The HIPAA Security Rule requires covered entities and business associates to implement physical, administrative, and technical safeguards to protect protected health information (PHI). The U.S. Department of Health and Human Services Office for Civil Rights (OCR) recently issued guidance warning that “essential” physical security is often overlooked.
Despite the lack of significant HIPAA enforcement settlements by the federal Office for Civil Rights (OCR) so far in 2018, states have not hesitated to patrol privacy and security breach activity and take action against perceived violations. Indeed, under the HITECH Act, state attorneys general have their own HIPAA enforcement authority. Two recent settlements suggest that states are ramping up their enforcement activities.
The New Jersey Attorney General recently announced a settlement of nearly $418,000 involving physician network Virtua Medical Group, P.A. (Virtua) for an alleged breach of privacy involving 1,654 patients, most of whom reside in New Jersey. The settlement followed an investigation by the New Jersey Division of Consumer Affairs, which concluded that an online server misconfiguration, introduced during a software update by a third party vendor and business associate of Virtua, left patient medical records and related electronic personal health information (ePHI) viewable online and indexed by search engines. The Division’s investigation determined that the vendor discovered the breach in January 2016 and reinstated the security protections that had been in place prior to the update, but did not notify Virtua upon its discovery of the breach. The resulting settlement stemmed from allegations that Virtua failed to conduct a comprehensive analysis of risks relative to PHI sent to the third party vendor, failed to safeguard against the risk of disclosure, failed to set forth sufficient procedures requiring security measures necessary to mitigate the risk, and failed to implement awareness and training programs for workforce members related to impermissible disclosures.
Furthermore, in March 2018, the New York Attorney General announced a $575,000 settlement with EmblemHealth and wholly-owned subsidiary Group Health Incorporated (EmblemHealth), following an incident in which 81,122 social security numbers were disclosed on a mailing. In EmblemHealth’s case, a Medicare Prescription Drug Plan Evidence of Coverage notice included a mailing label with the policyholder’s social security number on it. In addition to the settlement, EmblemHealth is required to implement a corrective action plan.
These settlements serve as reminders to covered entities and business associates that states may aggressively enforce data privacy and security violations, separate from what the OCR does. Some state laws (such as those in New Jersey and New York) may not expressly target PHI breaches in the same manner as HIPAA and other federal data privacy and security regulations, but they may have similarly sharp teeth. Furthermore, state enforcers may share information with, and involve, federal enforcers when the conduct at issue also violates such federal regulations. In addition, covered entities should thoroughly examine business associate agreements to ensure that third party vendors bear the financial risk for failures to provide notice of breaches and to maintain adequate security measures that mitigate the risk of disclosures.
Health Information Highlight
Welcome back to our three-part series examining ways to efficiently identify, address and mitigate gaps in HIPAA compliance in transaction diligence. In Part I, we discussed four key diligence questions upon which buyers should focus their efforts in a transaction. In Part II, we reviewed considerations related to storage of and access to diligence materials, particularly in the context of using a data room or other cloud-based server. Here, we address potential risk mitigation strategies when HIPAA issues are identified in the course of diligence.
It is not unusual to identify gaps or deficiencies in HIPAA compliance during the diligence process. These deficiencies can range from a lack of robust policies, procedures and employee training to inappropriate use of texting and cloud storage or failure to conduct a required security risk assessment. Several years ago when HIPAA enforcement risk was more of a secondary concern, many buyers did not take a proactive approach to remediation and assumed these areas could be addressed in the ordinary course. Given the uptick in enforcement against both covered entities and business associates and ever-increasing fines, it is important to take a proactive approach to quickly address compliance gaps. When a buyer encounters compliance gaps, there are various ways to mitigate this risk, several of which are discussed below:
- Require Compliance Actions as a Pre- or Post-Close Condition. Depending on the level of risk and exposure, buyers should consider whether addressing compliance gaps should begin prior to closing. In other instances, it may be reasonable to address compliance post-close; however, it is important to ensure that any post-close compliance is completed within a specified time, such as 30, 60, 90 or 120 days post-close.
