HIPAA Enforcement Continues Under Right of Access Initiative

On March 28, 2022, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced the resolution of two additional cases as part of OCR’s HIPAA Right of Access Initiative.

The Right of Access Initiative was launched by OCR in 2019 “to support individuals’ right to timely access their health records at a reasonable cost under the HIPAA Privacy Rule” as explained by OCR. In the March 28 announcement, OCR indicated its continuing commitment to enforce compliance with the HIPAA Rules, including the “foundational” Right of Access provision. With the two most recent cases, there have now been 27 investigations and settlements under the Right of Access Initiative (see full chart below).

Nearly all of the investigations in the Right of Access Initiative involve a single individual unable to obtain a copy of some or all of their protected health information from a health care provider or to do so within the timeframe required or in accordance with fees permitted by the HIPAA Privacy Rule. In some cases, additional issues found during the investigation, such as failure to have conducted a HIPAA risk assessment or lack of HIPAA policies, are part of the settlement. In all cases, in addition to the monetary penalty, the settlement has included a Corrective Action Plan imposing various obligations, such as policy development, training, and mandatory reporting to OCR.

The Right of Access Initiative remains one of the most active areas of HIPAA enforcement. In its most recent Annual Report to Congress on HIPAA Privacy, Security, and Breach Notification Rule Compliance, OCR noted that right of access was the third most common issue among complaints resolved. Moreover, the Right of Access Initiative coordinates with the ONC 2020-2025 Federal HIT Strategic Plan and the goal of “Providing patients and caregivers with more robust health information.” It is a core tenet of the Federal HIT Strategic Plan that access to health information will “better support person-centered care and patient empowerment.”

©2022 Epstein Becker & Green, P.C. All rights reserved.

CARES Act Brings Changes to Federal Substance Use Disorder Privacy Law

The Coronavirus Aid, Relief, and Economic Security Act (CARES Act), enacted March 27, 2020, rewrote significant portions of 42 U.S.C. § 290dd-2, the federal statute governing the confidentiality of substance use disorder (SUD) records that is more commonly known by its implementing regulations at 42 C.F.R. Part 2 (Part 2). Among other changes, the CARES Act revises the permissible uses and disclosures of SUD records to more closely align with the HIPAA Privacy Rule, 45 C.F.R. § 164.500, et seq., when a Part 2 program obtains the patient’s prior written consent.

Historically, Part 2 programs have been restricted in their ability to share SUD records by the Part 2 regulations, which require written patient consent for each disclosure of SUD records and prohibit re-disclosure of such SUD records except in limited circumstances. The CARES Act directs the Secretary of the U.S. Department of Health and Human Services (HHS), in consultation with appropriate federal agencies (which may include the Substance Abuse and Mental Health Services Administration (SAMHSA)) to revise the Part 2 regulations as necessary to implement and enforce the statutory revisions contained in the CARES Act effective March 27, 2021. The forthcoming revisions to the Part 2 regulations may be substantial given these CARES Act changes to the federal statute.

Another significant change to the federal SUD confidentiality statute addresses the ability of health care providers to use SUD records for treatment, payment, and health care operations purposes (except for certain provider fundraising activities) in a manner more consistent with the allowances provided for protected health information under HIPAA. Specifically, the CARES Act authorizes a Covered Entity or Business Associate (as those terms are defined in the HIPAA Privacy Rule) or Part 2 Program (as defined by the Part 2 regulations) to use, disclose, or re-disclose SUD records with the patient’s written consent for treatment, payment, and health care operations as permitted by the HIPAA regulations, 45 C.F.R. Parts 160, 162, and 164, and Sections 13405(a) and (c) of the Health Information Technology for Economic and Clinical Health Act (42 U.S.C. § 17935(c)) (HITECH Act). Under the revised statute, a patient can provide written consent once, and that consent will then authorize all such future uses or disclosures for purposes of treatment, payment, and health care operations until the patient revokes the consent in writing.

Additionally, the CARES Act incorporates the following privacy protections for SUD records:

  • Except as otherwise authorized by court order or by written patient consent, SUD records or testimony relaying information from the SUD records may not be disclosed or used in any civil, criminal, administrative, or legislative proceedings conducted by any federal, state, or local authority.
  • Penalties applicable to HIPAA violations (42 U.S.C. §§ 1320d-5 and 6) shall apply to a violation of 42 U.S.C. § 290dd-2.
  • The breach notification provisions of Section 13402 of the HITECH Act shall apply to SUD records.
  • By March 27, 2021, HHS will update the HIPAA Privacy Rule to require that Part 2 programs provide notice of privacy practices, written in plain language, describing the patient’s rights with respect to the Part 2 records and how the patient may exercise those rights, and describing each purpose for which the Part 2 program is permitted or required to use or disclose the SUD records without the patient’s written authorization.
  • Part 2 providers can disclose information, regardless of whether the patient gives written consent, to a public health authority (as defined by HIPAA), if the content is de-identified in accordance with the HIPAA de-identification standards set forth at 45 C.F.R. § 164.514(b).
  • Patients shall have the right to request a restriction on the use or disclosure of SUD records for treatment, payment, or health care operations.
  • Patients shall have the right to request an accounting of disclosures of SUD records consistent with the HITECH Act and HIPAA.
  • Entities shall be prohibited from discriminating against an individual on the basis of information received, whether intentionally or inadvertently, from SUD records in: (a) admission, access to, or treatment for health care; (b) hiring, firing, or terms of employment, or receipt of worker’s compensation; (c) the sale, rental, or continued rental of housing; (d) access to federal, state, or local courts; or (e) access to, approval of, or maintenance of social services and benefits provided or funded by federal, state, or local governments.
  • Recipients of federal funds shall be prohibited from discriminating against an individual on the basis of information received, whether intentionally or inadvertently, from SUD records, when offering access to services provided with such funds.

The CARES Act provides that the above-summarized amendments to the federal SUD statute will apply to uses and disclosures of information on or after March 27, 2021. While these changes implement long-awaited alignment efforts to enable data sharing across providers in a manner consistent with the allowances permitted under HIPAA, the real impact of these changes will come from the forthcoming implementing agency regulations, which are also due to be issued by March 27, 2021.


©2020 Greenberg Traurig, LLP. All rights reserved.

What Employers Need to Know About HIPAA

As the COVID-19 pandemic continues to affect everyday business operations across the country, employers are confronting a variety of issues on how to handle these disruptions. The intent of this Legal Update is to educate employers about under what circumstances they are permitted to disclose information related to an employee’s or patient’s positive test for COVID-19 under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the Americans with Disabilities Act (“ADA”).

It may be difficult in some circumstances to discern whether health information was received by an employer through its ordinary status as an employer or through its status as a self-insured health plan. Employers should take care in making this determination based on the facts and circumstances of each situation and seek legal counsel as needed.

Covered Entities under HIPAA

  • HIPAA defines “Covered Entities” to generally include health care providers, health plans, and health care clearinghouses.

  • Covered Entities may not disclose protected health information (“PHI”) unless permitted by HIPAA. An individual’s health status related to testing positive for COVID-19 is considered PHI.

  • One permitted disclosure under HIPAA is that Covered Entities may disclose PHI to public health authorities to the extent relevant to the authority and purview of public health authorities. This includes disclosing positive test results for COVID-19 to state and local health departments, HHS, or the CDC as appropriate.

  • Covered Entities may not disclose PHI to the media.

  • Unless an employer is otherwise a Covered Entity as described above, it is not subject to HIPAA’s restrictions on disclosures of PHI.

Confidentiality under the ADA

  • The ADA requires employers that obtain medical information through inquiry or examination to maintain it in a confidential medical file and keep it separate from the employee’s personnel file.

  • Employers have been encouraged by the CDC and EEOC to question their employees regarding travel, exposure, or symptoms related to COVID-19. Any medical information disclosed as part of this dialogue should be treated as confidential.

  • If a positive case is identified in the workplace, the employer is encouraged to investigate the exposure of others in the workplace without disclosing the name of the individual or any personally identifiable information about the person.

  • The confidentiality requirements under the ADA do not prohibit disclosure to state, local, or federal health departments.

Employers with a Self-Insured Health Plan

  • Notwithstanding the discussion above regarding employers, a self-insured employee health plan maintained by an employer is a Covered Entity under HIPAA (i.e. the plan itself, not the employer, although we acknowledge this distinction is difficult to make for most employers). As a result:

    • If the employer obtained the information through its status as a plan (i.e., as the payer for the employee’s health care services), then such information is PHI and subject to HIPAA (see first bullet above for Covered Entities).

    • If the employer receives the information in the ordinary course (e.g. voluntary disclosure by the affected employee), then the second bullet above regarding employer permitted disclosures is applicable.


©2020 von Briesen & Roper, s.c.

U.S. Health & Human Services – Office of Civil Rights Issued Guidance Regarding HIPAA Privacy and Novel Coronavirus

The Office of Civil Rights (OCR) last month provided guidance and a reminder to HIPAA covered entities and their business associates regarding the sharing of protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule during an outbreak or emergency situation such as the one we are all facing right now with the Novel Coronavirus (2019-nCoV) outbreak.

The OCR guidance focused on sharing patient information in several areas, including: treatment, public health activities, disclosures to family, friends, and others involved in an individual’s care, and disclosures to prevent a serious and imminent threat.

The HIPAA Privacy Rule allows a covered entity to disclose PHI to the Centers for Disease Control and Prevention (CDC) or to state or local health departments that are authorized to collect or receive such information, for the purpose of preventing disease and protecting public health. This would include disclosure to the CDC, and/or state or local health departments, of PHI as needed to report prospective cases of patients exposed to or suspected or confirmed to have Novel Coronavirus.

The OCR message in the guidance document is clear: it emphasizes the balance between protecting the privacy of patient PHI and the appropriate uses and disclosures of such information to protect the public health. For more information and resources, see the HHS interactive decision tool, which helps covered entities determine how the Privacy Rule applies to disclosures of PHI in emergency situations.


Copyright © 2020 Robinson & Cole LLP. All rights reserved.

For more on HIPAA regulation, see the National Law Review Health Law & Managed Care section.

D.C. District Court Limits the HIPAA Privacy Rule Requirement for Covered Entities to Provide Access to Records

On January 23, 2020, the D.C. District Court narrowed an individual’s right to request that HIPAA covered entities furnish the individual’s own protected health information (“PHI”) to a third party at the individual’s request, and removed the cap on the fee covered entities may charge to transmit that PHI to a third party.

Specifically, the Court stated that individuals may only direct PHI in an electronic format to such third parties, and that HIPAA covered entities and their business associates are not subject to the reasonable, cost-based fee limitation for PHI directed to third parties.

The HIPAA Privacy Rule grants individuals the right to access their PHI in a designated record set, and it specifies the data formats and permissible fees that HIPAA covered entities (and their business associates) may charge for such production. See 45 C.F.R. § 164.524. When individuals request copies of their own PHI, the Privacy Rule permits a HIPAA covered entity (or its business associate) to charge a reasonable, cost-based fee that excludes, for example, search and retrieval costs. See 45 C.F.R. § 164.524(c)(4). But when an individual requests that his or her own PHI be sent to a third party, both the required format of that data (electronic or otherwise) and the fees that a covered entity may charge for that service have been the subject of additional OCR guidance over the years; the D.C. District Court has now, in part, vacated that guidance.

The Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act) set a statutory cap on the fee that a covered entity may charge an individual for delivering records in an electronic form. 42 U.S.C. § 17935(e)(3). Then, in the 2013 Omnibus Rule, developed pursuant to Administrative Procedure Act rulemaking, the Department of Health and Human Services, Office for Civil Rights (“HHS OCR”) implemented the HITECH Act statutory fee cap in two ways. First, OCR determined that the fee cap applied regardless of the format of the PHI, electronic or otherwise. Second, OCR stated the fee cap also applied if the individual requested that a third party receive the PHI. 78 Fed. Reg. 5566, 5631 (Jan. 25, 2013). Finally, in its 2016 Guidance document on individual access rights, OCR provided additional information regarding these provisions of the HIPAA Privacy Rule. OCR’s FAQ on this topic is available here.

The D.C. District Court struck down OCR’s 2013 and 2016 implementation of the HITECH Act, in part. Specifically, the court held that OCR’s 2013 HIPAA Omnibus Final Rule compelling delivery of protected health information (PHI) to third parties regardless of the records’ format is arbitrary and capricious insofar as it goes beyond the statutory requirements set by Congress. That statute requires only that covered entities, upon an individual’s request, transmit PHI to a third party in electronic form. Additionally, OCR’s broadening of the fee limitation under 45 C.F.R. § 164.524(c)(4) in the 2016 Guidance document titled “Individuals’ Right under HIPAA to Access their Health Information 45 C.F.R. Sec. 164.524” violates the APA, because HHS did not follow the requisite notice and comment procedure. Ciox Health, LLC v. Azar, et al., No. 18-cv-0040 (D.D.C. January 23, 2020).

All other requirements for patient access remain the same, including required time frames for the provision of access to individuals, and to third parties designated by such individuals. It remains to be seen, however, how HHS will move forward after these developments from a litigation perspective and how this decision will affect other HHS priorities, such as interoperability and information blocking.


© Polsinelli PC, Polsinelli LLP in California


Federal Court Strikes Down HIPAA Fee Limitations for Third-Party Medical Records Requests

On Jan. 29, 2020, OCR released a notice regarding a recent federal court ruling in the case of Ciox Health, LLC v. Azar, et al., [1] where a federal judge in the District Court for the District of Columbia vacated the “third-party directive” within the individual right of access “insofar as it expands the HITECH Act’s third-party directive beyond requests for a copy of an electronic health record with respect to protected health information (“PHI”) of an individual … in an electronic format.” Additionally, the court held that the fee limitation set forth at 45 CFR § 164.524(c)(4) applies only to an individual’s request for access to their own records, and does not apply to an individual’s request to transmit records to a third party.

The Ciox Health case centered on the restrictions the Department of Health and Human Services (“HHS”) and the Office for Civil Rights (“OCR”) put in place in the 2013 Omnibus Rule [2] and through informal guidance published in 2016 regarding fees that can be charged to patients for searching for, retrieving, and delivering their records and PHI as it pertains to third-party directives. Third-party directives are a mechanism promulgated by the HITECH Act that granted individuals the right to obtain a copy of their PHI maintained electronically, and “if the individual so chooses, to direct the covered entity to transmit such copy directly to an entity or person designated by the individual.” [3] Additionally, the HIPAA Privacy Rule permits a reasonable cost-based fee to provide the individual (or the individual’s personal representative) with a copy of the individual’s PHI, or to direct a copy to a designated third party. The fee may include only the cost of certain labor, supplies, and postage (this fee is also referred to as the “Patient Rate”). [4]

The 2013 Omnibus Rule broadened the third-party directives to PHI maintained in any format, not just electronic records. Moreover, the 2013 Omnibus Rule amended the Patient Rate and required actual labor costs associated with the retrieval of electronic information to be excluded. [5]

In 2016, HHS issued a guidance document titled Individuals’ Right under HIPAA to Access their Health Information 45 C.F.R. § 164.524 (the “2016 Guidance”). [6] The 2016 Guidance made two notable requirements that gave rise to the current litigation. Most significantly, HHS declared that the Patient Rate applies “when an individual directs a covered entity to send the PHI to a third party.” [7]

“This limitation,” HHS said, referring to the Patient Rate, “applies regardless of whether the individual has requested that the copy of PHI be sent to herself, or has directed that the covered entity send the copy directly to a third party designated by the individual (and it doesn’t matter who the third party is).” [8]

Additionally, in the 2016 Guidance, HHS provided a methodology to calculate the Patient Rate in requests for an electronic copy of PHI maintained electronically. The methodology would require the entity to determine a fee by calculating the actual allowable costs to fulfill each request or by using a schedule of costs based on the average allowable labor costs to fulfill standard requests. HHS also provided an option for entities to charge a flat rate for requests for electronic copies of PHI not to exceed $6.50 as an alternative to going through the process of calculating these costs.

In this case, HHS was sued by Ciox Health, a medical record retrieval company, over the changes to the Patient Rate set forth in both the 2013 Omnibus Rule and the 2016 Guidance. Ciox Health argued that the $6.50 flat fee is an arbitrary figure that bears no relation to the actual cost of honoring patient requests for copies of their health information, and such a low fee has negatively impacted its business. Ciox Health claims the 2013 Omnibus Rule and the 2016 Guidance, “unlawfully, unreasonably, arbitrarily and capriciously,” restrict the fees that can be charged by providers and their business associates for providing copies of the health information stored on patients.

The district court, in declaring the changes to the Patient Rate set forth in the 2013 Omnibus Rule unlawful, held that HHS cannot rely on its general rulemaking authority to supplement the limited-scope, third-party directive enacted by Congress in the HITECH Act. The court held that the 2013 Omnibus Rule’s expansion of the third-party directive is therefore arbitrary and capricious. Moreover, the district court held that the 2016 Guidance that worked a change into the Patient Rate was akin to a legislative rule that HHS had no authority to adopt without notice and comment. As a result, the court vacated the 2013 Omnibus Rule’s expansion of the HITECH Act’s third-party directive beyond requests for a copy of electronic records with respect to PHI of an individual in an electronic format. The court also declared unlawful and vacated the 2016 Guidance as it extended the Patient Rate to third-party directives without going through notice and comment.

Health care providers and medical records access companies are no longer required to limit the fees charged to their average costs, or to charge a $6.50 flat fee, when a patient requests that their medical records be transmitted to a third party. As decided in the Ciox Health decision on January 23, 2020, however, the fee limitations still apply when individuals request their own records.

OCR released a notice on Jan. 29, 2020 confirming that the right of individuals to access their own records, and the fee limitations that apply when exercising that right, remain in effect. However, OCR appears to have at least accepted this ruling for now as it pertains to third-party directives. OCR stated that it will continue to enforce the right of access provisions in 45 CFR § 164.524 that are not restricted by the court order. The court order can be viewed here.


[1] Ciox Health, LLC v. Azar, et al., No. 18-cv-0040 (D.D.C. January 23, 2020).

[2] See Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the [HITECH] Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules, 78 Fed. Reg. 5,566 (Jan. 25, 2013).

[3] 42 U.S.C. § 17935(e).

[4] 45 CFR § 164.524(c)(4).

[5] 78 Fed. Reg. at 5,636.

[6] This guidance is available at https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html.

[7] Id. at 16.

[8] Id.


© 2020 Dinsmore & Shohl LLP. All rights reserved.


U.S. District Court Upholds Short-Term Limited Duration Insurance Rule

The U.S. District Court for the District of Columbia upheld a rule that expanded the maximum length of time for short-term, limited duration insurance (STLDI).

STLDI is coverage that lasts a limited period of time and is exempt from many of the requirements that apply to plans in the individual health insurance market. Concerned that STLDI was drawing healthy lives away from the individual health insurance market that the Affordable Care Act (ACA) sought to support, the Obama administration shortened the length of time an individual could enroll in STLDI from 12 months to three months. Seeing STLDI as a low cost alternative to individual insurance, the Trump administration reversed course. Final regulations issued last year restored the period to 12 months and allowed for up to two renewals, for a total period of 36 months of coverage. One month later, seven organizations representing small health insurers, mental health patients and providers, and others brought suit challenging these regulations.

The court denied the challenge. It found that the ACA–and HIPAA, which first introduced STLDI–did not define the length of time STLDI could remain in effect and that the U.S. Departments of Treasury, Labor, and Health and Human Services could extend the length of time STLDI may remain available to enrollees without posing a threat to the ACA’s “structural core.”

The plaintiffs have already expressed their intent to appeal the decision. In the meantime, states continue to consider the question of whether and how to regulate the availability and terms of STLDI policies issued within their borders.

Copyright © by Ballard Spahr LLP
This article is by Edward I. Leeds and Paige A. Haughton of Ballard Spahr LLP.

Three Critical Legal Documents Every Parent Should Get in Place Now to Safeguard Their Adult Children

As a parent, you might not fully appreciate that when your child turns 18 years of age, at least in the eyes of the law, you no longer have certain inherent rights related to medical and financial details about your adult child. For this reason, you’re strongly advised to get three simple legal documents in place to ensure you’re able to intervene on behalf of your adult child in the event your child is injured, becomes ill or is otherwise incapacitated.

These situations aren’t easy to think about, but imagine the following scenarios:

  • Your 19-year-old son, while away at college, is involved in a severe car accident and is rushed to the hospital unconscious.

  • Your unmarried 25-year-old daughter, while vacationing with friends in Hawaii, is unconscious in the hospital following a jet-skiing accident.

  • Your newly divorced 30-year-old son is hospitalized after suffering a brain hemorrhage and is put into a medically induced coma.

In each scenario, when you find out that your adult child is in the hospital, you immediately call for details about your child’s condition. You are horrified when the nurse says, “I’m sorry, but I am not authorized to provide you with any information or allow you to make any decisions.”

Here are insights about the three legal documents that would be prudent to have in place on behalf of your adult child before another day goes by.

1. HIPAA Authorization Form (for Authority to Speak with Healthcare Providers)

HIPAA, or the Health Insurance Portability and Accountability Act of 1996, exists for good reason; it is a federal law that safeguards who can access an adult’s private health data. If you call or visit the hospital to inquire about your adult child, as in the above scenarios, healthcare providers are prohibited by law from revealing health information to you – or anybody else – about your child; healthcare practitioners could face severe penalties if they violate HIPAA laws.

This illustrates why a HIPAA authorization, signed by your adult child and naming you as an authorized recipient, is so critical. It gives you the ability to ask for and receive information from healthcare providers about your child’s health status, progress, and treatment. This is particularly important in the event your adult child is unconscious or incapacitated for a period of time. Without a HIPAA authorization in place, the only other way to obtain information regarding your child’s health would be to go to court.

2. Healthcare Power of Attorney (for Medical Decisions)

If your adult child signs a Healthcare Power of Attorney naming you his/her “medical agent,” you will have the ability to view your child’s medical records and make informed medical decisions on his/her behalf. Without this document or a court-appointed guardianship, healthcare decisions concerning your child’s diagnosis and treatment will be solely in the hands of healthcare providers. While this is not always a bad thing, a physician’s primary duty is to keep the patient alive. So, a healthcare provider might not pursue a risky or experimental course of treatment at the risk of exposure to liability.

Keep in mind that doctors prefer to see one medical agent named rather than multiple medical agents. The concern is that multiple medical agents may not agree on the medical course of action to take on behalf of the incapacitated adult. As a best practice, it’s prudent to name multiple agents in priority order with single authority; for example, the adult child’s mother might be listed first as the medical agent; if the mother is unable or unwilling to serve in that capacity, the second person listed—say the child’s father—would be empowered to step in.

3. General Durable Power of Attorney (for Financial Decisions)

If your adult child were ever incapacitated, you would also benefit greatly from having a General Durable Power of Attorney in place, where you were named as the “agent” authorized to make financial decisions on his/her behalf. This would allow you as the named agent to manage bank accounts, pay bills, sign tax returns, apply for government benefits, break or apply for a lease, and conduct similar activities relating to your child’s financial and legal affairs. Otherwise, you will not be able to assist your child in managing his or her financial affairs without a court-appointed conservatorship.

Important Considerations

There are some important considerations to keep in mind regarding these documents:

  • Update these forms yearly. Be prepared to have your adult child re-sign and re-execute these documents every couple of years. This is especially critical for Powers of Attorney. The institutions where you would be most likely to use these documents – such as hospitals and banks – might refuse to honor them if they perceive them to be outdated.

  • These documents are only as good as the institutions that will accept them. Making sure these documents are properly executed is half the battle; whether they will be accepted by the involved institutions is the other half of the battle—one you don’t have complete control over.

  • These documents can be revoked at any time by your adult child either orally or in writing. Your adult child retains control of the ongoing validity of these documents; therefore, your best bet is to maintain a trusting relationship with your child so he/she sees the benefit of giving you the access and control these documents afford.

  • For adult children attending college at an out-of-state university, parents will want to execute separate documents in both the student’s home state and college state. If your daughter is from Denver but is attending college in Los Angeles, you’ll want one set of documents prepared under and governed by Colorado law and a second set of documents prepared under and governed by California law.

Copyright © 2019 Ryley Carlock & Applewhite. A Professional Association. All Rights Reserved.

Sharing Cyber Threat Information

The Information Sharing and Analysis Organization-Standards Organization (ISAO-SO) was set up under the aegis of the Department of Homeland Security pursuant to a Presidential Executive Order intended to foster threat vector sharing among private entities and with the government. ISAOs are proliferating in many critical infrastructure fields, including health care, where cybersecurity and data privacy are particularly sensitive issues given HIPAA requirements and disproportionate industry human and systems vulnerabilities. Therefore, in advising their companies’ management, general counsel and others might benefit from reviewing the FAQs and answers contained in the draft document that can be accessed at the link below.

Announcing the April 20 – May 5, 2017 comment period, the Standards Organization has noted the following:

Broadening participation in voluntary information sharing is an important goal, the success of which will fuel the creation of an increasing number of Information Sharing and Analysis Organizations (ISAOs) across a wide range of corporate, institutional and governmental sectors. While information sharing had been occurring for many years, the Cybersecurity Act of 2015 (Pub. L. No. 114-113) (CISA) was intended to encourage participation by even more entities by adding certain express liability protections that apply in certain circumstances. As such proliferation continues, it likely will be organizational general counsel who will be called upon to recommend to their superiors whether to participate in such an effort.

With the growth of the ISAO movement, it is possible that joint private-public information exchange as contemplated under CISA will result in expanded liability protection and government policy that favors cooperation over an enforcement mentality.

To aid in that decision making, we have set forth a compilation of frequently asked questions and related guidance that might shed light on evaluating the potential risks and rewards of information sharing and the development of policies and procedures to succeed in it. We do not pretend that the listing of either is exhaustive, and nothing contained therein should be considered to contain legal advice. That is the ultimate prerogative of the in-house and outside counsel of each organization. And while this memorandum is targeted at general counsels, we hope that it also might be useful to others who contribute to decisions about cyber-threat information sharing and participation in ISAOs.

The draft FAQs can be accessed at: https://www.isao.org/drafts/isao-sp-8000-frequently-asked-questions-for-isao-general-counsels-v0-01/

©2017 Epstein Becker & Green, P.C. All rights reserved.

Guidance on Ransomware Attacks under HIPAA and State Data Breach Notification Laws

On July 28, 2016, the US Department of Health and Human Services (HHS) issued guidance under the Health Insurance Portability and Accountability Act (HIPAA) on what covered entities and business associates can do to prevent and recover from ransomware attacks. Ransomware attacks can also trigger concerns under state data breach notification laws.

What Is Ransomware?

Ransomware is a type of malware (malicious software). It is delivered to devices and systems through spam, phishing messages, malicious websites and email attachments, or it can be installed directly by an attacker who has already broken into a system. In many instances, when a user clicks on the malicious link or opens the attachment, the malware infects the user's system. Ransomware attempts to deny access to a user's data, usually by encrypting the data with a key known only to the attacker who deployed the malware. After the user's data is encrypted, the attacker directs the user to pay a ransom in order to receive a decryption key. However, the attacker may also deploy ransomware that destroys information or impermissibly transfers it from an information system to a remote location controlled by the attacker. Paying the ransom may result in the attacker providing the key needed to decrypt the information, but that is not guaranteed. In 2016, at least four hospitals had reported ransomware attacks, and additional attacks are believed to have gone unreported.

HIPAA Security Rule and Best Practices

The HIPAA Security Rule requires covered entities and business associates to implement security measures. It also requires covered entities and business associates to conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information (ePHI) the entities create, receive, maintain or transmit and to implement security measures sufficient to reduce those identified risks and vulnerabilities to a reasonable and appropriate level. The HIPAA Security Rule establishes a floor for the security of ePHI, although additional and/or more stringent security measures are certainly permissible and may be required under state law. Compliance with HIPAA’s existing requirements provides covered entities and business associates with guidance on how to prevent and address breaches that compromise protected health information. The new HIPAA guidance specific to ransomware reinforces how the existing requirements can help an entity protect sensitive information.

HHS has suggested that covered entities and business associates back up their data frequently, because ransomware denies access to that data. Maintaining frequent backups and ensuring the ability to recover data from a separate backup source is crucial to recovering from a ransomware attack. Test restorations should be conducted periodically to verify the integrity of backed-up data and provide confidence in an organization's data restoration capabilities. Because some ransomware variants have been known to remove or otherwise disrupt online backups, entities should consider maintaining backups offline and inaccessible from their networks.

Covered entities and business associates should also install protections against malicious software and educate their workforce members on data security practices that can reduce the risk of ransomware, including how to recognize malicious emails, the importance of avoiding suspicious websites and compliance with sound password policies.

Lastly, each covered entity or business associate should ensure that its incident response plan addresses ransomware incidents. Many entities have crafted their policies and incident response plans to focus on other more typical daily personal information risks, such as the lost laptop or personal device. A ransomware event should expressly trigger the activities required by the incident response plan, including the requirement to activate the response team, initiate the required investigation, identify appropriate remediation, determine legal and regulatory notification obligations, and conduct post-event review.

Indications of a Ransomware Attack

Indicators of a ransomware attack could include:

  • The receipt of an email from an attacker advising that files have been encrypted and demanding a ransom in exchange for the decryption key
  • A user’s realization that a link that was clicked on, a file attachment opened or a website visited may have been malicious in nature
  • An unexplained increase in a computer's central processing unit (CPU) and disk activity (due to the ransomware searching for, encrypting and removing data files)
  • An inability to access certain files as the ransomware encrypts, deletes, renames and/or relocates data
  • Detection of suspicious network communications between the ransomware and the attackers’ command and control server(s) (this would most likely be detected by IT personnel via an intrusion detection or similar solution)
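
The file-activity indicators listed above (a burst of disk writes, files that become unreadable and are renamed, contents turned into ciphertext) can be checked mechanically. The script below is an added example, not code from the HHS guidance or the original article: it takes file-change events of the kind an endpoint agent or audit log would produce, buckets them into fixed time windows, and flags a window when a burst of writes is dominated by high-entropy content or by extension changes. The `FileEvent` record, the thresholds and the sample events are all constructed for the demonstration; real deployments would feed events from their own monitoring tooling.

```python
"""Flag ransomware-like bursts in file-change telemetry.

Added example, not code from the HHS guidance or the original article.
The event shape, thresholds and sample data are constructed assumptions.
"""
import math
import random
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class FileEvent:
    ts: float                # event time in seconds (assumed to come from the agent)
    path: str                # path after the event
    old_path: Optional[str]  # previous path when the event is a rename, else None
    content: bytes           # bytes written by the event; b"" for a pure rename/delete


def shannon_entropy(data: bytes) -> float:
    """Bits per byte. Text and office documents sit well below 7; ciphertext
    (and compressed data, a known false positive) approaches 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def extension(path: str) -> str:
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def find_ransomware_bursts(events: List[FileEvent], window_s: float = 60.0,
                           burst_threshold: int = 20, entropy_threshold: float = 7.0,
                           ratio: float = 0.5) -> List[Dict]:
    """Bucket events into fixed windows; flag a window when it holds at least
    burst_threshold events and at least 'ratio' of them are high-entropy
    writes or renames that change the file extension."""
    buckets: Dict[int, List[FileEvent]] = defaultdict(list)
    for ev in events:
        buckets[int(ev.ts // window_s)].append(ev)

    findings: List[Dict] = []
    for bucket, evs in sorted(buckets.items()):
        n = len(evs)
        if n < burst_threshold:
            continue  # "disk activity for no apparent reason" needs a burst first
        high_entropy = sum(
            1 for e in evs
            if len(e.content) >= 64 and shannon_entropy(e.content) >= entropy_threshold
        )
        ext_changes = [e for e in evs
                       if e.old_path and extension(e.old_path) != extension(e.path)]
        if high_entropy / n >= ratio or len(ext_changes) / n >= ratio:
            findings.append({
                "window_start": bucket * window_s,
                "events": n,
                "high_entropy_writes": high_entropy,
                "extension_changes": len(ext_changes),
                "new_extensions": dict(Counter(extension(e.path) for e in ext_changes)),
            })
    return findings


def sample_events() -> List[FileEvent]:
    """Constructed telemetry: a quiet minute of ordinary edits, then a minute in
    which every document in a share is rewritten as ciphertext and renamed."""
    rng = random.Random(1)  # deterministic so the example reproduces
    normal = [FileEvent(ts=10.0 + i, path=f"notes/visit{i}.txt", old_path=None,
                        content=b"Patient seen for follow-up; BP stable. " * 4)
              for i in range(5)]
    attack = [FileEvent(ts=70.0 + i * 0.2, path=f"notes/visit{i}.docx.locked",
                        old_path=f"notes/visit{i}.docx",
                        content=bytes(rng.getrandbits(8) for _ in range(512)))
              for i in range(25)]
    return normal + attack


if __name__ == "__main__":
    for finding in find_ransomware_bursts(sample_events()):
        print(finding)
```

Tune `burst_threshold` and `ratio` against a baseline of the share's normal activity, and expect compressed or already-encrypted files (archives, images, encrypted PDFs) to score as high entropy; the extension-change signal is what separates a legitimate bulk copy of such files from an encryption run. The command-and-control indicator in the last bullet is a network-side check and is better served by the intrusion detection tooling the article mentions than by file telemetry.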

What to Do if Subject to a Ransomware Attack?

A covered entity or business associate that is subject to a ransomware attack may find it necessary to activate its contingency or business continuity plans. Once the contingency or business continuity plan is activated, an entity should be able to continue its day-to-day business operations while continuing to respond to, and recover from, the ransomware attack. The entity's security incident procedures for responding to a ransomware attack should include the following processes to:

  • Activate the entity’s incident response plan and follow its requirements;
  • Notify the entity’s cyber liability insurer as soon as enough information is available to indicate a possible ransomware attack and within any time period required under the applicable policy;
  • Detect and conduct an analysis of the ransomware, determining the scope of the incident and identifying what networks, systems or applications are affected;
  • Determine the origin of the incident (who/what/where/when), including how the incident occurred (e.g., tools and attack methods used, vulnerabilities exploited);
  • Determine whether the incident is finished, is ongoing or has propagated additional incidents throughout the environment;
  • Contain and eradicate the ransomware and mitigate or remediate vulnerabilities that permitted the ransomware attack and propagation;
  • Recover from the ransomware attack by restoring data lost during the attack and returning to “business-as-usual” operations; and
  • Conduct post-incident activities, which could include a deeper analysis of the evidence to determine if the entity has any regulatory, contractual or other obligations as a result of the incident (such as providing notification of a breach of protected health information), and incorporating any lessons learned into the overall security management process of the entity to improve incident response effectiveness for future security incidents.

Additionally, it is recommended that an entity infected with ransomware consult, early on, with legal counsel who can assist with reporting the incident to the extent it is a criminal matter to law enforcement. Counsel frequently have ongoing contacts within the cybercrime units of the Federal Bureau of Investigation (FBI) or the United States Secret Service that may deploy appropriate resources to address the matter and to supply helpful information. These agencies work with federal, state, local and international partners to pursue cyber criminals globally and assist victims of cybercrime. Counsel can advise on the type of information appropriate to disclose to law enforcement, while taking steps to establish and maintain the attorney-client privilege and, if appropriate, the attorney work product protection. Counsel also can assist in preparing communications (e.g., mandatory notifications and reports to senior executives and boards), advise on potential legal exposure from the incident and provide representation in connection with government inquiries or litigation.

If Ransomware Infects a Covered Entity’s or a Business Associate’s Computer System, Is It a Per Se HIPAA Breach?

Not necessarily. Whether or not the presence of ransomware would be a breach under the HIPAA Privacy Rule or HIPAA Security Rule (the HIPAA Rules) is a fact-specific determination. A breach under the HIPAA Rules is defined as, “…the acquisition, access, use or disclosure of PHI in a manner not permitted under the [HIPAA Privacy Rule] which compromises the security or privacy of the PHI.” A covered entity or business associate should, however, perform a risk assessment after experiencing a ransomware incident to determine if a reportable breach has occurred and to determine the appropriate mitigating action.

If the ePHI was encrypted prior to the incident in accordance with the HHS guidance, there may not be a breach if the encryption that was in place rendered the affected PHI unreadable, unusable and indecipherable to the unauthorized person or people. If, however, the ePHI is encrypted by the ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information), and thus is a “disclosure” not permitted under the HIPAA Privacy Rule.

Thus, in order to determine if the information was acquired and accessed in the incident, additional analysis will be required. Unless the covered entity or business associate can demonstrate that there is a “[l]ow probability that the PHI has been compromised,” based on the factors set forth in the HIPAA breach notification rule, a breach of PHI is presumed to have occurred. If a breach has occurred, the entity must comply with the applicable breach notification provisions under HIPAA and, if applicable, state law.

Does a Ransomware Event Trigger State Data Breach Notification Obligations?

Possibly. In a majority of states, data breach notification requirements are triggered when there is both “unauthorized access” to and “acquisition” of personally identifiable information. Whether a ransomware event meets the access and acquisition elements of these statutes is, as in the HIPAA analysis, a fact-specific determination. If, for example, the hackers were able to move the personally identifiable information from the entity’s network to their own, it is clear that the hackers achieved unauthorized access to and acquisition of the information. State data breach notification laws pertaining to the affected individuals would need to be analyzed and factored into the entity’s overall notification requirements.

Ransomware, though, is usually designed to extort money from victim entities rather than to steal personally identifiable information. If the forensics team can present credible evidence that no personally identifiable information was acquired by the hackers, then these obligations may not be triggered. The forensics team, consistent with the incident response team requirements, should document findings that support a defensible decision under these statutes not to notify affected individuals, in case of a subsequent regulatory investigation or litigation.

In a minority of states, the data breach notification requirements are triggered when there is simply “unauthorized access” to personally identifiable information. This lower standard may mean that the entity must notify its customers of a data breach even when no personally identifiable information is acquired by a hacker. Entities that maintain personally identifiable information of residents of Connecticut, New Jersey and Puerto Rico, for example, may find themselves in the unfortunate position of having to provide data breach notifications even when the information is not acquired by a hacker.

Finally, if the entity is providing services to a business customer, it will need to determine whether it is obligated to notify the business customer (as owner of the affected personal information) of the ransomware attack, taking into account state data breach notification requirements, contractual obligations to notify the business customer and the overall value of the commercial relationship.