memorial to train appropriate workforce members on all policies and procedures newly developed or revised pursuant to the CAP.[6]

OCR has previously (and repeatedly) emphasized the importance of having an organization-wide, thorough analysis, which it reinforces here with North Memorial. In addition, this settlement highlights the importance that OCR attaches to having BAAs where required, which OCR describes as another “cornerstone” of effective security.[7] Further, the settlement illustrates that, when a breach occurs with a business associate, the impacted covered entity should expect OCR to request a copy of the underlying BAA. Where that BAA cannot be found, the covered entity and business associates should expect potential enforcement.

FIMR Settlement: Basic Compliance Required of All Covered Entities (and Business Associates)

In the second settlement, Feinstein Institute for Medical Research (FIMR), a nonprofit research institute, will pay $3.9 million and enter into a three-year corrective action plan to settle charges it violated HIPAA, following its breach when an employee’s unencrypted laptop containing patient information of 13,000 individuals was stolen. OCR’s investigation determined that FIMR’s security management process was limited, it had failed to conduct a thorough risk analysis, and lacked sufficient policies and procedures. In its press release, OCR emphasized that it expects research institutions that are covered entities to comply with the same standards as other covered entities.

OCR’s investigation of FIMR stemmed from a self-reported breach after an employee’s unencrypted laptop was stolen. Based on the resolution agreement, OCR’s investigation appears to have identified widespread non-compliance. For example, OCR alleged that FIMR: (1) failed to conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to all of the ePHI held by FIMR, including the ePHI on the employee’s laptop; (2) failed to implement policies and procedures for granting access to ePHI by its workforce members and restricting access by unauthorized users; (3) failed to implement physical safeguards for the laptop; (4) failed to implement policies and procedures that govern receipt and removal of hardware and electronic media that contain ePHI into and out of a facility, and the movement of these items within the facility; and (5) failed to encrypt ePHI on the laptop or, alternatively, document why encryption was not reasonable and appropriate and implement an equivalent safeguard.

As part of an extensive three-year CAP, FIMR must conduct an organization-wide risk analysis and develop a corresponding risk management plan, develop a process for evaluating environmental or operational changes to the security of ePHI, revise its policies and procedures for privacy and security, and provide extensive training and reporting.

Tips to Mitigate Risks

Covered entities and business associates can enhance HIPAA compliance, and reduce audit risk, by taking a number of practical steps outlined below.

Business Associate Risks:

  1. train workforce (at onboarding and at least annually thereafter) to recognize situations where a BAA (or subcontractor BAA) is required and understand how to activate the organization’s process for securing one;

  2. conduct periodic audits of existing outside service relationships to ensure that all necessary BAAs (or subcontractor BAAs) are, in fact, in place;

  3. periodically audit BAAs (and subcontractor BAAs) on file to ensure they are fully compliant (including as to the final HITECH rule content requirements), in full force and effect, and readily retrievable; and

  4. retain records of training and audits conducted for at least six years.

This also is an excellent time for covered entities and business associates to re-examine the effectiveness of their processes for conducting initial diligence and periodic audits of the security compliance of their key business associates and subcontractors.

Risk Analysis:

While not a new point, it remains critical for covered entities and business associates to conduct and document the requisite security risk analysis on a regular basis, and take prompt corrective action to manage identified risks. It is particularly important to ensure that the risk analysis covers all ePHI maintained, accessed or transmitted across the organization’s entire IT infrastructure, including but not limited to all applications, software, databases, servers, workstations, mobile devices and electronic media, network administration and security devices, and associated business processes. This can be a challenge—particularly in light of the pace of developments and acquisitions/consolidations in the health care industry—but is essential. Organizations should develop a complete inventory of all electronic equipment data systems, and applications controlled by, administered or owned by the organization and its workforce that contain or store ePHI, including personally owned devices. Organizations should make sure their process includes equipment purchased outside of standard procurement processes.

