In earlier updates, we’ve provided background and tracked the progress (and the unique circumstances) of FTC v. Wyndham Worldwide Corp., et al. On April 7, a highly anticipated opinion was issued by New Jersey District Court Judge Esther Salas in a case that will likely have broad implications in the realms of privacy and data security. Through a motion to dismiss, Wyndham argued that the FTC had no authority to assert a claim in the data security context, that the FTC must first formally promulgate data security regulations before bringing such a claim, and that the FTC’s pleadings of consumer harm were insufficient to support its claims. The Wyndham court sided with the FTC on all of these arguments and denied Wyndham’s motion to dismiss.
The U.S. Department of Health and Human Services ("HHS") has announced a Notice of Proposed Rulemaking concerning the disclosure requirements under the HIPAA Privacy Rule. The proposed rule would give individuals the right to obtain a report on persons who have electronically accessed the individual’s protected health information ("PHI"). HHS issued the proposed rule pursuant to the Health Information Technology for Economic and Clinical Health ("HITECH") Act.
Under the proposed rule, individuals would be able to request an access report, which would document the particular persons who electronically accessed and viewed their PHI. Currently, covered entities are only required to track access to electronic PHI. However, they are not required to share this information with individuals. The proposed rule also requires covered entities to modify their privacy notices in order to inform individuals that they have the right to obtain an access report from such covered entity.
Earlier this week, HHS announced that it had imposed fines of $4.3 million on Maryland based Cignet Health of Prince George’s County for violations of the HIPAA Privacy Rule.
In October, HHS released its Notice of Proposed Determination against Cignet. HHS found that Cignet had violated the rights of 41 patients when it denied them access to their medical records despite the HIPAA requirement that covered entities provide patients with copies of their medical records no later than 60 days from receipt of a request. The civil monetary penalty for this violation was $1.3 million.
HHS imposed an additional civil monetary penalty in the amount of $3 million on Cignet for failure "to cooperate with OCR’s investigations on a continuing daily basis from March 17, 2009, to April 7, 2010, and that the failure to cooperate was due to Cignet’s willful neglect to comply with the Privacy Rule." The Notice of Final Determination stated that Cignet failed to request a hearing to dispute or settle the fine amount. This fine is the first imposed against a healthcare provider under the Privacy Rule.
HHS also announced this week that it had reached a settlement with Massachusetts General Hospital for $1 million to settle potential Privacy Rule violations. Some privacy observers have taken these two actions as a warning that HHS is prepared to actively enforce HIPAA privacy protections.
On November 8, 2010, the Connecticut Insurance Commissioner announced that the Connecticut Insurance Department has reached a settlement with Health Net of Connecticut (“Health Net”) over Health Net’s actions during a 2009 data breach affecting approximately 500,000 Connecticut residents. The Insurance Department alleged that Health Net failed to safeguard personal health information and other personally identifiable information, including social security numbers and bank account numbers, of Connecticut residents from misuse by third parties and failed to timely notify affected residents of the data breach. The settlement requires Health Net to pay $375,000 in penalties. Since the 2009 data breach, Health Net has also provided credit monitoring protection for two years to affected Connecticut residents and agreed to improve data and information security standards to better protect information from unauthorized disclosure. Health Net’s settlement with the Insurance Department is in addition to a settlement between Health Net and the Connecticut Attorney General reached in July 2010, which required Health Net to pay the state $250,000. The Connecticut Attorney General had alleged that Health Net violated Connecticut data breach and data safeguard laws, as well as the federal Health Insurance Portability and Accountability Act (“HIPAA”).
The Department of Health and Human Services (“HHS”) received numerous comments on its proposed modifications to the Health Insurance Portability and Accountability Act Privacy, Security and Enforcement Rules, which were issued on July 8, 2010. Some highlights from the comments are outlined below.
The American Hospital Association (“AHA”) suggested that HHS should continue to require the Secretary of HHS to attempt to resolve a complaint or compliance review through informal means, instead of making the informal resolution process optional. According to the AHA, making “resolution via informal means optional, regardless of the perceived level of culpability of a particular entity” would not be appropriate or effective. The Coalition for Patient Privacy, on the other hand, recommended stricter enforcement so that “the only category of violators that should not be penalized with fines are those who despite due diligence could not discover the violation, who reported the violation immediately when discovered, and fully corrected the problems within 30 days of discovery.”
The AHA requested that HHS “consider modifying the Privacy Rule to make clear which provisions are directly applicable to business associates and to specify business associates’ compliance obligations associated with each of these provisions” in order to “provide greater clarity and better facilitate compliance” with the Privacy Rule. The Association of American Medical Colleges recommended that the exception to the rule prohibiting the sale of protected health information (“PHI”) for research purposes be expanded to include PHI that is provided to a data registry for the benefit of providing researchers with access to a larger pool of data for their research.
