By Cynthia Marcotte Stamer
The Department of Health and Human Services Office of Civil Rights (OCR) has begun posting on its website the names and certain information about health care providers, health insurers, employer and other health plans, health care clearinghouses and their business associates (Covered Entities) reporting to OCR “breaches” of “unsecured protected health information” (UPHI) under new breach notice rules added by the Health Information Technology for Economic and Clinical Health Act (HITECH Act).
Covered Entities should anticipate the posting of the breach information and other HITECH Act breach notices coupled with amendments to the medical privacy and security requirements of the Health Insurance Portability & Accountability Act (HIPAA) effective since February 17, 2010, will heighten enforcement risks and public sensitivities about medical information privacy safeguards. As failing to comply with the amended rules effective February 17, 2010 can trigger obligations under the Breach Regulations and other significant liability exposures, Covered Entities should act quickly to manage these emerging risks.
Covered Entity Breach Notification Requirements
The initial list of Covered Entities reporting breaches of UPHI affecting 500 or more individuals posted by OCR on February 22, 2010 discloses the Covered Entity’s name and State, the approximate number of individuals affected, the date and type of breach and the location of the breached information. OCR’s posting of this information is required under the HITECH Act breach notification requirements as part of its implementation and enforcement of new breach notification requirements added to HIPAA by Section 13402(e)(3) of the HITECH Act.
The HITECH Act amended HIPAA to require Covered Entities to require Covered Entities provide notification to individuals, OCR and others when certain breaches of UPHI happen. The implementing interim “Breach Notification For Unsecured Protected Health Information” regulations (Breach Regulation) published by OCR here require Covered Entities subject to HIPAA to notify affected individuals, OCR and in some cases the media within specified periods following a “breach” of UPHI occurring on or after September 23, 2009 unless the Covered Entity can demonstrate that the breach qualified as exempt from the breach notification obligation under the Breach Regulations.
Covered Entities generally should consider the need to provide breach notification under the Breach Regulation whenever electronic or non-electronic protected health information which is not adequately encrypted or destroyed to qualify as “secured” under the breach rules is used, accessed or disclosed in violation of HIPAA.
Since the potential need to provide breach notification is triggered by an impermissible use, access or disclosure of UPHI, up-to-date maintenance, monitoring and enforcement is at the heart of compliance with the Breach Regulation as well as HIPAA generally.
You can review the currently posted list of Covered Entities that have reported breaches on the OCR website here. Learn more about the Breach Regulation requirements here.
Broader & Stricter Medical Privacy Mandates Effective 2/17/210
The new breach notification requirements are part of a series of changes made to HIPAA under the HITECH Act that are increasing the responsibilities and liability exposures of Covered Entities. On February 17, 2010, Covered Entities and their business associates also became subject to tighter federal requirements for the use, access, protection and disclosure of protected health information under amendments to HIPAA’s Privacy & Security Standards enacted in the HITECH Act. When the HITECH Act was signed into law on February 17, 2009, Covered Entities also became subject to expanded sanctions and remedies for HIPAA violations.
To comply with the HITECH Act changes to HIPAA effective on February 17, 2010, most Covered Entities and their business associates generally will need to update their written policies, operational procedures, technical safeguards, privacy notices, vendor and other agreements, training, and other management procedures in several respects. For more details, see here.
While the HITECH Act gave Covered Entities and business associates a year to complete the necessary arrangements to comply with these HITECH Act changes, many Covered Entities and business associates have not adequately implemented the necessary arrangements. To mitigate these exposures, Covered Entities and their business associates should act quickly to review and update their policies, procedures, training, business associate and other services agreements, and other practices and procedures, as well as to implement the training, oversight, and other management necessary to comply with the HITECH Act changes and to mitigate other HIPAA risks.
Exposures Significant & Growing
HIPAA-associated exposures for Covered Entities are significant and growing. Timely action to comply with the amended HIPAA requirements and Breach Regulations is important to avoid triggering the breach notification requirements; to prevent loss of public trust and reputation; and to minimize exposures to legal actions, administrative complaints and sanctions and the investigation, defense and correction costs likely to result when a Covered Entity violates or is accused of violating HIPAA or otherwise mishandling medical or other personal information.