Audit Preparation Tips:

  1. Confirm that all required HIPAA privacy and security policies and procedures are implemented and up-to-date;

  2. Make sure a through, organization-wide security risk analysis as described above has recently been conducted, and that resulting corrective actions have been taken;

  3. Confirm that BAAs are fully up-to-date and accessible, and follow the steps above to further reduce business associate risks;

  4. Use the audit protocols to conduct a gap assessment;

  5. Be prepared to provide documentation showing that breach notices have been provided as required by HIPAA; and

  6. Covered entities should ensure their notices of privacy practices are up-to-date and provided as required.

Other Basics:

  1. Encryption: Encryption of laptops, thumb drives and other mobile devices remains a critical risk mitigation strategy. HIPAA does not require encryption of ePHI in all cases “per se”; however, it does require organizations to specifically address, as part of their required risk analysis, whether encryption is a reasonable and appropriate safeguard (and if so, it requires organizations to encrypt; if not, it requires organizations to document why encryption is not reasonable and appropriate, and adopt an alternative safeguard ). However, encryption per the HHS guidance provides a “safe harbor” from breach notification under HIPAA and generally obviates the need to make state law data breach notifications as well, in the event of loss of encrypted data. Further, because encryption will, in fact, be “reasonable and appropriate” in many cases, often it is effectively required.

  2. Training: The scope and frequency of training also should be regularly reviewed to ensure training covers key aspects of privacy and security policies. In addition, training should address current and emerging threats and risk areas. For example, in light of the significant role of phishing attacks and malware in cyber-breaches, training should include employee awareness of how to identify and respond to these types of attacks.


[1] The related 2012 settlement by business associate Accretive Health with the Minnesota attorney general for violations of the HIPAA rules and state law was widely touted within the industry as the first HIPAA enforcement action against a business associate. See Settlement Agreement, Release, and Order, 12-cv-00145, ECF No. 90 (July 30, 2012). Because the breach occurred prior to the issuance of final rules implementing the HITECH Act’s extension of direct liability for HIPAA violations to business associates, OCR—the primary federal HIPAA enforcement agency—had indicated it would not enforce the HITECH Act changes against business associates until issuance of the final rules. However, this did not prevent the Minnesota attorney general from proceeding to enforce HIPAA, using newly expanded enforcement authority granted to state attorneys general under the HITECH Act. Accretive Health also entered into a related, 20-year consent order with the FTC, pursuant to which no fine or penalty was paid but in which Accretive Health agreed to establish and maintain a comprehensive information security program, and to periodic evaluations of that program. See Press Release, FTC approves final consent order settling charges that Accretive Health failed to adequately protect consumers’ personal information (Feb. 24, 2014).

[2] See North Memorial Resolution Agreement and Corrective Action Plan, I.2.A, (Mar. 16, 2016).

[3] See id. at I.2.B.

[4] See id. at I.2.C.

[5] See id. at I.V.A-C.

[6] See id. at I.V.D.

[7] See Press Release, $1.55 million settlement underscores the importance of executing HIPAA business associate agreements (Mar. 16, 2016).

More Than Family Affair: Six-Figure HIPAA Penalty Upheld for Unrepentant Home Care Agency due to PHI Access by Spurned Spouse of Employee

HIPAAIntroduction

The Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 and the regulations promulgated thereunder (“HIPAA”) should be now well-known to health care providers and health plans.  Under HIPAA’s “Privacy Rule,” covered entities must take steps to “reasonably safeguard” protected health information (“PHI”) from any “intentional or unintentional use or disclosure that is in violation of the standards, implementation specifications or other requirements” of the Privacy Rule.  What is also becoming painfully clear is the growing financial and reputational risks to covered entities (and business associates) from a breach of HIPAA’s Privacy or Security Rules stemming from unauthorized access or disclosure of PHI.