The American Health Information Management Association expressed concern that the modifications to the Security Rule “appear to suggest that Covered Entities do not need to make as many specific requirements of a Business Associate as in the pre-HITECH agreements because the Business Associate becomes directly subject to HIPAA.” The Coalition for Patient Privacy went further and recommended that HHS require all business associates and covered entities to “undergo meaningful and comprehensive security and privacy audits annually, to establish and prove that their methods of operation do in fact safeguard patient information.”
HHS will review the submitted comments on the proposed modifications to the HIPAA Rules and decide whether to incorporate them into the Final Rule, which is expected to be published by the end of 2010.
On Friday, May 7, 2010, the Office for Civil Rights (“OCR”) issued guidance related to the HIPAA Security Rule’s risk analysis requirement. Under HITECH, OCR is responsible for issuing annual guidance on provisions of the HIPAA Security Rule. This guidance is the first in a series of documents aimed at helping covered entities and business associates implement effective and appropriate administrative, physical, and technical security safeguards.
This guidance document is generally consistent with the materials provided by the Centers for Medicare and Medicaid Services (“CMS”) prior to the introduction of HITECH. For example, like the recently released OCR guidance, CMS historically directed covered entities to refer to the National Institute of Standards and Technology’s Special Publication 800-66 Rev.1, An Introductory Resource Guide for Implementing the HIPAA Security Rule (October 2008) (“NIST 800-66”). NIST 800-66 frequently directs readers to consult NIST SP 800-30, Risk Management Guide for Information Technology Systems (July 2002), which is also quoted extensively in the recently released OCR guidance. Moreover, the OCR guidance is quite similar to the HIPAA Security Series, Paper 6: Basics of Risk Analysis and Risk Management which was most recently revised by CMS in March 2007.
OCR encourages the public to offer feedback on the risk analysis guidance. Comments can be submitted to OCR at OCRPrivacy@hhs.gov.
Mark Paulding of the Privacy and Information Management practice in Hogan Lovells’ Washington, D.C. office prepared this entry.
The Department of Health and Human Services (“HHS”) has posted to its website a notification form that may be used to report breaches of unsecured protected health information to the agency. Although some state agencies requiring notice of a breach employ a standard reporting form, the form issued by HHS has several unique features and requests more information than a typical breach reporting form. Some interesting features of the form include:
- The form may be used to report both breaches affecting 500 or more individuals and breaches affecting fewer than 500 individuals, although the former must be reported to the agency within 60 days of discovery and the latter need only be logged over the course of the year and reported to the agency on an annual basis.
- The form requires that, if the breach occurred "at or by" a business associate, that business associate must be identified by name and contact information must be provided. The form is, however, required to be completed by the covered entity.
- The form requires a description of the breach and provides drop-down lists to facilitate the description of the type of breach (e.g., theft, loss, improper disposal, etc.), the location of the "breached information" (e.g., laptop, desktop computer, network server, etc.) and the type of PHI affected (e.g., demographic information, financial information, clinical information or "other").
- The form further requests a description of the safeguards that were in place prior to the breach and a description of actions taken in response to the breach, again via selection from a drop-down list. Actions taken in response to the breach also may be described in narrative form.
- The form requires completion of an attestation that the information provided is accurate, and acknowledgement that the Office of Civil Rights ("OCR") may be required to release information provided via the form pursuant to the Freedom of Information Act, that some of the information will be posted to HHS’s web site, and that OCR will use the information to provide an annual report to Congress, as required by the HITECH Act.
- The form also may be used to submit an "initial breach report" or an "addendum to previous report," implying that covered entities could submit the form based on then-available information and later file an addendum, which may be necessary in some cases to avoid missing the 60-day reporting deadline.
The form, which is intended to be submitted electronically, includes all of the required elements specified by the HITECH Act and HHS’s implementing regulations. HHS also has provided instructions for completing the form.
The HITECH Act’s breach notice provisions became effective yesterday, but there are many additional features of the statute of which covered entities and business associates should be aware. For example, the HITECH Act creates several new and potentially burdensome obligations that affect the relationship between covered entities and business associates. Because these changes are quite substantial and necessitate revisions to existing business associate agreements, covered entities and business associates should begin compliance efforts as soon as possible. Additional commentary on the HITECH Act and implementing regulations is available here and here.
The Health Privacy Project will become part of CDT to address a slate of privacy issues raised by the electronic exchange of health information by traditional providers and by new consumer access services like Google Health and Microsoft HealthVault. CDT announces it will take on questions relating to notice and consent, identification and authentication, subject access to electronic records, secondary uses and enforcement mechanisms.