In earlier updates, we’ve provided background and tracked the progress (and the unique circumstances) of FTC v. Wyndham Worldwide Corp., et al. On April 7, a highly anticipated opinion was issued by New Jersey District Court Judge Esther Salas in a case that will likely have broad implications in the realms of privacy and data security. Through a motion to dismiss, Wyndham argued that the FTC had no authority to assert a claim in the data security context, that the FTC must first formally promulgate data security regulations before bringing such a claim, and that the FTC’s pleadings of consumer harm were insufficient to support its claims. The Wyndham court sided with the FTC on all of these arguments and denied Wyndham’s motion to dismiss.
The U.S. Department of Health and Human Services ("HHS") has announced a Notice of Proposed Rulemaking concerning the disclosure requirements under the HIPAA Privacy Rule. The proposed rule would give individuals the right to obtain a report on persons who have electronically accessed the individual’s protected health information ("PHI"). HHS issued the proposed rule pursuant to the Health Information Technology for Economic and Clinical Health ("HITECH") Act.
Under the proposed rule, individuals would be able to request an access report, which would document the particular persons who electronically accessed and viewed their PHI. Currently, covered entities are only required to track access to electronic PHI. However, they are not required to share this information with individuals. The proposed rule also requires covered entities to modify their privacy notices in order to inform individuals that they have the right to obtain an access report from such covered entity.
Earlier this week, HHS announced that it had imposed fines of $4.3 million on Maryland-based Cignet Health of Prince George’s County for violations of the HIPAA Privacy Rule.
In October, HHS released its Notice of Proposed Determination against Cignet. HHS found that Cignet had violated the rights of 41 patients when it denied them access to their medical records despite the HIPAA requirement that covered entities provide patients with copies of their medical records no later than 60 days from receipt of a request. The civil monetary penalty for this violation was $1.3 million.
HHS imposed an additional civil monetary penalty in the amount of $3 million on Cignet for failure "to cooperate with OCR’s investigations on a continuing daily basis from March 17, 2009, to April 7, 2010, and that the failure to cooperate was due to Cignet’s willful neglect to comply with the Privacy Rule." The Notice of Final Determination stated that Cignet failed to request a hearing to dispute or settle the fine amount. This fine is the first imposed against a healthcare provider under the Privacy Rule.
HHS also announced this week that it had reached a settlement with Massachusetts General Hospital for $1 million to settle potential Privacy Rule violations. Some privacy observers have taken these two actions as a warning that HHS is prepared to actively enforce HIPAA privacy protections.
On November 8, 2010, the Connecticut Insurance Commissioner announced that the Connecticut Insurance Department has reached a settlement with Health Net of Connecticut (“Health Net”) over Health Net’s actions during a 2009 data breach affecting approximately 500,000 Connecticut residents. The Insurance Department alleged that Health Net failed to safeguard personal health information and other personally identifiable information, including Social Security numbers and bank account numbers, of Connecticut residents from misuse by third parties, and failed to timely notify affected residents of the data breach. The settlement requires Health Net to pay $375,000 in penalties. Since the 2009 data breach, Health Net has also provided credit monitoring protection for two years to affected Connecticut residents and agreed to improve data and information security standards to better protect information from unauthorized disclosure. Health Net’s settlement with the Insurance Department is in addition to a settlement between Health Net and the Connecticut Attorney General reached in July 2010, which required Health Net to pay the state $250,000. The Connecticut Attorney General had alleged that Health Net violated Connecticut data breach and data safeguard laws, as well as the federal Health Insurance Portability and Accountability Act (“HIPAA”).
The Department of Health and Human Services (“HHS”) received numerous comments on its proposed modifications to the Health Insurance Portability and Accountability Act Privacy, Security and Enforcement Rules, which were issued on July 8, 2010. Some highlights from the comments are outlined below.
The American Hospital Association (“AHA”) suggested that HHS should continue to require the Secretary of HHS to attempt to resolve a complaint or compliance review through informal means, instead of making the informal resolution process optional. According to the AHA, making “resolution via informal means optional, regardless of the perceived level of culpability of a particular entity” would not be appropriate or effective. The Coalition for Patient Privacy, on the other hand, recommended stricter enforcement so that “the only category of violators that should not be penalized with fines are those who despite due diligence could not discover the violation, who reported the violation immediately when discovered, and fully corrected the problems within 30 days of discovery.”
The AHA requested that HHS “consider modifying the Privacy Rule to make clear which provisions are directly applicable to business associates and to specify business associates’ compliance obligations associated with each of these provisions” in order to “provide greater clarity and better facilitate compliance” with the Privacy Rule. The Association of American Medical Colleges recommended that the exception to the rule prohibiting the sale of protected health information (“PHI”) for research purposes be expanded to include PHI that is provided to a data registry for the benefit of providing researchers with access to a larger pool of data for their research.
The American Health Information Management Association expressed concern that the modifications to the Security Rule “appear to suggest that Covered Entities do not need to make as many specific requirements of a Business Associate as in the pre-HITECH agreements because the Business Associate becomes directly subject to HIPAA.” The Coalition for Patient Privacy went further and recommended that HHS require all business associates and covered entities to “undergo meaningful and comprehensive security and privacy audits annually, to establish and prove that their methods of operation do in fact safeguard patient information.”
HHS will review the comments submitted on the proposed modifications to the HIPAA Rules and decide whether to incorporate them into the Final Rule, which is expected to be published by the end of 2010.
On Friday, May 7, 2010, the Office for Civil Rights (“OCR”) issued guidance related to the HIPAA Security Rule’s risk analysis requirement. Under HITECH, OCR is responsible for issuing annual guidance on provisions of the HIPAA Security Rule. This guidance is the first in a series of documents aimed at helping covered entities and business associates implement effective and appropriate administrative, physical, and technical security safeguards.
This guidance document is generally consistent with the materials provided by the Centers for Medicare and Medicaid Services (“CMS”) prior to the introduction of HITECH. For example, like the recently released OCR guidance, CMS historically directed covered entities to refer to the National Institute of Standards and Technology’s Special Publication 800-66 Rev.1, An Introductory Resource Guide for Implementing the HIPAA Security Rule (October 2008) (“NIST 800-66”). NIST 800-66 frequently directs readers to consult NIST SP 800-30, Risk Management Guide for Information Technology Systems (July 2002), which is also quoted extensively in the recently released OCR guidance. Moreover, the OCR guidance is quite similar to the HIPAA Security Series, Paper 6: Basics of Risk Analysis and Risk Management which was most recently revised by CMS in March 2007.
OCR encourages the public to offer feedback on the risk analysis guidance. Comments can be submitted to OCR at OCRPrivacy@hhs.gov.
Mark Paulding of the Privacy and Information Management practice in Hogan Lovells’ Washington, D.C. office prepared this entry.