A recent ruling by a U.S. Department of Health and Human Services Administrative Law Judge (“ALJ”) in the case of Director of the Office for Civil Rights v. Lincare, Inc., (Decision No. CR4505, Jan. 13, 2016), underscores the substantial penalties that a health care provider can face, even for relatively small-scale HIPAA violations, particularly if the provider determines to not settle with the Office of Civil Rights (“OCR”) and instead contests the claimed violations.  In Lincare, a home care agency was found to have violated the Privacy Rule when an unauthorized person (the husband of a home health employee) was able to access patient records after the employee had removed records from the agency and taken them into the field as part of her job.  Specifically, the ALJ upheld a civil monetary penalty (“CMP”) of $239,800 imposed by OCR – only the second time the OCR has sought CMPs for violations of HIPAA’s Privacy Rule.  In a unique twist, OCR was alerted to the improper disclosures when the “estranged husband” of an employee of the home care agency complained to OCR that his wife allowed him to access documents containing PHI when she moved out of the marital home and left patient records behind.

Background

Lincare Home Care Agency.  The respondent Lincare, Inc., d/b/a United Medical (“Lincare”) supplies respiratory care, infusion therapy, and medical equipment to patients in their homes.  Lincare operates more than 850 branch locations in 48 states.  As Lincare explained, because its employees provide services in the homes of patients, they often remove patient records containing PHI from its branch locations.  Additionally, according to Lincare, managers of the various Lincare branch offices are required to maintain in their vehicles copies of Lincare’s “Emergency Procedures Manual,” which contains PHI of Lincare patients, so that employees could access patient contact information if an office was destroyed or otherwise inaccessible.

PHI at Issue.  Faith Shaw was a Lincare branch manager in Wynne, Arkansas from October 2005 until July 2009 and maintained the “Emergency Procedures Manual,” with PHI of 270 Lincare patients, as well as patient-specific documents of eight Lincare patients.  The patient records and Manual were apparently hard copies, and not electronically secured through encryption or authentication.

Disclosure of the PHI.  Ms. Shaw kept the records containing PHI in her car and in her marital home, where her husband lived.  After a falling out with her husband Richard in August 2008, Ms. Shaw moved out of the marital home and left the documents containing the PHI behind in her home and car.  In November of 2008, Mr. Shaw, who was concededly not authorized to access the Lincare PHI, reported to Lincare and OCR that he had in his possession the Emergency Procedures Manual and the eight patient files left behind by his wife.

OCR’s Investigation and Action.  Following its investigation, OCR determined that Ms. Shaw:  (a) kept the PHI either in her vehicle or home, to which Mr. Shaw had access; (b) maintained the PHI without proper safeguards, (c) knew or reasonably should have known that the manner in which she kept the PHI did not reasonably safeguard such PHI, and (d) knew or reasonably should have known that Mr. Shaw had ready access to the PHI.  While acknowledging that the provision of home care services may require providers to remove PHI from their offices, OCR found that Lincare’s policies and procedures did not adequately instruct its employees how to maintain PHI taken off the premises in a safe and secure manner and that Lincare did not properly record or track removed PHI.  Unlike the majority of HIPAA violations cited by OCR against providers, Lincare did not settle with OCR and instead determined to contest OCR’s charges.

In the absence of a settlement, OCR cited the following “aggravating” factors for imposing a substantial CMP against Lincare:

  • The length of time Lincare allowed employees to transport PHI away from the office without appropriate and reasonable safeguards; and

  • Lincare’s failure to promptly review and enhance its HIPAA policies for safeguarding PHI taken off premises even after it was notified of the improper disclosure.

Accordingly, OCR sought to impose a CMP totaling 239,800 for Lincare’s alleged violations of HIPAA’s Privacy Rule, broken down as follows:

  • Impermissibly disclosing PHI:  OCR determined that Lincare had improperly disclosed PHI of 278 patients in November of 2008, which then carried a penalty of $100 per patient.  OCR imposed a penalty of $25,000 – the maximum penalty that could be applied in the 2008 calendar year.