Even before the HITECH Act changes became effective, federal regulators were stepping up HIPAA enforcement. The HITECH Act amendments further increase the risk that Covered Entities violating HIPAA face investigation and sanction. The HITECH Act amendments increase the likelihood that Covered Entities violating HIPAA will get caught and will face some form of damage or penalty assessment. Heightened awareness of UPHI breaches resulting from HITECH Act mandated breach notifications are likely to fuel new HIPAA-related complaints, charges and demands. Covered Entities, workforce members who wrongfully access protected health information now face potential civil penalties, criminal prosecution, civil lawsuits and other actions. Allowing state attorneys general to bring suit adds more manpower to the enforcement team. Furthermore, the wrongful use, access or disclosure of protected health information or other confidential information also increasingly is the basis of civil or criminal actions brought under a variety of other federal and state laws.
New Risks Created By HITECH Act Amendments
Heightened HIPAA exposures stem in part from the HITECH Act’s amendments to HIPAA’s remedy provisions. Among other things, the HITECH Act amended HIPAA to:
- Allow a State Attorney General to sue Covered Entities that commit HIPAA violations after February 16, 2009 for damages caused to state citizens;
- Expand the mandate by OCR to investigate violations and audit compliance with HIPAA;
- Require OCR to impose civil sanctions against Covered Entities and business associates involved in violations of HIPAA in accordance with tightened standards added to HIPAA by the HITECH Act;
- Revise the criminal sanctions that the Department of Justice can seek against Covered Entities and others for violations of HIPAA; and
- Amend HIPAA to make clear that workforce members and others improperly using, accessing or disclosing protected health information in violation of HIPAA can face criminal prosecution.
State Attorney General Lawsuit Exposures
Covered Entities must be concerned about the potential that a state Attorney General may bring civil suit to remedy damages caused to state citizens by a breach of HIPAA. In certain situations, the HITECH Act empowers a state attorney general to sue Covered Entities for damages if their HIPAA violations harm state citizens. Statutory damages equal to the sum of the number of violations multiplied by 100 up to a maximum of $25,000 per calendar year plus attorneys fees and costs are authorized.
A HIPAA civil lawsuit demonstrates the willingness of at least some states to exercise the new authority to sue Covered Entities. On January 13, 2010 Connecticut Attorney General Richard Blumenthal sued Health Net of Connecticut, Inc. (Health Net) for failing to secure private patient medical records and financial information involving 446,000 Connecticut enrollees and promptly notify consumers endangered by the security breach. The first attorney general enforcement action brought based on amendments made to HIPAA under the HITECH Act, Connecticut charges that Health Net violated HIPAA by failing to safeguard protected medical records and financial information on almost a half million Health Net enrollees in Connecticut then allowing this information to remain exposed for at least six months before notifying authorities and consumers. The suit also names UnitedHealth Group Inc. and Oxford Health Plans LLC, who have acquired Health Net.
Stepped Up Federal Enforcement
Even before the HITECH Act amendments, OCR and Department of Justice increased HIPAA investigation and enforcement. The Department of Justice has obtained a variety of criminal convictions against violators of HIPAA. See, e.g., 2 New HIPAA Criminal Actions Highlight Risks From Wrongful Use/Access of Health Information. Meanwhile, OCR also is emphasizing HIPAA enforcement. In February, 2009, OCR announced that CVS Pharmacies, Inc. would pay $2.25 million to resolve HIPAA charges. This announcement followed OCR’s announcement in July, 2008 that Providence Health Care would pay $100,000 to resolve HIPAA violation charges. OCR also has taken HIPAA enforcement actions against a broad range of other Covered Entities. See more details here. While not resulting in the significant payments involved in CVS or Providence, all Covered Entities involved in these and other enforcement actions or investigations have incurred significant legal and other defense costs, loss of community trust, or both.