- Indemnification, Escrows & Representation and Warranty Insurance. Buyers should consider whether it is appropriate to obtain specific indemnification or an escrow of funds to cover potential HIPAA non-compliance. When negotiating indemnification provisions, a buyer should consider applicable dollar caps, floors and the survival period to ensure appropriate coverage for potential future liability.
- Ongoing Settlements. If the seller is involved in any government or third party investigation or settlement negotiation related to HIPAA compliance, buyers should consider obtaining a waiver of liabilities and rights from the government or third party prior to close. Buyers should also ensure that the indemnification provisions from the seller are modified so as to adequately protect the buyer from undue risk or exposure.
With the continued risk of HIPAA enforcement, privacy and security diligence should not be a “check the box” activity. Buyers should fully understand the scope of potential risk in the early stages of transaction diligence, take steps to adequately mitigate that risk and understand the cost of protecting the target’s greatest assets.
Health Information Highlight
Welcome back to our three-part series examining ways to efficiently identify, address and mitigate gaps in HIPAA compliance in transaction diligence. In Part I of this series, we discussed four key diligence questions upon which buyers should focus their efforts in a transaction. Here, we review considerations related to storage of and access to diligence materials, particularly in the context of using a data room or other cloud-based server.
For an online or virtual data room administrator, opening access to an inquiring stakeholder, valuator, or reviewer party to an acquisition target company’s documentation may be as simple as a few clicks and perhaps an email or two. However, if any document contains personal or identifiable health information, a number of privacy and data protection regulations may deem access to such information by an unauthorized party to be a violation. In the case of disclosure of protected health information (PHI) in a healthcare transaction, HIPAA may impose significant penalties on target providers posting the PHI and the unauthorized parties accessing the PHI alike.
There are a number of ways to minimize the risk of inadvertent unauthorized disclosure:
1. Consider Restricted Access. The uploading party can restrict unauthorized parties’ access to uploaded PHI by either (a) preparing separate data rooms, one containing PHI for authorized parties and one with no PHI for unauthorized parties, or (b) if the data room’s user features permit, restricting unauthorized parties’ access to the specific documents or folders which may contain PHI. Prior to permitting or restricting access, a covered entity uploading its data should review and categorize its relationship with each accessing party for HIPAA purposes. All parties accessing data should enter into and be bound by confidentiality provisions relative to the data, which may include putting into place a Business Associate Agreement (BAA).
2. Remove Patient Identifiers. Alternatively, prior to uploading any data into the room, ensure that the uploading party scrubs all data and financials of any patient identifiers and only uploads “clean” versions of documents. The uploading party could also elect to provide “model” contracts rather than contracts which might disclose PHI. With respect to provider financial data, which may have patient detail containing PHI identifying a patient, this process may be a particularly time-consuming investment in resources. Regardless, the up-front investment in cleaning data prior to uploading would reduce the risk of disclosing any actual PHI.
3. Secure Data Rooms. Choose a secure data room provider which complies with data protection laws. Popular file-sharing applications may be exceedingly simple to set up and share, and may cost nothing; however, many such cloud providers may not have appropriate security or data protection measures in place and may increase the risk of unauthorized access.
Stay tuned for Part Three where we will examine HIPAA risk mitigation strategies.
Health Information Highlight
Welcome to a three-part series that will examine several ways to efficiently identify, address, and mitigate gaps in HIPAA compliance in transaction diligence.
A target’s value is often held in its information and people. An increased risk of HIPAA enforcement means that privacy and security diligence should not be a “check the box” activity. Buyers should fully understand the scope of potential risk in the early stages of transaction diligence, take steps to adequately mitigate any potential go-forward risk, and, most importantly, understand the cost of protecting the target’s greatest assets.
Beginning last year, we saw a substantial increase in the economic impact of HIPAA enforcement by the Department of Health and Human Services, Office for Civil Rights (OCR). Since then, several new cases have illuminated the need for increased scrutiny of HIPAA compliance during the transaction diligence process.