  • Failure to safeguard PHI:  OCR determined that the failure to safeguard the PHI lasted from February 1, 2008 through November 17, 2008, which carried a penalty of $100 per day.  OCR imposed an additional penalty of $25,000 – the maximum penalty that could be applied in the 2008 calendar year.

  • Failure to implement policies and procedures to ensure compliance with the Privacy Rule:  OCR determined that Lincare’s failure continued from (a) February 1, 2008 through December 31, 2008, at a penalty of $100 per day, with a maximum of $25,000 per calendar year, (b) January 1, 2009 through February 17, 2009, at a penalty of $100 per day, which totaled $4,800, and (c) from February 18, 2009 through July 28, 2009, during which time, penalty amounts were increased pursuant to the adoption of the HITECH Act, and which OCR determined to be $1,000 per day, totaling $160,000.

Significantly, in effectively stacking CMPs for separate HIPAA violations, one on top of another—although arising from the same breach or continued breach—OCR was able to multiply the aggregate size of penalties to $239,800.  At the same time, OCR determined that there was no basis to waive the imposition of the CMP because there was no evidence that the payment of a CMP would be excessive relative to the violations that it found.

Lincare appealed OCR’s determination before an ALJ.  OCR moved for summary judgment, arguing that there was no genuine issue of material fact concerning the HIPAA violations and that it was entitled to impose the aggregate CMP as a matter of law.

The ALJ’s Analysis

The ALJ granted OCR’s motion for summary judgment, finding that the evidence established that Lincare had violated HIPAA, and upheld the CMP of $239,800.

Theft is No Defense to Improper Disclosures:  In its defense, Lincare claimed that it was not responsible for the improper disclosure because it was the victim of a theft.  Specifically, Lincare claimed that Mr. Shaw “stole” the PHI from his wife and “attempted to use it as leverage to induce his estranged wife to return to him.”  The ALJ rejected this argument, concluding that Lincare was obligated to take “reasonable steps to protect its PHI from theft.”  The ALJ explained that Lincare violated this obligation when Ms. Shaw took documents out of the office and left them in in her car or home, allowing her husband to access them; and then completely abandoned them.

Lincare’s Policies Did Not Properly Address the Removal of PHI:  The ALJ also found that Lincare’s privacy policy failed to properly address the security of records removed from the office for use in the field, and monitor removed records to ensure their return.  When asked about specific guidelines for safeguarding PHI taken out of its offices, Lincare’s Corporate Compliance Officer replied that Lincare personnel “considered putting a policy together that said thou shalt not let anybody steal your protected health information.”  The ALJ did not “consider this a serious response.”

Key Takeaways

Consider Settling with OCR to Avoid a CMP:  The OCR’s imposition of a CMP, and the ALJ’s decision to affirm this penalty, represents only the second time a CMP has been imposed for a violation of the HIPAA Privacy Rule, and the first one in which an ALJ ruled on the merits.  Typically, OCR attempts to resolve HIPAA violations informally, but could not reach such a resolution with Lincare in this case.  Had a resolution been reached, the OCR would likely not have sought and secured such a substantial CMP based on “aggravating factors,” with the resultant fine likely to have been significantly lower.

Consider Encryption or other Means for Accessing PHI Remotely:  Employees of home care agencies often need to access PHI in the field when providing services.  However, the provider should consider restricting access only through electronic devices, with appropriate encryption and user authentication, to prevent unauthorized users from accessing these records.

Update Policies and Procedures:  Policies and procedures should detail for employees when patient records can be removed from the office and taken into the field, and under what circumstances; and identify how such records containing PHI should be safeguarded from disclosure.

Implement a System to Track Removed PHI:  Similarly, a system should be implemented to record and track the removal of records containing PHI so as to allow the health care provider to account for and maintain oversight over removed documents.

