HHS Settles HIPAA Case With Heart Surgery Center

By Anna Kraus and Rachel Grunberger

The Department of Health and Human Services (HHS) announced on Tuesday that Phoenix Cardiac Surgery, P.C. (Phoenix) agreed to pay $100,000 and implement a corrective action plan to come into full compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA).  HHS had been investigating the Arizona physician practice for potential violations of the HIPAA Privacy and Security Rules.

The investigation began when HHS received a report that Phoenix was posting clinical and surgical appointments for patients on an Internet-based calendar that was accessible by the public.  Upon further investigation, HHS determined that the physician practice had, among other things, failed to:

  • implement appropriate and reasonable administrative and technical safeguards to protect the privacy of protected health information (PHI)
  • identify a security officer and conduct the risk assessment required by the HIPAA Security Rule
  • enter into business associate agreements with its Internet-based calendar provider and Internet-based public e-mail provider
  • document that it trained any employees on HIPAA policies and procedures 


Final HIPAA/HITECH Rule Expected by July

By Anna Kraus and Rachel Grunberger

The Department of Health and Human Services (HHS) has submitted to the Office of Management and Budget (OMB) the long-awaited final rule implementing changes to the Health Insurance Portability and Accountability Act (HIPAA) regulations mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act.  The OMB has up to 90 days to review the final rule.  If OMB takes the full 90 days for its review (which is what HHS expects) and does not extend the review period, the final rule should be released by the end of June 2012.

HHS is calling the rule an “omnibus” regulation because it will finalize four different rulemakings:

  1. the proposed rule issued in July 2010 implementing changes to the HIPAA Privacy and Security Rules mandated by the HITECH Act, as well as other changes;
  2. the interim final breach notification rule issued in August 2009;
  3. the interim final enforcement rule issued in October 2009; and
  4. the proposed rule issued in October 2009 implementing changes to the HIPAA Privacy Rule mandated by the Genetic Information Nondiscrimination Act.

The rule is not expected to address the proposed rule concerning the accounting of disclosures requirement under the HIPAA Privacy Rule, which HHS issued in May 2011.

As OMB reviews the rule, covered entities and business associates should take the time to ensure they are positioned to implement the changes expected in the regulations, which we have discussed in previous posts.  HHS has indicated that it will likely begin enforcing the final rule 180 days after it becomes effective.  We will continue to report on developments related to the final rule.  In the meantime, if you have any questions about proposed changes, please contact our health privacy team.

Court Dismisses Claims Against Pharmacy for Selling Customers' Medical Information

Judge Mary McLaughlin of the Eastern District of Pennsylvania recently dismissed a class action complaint brought against CVS Pharmacy and CVS Caremark for selling information provided by prescription drug purchasers.  Notably, in its decision in Steinberg v. CVS Caremark Corp., the court found that information on a customer’s prescription drug and medical history “carries with it no compensable value at the individual level.”  

The plaintiffs, on behalf of a class of Pennsylvania prescription drug purchasers, brought claims under the Pennsylvania Unfair Trade Practices and Consumer Protection Law (UTPCPL) and for unjust enrichment and invasion of privacy.  The UTPCPL claim was based on defendants’ representations that they did not share customer information in violation of federal or state law.  Plaintiffs alleged that the defendants’ sale of information violated HIPAA, even though they conceded that the information the defendants sold was “de-identified.”  The information consisted of medical history, prescription drugs dispensed, dates of prescriptions, diagnoses, and physician names, but not patient names, birth dates, or Social Security numbers.

Plaintiffs argued, however, that the information shared could be “re-identified,” or associated with a specific person in violation of HIPAA.  The court found plaintiffs’ generalized warning of re-identification insufficient to show a HIPAA violation without demonstrating how the threat applied in the circumstances of the case: “The Court was referred to the name of an article in an academic journal discussing risks associated with re-identification of data, but counsel did not explain how or whether the theory applied to this case.” 

In the end, the court dismissed all three claims, determining that “the defendants neither sold information entitled to legal protection nor made any misrepresentations on which the plaintiffs justifiably relied . . . .”  Moreover, “the information the defendants sold to third parties does not carry a compensable value to the plaintiffs or constitute an invasion of privacy.”  The court also dismissed the claims with prejudice, finding that the plaintiffs had not presented a viable alternate theory of recovery.
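The re-identification argument the plaintiffs raised, and the court found unsupported on the record, is the classic linkage attack: a record that carries no name can still be tied to a person if the attributes it does keep (here, the prescriber and the dispensing date) can be joined against a second data set that does carry names. The script below is an added illustration, not code or data from the case or from any party to it; the pharmacy records and the appointment calendar are constructed sample data, and the calendar is the kind of publicly exposed schedule described in the Phoenix Cardiac Surgery post above. It joins the two sets on the (physician, date) quasi-identifier and reports which records collapse to a single candidate, then repeats the join with dates generalized to the year to show how much (and how little) that helps.

```python
"""Linkage re-identification of "de-identified" prescription records.

Added illustration for this post. All records and names below are
constructed sample data, not data from Steinberg v. CVS or any pharmacy.
"""
from collections import defaultdict
from datetime import date

# Constructed "de-identified" pharmacy records: no names, birth dates or
# SSNs, but the prescriber and the dispensing date survive (as the
# Steinberg plaintiffs alleged), and each record carries a sensitive attribute.
RX_RECORDS = [
    {"rx_id": 1, "dispensed": date(2011, 3, 14), "prescriber": "Dr. Alvarez", "drug": "sertraline"},
    {"rx_id": 2, "dispensed": date(2011, 3, 14), "prescriber": "Dr. Alvarez", "drug": "metformin"},
    {"rx_id": 3, "dispensed": date(2011, 3, 15), "prescriber": "Dr. Alvarez", "drug": "lisinopril"},
    {"rx_id": 4, "dispensed": date(2011, 3, 16), "prescriber": "Dr. Brandt", "drug": "efavirenz"},
]

# Constructed auxiliary data: a publicly reachable appointment calendar
# listing which named patient saw which physician on which day.
CALENDAR = [
    {"patient": "P. Quinn", "physician": "Dr. Alvarez", "visit": date(2011, 3, 14)},
    {"patient": "R. Singh", "physician": "Dr. Alvarez", "visit": date(2011, 3, 14)},
    {"patient": "T. Okafor", "physician": "Dr. Alvarez", "visit": date(2011, 3, 15)},
    {"patient": "M. Lee", "physician": "Dr. Brandt", "visit": date(2011, 3, 16)},
]


def quasi_key(physician, d, precision):
    """Build the join key from the quasi-identifiers at the chosen date precision."""
    if precision == "day":
        return (physician, d.isoformat())
    if precision == "year":
        # Generalization: keep only the year, as a Safe Harbor-style release would.
        return (physician, str(d.year))
    raise ValueError(f"unknown precision {precision!r}")


def link(rx_records, calendar, precision="day"):
    """Join records to calendar entries on the quasi-identifier.

    Returns {rx_id: sorted list of candidate patient names}. An empty list
    means no calendar entry shared the key; one name means re-identified.
    """
    index = defaultdict(set)
    for entry in calendar:
        index[quasi_key(entry["physician"], entry["visit"], precision)].add(entry["patient"])
    return {
        rec["rx_id"]: sorted(index.get(quasi_key(rec["prescriber"], rec["dispensed"], precision), ()))
        for rec in rx_records
    }


def reidentified(links):
    """rx_ids whose candidate set collapsed to exactly one person."""
    return {rx_id for rx_id, candidates in links.items() if len(candidates) == 1}


if __name__ == "__main__":
    for precision in ("day", "year"):
        links = link(RX_RECORDS, CALENDAR, precision)
        print(f"{precision}: re-identified {sorted(reidentified(links))}")
        for rx_id, candidates in links.items():
            print(f"  rx {rx_id}: {candidates}")
```

At day precision, records 3 and 4 each match exactly one calendar entry and are re-identified together with the drug dispensed; records 1 and 2 remain ambiguous only because two patients saw the same doctor that day. Generalizing the date to the year protects the Dr. Alvarez records, but record 4 is still re-identified because Dr. Brandt has a single patient in the auxiliary data: generalization of the released set alone cannot guarantee anything about equivalence classes that are small in the outside data an adversary holds. This is the concrete showing the court said the plaintiffs never made, namely which auxiliary data exists and how the surviving attributes join against it; the decision as summarized here does not say which de-identification method the defendants applied.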

Minnesota AG Files First HIPAA Enforcement Action Against Business Associate

Last month, the Minnesota Attorney General filed a lawsuit in federal court against Accretive Health, Inc. alleging that the company violated various provisions of HIPAA as well as Minnesota consumer privacy and protection law.  Although HIPAA-covered entities have been the subject of enforcement actions by state AGs and the Department of Health and Human Services, this marks the first time that an enforcement action has been brought against a HIPAA business associate.   

Accretive had partnered with two Minnesota hospitals to deliver “revenue cycle operations” services, including scheduling, registration, admissions, billing, collection and payment functions.  For one of the Minnesota hospitals, Accretive also performed “care coordination” services.  Because both the revenue cycle and care coordination services required the hospitals (HIPAA-covered entities) to disclose protected health information (PHI) to Accretive, Accretive qualifies as a “business associate” under HIPAA, and therefore must comply with certain HIPAA requirements or face civil or criminal penalties.


ONC Proposes Nationwide Survey on EHR Privacy, Security

The Office of the National Coordinator for Health Information Technology (ONC) is proposing to conduct a nationwide survey regarding consumer attitudes toward the privacy and security aspects of electronic health records (EHR) and electronic health information exchange, according to a notice in last Thursday’s Federal Register.

ONC’s plan is to use computer-assisted telephone interviews to interview a representative sample of the general population annually for five years.  The survey will focus on the percentage of individuals who are concerned about the privacy and security of EHR, who have opted to withhold medical information from their doctor due to privacy concerns, and who are concerned that an unauthorized person will see their medical information if it is sent electronically, among other things.  ONC will analyze whether these numbers change over the course of the study from 2012 to 2016.

According to ONC, the purpose of the study is to “better understand individuals’ attitudes toward the privacy and security aspects of the use of [EHR] and electronic health information exchange as well as inform policy and programmatic objectives.”   

HHS Considers Providing Right to Receive Test Reports Directly From Labs

The U.S. Department of Health and Human Services (HHS) is currently accepting comments on a proposed rule that would amend regulations under the Clinical Laboratory Improvement Amendments of 1988 (CLIA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA). 

Under the HIPAA Privacy Rule, individuals have the right of access to their protected health information.  However, the rule currently contains exceptions for CLIA-certified laboratories and CLIA-exempt laboratories.  These exceptions were originally included in the Privacy Rule to avoid a conflict with CLIA requirements that limited patient access to reports, according to HHS.

HHS’s proposal would provide individuals the right to receive their test reports directly from laboratories by amending the HIPAA Privacy Rule to remove the exceptions for CLIA-certified laboratories and CLIA-exempt laboratories.  HHS explains that, because the Centers for Medicare & Medicaid Services (CMS) is proposing to amend the CLIA regulations to allow CLIA-certified laboratories to provide patients with direct access to their test reports, there is no longer a need for the exceptions.  HHS believes the existing exceptions will impede individuals’ right of access to test reports, and the failure to eliminate them “would be inconsistent with the CMS proposal and the goals of HHS to improve individuals’ electronic access to their health information and have widespread adoption of EHRs by 2014.”

Comments on the proposed rule are due November 14, 2011.

HHS Contemplates Data Security Standards for Human Research

The U.S. Department of Health and Human Services (“HHS”) has announced that the federal government is contemplating establishing mandatory data security and information protection standards for identifiable information collected from human research subjects. HHS made this announcement in a July 26, 2011 Advance Notice of Proposed Rulemaking.

The “Common Rule,” 45 C.F.R. 46, is a federal policy regarding the protection of human research subjects that applies to 17 federal agencies and offices. It has been in place since 1991. In the July 26 ANPRM, HHS seeks the public’s input on an array of issues related to the ethics, safety, and oversight of human research. The federal government’s two overarching goals with respect to the Common Rule revisions it is considering are: (1) to enhance the protection of research subjects and (2) to improve the efficiency of the review process. The changes under consideration would also extend federal oversight to some non-federally funded studies.

The agency is considering adopting the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) standards of identifiability in order to harmonize definitions across federal agencies. HHS recognizes that the majority of unauthorized disclosures of identifiable health information from investigators occur due to inadequate data security. Thus the agency seeks, among other possible regulatory reforms, to establish mandatory data security and information protection standards modeled on the HIPAA Security Rule for all studies involving identifiable or potentially identifiable data. These would include: (a) data encryption for electronic forms, (b) physical safeguards for paper forms, (c) breach notification procedures similar to HIPAA standards, and (d) a prohibition against the inappropriate re-identification of de-identified information that is collected or generated as part of a study. HHS is also considering requiring the use of periodic random retrospective audits and additional enforcement tools.

HHS foresees that implementation of these new data security and information protection standards would reduce the potential for violations of privacy and confidentiality. However, HHS is considering applying the standards only to collections of data and biospecimens taking place after the implementation of changes to the Common Rule and not retrospectively to research involving existing data.

OIG Urges Inclusion of General IT Security Controls in HIT Standards

By Anna Kraus & Rachel Grunberger

As we reported previously, the Department of Health and Human Services (HHS) Office of Inspector General (OIG) recently issued two reports that highlight continuing concerns over how best to ensure the privacy and security of electronic health information.  Earlier this week, we provided more detail on the OIG’s report regarding CMS oversight of the HIPAA Security Rule.

On May 16, 2011, the OIG released a second report relating to federal data security standards, Audit of Information Technology Security Included in Health Information Technology Standards. In this report, the OIG expressed concern that federal health information technology (HIT) standards do not include general information technology (IT) security controls.  Instead, HIT standards focus primarily on application controls, which apply within an IT system and can be circumvented in the absence of strong general security controls.  The audit recommended that the Office of the National Coordinator for Health Information Technology (ONC) take the following steps:

  • Include general security controls in HIT standards;
  • Provide guidance to the health industry and the medical community regarding the value of general IT security as well as general IT security standards and best practices; and
  • Cooperate with the Centers for Medicare & Medicaid Services (CMS) and the HHS Office for Civil Rights (OCR) to require general IT security controls where appropriate.


OIG Finds CMS Oversight of the HIPAA Security Rule Insufficient to Ensure Covered Entity Compliance

By Anna Kraus & Rachel Grunberger

In a previous post, we highlighted two reports recently issued by Department of Health and Human Services (HHS) Office of Inspector General (OIG), which criticize HHS’s oversight of health information privacy and security.  In today’s post, we provide greater detail regarding one of those reports (Nationwide Rollup Review of the Centers for Medicare & Medicaid Services Health Insurance Portability and Accountability Act of 1996 Oversight).  We will delve into the second report in a forthcoming post. 

The OIG’s Nationwide Rollup Review found that oversight by the Centers for Medicare & Medicaid Services (CMS) had been insufficient to ensure that hospitals and other covered entities have effectively implemented the HIPAA Security Rule.  Specifically, the OIG noted that although CMS had performed a limited number of covered entity compliance reviews, these reviews tended to be reactive rather than proactive.  According to the OIG, CMS relied primarily on education efforts and voluntary compliance to enforce the Security Rule rather than developing a structured compliance review process. 

CMS was initially delegated authority to enforce compliance with the Security Rule in 2003 and published a final Security Rule that year.  Enforcement authority was subsequently transferred to the HHS Office for Civil Rights (OCR) in 2009.  OCR reports that it has a process in place to conduct proactive compliance reviews even in the absence of specific complaints.  However, the OIG appeared to question this assertion, stating that OCR had not produced evidence of reviews targeted at entities which had not been specifically flagged for scrutiny.  The OIG concluded by recommending that OCR continue the compliance review process begun by CMS and ensure that it provides for reviews in the absence of complaints. 


Supreme Court Strikes Down Vermont Law Restricting Use of Prescriber-Identifiable Data

Today, in a 6-3 decision, the U.S. Supreme Court struck down a Vermont law restricting the sale, disclosure, and use of pharmacy records that reveal the prescribing practices of individual doctors.  In so holding, the Supreme Court found that speech in aid of pharmaceutical marketing is a form of expression protected by the First Amendment.   The decision is consistent with the concerns about the statute evident from the Court’s questions at oral argument, which were discussed in a previous post.

At issue was the Vermont Prescription Confidentiality Law, which regulates the ability of pharmacies to sell information about physician prescription practices — known as “prescriber-identifying information.”  The Vermont law prohibited pharmacies and other entities from selling prescriber-identifying information for marketing purposes or allowing such information to be used for marketing purposes without a prescriber’s consent.  The law was challenged by a group of three data miners and an association of pharmaceutical manufacturers. 

The Supreme Court characterized the use of prescriber-identifying information as “speech in aid of pharmaceutical marketing” and concluded that it is a form of expression protected by the First Amendment, the regulation of which is subject to heightened scrutiny.  It rejected arguments that the law was a commercial regulation that placed only an incidental burden on expression, finding instead that “Vermont’s law imposes a burden based on the content of speech and the identity of the speaker.”  According to the Supreme Court, the law had the effect of preventing only pharmaceutical marketers, but not other speakers, from communicating with physicians in an effective and informative manner.   Because the law prohibited use of the information for only one purpose, the Court observed that while “[i]t may be assumed that . . . physicians have an interest in keeping their prescription decisions confidential,” the challenged law “is not drawn to serve that interest.”     

Justice Kennedy authored the Supreme Court’s opinion in this case, Sorrell v. IMS Health, Inc.  Justice Breyer authored a dissent, which was joined by Justices Ginsburg and Kagan.

HHS Regulatory Review Plan Contemplates Modifications to HIPAA

By Anna Kraus and Rachel Grunberger

Last Thursday, the Office of Management and Budget (OMB) released the preliminary regulatory review plans of 30 federal agencies, including the Department of Health and Human Services (HHS).  The regulatory review plans were mandated by President Obama in an executive order issued earlier this year, and are intended to identify initiatives to reduce burdens and save money.

In HHS’s regulatory review plan, available here, the Department states that it is undertaking revisions to the HIPAA requirements in order to:

  • streamline the process for children to be enrolled in schools;
  • facilitate the ability of individuals to access their own health information; and
  • ease burdens on health plans while ensuring that beneficiaries receive notice of material changes to their plans.

As part of this effort, HHS intends to review existing HIPAA regulations related to disclosures of student immunizations to schools, accounting of disclosures requirements, and requirements on health plans to redistribute to individuals their notices of privacy practices when material changes are made.

The HHS plan also references the proposed modifications to the HIPAA Privacy Rule to streamline the authorization requirements for research, stating that the Office for Civil Rights (OCR) is “working to finalize changes in this area as part of a broader rulemaking that includes final modifications to the HIPAA Rules pursuant to the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act, as well as a final Breach Notification Rule.”

The plan suggests that we will be seeing more changes to the HIPAA regulations in the future, beyond those contemplated in the proposed rule implementing the HITECH Act.  Indeed, OCR on Friday issued a proposed rule containing modifications to the requirement for an accounting of disclosure, which we will discuss in a subsequent entry. 

OIG Criticizes HHS Oversight of the HIPAA Security Rule, Data Security Controls in Health IT Standards

By Anna Kraus and Rachel Grunberger

Last week, the Office of Inspector General (OIG) within the Department of Health and Human Services (HHS) issued two audit reports regarding federally mandated data security measures for health information.  Both reports are highly critical of HHS’s efforts to protect the security of electronic health information.

In the first report, available here, the OIG concluded that the Centers for Medicare and Medicaid Services’ (CMS) oversight of the HIPAA Security Rule was insufficient.  Specifically, the OIG concluded that CMS’s oversight and enforcement activities did not adequately ensure that covered entities, such as hospitals, effectively implemented the Security Rule.  CMS consequently had limited assurance that controls were in place to protect electronic protected health information (ePHI), the OIG concluded, thereby “leaving ePHI vulnerable to attack and compromise.”

In the second report, available here, the OIG found that the health information technology (HIT) standards issued by the Office of the National Coordinator for Health Information Technology (ONC) lacked general IT security controls.  Examples of general IT security controls include:

  • encrypting data stored on mobile devices
  • requiring two-factor authentication when remotely accessing an HIT system
  • patching the operating systems of computer systems that process and store EHR

The OIG concluded that the lack of these controls raises concern about the effectiveness of IT security for HIT.

The OIG audit findings suggest that we may be seeing heightened enforcement activities related to the HIPAA Security Rule and more stringent security controls for electronic health records.  In future posts, we will delve into the OIG’s specific findings and recommendations.

HIPAA Privacy, Security Rules Are "Quite Far Along"

Last week, Sue McAndrew, deputy director for health information privacy at the Office for Civil Rights (OCR) in the Department of Health and Human Services, said that OCR was "quite far along" on its efforts to adopt a final rule implementing changes to the HIPAA regulations pursuant to the HITECH Act.  She added that she anticipated the rule “certainly by the end of the year." McAndrew made the remarks at a HIPAA conference sponsored by OCR and the National Institute of Standards and Technology.  Previously, OCR had indicated that the final rule would be published in March.

As we have previously reported, the proposed rule, released last July, contains sweeping changes to the privacy, security, and enforcement rules promulgated under HIPAA. In prior blog entries, we explored aspects of the proposed rule relating to marketing, clinical research, and the sale of protected health information that, if included in the final rule, are likely to have a significant impact on the business operations of pharmaceutical and other life sciences companies. (Although generally not regulated under HIPAA directly, such companies often have arrangements with entities that are covered entities or business associates under HIPAA.)

Supreme Court Justices Seem Skeptical of Vermont Law Restricting Use of Prescriber-Identifiable Data

The U.S. Supreme Court heard oral argument last week in Sorrell v. IMS Health, Inc.  As described in our earlier post, the case involves a constitutional challenge to a Vermont law prohibiting the use or sale of doctors’ identifying information in prescription records—i.e., prescriber-identifiable data—without the doctor’s express consent.

The key legal issue, as framed by the Vermont Attorney General in the cert petition, is whether “laws that restrict access to or commercial use of non-public drug prescriber information implicate First Amendment rights and, if so, what type of First Amendment review applies.”  The Court of Appeals for the Second Circuit had ruled that the law is an impermissible restriction on commercial speech under the First Amendment.

At the oral argument on April 26, the assistant state attorney general characterized the law as meant to protect a privacy interest of physicians.  She asserted that physicians should be allowed to choose whether information they’re required to give to pharmacies may be used in marketing directed toward them.  The lawyer for IMS Health countered that the State may not restrict the speech of one type of stakeholder to favor another.

Press reports of the oral argument indicate that, like the Second Circuit, a majority of the Supreme Court seemed to be troubled by the law.  The Court seemed to be leaning toward a determination that the commercial use of the data is protected commercial speech.  The concept that the law served to protect a privacy interest of the physicians seemed to gain very little traction, since it was noted that the same information that Vermont seeks to prevent the branded pharmaceutical industry from using is generally available for use by other stakeholders in the health care industry.  A number of the justices also reportedly expressed concern with the way Vermont sought to lower health care costs through the law—not by direct regulation, but by restricting the flow of information to doctors.

A decision in the case is expected by June.

Saskatchewan Information and Privacy Commissioner Issues Advisory on Health Record Disposition

Improper disposition of medical records appears to be an international problem.  The Saskatchewan Information and Privacy Commissioner recently issued regulatory guidance to health care providers on complying with the province's health data protection law.  The guidance is being sent to all health regulatory bodies and health care organization privacy boards in Saskatchewan to remind them of their obligations under the Health Information Protection Act (HIPA), which was enacted in 1999 and took effect Sept. 1, 2003.  The guidance was prompted in part by an incident in which thousands of patient records were dumped in a recycling bin in the provincial capital of Regina.

The guidance noted that “[e]lectronic medical records may largely eliminate the prospect of patient files blowing in the wind around dumpsters but pose other significant privacy risks. These include snooping, viewing of personal health information without any appropriate need to know, gossip, and carelessness.”

Among the recommendations in the guidance are the following:

  • Designate a Privacy Officer with specific responsibility for compliance with privacy laws and the safe retention and disposition of personal health information.
  • Adopt written policies and procedures, “including physical, administrative and technical measures reasonable for the protection of personal health information.”
  • Adopt and follow a record retention and disposition schedule.
  • Ensure that all personal health information is properly and safely stored at all times.
  • Ensure that when disposing of personal health information all materials are shredded or otherwise completely destroyed.
  • Enter into an appropriate agreement with any entity to which the storage or destruction of patient files is outsourced.

Sound advice for those maintaining personal health information, no matter where they are located.

ONC Seeks Public Comment on Federal Health IT Strategic Plan

The Office of the National Coordinator for Health Information Technology (ONC) is requesting public comment on its Federal Health Information Technology Strategic Plan: 2011-2015.  ONC updated the Plan (last published in 2008) to reflect the major changes to health IT policy contained in the HITECH Act and the Affordable Care Act.  The Plan, which reflects ONC’s strategy for realizing Congress’s and the Administration’s health IT agenda over the next five years, focuses on, among other things, new privacy and security protections for electronic health records. 

Specifically, Goal III of the Plan highlights efforts to update the government’s approach to privacy and data security issues related to health IT and to foster greater confidence and trust in electronic health records and health information exchange among providers and the public.  These efforts will include a major investment in education and outreach strategy to improve the public’s understanding of electronic health information, how this information can be used, and the privacy and security requirements under the HIPAA regulations.

ONC will accept comments on the Strategic Plan through April 22, 2011. 

Covington to Participate in Healthcare Privacy Panel

Next week, IAPP hosts its annual Global Privacy Summit in Washington, D.C.  Inside Privacy will be attending the event, which has attracted a number of significant stakeholders in years past and will provide a good opportunity to take the temperature of stakeholders on key privacy and data security issues.

Those who are interested in health privacy may be especially interested in the panel led by my colleague, Demetrios Kouzoukas, on March 11 from 11:45 am to 12:45 pm. “Notions of Health Privacy as a Function of Technology, Law and Policy” will look at how notions of privacy in the area of healthcare have changed and what that means for legal rights and responsibilities regarding health information. Technology has made health privacy both more and less possible, and has created new questions regarding health privacy, especially in a time when new media and social networking have made private lives more public. As Demetrios discussed in a prior post, the panel will provide an overview of significant legal developments, including regulatory and legislative developments and enforcement efforts, and explore how government agencies look at health care privacy issues. Demetrios previously served as Deputy General Counsel for the Department of Health & Human Services. The other panelists include:

  • Jodi Daniel, Director, Office of Policy and Planning, Office of the National Coordinator for Health IT, U.S. Department of Health & Human Services
  • Kerry Weems, Senior Vice President and General Manager, Health Solutions, Vantage; Former Administrator, Centers for Medicare & Medicaid Services

HHS Announces $1 Million HIPAA Settlement

Two days after imposing the first-ever civil money penalty for HIPAA violations, the Office for Civil Rights (OCR) within the Department of Health and Human Services (HHS) announced that Massachusetts General Hospital (Mass General) has agreed to pay $1 million to settle potential violations of the HIPAA Privacy Rule.

OCR initiated an investigation of Mass General after receiving a complaint from a patient whose protected health information (PHI) was lost.  The investigation revealed that, on March 9, 2009, a Mass General employee left documents on a train during her morning commute that contained PHI—including name, date of birth, and diagnosis—of 192 patients of an outpatient practice, including patients with HIV/AIDS.  Based on these findings, OCR concluded that Mass General had failed to implement reasonable and appropriate safeguards to protect PHI when removed from the premises, and potentially had impermissibly disclosed PHI in violation of the Privacy Rule. 

In a Resolution Agreement with HHS, Mass General agreed to pay $1 million and enter into a Corrective Action Plan to implement policies and procedures to protect the privacy of its patients.  This latest announcement is further evidence that the agency is gearing up to flex its enforcement muscles.  It will be interesting to see if the recent enforcement actions are the first in a long string of actions that HHS announces over the next few weeks.

HHS Imposes $4.3 Million Civil Money Penalty for HIPAA Privacy Violations

The Office for Civil Rights (OCR) within the Department of Health and Human Services (HHS) announced Tuesday that it has issued a Notice of Final Determination finding that Cignet Health of Prince George’s County, Maryland (Cignet) violated the HIPAA Privacy Rule.  HHS imposed a $4.3 million civil money penalty on Cignet for the violations—the first civil money penalty ever issued by HHS for violations of the Privacy Rule.

The civil money penalty imposed on Cignet is based on the new violation categories and increased penalty amounts established under the HITECH Act, which we reported on previously.  In a Notice of Proposed Determination issued on October 20, 2010, OCR found that:

  • Between September 2009 and October 2009, Cignet failed to provide 41 individuals with timely access to copies of protected health information (PHI) about them in the designated record sets maintained by Cignet, in violation of 45 C.F.R. § 164.524.
  • From March 2009 through April 2010, Cignet failed to cooperate with OCR’s investigation of 27 complaints regarding Cignet’s noncompliance described above, in violation of 45 C.F.R. § 160.310(b).


Report: Over 6 Million Individuals Affected by PHI Breaches Since August 2009

A total of 225 breaches of protected health information (PHI) affecting 6,067,751 individuals have been recorded since the HIPAA breach notification rule was issued in August 2009 pursuant to the HITECH Act, according to a report by Redspin, a provider of HIPAA risk analysis and IT assessment services.

According to the report:

  • Single breaches affecting over 500 individuals have taken place across 43 states, the District of Columbia, and Puerto Rico.
  • 27,000 individuals, on average, are affected by a single breach.
  • 82 days, on average, pass between breach discovery and notification/update to HHS.
  • 40% of records breached involve business associates.
  • 61% of breaches are a result of malicious intent.

To reduce the risk and impact of a future breach, the report recommends that covered entities and business associates should: (1) implement encryption on all PHI in storage and transit; (2) strengthen information security user awareness and training programs; (3) implement a mobile device security policy; and (4) ensure that business associate due diligence includes a periodic review of implemented controls.

The report also warns that “business associates are data rich targets that are consequently likely to see an increase in malicious activity,” underscoring the need for covered entities carefully to select and contract with their business associates and for business associates to implement robust physical, administrative and technical safeguards.

The full report is available here.

HIPAA/HITECH Regulations are Coming: What do Pharmaceutical Companies Need to Know? (Part 5 of 5)

In our final post on what pharmaceutical companies should know about the forthcoming HIPAA/HITECH regulations, we will discuss provisions in the proposed rule relating to the sale of protected health information.  We previously covered the Department of Health and Human Services’ (HHS) proposed treatment of communications about currently prescribed drugs, remunerated treatment communications, authorizations for future research, and compound authorizations.

Sale of Protected Health Information

The HITECH Act added a new circumstance where a covered entity must obtain authorization: the sale of protected health information.  (The HIPAA Privacy Rule also requires authorizations for uses and disclosures for marketing and most uses and disclosures of psychotherapy notes.)


HIPAA/HITECH Regulations are Coming: What do Pharmaceutical Companies Need to Know? (Part 4 of 5)

This is the fourth in our series on provisions of the Department of Health and Human Services (HHS) proposed rule implementing the HITECH Act that, if included in the final rule, are likely to have the greatest impact on the business operations of pharmaceutical and other life sciences companies.  We previously covered HHS’s proposed treatment of communications about currently prescribed drugs, remunerated treatment communications, and authorizations for future research.

Today we will address how HHS may relax the current restrictions on “compound authorizations” for research purposes.

Compound Authorizations

HHS is proposing to amend the compound authorization requirements under the HIPAA Privacy Rule, which currently prohibit combining an authorization that conditions treatment, payment, enrollment in a health plan, or eligibility for benefits with an authorization for another purpose on which treatment, payment, enrollment, or eligibility may not be conditioned.  HHS recognized that the excess paperwork that results from this restriction has been found to be burdensome and potentially confusing to patients, as well as administratively burdensome for clinical researchers.


HIPAA/HITECH Regulations are Coming: What do Pharmaceutical Companies Need to Know? (Part 3 of 5)

In this third post on the forthcoming HIPAA/HITECH regulations, we will discuss potential modifications to the rules regarding authorization for future research.  In earlier posts, we covered the Department of Health and Human Services’ (HHS) proposed treatment of communications about currently prescribed drugs and remunerated treatment communications.

Future Research

In the proposed rule issued last July, HHS stated that it is “considering whether to modify its interpretation that an authorization for the use or disclosure of protected health information for research be research-study specific.”  The agency was prompted to revisit this issue after hearing concerns from covered entities and researchers about how the current interpretation encumbers secondary research, results in individuals being re-contacted to sign multiple authorization forms at different points in the future, and is inconsistent with the Common Rule.


HIPAA/HITECH Regulations are Coming: What do Pharmaceutical Companies Need to Know? (Part 1 of 5)

As we previously reported, the Office for Civil Rights within the Department of Health and Human Services (HHS) has indicated that the final rule implementing changes to the HIPAA regulations under the HITECH Act will be issued in March.  The proposed rule, released last July, contains sweeping changes to the privacy, security, and enforcement rules promulgated under HIPAA.  In this and four subsequent blog posts, we will explore aspects of the proposed rule relating to marketing, clinical research, and the sale of protected health information.  These changes, if included in the final rule, are likely to have the greatest impact on the business operations of pharmaceutical and other life sciences companies.  (Although generally not regulated under HIPAA directly, such companies often have arrangements with entities that are covered entities or business associates under HIPAA.)

Communications About Currently Prescribed Drugs

The first topic we will address is HHS’s proposed treatment of refill reminders and other communications about currently prescribed drugs.  The HIPAA Privacy Rule generally requires that a covered entity obtain prior written authorization from an individual before using that individual’s protected health information for marketing purposes.  Prior to the HITECH Act, certain communications, including those related to treatment and care coordination, were excluded from the definition of marketing.  But under the HITECH Act, if a covered entity or business associate is compensated by a third party for making certain communications (including those related to treatment and care coordination), the covered entity generally must obtain prior authorization.


FTC Issues Guidance on Medical Identity Theft

The Federal Trade Commission recently posted a frequently asked question designed to remind health care providers and health plans of their obligations when they become aware of medical identity theft.  The FAQ describes medical identity theft as occurring “when someone uses another person’s name or insurance information to get medical treatment, prescription drugs or surgery.  It also happens when dishonest people working in a medical setting use another person’s information to submit false bills to insurance companies.” 

The guidance states that a complaint from an individual that he or she has been billed for services he or she did not receive should trigger an investigation and, where appropriate, correction of the records and notification of the correction “to everyone who accessed the patient’s medical or billing records.”  The guidance further reminds health care providers and health plans that they may have additional obligations under the Fair Credit Reporting Act and the HIPAA breach notification and security rules. 

The FTC seems to be taking a new interest in medical identity theft.  The agency also recently published Facts for Consumers on Medical Identity Theft.

HHS Sends to OMB Rule Expanding HIPAA Disclosure Requirement

On February 9, the Department of Health & Human Services (HHS) sent to the Office of Management and Budget (OMB) a proposed rule to implement the requirement in the Health Information Technology for Economic and Clinical Health (HITECH) Act that individuals be given an expanded accounting of disclosures of protected health information (PHI) contained in an electronic health record.  OMB should finish its review within 90 days, and the proposed rule could be published shortly thereafter. 

Under the HIPAA Privacy Rule, upon request from an individual, a covered entity must provide the individual with an accounting of certain disclosures of his/her PHI made by the covered entity during the prior six years.  That accounting need not include disclosures made for purposes of treatment, payment or health care operations.  Under the HITECH Act, if a covered entity maintains an electronic health record, the covered entity must provide the individual, upon request, an accounting that includes disclosures for treatment, payment and health care operations for the prior three years. 

The HITECH Act directs HHS to promulgate regulations implementing the new accounting requirement.  The statute further directs that, “Such regulations shall only require such information to be collected through an electronic health record in a manner that takes into account the interests of the individuals in learning the circumstances under which their protected health information is being disclosed and takes into account the administrative burden of accounting for such disclosures.”  Last May, HHS published a request for information to help inform the agency’s rulemaking in this area.

Prior to the 2003 compliance date for the HIPAA Privacy Rule, many covered entities feared that complying with requests for accountings of disclosure would be one of the more burdensome aspects of Privacy Rule compliance.  Anecdotal evidence, however, indicates that very few individuals have sought to exercise their right to an accounting.  It will be interesting to see how much of an administrative burden on covered entities HHS is proposing in light of the general public’s current lack of interest in obtaining an accounting.

Supreme Court Grants Review of Second Circuit Medical Privacy Ruling

On January 7, 2010, the U.S. Supreme Court agreed to review a Court of Appeals decision striking down Vermont's prescription confidentiality law.  The State of Vermont had petitioned the Supreme Court to review the case on December 13, 2010, after the Second Circuit ruled that the law constituted an impermissible restriction on commercial speech under the First Amendment. 

The Vermont law at issue requires doctors’ consent before their identifying information in prescription records—i.e., prescriber-identifiable data—can be used or sold for marketing prescription drugs.

The Court of Appeals for the Second Circuit had ruled that the law is an impermissible restriction on commercial speech under the First Amendment, reversing and remanding the district court.  This ruling created a split with the First Circuit, which had previously upheld prescription confidentiality laws in Maine and New Hampshire.

The key legal issue that the Supreme Court will confront, as framed by the Vermont Attorney General, is whether “laws that restrict access to or commercial use of non-public drug prescriber information implicate First Amendment rights and, if so, what type of First Amendment review applies.”  Oral arguments are expected to be scheduled for the current term, with a decision potentially announced by the end of the term in June.

The Supreme Court’s ruling on this issue is likely to have significant implications for the pharmaceutical industry.  Pharmaceutical companies use prescriber-identifiable data for many different purposes, such as to focus their marketing efforts, to impart safety and risk information to prescribers of particular drugs, and to conduct research.  A ruling that Vermont’s law is constitutional could pave the way for other States to enact similar (or potentially more onerous) laws restricting the commercial use of prescriber-identifiable data. 

Governmental Cloud in the EU - New ENISA Report

Hot on the heels of its report on data breach notifications in the EU, the EU's cyber security regulator, ENISA, published yesterday a new report on cloud computing in the government.  The report is targeted at senior managers of public bodies who are considering cloud computing platforms and services, and it aims to highlight the pros and cons of different cloud models with regard to information security and resilience.  The report summarizes relevant legal and regulatory considerations, and bases its analysis and conclusions on the examples of a healthcare authority and local public administration migrating to the cloud, and the creation of a governmental cloud infrastructure.

The report acknowledges that cloud computing has the potential to offer public administrations substantial benefits and improvements over current IT provisioning, such as increased availability and reliability, stronger security and better value.  However, the report recommends private and community clouds over public clouds, and ultimately urges European governments to adopt a staged approach in integrating cloud computing into their operations.

Notions of Health Privacy as a Function of Technology, Law and Policy

The International Association of Privacy Professionals hosts its Global Privacy Summit in Washington, DC on March 9-11.  Those who are interested in health privacy may be especially interested in the following session on March 11 from 11:45 am to 12:45 pm:

Notions of Health Privacy as a Function of Technology, Law and Policy

As medical records move from paper charts to databases, notions of privacy in the area of healthcare have changed significantly, and will continue to do so. Legal rights and responsibilities regarding health information have emerged, and policymakers have contended with competing stakeholder interests. Explore how technology has made health privacy both more and less possible, and has created new questions regarding health privacy, especially in a time when new media and social networking have made private lives more public. This session will examine how legal rights and responsibilities regarding health privacy have emerged from legislatures, prosecutors and courts, and how government has had to balance patient perspectives with the interests of health providers, health plans, the IT community and other stakeholders.

Jodi Daniel, Director, Office of Policy and Planning, Office of the National Coordinator for Health IT, U.S. Department of Health & Human Services
Demetrios Kouzoukas, Of Counsel, Covington & Burling LLP; Former Deputy General Counsel, U.S. Department of Health & Human Services
Kerry Weems, Senior Vice President and General Manager, Health Solutions, Vantage; Former Administrator, Centers for Medicare & Medicaid Services 

What you'll take away:

  • Overview of significant legal developments, including regulatory and legislative developments, and enforcement efforts
  • Insights into how legal rights and responsibilities in the health privacy area may change as notions of privacy in healthcare change
  • A sense of how government agencies look at these issues

If you miss the session, but are interested in the discussion, please contact dkouzoukas@cov.com.

Privacy in a Health IT World

The President's Council of Advisors on Science and Technology recently released a report entitled, "Realizing the Full Potential of Health Information Technology to Improve Healthcare for Americans: The Path Forward."  It is a wonkish discourse on the future of health information technology. 

The report offers an interesting glimpse at what may be the next, next generation of health privacy: automated access controls (by patients and providers) over individual elements of a health record.  See page 41 for a description of the metadata-tagging technology that would enable this, and pages 51-52 for examples of how it would work in practice.

In this case, new technology may provide simpler ways to comply with the existing regulatory scheme.  Consider, for example, the task of drafting and interpreting patient authorizations and the related conundrum of competing authorizations.  Entities holding records often insist on having their own forms signed by patients, even if those seeking records have their own forms signed by patients.  In a metadata-tagged health IT environment, a protocol for authorization elements could be incorporated into data exchange, and the data to which the authorization refers would be much clearer.

Those involved in the use of data for non-treatment purposes, e.g., research, should be at the table in ironing out those protocols and procedures, at least if the framework is going to enable compliance with the regulatory scheme and the research mission, as opposed to frustrating it.
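As an added illustration of the element-level, metadata-driven access control the post describes (this is example code, not the PCAST report's design or any vendor's implementation), the block below assumes a hypothetical tagging scheme: each record element carries a `category` tag, and each patient authorization names the recipient, purpose, categories and expiry date it covers. Competing authorizations are then resolved per element rather than per form, which is the "clearer data" point made above.

```python
"""Element-level access control over a metadata-tagged health record.

Added example; not code from the PCAST report or from any product. It assumes
a hypothetical scheme in which every record element carries a 'category' tag
and every patient authorization names the recipient, purpose, categories and
expiry date it covers.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Element:
    name: str
    value: str
    category: str  # metadata tag the access decision is made on


@dataclass(frozen=True)
class Authorization:
    patient_id: str
    recipient: str         # who may receive the data
    purpose: str           # e.g. "treatment" or "research"
    categories: frozenset  # element categories the patient released
    expires: date          # an authorization is not open-ended


def release(record, patient_id, authorizations, recipient, purpose, today):
    """Split a record into (released, withheld) element names.

    Competing authorizations are resolved element by element, not form by
    form: an element is released if ANY unexpired authorization for this
    patient, recipient and purpose names its category. Everything else is
    withheld (deny by default, so an untagged or unnamed category stays put).
    """
    allowed = set()
    for a in authorizations:
        if (a.patient_id == patient_id and a.recipient == recipient
                and a.purpose == purpose and a.expires >= today):
            allowed |= a.categories
    released = [e.name for e in record if e.category in allowed]
    withheld = [e.name for e in record if e.category not in allowed]
    return released, withheld


# Constructed sample data (hypothetical patient, not real information).
SAMPLE_RECORD = [
    Element("name", "J. Doe", "demographics"),
    Element("date_of_birth", "1970-01-01", "demographics"),
    Element("medication", "metformin", "medication"),
    Element("hiv_status", "positive", "hiv"),
]

SAMPLE_AUTHS = [
    # The patient released demographics and medication data to a research registry.
    Authorization("p-001", "registry-x", "research",
                  frozenset({"demographics", "medication"}), date(2012, 12, 31)),
    # The patient released the whole record to the treating clinic.
    Authorization("p-001", "clinic-a", "treatment",
                  frozenset({"demographics", "medication", "hiv"}), date(2012, 12, 31)),
]

AS_OF = date(2011, 3, 1)         # request made while both authorizations are valid
AFTER_EXPIRY = date(2013, 1, 1)  # request made after both have expired


if __name__ == "__main__":
    # The registry gets demographics and medication, never the HIV element.
    print(release(SAMPLE_RECORD, "p-001", SAMPLE_AUTHS, "registry-x", "research", AS_OF))
    # After expiry nothing is released, whatever the form said.
    print(release(SAMPLE_RECORD, "p-001", SAMPLE_AUTHS, "registry-x", "research", AFTER_EXPIRY))
```

The design choice worth noting is that the decision is made on the tag, not on the document: two authorizations covering overlapping categories simply union their scopes, an authorization for a different purpose or recipient contributes nothing, and an expired one contributes nothing, so the record holder never has to reconcile two differently worded forms by hand.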

Coming Soon: Final HITECH Act HIPAA Privacy/Security Rules

In July of last year, the U.S. Department of Health & Human Services Office for Civil Rights issued a proposed regulation implementing changes to HIPAA resulting from the HITECH Act.  As we previously reported, the proposed regulation significantly expands the scope of the privacy, security, and enforcement provisions of HHS's existing HIPAA rules.

Last month, in the Executive Branch's Unified Regulatory Plan, the Department indicated that the final regulation will be published in March.  According to media reports, HHS officials plan to simultaneously issue a final breach notification rule, a final HIPAA enforcement rule, and a final rule implementing HIPAA changes resulting from the Genetic Information Nondiscrimination Act.

The next public step in the process is for the Office of Management and Budget, which is a part of the Executive Office of the President, to review the proposed regulation.  Once the rule reaches OMB, it is likely to be issued within 120 days.

Health Information Privacy Law Enacted in Nova Scotia

On December 10, 2010, Nova Scotia's Personal Health Information Act, which regulates the collection, use, disclosure and disposal of personal health information, was granted royal assent.  The purpose of the new legislation is to better protect citizens’ health data, while also facilitating the use of electronic medical records by provincial health institutions.  Nine of Canada’s 10 provinces have legislation specifically regulating the health information sector. 

Vermont Seeks Supreme Court Review of Second Circuit Medical Privacy Ruling

The State of Vermont is petitioning the Supreme Court to review a Court of Appeals decision holding that the State’s prescription confidentiality law is unconstitutional.

The law at issue prohibits regulated entities from selling or using records containing prescriber-identifiable information—i.e., information linking prescribers to prescriptions for particular drugs—for marketing or promoting prescription drugs, unless the prescriber consents.

The Court of Appeals for the Second Circuit ruled that the law is an impermissible restriction on commercial speech under the First Amendment, reversing and remanding the district court.  This ruling is being compared to two First Circuit decisions upholding prescription confidentiality laws in Maine and New Hampshire.

In its petition, Vermont points to other States that have considered legislation to restrict the commercial use of prescriber-identifiable data, and urges the Supreme Court to weigh in to provide States and other regulators with “guidance as to the scope of their ability to allow individual Americans to control access to and use of their information.”

Quantcast, Clearspring Agree to Settle "Flash Cookies" Suits

Just two days after the Director of the FTC's Bureau of Consumer Protection announced that the agency would not tolerate an "arms race" aimed at developing technologies that subvert user choice regarding online tracking, two firms accused of employing such technologies agreed to settle lawsuits against them.  Quantcast and Clearspring, which provide web analytics and certain functionality to consumer-facing websites, were named in several class action complaints this summer.  The suits alleged that the companies used "Flash cookies" (i.e., local shared objects stored in the memory of Adobe's Flash Player plug-in) to track user activity on websites where Quantcast and Clearspring provide their services.  The publishers of some of those sites were also named in the suits.

Although the use of traditional "HTTP" cookies for tracking has become so commonplace as to be relatively uncontroversial, Flash cookies have been criticized because they are unaffected by browser privacy settings.  Moreover, as noted by researchers at UC-Berkeley, Flash cookies can be used to re-create or "respawn" browser cookies after a user deletes the latter.  The plaintiffs in the Quantcast and Clearspring cases seized on these distinctive qualities in asserting that the defendants used Flash cookies to "circumvent" users' privacy settings.  The complaints included claims under the Electronic Communications Privacy Act, the Computer Fraud and Abuse Act, the Video Privacy Protection Act, and various state laws.

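The "respawning" behaviour the post describes has a simple detection signature, which is essentially how the UC-Berkeley researchers found it: snapshot the browser cookie jar, have the user clear cookies, revisit the site, and look for cookies that come back with exactly the value they had before, that value also being present in the site's Flash local shared objects. The block below, an added example that is not code from the original post or from the Berkeley study, assumes the three inputs (jar before clearing, jar after revisiting, identifier strings already extracted from the LSO files) are supplied as constructed Python dicts and sets; parsing the `.sol` files themselves is out of scope here.

```python
"""Flag browser cookies that were 'respawned' from Flash local shared objects.

Added example, not code from the original post or the study it cites. The
three inputs are constructed: BEFORE is the cookie jar before the user cleared
cookies, AFTER the jar after the user revisited the site, and LSO_VALUES the
identifier strings recovered from the site's Flash LSO storage.
"""

MIN_ID_LENGTH = 8  # short values ("1", "en") cannot identify a user; skip them


def classify_cookies(before, after, lso_values):
    """Compare the jar before deletion with the jar after the revisit.

    Returns {cookie name: verdict} where the verdict is one of
      "gone"        the cookie was not set again (what deletion should mean)
      "ignored"     value too short to be an identifier, not worth judging
      "reissued"    the site set the cookie again with a fresh value (normal)
      "respawned"   the old value came back AND it is stored in an LSO
      "persistent"  the old value came back but no LSO holds it, so some other
                    out-of-browser store restored it; worth investigating
    """
    verdicts = {}
    for name, old in before.items():
        new = after.get(name)
        if new is None:
            verdicts[name] = "gone"
        elif len(old) < MIN_ID_LENGTH:
            verdicts[name] = "ignored"
        elif new != old:
            verdicts[name] = "reissued"
        elif old in lso_values:
            verdicts[name] = "respawned"
        else:
            verdicts[name] = "persistent"
    return verdicts


def respawned_cookies(before, after, lso_values):
    """Just the names of cookies whose values were restored from Flash storage."""
    return sorted(n for n, v in classify_cookies(before, after, lso_values).items()
                  if v == "respawned")


# Constructed sample snapshots (hypothetical values, not captured from any site).
BEFORE = {"uid": "a91f3c7e2b4d", "lang": "en", "sess": "f00dcafe1234", "qc": "7be2d9c0aa11"}
AFTER = {"uid": "a91f3c7e2b4d", "lang": "en", "sess": "0badbeef5678", "qc": "7be2d9c0aa11"}
LSO_VALUES = {"a91f3c7e2b4d"}  # identifier string found in the site's LSO storage


if __name__ == "__main__":
    for name, verdict in classify_cookies(BEFORE, AFTER, LSO_VALUES).items():
        print(f"{name:5s} {verdict}")
    # uid is respawned, sess is a normal reissue, qc is persistent from an unknown store.
```

The "persistent" verdict is the one a practitioner should not discard: a cookie value that survives deletion without a matching LSO means the identifier is being kept somewhere else (another plug-in's storage, HTML5 storage, an ETag cache), and the same comparison can be repeated against whichever store is suspected.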

Open Data Partnership Will Give Consumers Access To Online Profiles

On the heels of last week's release of a proposed consumer privacy report by the FTC, a group of businesses that track online behavior announced that they will give consumers access to information collected about their interests.  The Open Data Partnership will also allow consumers to edit this online profile information. 

This service, which will launch in January, moves participating businesses in the direction of one of the FTC's recommended privacy-by-design features.  In last week's proposed report, the FTC admonished that "companies should take reasonable steps to ensure the accuracy of the data they collect."  Providing consumers access to and a means to edit collected information may enhance accuracy.

The announcement of the Open Data Partnership arrived the same week as the FTC's proposed report, as well as a hearing on "Do Not Track" proposals held by the House Subcommittee on Commerce, Trade, and Consumer Protection.