To better understand a seller’s overall HIPAA compliance, there are four key diligence questions upon which buyers should focus their efforts in a transaction:
1. Does the seller have the core HIPAA documentation in place? At minimum, the buyer should look for:
- Privacy and Security Rule Policies and Procedures
- Breach Notification Policies and Procedures and Risk Assessments
- Security Audits and Incident Logs
- HIPAA Risk Analyses (for the last 2-3 years) and corresponding Management Plans
- Business Associate Agreements (BAAs) with Contractors/Customers
- As applicable, Notice of Privacy Practices
2. Is the seller complying with its policies? The principal measure of the effectiveness of a HIPAA compliance program is whether the seller’s internal controls and compliance practices live up to the promise set out in the policies. To determine whether a seller is complying with its policies, a buyer should look to whether the seller is:
- sufficiently training employees and documenting this training;
- assessing and tracking security incidents;
- identifying and empowering compliance personnel;
- auditing and monitoring compliance on a periodic basis; and
- performing frequent security assessments regarding risk areas.
In some cases, a simple public news search may identify the target’s incidents or reputational risks that may be meaningful to the buyer, even where a formal investigation or enforcement action has not yet been triggered.
3. How does the seller address potential HIPAA security and breach risk areas? A seller’s representation that “no HIPAA breaches have occurred” may tell the buyer much about what the seller is not doing to identify and take action on various security and privacy compliance risks. The buyer should review the seller’s security risk analyses, breach assessments, and investigation logs to understand the seller’s historical liabilities and what the seller has treated as actionable risks. The buyer may also wish to understand how the seller is assessing third party risks, including determining BAA compliance and determining whether and how third parties are accessing and using protected health information (PHI).
4. What is the nature of risk related to any identified gaps? A buyer should carefully consider the spectrum of liability to the parties related to risks identified in transaction diligence. The buyer should review the liabilities in the context of:
- the risk of governmental enforcement, including more restrictive state and international laws that may attach to the data;
- civil liability, including contractual breaches;
- ethical and organizational fines;
- criminal executive liability for profiting off or knowingly not reporting breaches; and
- related reputational harm to the parties related to an enforcement action or third party suit.
Stay tuned for Part Two where we will examine cloud server data and HIPAA compliance strategies.
So far, 2018 has been a light year in terms of HIPAA enforcement. There have been only two publicly-disclosed settlements. But that doesn’t mean covered entities and business associates should let their guard down and assume that they don’t need to be mindful of HIPAA. Indeed, it is hard to know what is going on in the Office for Civil Rights (OCR) with respect to enforcement. Theories include that the priorities of the current administration are driving less enforcement, that the OCR is focusing its efforts on the current round of audits, and that the OCR is simply holding back on some settlements so that it can ensure a consistent approach to multiple settlements that it will announce in the near future. No matter the answer, it is not safe to assume that things will remain quiet on the HIPAA front.
Looking at the 2018 settlements, they reflect two very different scenarios, and they both demonstrate that HIPAA settlements can take a long time to work their way through the OCR (which makes enforcement predicting even more difficult). The first settlement of the year was with Fresenius Medical Care North America (Fresenius) for $3.5 million and the adoption of a comprehensive corrective action plan. The Fresenius settlement dates back to 2012 when Fresenius experienced breaches at five different facilities around the country. The OCR’s investigation revealed systematic failures by Fresenius to adopt appropriate policies and procedures to address the Privacy and Security Rules. In the press release for the Fresenius settlement, the OCR Director stressed the importance of enterprise-wide risk analysis.
The second settlement was for $100,000 with the receiver that was appointed to liquidate the assets of Filefax as it was closing its operations in 2015. The OCR’s investigation followed an anonymous complaint regarding improper disposal of medical records, and the OCR found a variety of instances in which records were left unsecured. Even though Filefax had closed, the receiver was held responsible for ongoing compliance with HIPAA. Thus, the OCR has confirmed that closing operations does not relieve covered entities of HIPAA obligations, and that any entity that assumes custody of health records needs to be mindful of HIPAA.
Given that the Omnibus Final Rule is now more than five years old, the OCR is unlikely to tolerate non-compliance and it is probably only a matter of time before the sleeping giant awakens—or, more likely, that we learn that the giant hasn’t been sleeping at all. Indeed, because settlements take so long to process, no one outside the OCR really knows how active the OCR is with respect to enforcement activities for situations occurring right now. Therefore, all covered entities and business associates need to stay vigilant with respect to the three pillars of HIPAA compliance: Privacy Rule Policies and Procedures, reasonably current Security Rule Risk Assessments, and workforce training regarding HIPAA. And, any entity that experiences a breach—particularly a breach involving 500 or more individuals that requires prompt notice to the OCR—should revisit all three of these compliance pillars.