Regularly Train Employees:  Having detailed policies and procedures is not enough; all employees should be regularly trained on the HIPAA Privacy and Security Rules, and the agency’s corresponding HIPAA policies and practices.  To reinforce training, to the extent any PHI is removed from the premises, employees should be continually reminded not to allow unauthorized persons—including a spouse or other family or friends—to access the records.

HHS Issues Final Rule on HIPAA and Firearm Background Check Reporting

On January 6, as part of President Obama’s executive action to combat gun violence, HHS promulgated a final regulation modifying the HIPAA Privacy Rule to allow certain HIPAA covered entities to disclose limited information to the National Instant Criminal Background Check System (NICS).

Background:  The NICS, maintained by the Federal Bureau of Investigation (FBI), is the national database used to conduct background checks on persons who may be disqualified from receiving firearms based on federal or state law.  Federal law identifies several categories of potential disqualifiers, known as “prohibitors” including a federal mental health prohibitor.  By statute, the federal mental health prohibitor applies to individuals who have been committed to a mental institution or adjudicated as a mental defective.  The Department of Justice has promulgated regulations that defines these categories to include the following individuals:

  • individuals committed to a mental institution for reasons such as mental illness or drug use;

  • individuals found incompetent to stand trial or not guilty by reason of insanity, or

  • individuals who have been otherwise determined by a court, board, commission, or other lawful authority to be a danger to themselves or others or to lack the mental capacity to contract or manage their own affairs as a result of marked subnormal intelligence or mental illness, incompetency, condition, or disease.

However, there is currently no federal law that requires state agencies to report data to the NICS, including the identity of individuals who are subject to the mental health prohibitor.  HHS believes that HIPAA poses a potential barrier to such reporting. Under current law, HIPAA only permits covered entities (e.g., state mental health agencies) to disclose such information to the NICS in limited circumstances: when the entity is a “hybrid” entity under HIPAA (and the Privacy Rule does not apply to these functions) or when state law otherwise requires disclosure, and thus disclosure is permitted under HIPAA’s “required by law” category.

Final Rule:  HHS finalized its proposed rule without any substantive changes. Under the final rule, a new section 164.512(k)(7) of the HIPAA Privacy Rule expressly permits certain covered entities to disclose information relevant to the federal mental health prohibitor to the NICS.

The permitted disclosure applies only to those covered entities that function as repositories of information relevant to the federal mental health prohibitor on behalf of a State or are responsible for ordering the involuntary commitments or the adjudications that would make someone subject to the prohibitor.  Thus, most treating providers may not disclose protected health information about their own patients to the NICS, unless otherwise permitted by the HIPAA Privacy Rule.  HHS also clarifies that individuals who seek voluntary treatment are not subject to the prohibitor.

The rule limits disclosure only to the NICS or an entity designated by the State to report data to the NICS.  And only that information that is “needed for purposes of reporting to the NICS” may be disclosed, though HHS gives States the flexibility to determine which data elements are “needed” to create a NICS record (consistent with requirements of the FBI, which maintains the NICS).  At present, the required data elements for the NICS are: name; date of birth; sex; and codes identifying the relevant prohibitor, the submitting state agency, and the supporting record.  The NICS also allows disclosure of certain optional data elements (e.g., social security number and identifying characteristics).  HHS notes that applicable covered entities may disclose such optional data elements “to the extent necessary to exclude false matches.”

HHS declined many commenters’ suggestion to expand the rule to permit the disclosure of information about individuals who are subject to state-only mental health prohibitors. HHS fears that expanding the scope of the permitted disclosure would disrupt the careful balance between public safety and encouraging patients to seek mental health care.

Finally, in the preamble, HHS defended its statutory authority to make this change, despite the fact that Congress did not address HIPAA in recent legislation to strengthen the NICS.  HHS explained that the “HIPAA statute confers broad authority on the Department to specify the permitted uses and disclosures of PHI by HIPAA covered entities.”