In addition to these HIPAA-specific exposures, wrongful use, access or disclosure of medical information also can expose Covered Entities, members of their workforce and others improperly using, accessing or disclosing protected health information to liability under other federal or state laws. Federal and state prosecutors may and increasingly do bring criminal or civil actions against organizations or individuals for improperly accessing or using medical or other personal information under a variety of other federal or state laws . See e.g., Cybercrime & Identity Theft: Health Information Security Beyond HIPAA; NY AG Cuomo Announcement of 1st Settlement For Violation of NY Security Breach Notification Law; Woman Who Revealed AIDs Info Gets A Year.
State Civil Lawsuits
Covered Entities also need to prepare to defend HIPAA-related conduct in state civil actions. Individual plaintiffs increasingly used alleged HIPAA violations in state privacy, negligence, retaliation, wrongful discharge or other lawsuits. State courts have allowed private plaintiffs to use the obligations imposed by HIPAA as the basis of a Covered Entity’s duty for purposes of certain state law lawsuits. In Sorensen v. Barbuto, 143 P.3d 295 (Utah Ct. App. 2006), for example, a Utah appeals court ruled a private plaintiff could use HIPAA standards to establish that a physician owed a duty of confidentiality to his patients for purposes of maintaining a state law damages claim. Similarly, the Court in Acosta v. Byrum, 638 S.E. 2d 246 (N.C. Ct. App. 2006) ruled that a plaintiff could use HIPAA to establish the “standard of care” in a negligence lawsuit. Meanwhile, disgruntled employees or other business partners performing services for Covered Entities also increasingly are pointing to HIPAA as the basis for their retaliation or wrongful discharge claims. See, e.g., Retaliation For Filing HIPAA Complaint Recognized As Basis For State Retaliatory Discharge Claim. Read more here.
Coupled with the HITECH Act changes, these and other enforcement actions signal growing potential hazards for Covered Entities that fail to properly manage their HIPAA compliance obligations and risks. To help guard against these exposures, Covered Entities should act quickly to strengthen their HIPAA defenses by updating policies, contracts, practices, security, training, oversight, documentation and management.
Covered Entities & Business Associates Urged To Act Promptly To Manage Mitigating Expanded HIPAA Risks & Obligations
Faced with these expanding obligations and exposures, Covered Entities should prepare for the need to defend the adequacy of their HIPAA compliance efforts on paper and in operation. As part of these efforts, Covered Entities should consider:
- Reviewing the adequacy of the practices, policies and procedures of the Covered Entities, business associates, and others that may come into contact with protected health information within the scope of attorney-client privilege taking into consideration the Corrective Action Plan, published OCR noncompliance and enforcement statistics, their own and reports of other security and privacy breaches and near misses, and other developments to determine if additional steps are necessary or advisable;
- Updating policies, privacy and other notices, practices, procedures, training and other practices as needed to promote compliance and defensibility;
- Renegotiating and enhancing service provider agreements to detail the specific compliance obligations of each party; to clarify the respective rights, procedures and responsibilities of each party in regards to compliance audits, investigation, breach reporting, and mitigation; to clarify rights of indemnification; and other related relevant matters;
- Improving technological and other tracking, documentation and safeguards and controls to the use, access and disclosure of protected health information;
- Conducting well-documented training as necessary to ensure that members of the Covered Entity’s workforce understand and are prepared to comply with the expanded requirements of HIPAA, can detect potential breaches or other compliance concerns, and understand and are prepared to follow appropriate procedures for reporting and responding to suspected violations;
- Tracking actual and near miss violations and making adjustments to policies, practices, training, safeguards and other compliance components as necessary to deter future concern
- Establishing and providing well-documented monitoring of compliance;
- Establishing and providing well-documented timely investigation and redress of reported violations or other compliance concerns;
- Establishing contingency plans for responding in the event of a breach;
- Establishing a well-documented process for monitoring and updating policies, practices and other efforts in response to changes in risks, practices and requirements;
- Preparing and maintaining a well-documented record of compliance activities; and
- Pursuing other appropriate strategies to enhance the Covered Entity’s ability to demonstrate its compliance commitment both on paper and in operation.
For Assistance With Compliance Or Other Concerns
The author of this article, Ms. Stamer has extensive experience advising and assisting health care practitioners and other businesses and business leaders to establish, administer, investigate and defend health care fraud and other compliance and internal control policies and practices to reduce risk under federal and state health care and other laws. If you need assistance with these or other compliance concerns, wish to inquire about arranging for compliance audit or training, or need legal representation on other matters please contact the author of this article, Cynthia Marcotte Stamer, CTT Health Care Practice Group Chair, at email@example.com, 214.270.2402 or another Curran Tomko Tarski LLP attorney of your choice. You can get more information about the CTT Health Care Practice and more specifics about Ms. Stamer’s health industry experience here.
Ms. Stamer is nationally known for her work, training and presentations, and publications on privacy and security of health and other sensitive information in health and managed care, employment, employee benefits, financial services, education and other contexts.
Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 22 years experience advising clients, conducting workshops and other training, and providing policy advice about health care, privacy, data security, and other matters. She advises health care providers, health insurers and administrators, employer and other health plan sponsors, employee benefit plan fiduciaries, schools, financial services providers, governments and others about privacy and data security, health care, insurance, human resources, ERISA, technology, and other legal and operational concerns. Ms. Stamer also publishes and speaks extensively on health and managed care industry privacy, data security and other technology, regulatory and operational risk management matters. A widely published author on privacy, data security, health care and other related matters, Ms. Stamer is the author of “Protecting & Using Patient Data In Disease Management: Opportunities, Liabilities And Prescriptions,” “Privacy Invasions of Medical Care-An Emerging Perspective,” “Cybercrime and Identity Theft: Health Information Security Beyond HIPAA,” and a host of other highly regarded publications. Her insights on health care, health insurance, human resources and related matters appear in the Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Managed Healthcare, Health Leaders, and a many other national and local publications. For additional information about Ms. Stamer, her experience, involvements, programs or publications, see here.
Other Helpful Resources & Other Information
If you found these updates of interest, you also be interested in one or more of the following other recent articles:
- Health Plan Liability Heats Up As Plans & Businesses Face New Obligations, Costs & Exposures under New HIPAA Privacy Rules Effective 2/17 & Other Expanding Federal Health Plan Mandates
- Employers, Group Health Plans Subject To New CHIP/Medicaid Notice, Coordination of Benefits & Special Enrollment Requirements
- Health Plans & Business Associates Face 2/17 Deadline To Update Policies, Contracts & Procedures For HIPAA Privacy Rule Changes
- Federal Health Care Fraud Enforcement Efforts Score More Than 15 Successes In December As OIG Claims Enforcement Saved $20.97 Billion in ‘09
- HEAT Initiative Secures Health Fraud Related Guilty Pleas of Physical Therapist, Money Launderer and Patient Recruiter In Detroit
- Stericycle Inc.’s Acquisition Of Medserve Inc. Challenged As Anticompetitive
- Medicare Paid Physicians More Than $92 Million in Incentives for 2008 Under Physician Quality Reporting Initiative
- HIPAA Covered Entities & Business Associates Deadline To Comply With HITECH Act Data Breach Rules Tomorrow
- CMS Proposes New Prospective Payment System For Renal Dialysis Facilities; Hopes To Improve Quality, Efficiency
- Wrongful Access of Health Care Records Prompts HIPAA Criminal Actions, Whether Prompted By Curiosity or Fraudulent Intent
- Pfizer To Pay $2.3 Billion For Fraudulent Marketing In Largest Health Care Fraud Settlement in DOJ History
- CMS Releases Brochure On ICD-10 Coding System
- COBRA, HIPAA, GINA, Mental Health Parity or Other Group Health Plan Rule Violations Trigger New Excise Tax Self-Assessment & Reporting Obligations
- Inapplicability of HIPAA Privacy To Disability Insurer Not License To Impose Unreasonable Claims Requirements
- HHS Delays 2010 HHS Federal Poverty Rate Update To March 1, 2010
If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail- by creating or updating your profile at here. You can access other recent updates and other informative publications and resources provided by Curran Tomko Tarski LLP attorneys and get information about its attorneys’ experience, briefings, speeches and other credentials here.
For important information concerning this communication click here. If you do not wish to receive these updates in the future, send an e-mail with the word “Remove” in the Subject to here.
©2010 Cynthia Marcotte Stamer. All rights reserved.