To better mitigate HIPAA enforcement actions, stay tuned for a three-part series that will examine several ways to efficiently identify and address gaps in HIPAA compliance during transaction diligence.
Nearly two and a half years following the appeal of the Federal Communications Commission’s (FCC) July 2015 Order, the U.S. Court of Appeals for the District of Columbia issued a ruling on March 16, 2018. On appeal, over a dozen entities sought review of the 2015 Order, in which the FCC interpreted various aspects of the Telephone Consumer Protection Act (TCPA). The appeal addressed four issues: (1) which devices constitute an automatic telephone dialing system (ATDS or “autodialer”); (2) whether a call to a reassigned phone number violates the TCPA; (3) whether the FCC’s approach to revocation was too broad; and (4) whether the FCC’s exemption for certain healthcare related calls was proper.
In short, the court set aside the FCC’s definition of an ATDS and vacated the FCC’s approach to calls placed to reassigned numbers. The court upheld, however, the FCC’s broad approach to a party’s revocation of consent and sustained the scope of the FCC’s exemption for time-sensitive healthcare calls.
The FCC’s 2015 Order held that the analysis of whether equipment constitutes an ATDS is not limited to its present capacities, but also includes its “potential functionalities”—therefore having the apparent effect of encompassing ordinary smartphones. On appeal, the D.C. Circuit concluded that the FCC’s approach could not be sustained in light of the “unchallenged assumption that a call made with a device having the capacity to function as an autodialer can violate the statute even if autodialer features are not used to make the call.” The court reasoned that if a device’s capacity includes functions that could be added through app downloads and software additions, and if smartphone apps can introduce ATDS functionality into the device, then all smartphones would meet the statutory definition of an autodialer—and therefore, the TCPA’s restrictions on autodialer calls “assume an eye popping sweep.” Accordingly, the court found the FCC’s interpretation that all smartphones qualify as autodialers was unreasonably and impermissibly expansive.
Regarding functionality, the FCC identified a basic function of an ATDS as the ability to “dial numbers without human intervention,” but declined to clarify this point, apparently suggesting that a device might still qualify as an autodialer even if it cannot dial numbers without human intervention. The FCC further said that another basic function of an ATDS is to dial thousands of numbers in a short period of time, but the ruling provides no additional guidance on whether that is a necessary, sufficient, or relevant condition, leaving affected parties “in a significant fog of uncertainty.” In addressing these questions, the court found the FCC’s guidance gave no clear answer and in many ways provided contradictory interpretations. The court seemed particularly concerned with the practical implications that the FCC ruling seemingly imposed liability even if a system was not used to randomly or sequentially generate a call list, as “[a]nytime phone numbers are dialed from a set list, the database of numbers must be called in some order—either in a random or some other sequence.” The court set aside the FCC’s ruling on what type of functionality a device must employ to qualify as an autodialer, finding that the FCC could not promote competing interpretations in the same order.
- Reassigned numbers and consent
If a call is made to a consenting party’s number, but that number has been reassigned to a nonconsenting party, the FCC’s 2015 Order stated that this situation violates the TCPA—except in the instance of a one-call safe harbor, which enables a caller to avoid liability for the first call to a wireless number following reassignment. The court found that the FCC’s limitation of the safe harbor to only the first call was arbitrary, questioning why a caller’s “reasonable reliance” on the previous subscriber’s consent necessarily stops being reasonable after there has been only one call, as the first call may give the caller no indication of a possible reassignment. The court set aside the FCC’s treatment of reassigned numbers in its entirety, finding it could not, without consequence, excise the one-call safe harbor, but leave in place the FCC’s interpretation that the “called party” refers to the current subscriber, and not the intended recipient. This, the court found, would mean a caller is strictly liable for all calls made to the reassigned number, even without knowledge of the reassignment.