© 2015 Covington & Burling LLP

Gun Control: HIPAA Final Rule Targets Background Checks and Mental Health Reporting

President Obama has announced plans to tighten gun control regulations, including applying the background check requirement to dealers at gun shows and on websites.  Federal law already requires that those “engaged in the business” of selling guns must have a Federal Firearms License (FFL) and conduct background checks at the time of every purchase.  Some sellers assert they are not gun dealers but collectors or hobbyists who do not sell regularly and, therefore, are not “engaged in the business” of selling firearms and not required to have a FFL and conduct background checks.  The Obama administration has clarified that people who claim to be hobbyists may be engaged in the business if, for example, they operate an online gun store, frequently sell guns in their original packaging, or pass out business cards.  The Bureau of Alcohol, Tobacco and Firearms (“ATF”) issued Guidance to help individuals understand when a FFL is required.

Consistent with this initiative, the Office for Civil Rights (“OCR”) released a Final Rule modifying the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy Rule to permit certain covered entities to disclose identifying information on persons subject to a “Federal mental health prohibitor “ to the National Instant Criminal Background Check System (“NICS”).

Intersection of NICS and HIPAA

As background, the NICS is a national system mandated by the Brady Handgun Violence Prevention Act of 1993.  Maintained by the FBI since November 1998, NICS is used by Federal Firearms Licensees to instantly determine whether an individual seeking to buy firearms is eligible to do so.  Federal law provides that it is unlawful for certain categories of persons to ship, transport, possess, or receive a firearm.  These categories are referred to as “prohibitors.” Among them  are the following mental health prohibitors, which provide that it is unlawful for the following individuals to possess a firearm:

  • individuals who have been involuntarily committed to a mental institution, for reasons such as mental illness or drug use;

  • individuals found incompetent to stand trial or not guilty by reason of insanity; or

  • those otherwise determined by a court, board, commission or other lawful authority to be a danger to themselves or unable to manage their own affairs as a result of marked subnormal intelligence, or mental illness, incompetency, condition or disease.

Many of the records qualifying an individual for a Federal mental health prohibitor are maintained by the criminal justice system, which does not generally include HIPAA covered entities.  However, some qualifying information may be housed within HIPAA covered entities that are either (i) involved in involuntary commitments or mental health adjudications; or (ii) have been designated by states to serve as repositories to collect applicable mental health data and report it to the NICS.

In balancing individuals’ privacy with public safety, the Final Rule modifies HIPAA to permit the disclosure of select demographic information to the NICS by covered entities that either (i) function as repositories of information relevant to the Federal mental health prohibitor on behalf of the state; or (ii) are responsible for ordering the involuntary commitments or other adjudications.  The Final Rule limits disclosure to demographic and other information needed for purposes of reporting to the NICS, and disclosure of diagnostic or clinical information is not permitted.

Potential Impact on Mental Health Legislation

This Final Rule is one aspect of a multi-faceted approach the Obama administration is taking on gun control.  An open question remains as to whether Congress will act with respect to gun control and mental health, and if so, how?  Certain Republicans are already looking for ways to halt President Obama’s actions, while, others in Congress do not believe that the actions go far enough and seek additional gun control measures.

At a minimum, the President’s decision to take action related to gun controls is certain to have an impact on mental health legislation.  Congressional Republicans have been discussing improving the nation’s mental health system since 2013.  Many see this focus on mental health as an effort to redirect the conversation away from gun control.  As such, the President’s recent actions propose adding $500 million to increase access to mental health care.

The combination of Republicans seeking to dismantle the recent executive actions, while redirecting the conversation to mental health may place Senate Democrats in a tough position.  The President’s action increases the likelihood that gun control measures may be attached to mental health legislation.  The issue is whether Senate Democrats are willing to filibuster mental health legislation in order to keep the focus on gun control and prevent the unraveling of some of the President’s executive actions.

©1994-2015 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.