Volume 10, Number 2 • February 2010

Practical News and Strategies for Complying With HIPAA

Contents

Offshore BAs Pose PHI Risk, But Have Incentives to Self-Regulate ... 3
Effective Dates for Privacy and Security Provisions in ARRA ... 3
What to Include in Amendments to BA Agreements ... 4
Tighten Remote Access Controls to Prevent the Loss of Data ... 6
Patient Privacy Court Cases ... 10
Medical Society Makes Additional Claims ... 11
Privacy Briefs ... 12

First AG HIPAA Suit Portends More State Actions; Sends Message on Encryption

What began as an unfortunate — though not uncommon — loss of a hard drive has resulted in a world of hurt for Health Net, Inc., which is now the target of the first-ever lawsuit brought by a state attorney general for possible violations of HIPAA.

Compounding Health Net's troubles, on Jan. 21, the Connecticut State Medical Society, which represents physicians, filed a formal complaint with the HHS Office for Civil Rights, charging that Health Net gave UnitedHealthcare inappropriate access to all member files, committing "an unambiguous violation of hundreds of thousands of Connecticut patients' privacy rights" (see box, p. 11).

Connecticut Attorney General Richard Blumenthal — an announced candidate for the U.S. Senate — brought the suit in U.S. District Court in Connecticut on Jan. 13, as RPP predicted he might (RPP 12/09, p. 1).

Blumenthal charged Health Net, United and Oxford Health Plans (both subsidiaries of UnitedHealth Group, which recently acquired parts of Health Net) with "multiple violations" of both HIPAA and state law, including the Connecticut Unfair Trade Practices Act, stemming from the May 2009 loss of a hard drive. The unencrypted drive contained protected health information for a total of 1.5 million current and former members, 446,000 of whom lived in Connecticut.

continued on p. 8

'Willful Neglect' Is Difficult to Pin Down But Can Result in Enormous Penalties

Until this year, HIPAA civil monetary penalties (CMPs) represented something of an empty threat to covered entities because the fines were almost never imposed. Yet with the signing of the HITECH Act, which stiffens enforcement through a tiered penalty system, and the recent government push toward accountability, the possibility of a HIPAA violation has become a much scarier thought.

A privacy breach due to "willful neglect" that was corrected within 30 days and affected 100 individuals, which would have cost an organization $10,000 in prior years, will now cost a minimum of $1 million: the minimum penalty per violation rises from $100 to $10,000, and with one violation counted per affected individual, 100 individuals means $1 million.

Covered entities (CEs) — and also business associates, who are now subject to civil and criminal penalties as of this month — need to know what actions (or lack thereof) can push them into the "willful neglect" category, which carries the most severe fines. They may be surprised to learn that routine inaction or procrastination by busy organizations could be categorized as enormously costly willful neglect.

The interim final rule regarding enforcement, published in the Oct. 30, 2009, Federal Register, uses the same language as the previous enforcement rule, stating: "Willful neglect means conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated."

Published by Atlantic Information Services, Inc., Washington, DC • 800-521-4323 • www.AISHealth.com • An independent publication not affiliated with hospitals, government agencies, consultants or associations

One step below willful neglect on the CMP tier is "reasonable cause," which is defined as "circumstances that would make it unreasonable for the covered entity, despite the exercise of ordinary business care and prudence, to comply with the administrative simplification provision violated."

Brian Annulis, attorney with Meade & Roach in Chicago, says reasonable cause applies in situations when a covered entity has appropriate policies and procedures in place, but those policies and procedures are not followed — for instance, an employee does not set up password protection on a computer — and a breach ensues. He cites the Aug. 25, 2009, Blue Cross Blue Shield Association (BCBSA) security breach, in which a laptop containing confidential information for as many as 850,000 health care providers was stolen out of an employee's car (RPP 11/09, p. 12). The employee had violated company policy by downloading an unencrypted version of the information onto a personal laptop. As Annulis sees it, since the CE had formal policies and procedures regarding encryption, a breach such as that one should not constitute willful neglect.

The most obvious demonstration of willful neglect would be when a covered entity has no preventative policies and procedures in place and a breach occurs. Annulis notes that seven years into HIPAA compliance, it's unlikely that a CE or BA would have no formal protocol.

Greg Young, the privacy officer at Mammoth Hospital in California, however, believes that many small doctors' offices and clinics still lack policies and procedures because they "don't feel it's necessary or don't want to spend the money. They just want to take care of their patients, not realizing that part of taking care of patients is taking care of their information." For instance, he recalls walking into a local doctor's office where the receptionist's computer screen faced outward toward the waiting room.

Don't Leave Policies on a Shelf

"The greatest danger" for an organization, according to former OCR director Richard Campanelli, now an attorney with Baker & Daniels LLP, is having policies and procedures that no one is enforcing and that employees are not educated about. "A policy on a shelf is not going to be very helpful — it won't be helpful in protecting privacy and security, and it won't be helpful in responding to an investigation," he says. Once a violation occurs, the fact that the policy exists signals to OCR that the organization knows what it should be doing and has chosen not to comply.

For example, says Campanelli, if a covered entity is "experiencing problems debugging the access-control software it implemented" but never solves the issue, the covered entity shows that it "knows its basic obligation and knows it has a fundamental problem." The CE is willfully neglecting its duties by giving up on that problem.

Annulis and Bob Coffield, an attorney with Flaherty, Sensabaugh & Bonasso, PLLC, both say that if an organization experiences a breach due to reasonable cause but does not take care of the security problem and consequently suffers a second breach, the scenario would be classified as willful neglect. At that point, the organization has demonstrated "reckless indifference."

Document Actions and Nonactions

For example, Annulis says, if a CE found out it "had a glitch in [its] electronic medical record system that allowed for remote access and someone was able to get in and peek around, and following that [the CE] didn't do anything to fix it," the next violation moves up the CMP ladder. "It's like, 'fool me once, shame on you; fool me twice, shame on me' — you have to learn from it," says Annulis.

Report on Patient Privacy (ISSN: 1539-6487) is published 12 times a year by Atlantic Information Services, Inc., 1100 17th Street, NW, Suite 300, Washington, D.C. 20036, 202-775-9008, www.AISHealth.com. Copyright © 2010 by Atlantic Information Services, Inc. All rights reserved. Editor, Liana Heitin; Contributing Editor, Nina Youngstrom; Executive Editor, Jill Brown; Publisher, Richard Biehl. Subscribers to Report on Patient Privacy also receive access to AIS's HIPAA Compliance Center at www.AISHIPAA.com.

EDITORIAL ADVISORY BOARD: MICHAEL D. BELL, Esq., Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C., Wash., D.C.; JOHN BENTIVOGLIO, Esq., Arnold & Porter, Wash., D.C.; MICHAEL DOSCHER, Senior Manager, Global Healthcare Div., Covansys Corp., Glendale, Calif.; BRIAN GRADLE, Esq., Hogan & Hartson L.L.P., Wash., D.C.; REECE HIRSCH, Esq., Morgan, Lewis & Bockius LLP, San Francisco, Calif.; JAMES PASSEY, MPH, Director, Compliance & , Valley Health System, Hemet, Calif.; ERIC S. TOWER, Esq., Associate General Counsel, Advocate Health Care, Oak Brook, Ill.

There are still some gray areas, however, which require case-by-case analysis. For instance, says Annulis, if one employee out of 1,000 loses a personal digital assistant (PDA), a CE could argue that it's not engaging in willful neglect by not requiring password protection on all PDAs. But if it has "1,000 employees and 10% of employees misplace or lose PDAs on a monthly basis," Annulis says, that's a different story. "The facts and circumstances of this particular situation are relevant."

The same goes for the destruction of PHI. "If it's one slip of paper [that's not destroyed], does that happen? Yes," says Coffield, of Charleston, W.Va. "But if it's a pattern situation when the policy specifies you can't do that and it's been brought to the attention of the privacy officer," then that is likely to constitute willful neglect.

According to Coffield, when a privacy officer becomes aware of a complaint, he or she should always take "some action, even if it's documentation of no action and the basis and reason for doing so." Having evidence of an attempt at compliance is sure to save some heartache if HHS comes knocking.

Young emphasizes the importance of documenting employee education efforts, as well. "It's not enough to say, for instance, that we had a staff meeting. Who was at that staff meeting? What was discussed? It doesn't take much time, it's just a habit you need to get into and do for every single training." An ex-cop, Young also encourages privacy officers and other management personnel to "get out of the office, get on the floor and walk around and see what people are doing," which he likens to being on patrol.

If a breach does occur, OCR will look at the individual circumstances, says Campanelli, and take into account an organization's efforts at implementing safeguards. "Having procedures in place, training people in those procedures, and taking action when you find a problem — that's the best position you can be in," Campanelli says.

Contact Annulis at (773) 907-8343 or bannulis@meaderoach.com, Young at (760) 934-3311, Campanelli at (202) 589-2818 and Coffield at (304) 347-3791.

Offshore BAs Pose PHI Risk, But Have Incentives to Self-Regulate

As providers move to cut operational costs, many are taking their business associate (BA) dealings offshore. And while sending protected health information overseas can be a risky endeavor for patients and health care organizations, one expert says the process has built-in safeguards, including financial motivators on the BA side, which can make working with offshore business associates as safe — if not safer — than working with those in the U.S.

Services such as medical transcribing, coding and billing are commonly being outsourced these days, with cost being the major driver, says security expert Ali Pabrai, the CEO of ecfirst in Newport Beach, Calif. "You know the Thomas Friedman book The World is Flat? The only thing I would add is that it's getting flatter," he says, referring to the increasing opportunity for international business competition. "There's a significant differential in getting the same services outside the U.S., purely in terms of economics."

Offshore contracting can have operational benefits as well, according to Brian Annulis, an attorney with Meade & Roach in Chicago. In what's known as "nighthawking," a radiologist in Iowa can send X-rays overnight to a radiologist in India, who reads them and prepares the preliminary results. The U.S.-based radiologist comes in the next morning, reviews the pre-report from India, signs off on an order, and is able to get the results to the patient as quickly as possible. It's a means of client management and building relationships with patients, says Annulis. The recent CMS transmittal requiring providers to report the precise location where diagnostic tests are interpreted when submitting Medicare claims (RMC 1/18/10, p. 1) could have an impact on "nighthawking," though that impact is unclear since the U.S. doctor is ultimately signing the order.

These kinds of offshore dealings come with obvious privacy risks. In a chilling 2003 scenario, a woman in Pakistan, at the end of a long chain of subcontractors hired to do transcription for the University of California San Francisco Medical Center, threatened to expose confidential patient records on the Internet unless the university helped get her money she was owed, reported the San Francisco Chronicle. (She eventually withdrew her threat when one of the subcontractors sent money.)

Is Your PHI Going Offshore?

This highly publicized event illustrated the perils of outsourcing PHI but did not slow the trend. The GAO released a report in 2006 stating that "federal contractors and state Medicaid agencies widely reported domestic outsourcing of services involving the use of personal health information." And, in a finding that would prove surprising to patients, it said that "the reported extent of offshore outsourcing by vendors may be understated because many federal contractors and agencies did not know whether their domestic vendors transferred personal health information to other locations or vendors."

Experts interviewed by RPP say that the economic downturn has contributed to the increased use of offshore business associate contracts.

U.S. Law Does Not Apply

As the GAO report highlighted, a lot of health information ends up overseas because business associates pass on work to their offshore affiliates, says Reece Hirsch, a San Francisco attorney with Morgan, Lewis & Bockius LLP. Fortunately, in these cases, the BA has a nexus in the U.S., so U.S. law is applicable and enforceable. The CE can rest easy and write a standard BA agreement that, under the HITECH Act, is subject to enforcement by the federal government.

"It's more an issue of getting assurance that the subcontractor affiliate outside the U.S. is doing the right thing," says Hirsch. He recommends adding a provision in business associate agreements requiring the BA to notify the CE and obtain consent before transferring data outside the U.S. If a BA may use an offshore affiliate, "you'll also want to conduct some heightened due diligence…and provide for audit rights," Hirsch says.

But what happens when the covered entity directly contracts with an offshore BA that has no presence in the U.S.? In this case, U.S. law does not apply and cannot be enforced. How can a CE protect itself? Is it even advisable to enter into these sorts of contracts?

Some countries, such as those in the European Union (EU), may have their own privacy and security policies and procedures that are comparable to those in the U.S., says Annulis. In those cases, the CE may be willing to rely on representations and warranties that the vendor will comply with HIPAA as well as operative EU directives, deferring in part to the other country's laws and enforcement capabilities.

Countries With No Policies Are a Giant Risk

BAs in countries that lack rigorous policies seem to pose a giant risk because there's no one to police those issues internationally.

But those BAs have strong incentives to comply with U.S. regulations, explains Pabrai, who conducts compliance audits for BAs both nationally and internationally. Offshore entities are motivated — at times even more motivated than domestic entities — to demonstrate their diligence in protecting information privacy because they are trying to build a reputation among American companies. "They know that if American citizens' patient information is breached in New Delhi…it could have an impact on the agreements they've executed and business opportunities they're looking to get from American covered entities," says Pabrai. "That's the carrot, if you will, and they want to ensure it is not threatened."

Offshore BAs Are Responsive

He explains that, to his surprise, he's found that offshore entities "clearly understand the HIPAA privacy and HIPAA security regulations. They want to demonstrate they have taken formal, comprehensive, thorough steps to ensure any patient information is, in fact, protected. In my experience, they try hard to go beyond the letter of the law." Many still have compliance gaps, he says, but once the gaps are discovered the BAs are eager to fill them.

This is critical to covered entities because ultimately compliance issues are traced back to them. In the 2003 transcription breach, the media pointed to UCSF Medical Center, where the business dealing originated. When knowledge of the business is imputed to the covered entity, the HHS Office for Civil Rights may hold the CE accountable as well, in the case of an unreported breach of unsecured PHI which compromises the security or privacy of the PHI, says Annulis.

And since the HITECH Act was enacted in February 2009, putting tiered enforcement penalties into effect and setting breach notification requirements in motion (see the table of effective dates below), the financial risks have grown for all U.S. entities. Pabrai says he's seen an uptick in CEs checking in on their business associates and putting pressure on them to stay compliant with the BA contract.

Beef Up BA Agreements

While BA agreements may not be enforceable outside the U.S., they are legally necessary to protect the U.S.-based covered entity. Pabrai encourages CEs to include these three provisions in BA agreements for offshore business associates with whom they contract directly:

(1) The CE has a right to audit the BA if it suspects that any aspect of the BA agreement has been violated. Audits will be unannounced.

(2) The BA must meet or exceed the requirements of four key areas: the HIPAA privacy rule, the HIPAA security rule, the HITECH Act and the state regulations where the CE is located.

(3) The BA must demonstrate annually (or on another regular schedule) that it is in compliance with the four key areas listed above.

A comprehensive BA agreement, combined with the BA's motivation to build a solid reputation, should provide a strong compliance safeguard.

However, as evidenced by UCSF, no system is foolproof. If a covered entity finds that the BA has violated the agreement, the first recourse available is to cancel the contract.

But that may not be in the covered entity's best interest, says Pabrai, so the CE may instead put the business associate on a corrective action plan and give it a set amount of time to clear up the deficiencies. The most important thing to push, he says, is the right to audit, which is the best way to ensure compliance is ongoing. Annulis agrees it's a good idea to "go over and kick the tires at their facility," though it's important to establish who will pay for the audit. This is something that can be included in the BA agreement as well.

Share Policies With BAs

Pabrai also recommends that the covered entity share its internal policies and procedures with its BAs, to give them "a good feel for how the covered entity is implementing the HIPAA and HITECH regulations in its own organization."

Hirsch notes that many entities are uncomfortable with disclosing their policies in full, because it can make their practices and security systems vulnerable to exploitation. He suggests having the CE security officer speak with the BA security officer to review matters they determine are necessary to share.

Contact Pabrai at (949) 260-2030 or ali.pabrai@ecfirst.com, Annulis at (773) 907-8343 or bannulis@meaderoach.com and Hirsch at (415) 442-1422 or rhirsch@morganlewis.com.

Effective Dates for Privacy and Security Provisions Contained in ARRA

Unless otherwise specified, all provisions are effective Feb. 17, 2010.

Provision | Section | Effective date
Breach notification provisions | 13402 | Effective for breaches discovered 30 days after publication of interim final regulations; HHS released interim final regulations on Aug. 24, 2009
Personal health record (PHR) breach notification | 13407 | Effective for breaches discovered 30 days after publication of interim final regulations; FTC released interim final regulations on Aug. 18, 2009
Business associates: application of security provisions | 13401 | Feb. 17, 2010
Business associates: application of privacy provisions | 13404 | Feb. 17, 2010
Minimum necessary guidance | 13405 | Aug. 17, 2010 (18 months after enactment)
Accounting for disclosures, if EHR used before Jan. 1, 2009 | 13405(c) | Jan. 1, 2014
Accounting for disclosures, if EHR acquired after Jan. 1, 2009 | 13405(c) | Jan. 1, 2011
Restrictions on disclosures | 13405(a) | Feb. 18, 2009
Prohibition on sale of electronic health records/PHRs | 13405(d) | Six months after final regulations, which must be promulgated within 18 months of enactment
Marketing | 13406 | Feb. 17, 2010 (12 months)
Enforcement for 'willful neglect' | 13410 | Feb. 17, 2011 (24 months)
Tiered penalties | 13410(d) | Feb. 18, 2009
Enforcement by state attorneys general | 13410(e) | Feb. 18, 2009

What to Include in Amendments to Business Associate Agreements

With the Feb. 17 effective date of HITECH Act provisions, covered entities would be well-advised to amend their business associate agreements ASAP to reflect new compliance realities. Here are options to consider:

Mandated Amendments

• The business associate (BA) must be in compliance with the HIPAA security rule, including the administrative, physical and technical safeguards and any additional security requirements contained in the HITECH Act that are applicable to CEs.
• The BA must be in compliance with the additional privacy requirements under the HITECH Act.
• The business associate will provide notice of a security breach to the CE; the specific timing for such notifications is recommended below.
• The new definition for "breach" should be included: "unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information," with the compromise of security defined as posing "a significant risk of financial, reputational, or other harm to individuals."
• The new definition for "electronic health record" should be included: "an electronic record of health-related information on an individual that is created, gathered, managed, and consulted by authorized health care clinicians and staff."
• The new definition for "unsecured PHI" should be included: "protected health information that is not secured through the use of a technology or methodology specified by the Secretary."

Amendments to Consider

• Update recitals of the BAA to reflect that the agreement addresses American Recovery and Reinvestment Act (ARRA) requirements. Perhaps cite specific BAA-related provisions of ARRA: 42 U.S.C. § 17931(a) and 42 U.S.C. § 17934(a).
• The BA will notify the CE of a security breach within one to five business days of discovery, to give CEs as much time as possible to notify the individuals.
• Define "discovery" and state that the knowledge of employees, officers and agents is imputed to the BA.
• The business associate must encrypt or otherwise secure PHI to satisfy the "functional safe harbor." (BAs may raise fees to make up for these expenses.)
• The business associate should not employ the "harm standard" to determine whether a breach has occurred, but instead should inform the CE of all unauthorized disclosures or losses of PHI.
• The BA must have a disaster recovery plan and perform security audits, though this is understood as part of security rule compliance.
• The CE must have access to the BA's security policies and procedures.
• Specify the content of the BA's notification, which should include identification of each individual whose unsecured PHI has been, or is reasonably believed by the BA to have been, accessed, acquired or disclosed during the breach.
• If a business associate is responsible for a breach, the BA will indemnify the CE.
• If a business associate is responsible for a breach, the BA will pay for the damages associated with the breach.
• The BA will obtain liability insurance covering claims in case of a violation of the privacy or security rule.
• The party responsible for notifying individuals of a breach is…(typically the CE, unless the BA has a direct relationship with the patient).
• The business associate will cooperate with the CE to determine whether notification of a breach is required.
• The new privacy obligations with which the BA must comply under the HITECH Act include: access to PHI in an electronic health record, accounting of disclosures of PHI in an EHR, new clarification of the minimum necessary standard, limitation on marketing communications paid for by third parties, and limitation on the sale of EHRs and PHI.
• The business associate is required to cure a breach of a BAA or terminate the agreement if it knows of a pattern of activity or practice by a CE that violates the agreement.
• This catch-all phrase should be considered: "Other requirements applicable to BAs under the HITECH Act are incorporated by reference into the BAA."

Tighten Remote Access Controls To Help Prevent the Loss of Data

Covenant Health, headquartered in Knoxville, Tenn., is no different from other HIPAA covered entities — it is revising its policies and procedures to comply with the new breach notification requirements and other mandates under the HITECH Act, which will be enforced beginning this month.

Yet that doesn't mean the Covenant system, which includes six acute-care hospitals, a psychiatric hospital, rehab center and nursing home, as well as numerous outpatient centers, is neglecting the bread-and-butter of medical privacy and security, especially controls on remote access to its network. In fact, its access controls are always being improved.

"Our computer security processes related to laptop distribution, remote access and encryption have been
implemented and are constantly being enhanced and updated — not because of HITECH, but because they are good security and business practices," Tish Breeding, Covenant Health's integrity compliance officer, tells RPP. "Our HITECH-related activities have been focused on revising policies to take breach notification requirements into account and updating business associates' agreements, along with employee education."

Remote Access Is a Common Risk

Remote access is one area of vulnerability that is common to both CEs and business associates, which now must comply with nearly the same requirements under the HITECH Act. Covenant's experience may not be the norm, according to experts who say they see a significant lack of adequate controls.

As John Parmigiani, president of an information security consulting firm in Maryland and the author of the government's proposed security rule, tells RPP, "There is spotty, inconsistent application [of controls], especially when using personally-owned computers. Lack of enforcement and the fact that these areas were 'addressable' rather than 'required' [under the security rule] were contributing factors to this weakened security posture."

Sean Lee, a senior auditor for Apgar and Associates, a HIPAA consulting firm, adds: "I have had clients compliant with regards to remote access, but they are in a minority. The biggest mistake I see people making is transmitting PHI unencrypted over an open network," such as the Internet.

Two-Level Authentication Is Recommended

Breeding shared with RPP some of the ways her system controls and monitors access, and other experts provided their strategies as well.

Not everyone is allowed remote access to the Covenant network, according to Breeding. "All requests for remote access to Covenant Health's network come through the information security officer for approval, and Covenant Health limits the access of remote users by a profile/active directory," she says.

Once approval is granted, Covenant Health issues a fob to each user that provides a one-time-use password to access the network, she says.

When the user logs in, his or her identity is "authenticated through a two-factor process and remote users are limited to accessing only the information they have been previously authorized to access," Breeding says. Authentication is unique to each user and "cannot be shared," she adds.

Access is also monitored. "We can track remote access through the logs kept by the network," she says.

Physicians may use their own equipment to access the network but they and others face restrictions. "Except in very limited circumstances, Covenant Health's servers do not permit remote access users to download or print information," she adds.

Restricting access is among the strategies that privacy and security compliance officials recommend to tighten up remote access. CEs and BAs should also "develop and employ proper clearance procedures and verify training of workforce members prior to granting remote access," says Parmigiani.

"I also warn clients to be mindful of, and to safeguard, their computers, whether PCs or laptops, against the …threats" such as phishing, IP spoofing, malware, file sharing, and use of instant-messenger correspondence, he says.

Other Controls Are Suggested

The IT experts also offer these recommendations:

• Forbid employees from accessing PHI from home computers unless they are logged into a virtual private network (VPN).
• Allow access to PHI only through company-issued computers or other portable devices. Record serial numbers and passwords. Individually train users on security and other controls.
• Carefully choose who gets remote access. Some deny this to physicians, while allowing access for coders and claims processors, for example.
• Insist users sign a stronger confidentiality agreement than other employees, specifying they will adhere to all privacy and security policies and understand that termination may result from compliance failures.
• Limit functionality on portable devices. Printing, saving, copying and downloading can be disabled, so that all the user is really doing is viewing PHI.
• Periodically pull computers and other devices into the facility and run checks to ensure no inappropriate material has been downloaded.
• Ensure the data on laptops are encrypted and that no work-arounds are possible to disable the encryption.
• Consider allowing access through home devices, but block access to everything but e-mail, and prohibit the inclusion of PHI in e-mails.
• Firewall and virus protection software should be installed and operational on any remote devices.

As effective as these policies might be, putting them in place is not always easy and can sometimes be met with backlash. One compliance officer recently asked a listserv for advice. "I am having a battle with senior leadership regarding the ability of providers
Post your Health Business Job Openings at no charge at www.AISHealth.com/HealthJobsList.html. 8 Report on Patient Privacy February 2010 accessing PHI database on their home computer. Com- Small CEs and BAs are more likely to have inade- pliance has taken the stance that only company-issued quate safeguards for remote access, says Lee. “Provid- computers can access PHI from home. The rationale ers, especially small provider groups, tend to greatly is that we cannot monitor virus protection, password lack policies, procedures and proper documentation,” complexity, etc.,” the officer said on the listserv, com- he says. “They usually hire out an IT person to help [email protected], which is run by The Council of them set up their remote access. These IT people don’t Ethical Organizations’ Health Ethics Trust division. know the HIPAA requirements and thus they overlook certain necessary steps.” Smaller Entities Lack Many Safeguards When larger covered entities allow these noncom- Another listserv member responded, “We allow pliant CEs or BAs into their network, they are opening providers to remotely access our electronic medical re- themselves up to risks, Parmigiani and Lee agree. cord with their own computers, but only if their com- puters meet certain essential criteria such as processor BAs Are Playing Catch Up speed, memory, virus protection, and many more.” And BAs may have some catching up to do. “The HITECH Act now requires BAs to be compliant with the entire security rule and part of the privacy Compliance Resources From AIS rule — mostly [related to] the uses and disclosures requirements, whereas previously only the CEs had to comply,” says Lee. 
“What BAs have to do that is new ✔ High-Risk Areas in Medicare Billing, which is to them are privacy and security audits, risk analyses, packed with “how-to” compliance auditing tools disaster recovery plans, emergency mode operations, for hospitals and providers that were prepared policies, procedures and documentation.” by experienced compliance consultants from Stra- Lee has also seen controls that were simply ig- tegic Management Systems, Inc. See a demo at nored. “The number one problem I see is the VPN not www.MedicareRiskAreas.com. actually being used,” says Lee. “For most provider ✔ Report on Medicare Compliance, the industry’s setups using remote access, it makes sense to install leading compliance newsletter, with weekly news client VPN software. This means that the remote user and insightful analysis of the key compliance prob- must manually enable a VPN connection. The problem lems that lie ahead for the industry. with this is that the default for the Windows terminal ✔ Report on Research Compliance, a monthly server is to still allow remote sessions. So the provider newsletter, weekly e-letters and subscriber-only may have a VPN firewall setup, but they are not using Web site on conflict of interest, human subjects, it. This is where the non-HIPAA IT professionals hurt scientific misconduct, tech transfer and much more; the CEs. The default needs to be removed so that a copublished by NCURA. VPN ‘tunnel’ is required in order for a remote session ✔ The HCCA-AIS Medicaid Compliance News, to be initiated.” monthly news and valuable how-to strategies for Contact Breeding at [email protected], Par- identifying and reducing the top Medicaid com- migiani at [email protected], and Lee at slee@ pliance risks. Co-published by the Health Care apgarandassoc.com G Compliance Association (HCCA) and AIS. 
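The gaps Lee and Breeding describe (a terminal server still accepting sessions that never came through the VPN, users who were never cleared for remote access, logins without the second factor) can be checked against the access logs Breeding says her network keeps. The audit below is an added example, not code from Covenant Health, Apgar and Associates or any vendor; the VPN address pool, the approved-user list and the log lines are all constructed for illustration.

```python
"""Audit remote-session log lines for the control failures discussed above.

Added example, not code from Covenant Health, Apgar and Associates or any
vendor. Every address, user name and log record below is constructed.
"""
from __future__ import annotations

import ipaddress
from collections import Counter
from dataclasses import dataclass

# Assumption: the VPN concentrator assigns client addresses from this pool,
# so a terminal-server session from any other address arrived without the
# VPN "tunnel" Lee says must be required.
VPN_POOL = ipaddress.ip_network("10.200.0.0/16")

# Assumption: users the information security officer has approved for
# remote access, mapped to the access profile they were granted.
APPROVED_REMOTE_USERS = {"jdoe": "coder", "mlee": "claims"}

# Constructed terminal-server log: timestamp user source_ip mfa result
SAMPLE_LOG = """\
2010-02-03T08:01:12 jdoe   10.200.14.7   yes success
2010-02-03T08:05:40 mlee   10.200.22.3   yes success
2010-02-03T09:12:01 jdoe   203.0.113.45  no  success
2010-02-03T09:30:55 rsmith 10.200.31.9   yes success
2010-02-03T10:02:17 mlee   10.200.22.3   no  success
2010-02-03T10:44:09 jdoe   198.51.100.8  yes failure
"""


@dataclass(frozen=True)
class Session:
    timestamp: str
    user: str
    source: str
    mfa: bool
    success: bool


def parse_line(line: str) -> Session:
    """Parse one whitespace-separated log record into a Session."""
    timestamp, user, source, mfa, result = line.split()
    # Reject a malformed address now rather than letting it pass every check.
    ipaddress.ip_address(source)
    return Session(timestamp, user, source, mfa == "yes", result == "success")


def audit_session(session: Session) -> list[str]:
    """Return the control failures evident in a single session record."""
    findings = []
    # Any connection, successful or not, from outside the VPN pool shows the
    # server is reachable without the tunnel (the default Lee wants removed).
    if ipaddress.ip_address(session.source) not in VPN_POOL:
        findings.append("outside_vpn_pool")
    if session.success:
        # Remote access is granted only to users cleared by the ISO.
        if session.user not in APPROVED_REMOTE_USERS:
            findings.append("unapproved_user")
        # Breeding's two-factor requirement: a login completed on a password
        # alone means the one-time fob code was bypassed or not enforced.
        if not session.mfa:
            findings.append("no_second_factor")
    return findings


def audit_log(text: str) -> list[tuple[str, str, str]]:
    """Run every record through audit_session; one tuple per finding."""
    results = []
    for line in text.splitlines():
        if not line.strip():
            continue
        session = parse_line(line)
        for finding in audit_session(session):
            results.append((session.timestamp, session.user, finding))
    return results


def summarize(findings: list[tuple[str, str, str]]) -> dict[str, int]:
    """Count findings by type, the figure an auditor would report."""
    return dict(Counter(f[2] for f in findings))


if __name__ == "__main__":
    for ts, user, finding in audit_log(SAMPLE_LOG):
        print(f"{ts} {user:<8} {finding}")
    print(summarize(audit_log(SAMPLE_LOG)))
```

Against the sample log the audit reports two sessions that reached the server outside the VPN pool, two password-only logins and one user who was never approved; an empty report on a real log is the evidence that the VPN-only default and the two-factor requirement are actually in force.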
More State AG Actions Are Likely

continued from p. 1

For suspected violations of state law, Blumenthal has asked that Health Net pay a civil penalty of “not more than” $5,000 “per willful violation,” court costs and attorney’s fees. For the alleged HIPAA violations, under convictions won by AGs, a guilty party is subject to fines of up to $100 for each violation not to exceed $25,000 for identical violations in a calendar year.

These fines are half the amount that the federal government could impose. Blumenthal also requested an injunction to prevent Health Net and the other plans from engaging in similar violations of HIPAA and state laws.


In announcing the suit, Blumenthal railed about Health Net’s misdeeds, but he never mentioned that, so far, Health Net has no evidence that any members have been victims of identity theft or that the data have been misused in any way.

AG Calls Suit ‘Historic’

“Sadly, this lawsuit is historic — involving an unparalleled health care privacy breach and an unprecedented state enforcement of HIPAA,” Blumenthal says in a statement. “Protected private medical records and financial information on almost a half million Health Net enrollees in Connecticut were exposed for at least six months — most likely by thieves — before Health Net notified appropriate authorities and consumers. These missing medical records included some of the most personal, intimate patient information — exposing individuals to grave embarrassment and emotional distress, as well as financial harm and identity theft. The staggering scope of the data loss, and deliberate delay in disclosure, are legally actionable and ethically unacceptable. Even more alarming than the breach, Health Net downplayed and dismissed the danger to patients and consumers,” Blumenthal said.

The perhaps more chilling words for Health Net and United investors were Blumenthal’s promise “to fight for civil penalties.” In response to a request for comment on the suit, a Health Net spokeswoman on Jan. 29 gave RPP a prepared statement, dated Jan. 13, which says the plan “has just received a copy of the lawsuit and is in the process of reviewing it. We will continue to work cooperatively with the Connecticut attorney general on this matter.”

Health Net is also “offering two years of free credit monitoring services for all impacted members who elect this service,” which the plan says “includes $1 million of identity theft insurance coverage and enrollment in fraud resolution services for two years, if needed.” Health Net also says it will “provide services to restore the member’s identity at no cost to the member” if an individual experiences “any identity theft between May 2009 and the date of their enrollment.”

Suit Details Numerous Lapses

According to the suit, the drive “containing the missing information pertained to approximately 446,000 individuals and comprised 27.7 million scanned pages of over 120 different types of documents such as insurance claims forms, membership forms, appeals and grievances, correspondence and medical records. Within these documents was contained personal information including names, addresses, Social Security numbers, protected health information and financial information such as bank account numbers.”

Health Net apparently learned on May 14, 2009, that the drive was lost somewhere between California and Health Net’s Shelton, Conn., office, but allegedly did not notify health plan members or state officials of the loss until November.

The suit contends that Health Net violated HIPAA in 12 different ways, including failing to train its workforce (“including independent contractors involved in the data breach”), failing to allow access to only approved users of its data; and failing to implement policies to prevent, detect and correct threats to the security of its PHI. It also did not have an effective sanctions policy for dealing with employee misdeeds, the AG says.

The reason for the failures was ultimately simple, Blumenthal says in the filing: “[T]he design and implementation of the defendant Health Net’s purported policies and procedures regarding the security of protected health information were ineffective in appropriately and reasonably safeguarding protected health information.”

Health Net, according to the suit, lost valuable time to “mitigate” the data loss because it didn’t “create a log file of the collection and transfer of the data that was included on the disk drive. …As a consequence, the defendant Health Net replicated the entire creation of the disk drive, thus delaying efforts to safeguard or otherwise mitigate the data breach.”

‘Tip of the Iceberg’?

In bringing the suit, Blumenthal had to navigate the labyrinth of procedural “strings” that were attached to the HITECH Act provisions that granted new HIPAA enforcement powers to attorneys general. He had to notify HHS, in advance, of his plans to file suit, and, by law, must allow HHS to take the lead in the case if it chooses. HHS may “intervene in the action; upon so intervening, [can] be heard on all matters arising therein; and [can] file petitions for appeal,” according to the HITECH Act. And AGs are not allowed to bring an action if HHS is already doing so (RPP 4/09, p. 1), so it would appear in this case that Blumenthal beat HHS to the punch. OCR did not respond to RPP’s requests for comment on Health Net.

Now that Blumenthal has filed the first suit, CEs and BAs should be on notice that other AGs are likely to follow in his footsteps.

“I think this is probably only the tip of the iceberg” of what is to come now that AGs have HIPAA enforcement powers, says Steven Eisenberg, a partner in the Cleveland office of Baker Hostetler. Suits are likely to be more prevalent in states where “AGs are seeking higher office,” he adds. A week before suing Health Net, Blumenthal announced his candidacy for the U.S. Senate seat that will be open upon the retirement of Sen. Chris Dodd (D). The youthful-looking Blumenthal, 63, has been the Connecticut AG since 1990.

“I think the only thing that surprises me is that an AG used the new HITECH authority so soon,” says John Christiansen, a health care attorney in Seattle. “I do know the Connecticut AG is particularly aggressive and consumer-friendly — and not averse to publicity — so he fits the profile of the kind of AG I would expect to exercise this authority sooner rather than later.” Similar actions may result when breaches are larger and have already made headlines, says Christiansen.

PATIENT PRIVACY COURT CASES

This monthly column is written by Kayla Tabela of the Washington, D.C., office of Sonnenschein, Nath & Rosenthal LLP. It is designed to provide RPP readers with a sampling of the types of patient privacy cases that courts are now hearing. It is not intended to be a comprehensive monthly survey of all patient privacy court actions. Contact Tabela at [email protected].

• The Texas health department agrees to destroy newborn blood samples retained and used without consent. On Dec. 22, 2009, Andrea Beleno, Geoffrey Courtney, Maryann Overath and Keith Taylor, on behalf of their respective children (collectively, “Plaintiffs”), entered into a settlement agreement and release with David Lakey, in his capacity as the Commissioner of the Texas Department of State Health Services, and Nancy Dickey, in her capacity as the Vice Chancellor for Health Affairs of the Texas A&M University System and President of the Texas A&M University Health Science Center (collectively, “Defendants”). The Agreement centers on Defendants’ actions in connection with the state’s newborn screening program. Under Texas law, blood samples are collected from all newborn babies so that babies with detectable disorders can be treated early, thereby preventing potentially disabling disorders. Parental consent is not required, and Plaintiffs did not object to the state’s screening program. Rather, Plaintiffs objected to Defendants’ indefinite storage of the samples at the Texas A&M Health Science Center School of Rural Public Health and the use of those samples for undisclosed research purposes. Plaintiffs argued that the samples contained “deeply private medical and genetic information” and that Defendants’ actions violated their constitutional rights as guaranteed by the Fourth (protection against unlawful search and seizure) and Fourteenth (protection against deprivation of fundamental liberty and privacy) Amendments to the U.S. Constitution. Plaintiffs also argued that Defendants violated standard medical research protocols relating to informed consent. As part of the settlement agreement, Defendants agreed to destroy all samples in their possession taken before May 27, 2009, for which they do not have written consent from the parent/guardian to retain and use the sample. Defendants also agreed to create and maintain a list of all research projects that use newborn blood specimens on Texas’ newborn screening Web site. (Beleno v. Texas Department of State Health Services; Beleno v. David L. Lakey — Settlement Agreement)

• A former UCLA hospital employee pleads guilty to HIPAA violations. On Jan. 8, 2010, Huping Zhou entered into a plea agreement with the United States Attorney’s Office for the Central District of California for four separate violations of the privacy provisions of HIPAA. Mr. Zhou, a former research assistant at the UCLA Health System medical facilities and a licensed cardiothoracic surgeon in China, had regular access to UCLA patients’ protected health information (PHI) in connection with his position at the hospital. In the agreement, Mr. Zhou admits he wrongfully accessed and obtained patient PHI from UCLA’s computer system. Mr. Zhou began accessing the records on or around Oct. 29, 2003, and continued to do so until Nov. 19, 2003. Despite the fact that UCLA terminated him on Nov. 14, 2003, Mr. Zhou continued to have access to UCLA’s information system until Nov. 19. Most of the records he accessed belonged to celebrities or his co-workers. Mr. Zhou further admits that he did not have a legitimate reason (i.e., a reason associated with one of his duties or responsibilities, or otherwise permitted under HIPAA) at the time he obtained these patients’ PHI. Mr. Zhou is scheduled to appear for sentencing in the U.S. District Court of Central California on March 22, 2010. The court may impose any reasonable sentence up to the statutory maximum for his crimes — four years in federal prison and $200,000 in fines. According to a statement made by the USAO, Mr. Zhou is one of the first people in the United States to be convicted of violating the HIPAA privacy rules. (U.S. v. Huping Zhou)


“This…was a big breach — 446,000 is a lot of people, and once something like that goes public, I think you can expect state officials to take action if they can figure out a way,” Christiansen says. “So covered entities — and now business associates — should definitely take this as an indicator of one more thing that is more likely to happen to them if they have a breach since the passage of HITECH.”

“I also think that this is a situation where Health Net appears to have made its situation worse by failing to notify state authorities,” Christiansen adds.

It appears they had “appropriate policies in place that were not followed, given that the missing disc drive was not encrypted,” Christiansen says. “Policy failures happen even in the best-run organizations, and the fact that this incident involved only a single device could indicate it was an isolated failure.”

Other Health Plans Are Worried

The Health Net case is on the minds of other covered entities and business associates, says Eisenberg. “I got a couple of calls about it,” he says. When asked if his callers thought the Health Net case was unique, his answer was a resounding “no.”

“They all could completely see how it could happen to them. Most [CEs] have good systems in place. Could they do things better? Yes,” he says. “As I advise my clients, I don’t see the issue of the [financial] penalty as the biggest problem,” Eisenberg says. “I think the adverse publicity is the bigger problem.”

News about a security breach — or as in Health Net’s case, a breach followed by a lawsuit for a HIPAA violation — that breaks at a point when employers are conducting open season, could cause employers to drop a plan or a provider group, he says. News of a legal action such as this coming during open enrollment season could have significant consequences, Eisenberg says.

As a result of Health Net’s very public troubles, other plans “are looking at a couple of things. Staying in the safe harbor for encryption. Reducing what [PHI] goes out. Making sure they are disciplining employees,” says Eisenberg.

Adds Christiansen, “My recommendation for handling something like this would be to immediately notify the appropriate authorities, prepare for well-organized public notification, find out who was responsible for the failure to follow policy and fire them, and take steps to make sure it doesn’t happen again. Sure, you’d have egg on your face and probably face some penalties and lawsuits,” but as Health Net’s case shows, that might be unavoidable.

Contact Eisenberg at [email protected] and Christiansen at [email protected].

Medical Society Makes Additional Claims

There’s another wrinkle in the larger Health Net story. The Conn. State Medical Society contends in a formal complaint filed with the HHS Office of Civil Rights that UnitedHealthcare, whose bid to buy Health Net’s northeast operations was approved by Blumenthal last month, is being given inappropriate access to members’ health records. The deal between the plans, the society claims, is a unique sales arrangement in which Health Net sold United only the “renewal rights” to current Health Net of Conn. commercial members.

In announcing its Jan. 21 request that OCR look into the matter, the society said its “concern stems from the possibility that United can look at an employer’s claims and then at individual enrollees’ medical records, to determine which businesses it wishes to offer policy renewal — and at what price. In addition, the publicly filed documents indicate there is nothing to prevent United from keeping this information on file should an individual later seek coverage from United through another job or another division of the corporation.”

The medical society alleges that Health Net committed “an unambiguous violation of hundreds of thousands of Connecticut patients’ privacy rights.”

According to the society, under the “business transfer agreement” between the parties, “United will have complete and total access to the personal and sensitive PHI of Health Net enrollees, including medical diagnoses and treatment, without the consent of those patients.” This is a HIPAA violation, it alleges.

Whether OCR will agree is unclear, and the agency does not comment on complaints it receives or on ongoing investigations.

While he did not study the claim in detail, Steven Eisenberg, a partner in the Cleveland office of Baker Hostetler, has doubts about its merits. “I don’t think it’s a slam dunk,” Eisenberg says. “The sale of information and the use of PHI in terms of a sale are pretty broad in terms of operations,” which are allowable uses of PHI along with treatment and payment.


PRIVACY BRIEFS

• Aurora Health Care Inc., in Milwaukee, is facing several lawsuits claiming it violated Wisconsin’s privacy laws by including personal medical information when filing claims against debtors, according to the Journal Sentinel. The plaintiffs, some of whom have joined class-action suits, allege that when they filed for bankruptcy, Aurora submitted bills to the court with specific details about the kind of medical treatment they received. The complaints say Aurora could have filed only summary information to protect its creditors’ claims. The suits seek $25,000 in damages for each person whose medical record was revealed and to have the information stricken from thousands of other debtors’ files. The Wisconsin Hospital Association filed notice that it interprets state law to allow for the disclosure of patient records for billing and claims collections. See the article at http://www.jsonline.com/business/80553442.html.

• A licensed practical nurse at Our Lady of Perpetual Help in Virginia Beach, Va., was sentenced to two years in prison for aggravated identity theft and stealing the identities of nursing home patients, according to a Jan. 19 press release by the U.S. Attorney’s Office for the Eastern District of Virginia. Erica Fowler pleaded guilty on Oct. 20, 2009, to accessing and stealing identity information for at least nine residents between May and July 2008. She used the information to open credit card accounts and make more than $14,000 in purchases. The lending institutions reimbursed the residents for the purchases. The judge ordered Fowler to pay restitution to the financial institutions. The case was investigated by the U.S. Postal Inspection Service and the Virginia Beach Police Department. See the press release at http://tinyurl.com/ydd5yc4.

• A new ethics complaint accuses former Kansas attorney general Phill Kline of widespread abuse of office, according to the Kansas City Star. The 36-page complaint states that Kline dispatched staff members to stake out an abortion clinic and record women’s license plate numbers, obtained state medical files under false pretenses, held onto the files after his tenure in office and lied about his actions under oath. As attorney general, Kline investigated doctors at two abortion clinics (RPP 3/05, p. 12), to determine if they had performed abortions on girls under age 16 without filing child-abuse reports. Kline appeared on the O’Reilly Factor in 2006, during which the host read parts of the patients’ (de-identified) medical records on air (RPP 1/07, p. 12). Kline faces a hearing in front of a judicial ethics panel on May 26 and could face disbarment. One of the doctors Kline had investigated, George Tiller, M.D., was shot to death in 2009 while serving as an usher at his church. Scott Roeder, an anti-abortion extremist, was convicted of first-degree murder for Tiller’s death on Jan. 29. Read the Kansas City Star article at http://www.kansascity.com/115/story/1695335.html.

• A computer containing personal information for 689 patients was stolen from Methodist Hospital in Houston on Jan. 18, according to the hospital’s media release. The computer was used to perform pulmonary function tests and had information such as names, birthdates, Social Security numbers and diagnostic indicators. The hospital says it has “no knowledge that the information has been removed from the computer or will be used inappropriately.” Administrators have sent letters to the affected individuals and are offering one year of free credit monitoring and identity theft protection. The Houston Police Department is investigating the theft. Contact Stefanie Asin at (832) 667-5809.

• On Jan. 26, police found medical files containing sensitive patient information in a trash bin outside University Medical Clinics in Port St. Lucie, Fla., reports WPTV. The files were initially found by a woman who received an anonymous tip about them and contacted police after finding them in the trash, according to the news station. The police indicate that the files have been returned to the medical office. University Medical Clinics could not be reached for comment. See the article at http://tinyurl.com/yze7w9w.

• A study entitled Americans’ Opinions About Healthcare Privacy, conducted by the Ponemon Institute, says people are wary of the government having control of their health records. Sponsored by Crowe-Horwath LLP and published Feb. 1, the study finds that more than 73% of respondents do not trust the federal government to protect the privacy of their health records. It also finds that 71% of respondents do trust health care providers to protect their records. In addition, it says 84% of Americans “are not aware that the U.S. government is considering implementing a national database for the management of health records” and “75% of respondents think such a database is not a good idea.” The results come from a national survey of 883 adult-aged Americans. Read the study at http://tinyurl.com/yl5wcrf.