- Revocation of consent
The FCC, in declining to unilaterally prescribe the exclusive means for consumers to revoke their consent, instead concluded that a called party may revoke consent at any time and through any reasonable means that clearly expresses a desire not to receive further messages. In upholding the FCC’s approach to revocation, the court found that the FCC’s ruling absolves callers of any responsibility to adopt a system that would entail undue burdens, like training every retail employee on the “finer points of revocation.” And, under this approach, callers have every incentive to avoid TCPA liability by making available clearly-defined and easy-to-use opt-out methods, which in turn makes a call recipient’s unconventional and idiosyncratic revocation requests unreasonable. Finally, the court concluded that nothing in the 2015 Order “should be understood to speak to the parties’ ability to agree upon revocation procedures”—thereby leaving open the possibility of contractually specified revocation methods.
- Healthcare-related exemption
The final challenge concerns the scope of the FCC’s exemption of certain healthcare related calls from the TCPA’s prior-consent requirement for calls to wireless numbers. The exemption is limited to calls that have a healthcare treatment purpose, and excludes calls related to telemarketing, solicitation, or advertising. The court rejected the argument that any partial exemption of healthcare related communications is unlawful because HIPAA supersedes any TCPA prohibition, finding that the two statutes provide separate protections and, therefore, there is no obstacle to complying with both. Moreover, the court found that the FCC did not act arbitrarily in affording a narrower exemption for healthcare related calls made to wireless callers, finding that the TCPA assumes the fact that residential and wireless numbers warrant different treatment. Finally, the court rejected the argument that the FCC erred in failing to recognize that all healthcare related calls satisfy the TCPA’s “emergency purposes” exception to the consent requirement, reasoning that it is implausible to conclude that calls related to telemarketing, solicitation, or advertising are made for emergency purposes. Therefore, the court upheld the way in which the FCC narrowly fashioned the exemption for healthcare related calls.
Without question, the long-awaited ruling will significantly impact TCPA compliance and litigation. Stay tuned for additional analysis on the impact of the D.C. Circuit’s ruling.
With 2017 having drawn to a close, it is once again time for HIPAA covered entities to complete their annual breach reporting obligations to the U.S. Department of Health & Human Services Office for Civil Rights (“OCR”). Whereas covered entities must report breaches involving 500 or more individuals no later than 60 calendar days from the discovery date, for breaches affecting fewer than 500 individuals, entities have the option of submitting the year’s incident notifications within 60 days after the end of the respective calendar year.
Even as entities work to meet this deadline, certain trends are becoming apparent. To assist with identifying trends and mitigating risks, this post provides a brief overview of current OCR activity and 2017 breach reports. Because breaches can be reported until February 28, 2018, the figures herein are not yet final. Nevertheless, the 2017 statistics to date provide insight into the healthcare industry’s current challenges, general trends in data security, and considerations for 2018 OCR compliance.
To date, the annual figures for HIPAA privacy breaches of unsecured protected health information (“PHI”) reveal that network servers, email, and other information technology (“IT”) events continued to challenge the healthcare industry in 2017. OCR data shows that HIPAA privacy breach reports affecting 500 or more individuals remained relatively stable when compared to 2016, increasing slightly from 327 to 345. Hacking and IT incidents, however, rose by 25%, with 142 in 2017 compared to 113 in 2016. Other events, such as unauthorized access/disclosures, theft, and improper disposal, saw more modest fluctuations. Breaches occurring via portable electronic devices in the workplace (e.g., smartphones and tablets) remained stable, with 22 in 2017 and 21 in 2016. Email-based breaches, however, rose by 60% — up to 85 in 2017 from 50 in 2016.
The healthcare industry obviously still has work to do, particularly with larger data sets. The numbers show an increase in hacking and email related breaches, which makes the need for email and software safety measures more apparent.
The 2017 statistics yield several key lessons on protection measures that a covered entity may take in 2018 to help close current gaps and minimize the risk of the increasingly commonplace hacking and email incidents:
- Workforce training and education that emphasizes the identification of suspicious emails and links that may allow hackers into a covered entity’s network remain vital compliance tools.
- From an administrative and management perspective, as well as OCR enforcement perspective, updating risk analyses of systems is more important than ever.
- Following a management plan, created from the identification of threats to PHI through the risk analysis, can significantly minimize risk exposure and avoidable attacks.
- Investment in and implementation of advanced intrusion detection systems can identify malicious activity or software more quickly, creating real-time alerts.
- Continued auditing and monitoring of systems and the workforce further assist entities in identifying abnormalities or weak points in their safeguards.
- Software updates can help shut out malicious and expansive attacks. As seen with the global “WannaCry” security breach and the most recent “Meltdown” and “Spectre” hardware glitches, potential hacks, phishing schemes, and viruses may be easily mitigated with the appropriate patches and operating system updates.
The 2017 numbers regarding data breaches show the need for HIPAA entities to remain vigilant against large breaches, especially as they are growing increasingly malicious and difficult to anticipate. Large and small solutions exist, each of which can make a significant impact on protecting against breaches in the coming year.
Sources: 45 C.F.R. § 164.408(b), (c); Submitting Notice of a Breach to the Secretary, U.S. Dep’t of Health & Human Servs. (Jan. 5, 2015), https://www.hhs.gov/hipaa/for-professionals/breach-notification/breach-reporting/index.html.
Drug adherence programs have significantly evolved over the last few years with drug companies, health plans, and providers taking steps to monitor patient medication compliance. Drug adherence is the degree to which a patient complies with medication administration advice for treatment of chronic disease. Beyond the obvious benefits to patients’ health and health entities’ bottom lines, drug adherence can have a large effect on public health and social communities. Therefore, although it is no surprise that the health care industry has turned its focus to adherence in a big way, it may be surprising that in an industry where confidentiality is king, the most recent strategy may be turning to big brother.
U.S. Food & Drug Administration Announcement
This past November, the U.S. Food & Drug Administration (“FDA”) announced approval of a new solution to medication noncompliance – digital tracking. The FDA has not broadly blessed the practice, which has been around since 2012, but rather took a large leap in that direction by approving the digital drug Abilify MyCite – a collaboration between drug manufacturer Otsuka and technology company Proteus Digital Health. The drug is used for the treatment of schizophrenia, episodes associated with bipolar I disorder, and certain depression diagnoses in adults, and Abilify MyCite, specifically, uses an ingestible sensor embedded in the drug tablet to trigger an electrical signal upon reacting with stomach acids. The signal is sent to a wearable patch and a mobile application, which records that medication was taken. The medication compliance can be tracked by patient relatives and caregivers so that they may directly access the information through a similar application or web-based portal.
Privacy Concerns and Obtaining Consent
As the industry looks to improve public health and reduce health care costs (medication noncompliance is estimated to cost $100 billion/year in the U.S.), it works to balance the need to uphold patient rights, including patient privacy, especially where disease increases patients’ vulnerability. While HIPAA and state laws generally allow the access to and disclosure of patient information with consent as well as for treatment purposes, regulation regarding this kind of monitoring by third parties and resulting use of the data is less explicit. Just as states are beginning to take a stronger stance on protection of biometric and genetic information, digital drugs and medication compliance may be next to receive additional scrutiny and increased protections.
The U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) recently issued guidance emphasizing the increased risks of using mobile devices in the workplace when the mobile devices contain or have access to sensitive data. Particularly, OCR warns of the risks of the use of mobile devices by healthcare organizations when the mobile devices are used to create, receive, maintain or transmit electronic protected health information (“ePHI”) that is protected by the Health Insurance Portability and Accountability Act (“HIPAA”).
Under the HIPAA Security Rule, covered entities and their business associates are required to conduct a risk analysis of the organization’s security risks and vulnerabilities and address identified vulnerabilities. OCR highlights that compliance with the Security Rule requires organizations to include mobile devices in the risk analysis and to address the inherent risks “to a reasonable and appropriate level.” A significant portion of reported settlements of alleged HIPAA claims have involved lost or stolen mobile devices that were not addressed in a risk assessment or not appropriately secured. In some cases, settlements for alleged non-compliance involving mobile devices have exceeded $2 million.
In addition to their inherent risk of being lost or stolen, OCR notes the following risks of using mobile devices to store or transmit ePHI: