Report on Patient Privacy
Volume 10, Number 2 • February 2010
Practical News and Strategies for Complying With HIPAA

Contents
Offshore BAs Pose PHI Risk, But Have Incentives to Self-Regulate, p. 3
Effective Dates for Privacy and Security Provisions in ARRA, p. 3
What to Include in Amendments to BA Agreements, p. 4
Tighten Remote Access Controls to Prevent the Loss of Data, p. 6
Patient Privacy Court Cases, p. 10
Medical Society Makes Additional Claims, p. 11
Privacy Briefs, p. 12

First AG HIPAA Suit Portends More State Actions; Sends Message on Encryption

What began as an unfortunate — though not uncommon — loss of a hard drive has resulted in a world of hurt for Health Net, Inc., which is now the target of the first-ever lawsuit brought by a state attorney general for possible violations of HIPAA.

Compounding Health Net's troubles, on Jan. 21, the Connecticut State Medical Society, which represents physicians, filed a formal complaint to the HHS Office for Civil Rights, charging that Health Net gave UnitedHealthcare inappropriate access to all member files, committing "an unambiguous violation of hundreds of thousands of Connecticut patients' privacy rights" (see box, p. 11).

Connecticut Attorney General Richard Blumenthal — an announced candidate for the U.S. Senate — brought the suit in U.S. District Court in Connecticut on Jan. 13, as RPP predicted he might (RPP 12/09, p. 1).

Blumenthal charged Health Net, United and Oxford Health Plans (both subsidiaries of UnitedHealth Group, which recently acquired parts of Health Net) with "multiple violations" of both HIPAA and state laws, including the Connecticut Unfair Trade Practices Act, stemming from the May 2009 loss of a hard drive. The unencrypted drive contained protected health information for a total of 1.5 million current and former members, 446,000 of whom lived in Connecticut.

continued on p. 8

'Willful Neglect' Is Difficult to Pin Down But Can Result in Enormous Penalties

Until this year, HIPAA civil monetary penalties (CMPs) represented something of an empty threat to covered entities because the fines were almost never imposed. Yet with the signing of the HITECH Act, which ups enforcement using a tiered penalty system, and the recent government push toward accountability, the possibility of a HIPAA violation has become a much scarier thought.

A privacy breach due to "willful neglect" that was corrected within 30 days and affected 100 individuals, which would have cost an organization $10,000 in prior years, will now cost a minimum of $1 million.

Covered entities (CEs) — and also business associates, who are now subject to civil and criminal penalties as of this month — need to know what actions (or lack thereof) can push them into the "willful neglect" category, which carries the most severe fines. They may be surprised to learn that routine inaction or procrastination by busy organizations could be categorized as enormously costly willful neglect.

The interim final rule regarding enforcement, published in the Oct. 30, 2009, Federal Register, uses the same language as the previous enforcement rule, stating: "Willful neglect means conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated."

One step below willful neglect on the CMP tier is "reasonable cause," which is defined as "circumstances that would make it unreasonable for the covered entity, despite the exercise of ordinary business care and prudence, to comply with the administrative simplification provision violated."

Brian Annulis, attorney with Meade & Roach in Chicago, says reasonable cause applies in situations when a covered entity has appropriate policies and procedures in place, but those policies and procedures are not followed — for instance, an employee does not set up password protection on a computer — and a breach ensues. He cites the Aug. 25, 2009, Blue Cross Blue Shield Association (BCBSA) security breach, in which a laptop containing confidential information for as many as 850,000 health care providers was stolen out of an employee's car (RPP 11/09, p. 12). The employee had violated company regulations by downloading an unencrypted version of the information onto a personal laptop. As Annulis sees it, since the CE had formal policies and procedures regarding encryption, a breach such as that one should not constitute willful neglect.

The most obvious demonstration of willful neglect would be when a covered entity has no preventative policies and procedures in place and a breach occurs. Annulis notes that seven years into HIPAA compliance, it's unlikely that a CE or BA would have no formal protocol.

Greg Young, the privacy officer at Mammoth Hospital in California, however, believes that many small doctors' offices and clinics still lack policies and procedures because they "don't feel it's necessary or don't want to spend the money. They just want to take care of their patients, not realizing that part of taking care of patients is taking care of their information." For instance, he recalls walking into a local doctor's office where the receptionist's computer screen faced outward toward the waiting room.

Don't Leave Policies on a Shelf

"The greatest danger" for an organization, according to former director of OCR Richard Campanelli, now an attorney with Baker & Daniels LLP, is having policies and procedures that no one is enforcing and that employees are not educated about. "A policy on a shelf is not going to be very helpful — it won't be helpful in protecting privacy and security, and it won't be helpful in responding to an investigation," he says. Once a violation occurs, the fact that the policy exists signals to OCR that the organization knows what it should be doing and has chosen not to comply.

For example, says Campanelli, if a covered entity is "experiencing problems debugging the access-control software it implemented" but never solves the issue, the covered entity shows that it "knows its basic obligation and knows it has a fundamental problem." The CE is willfully neglecting its duties by giving up on that problem.

Annulis and Bob Coffield, an attorney with Flaherty, Sensabaugh & Bonasso, PLLC, both say that if an organization experiences a breach due to reasonable cause but does not take care of the security problem and consequently suffers a second breach, the scenario would be classified as willful neglect. At that point, the organization has demonstrated "reckless indifference."

Document Actions and Nonactions

For example, Annulis says, if a CE found out it "had a glitch in [its] electronic medical record system that allowed for remote access and someone was able to get in and peek around, and following that [the CE] didn't do anything to fix it," the next violation moves up the CMP ladder. "It's like, 'fool me once, shame on you; fool me twice, shame on me' — you have to learn from it," says Annulis.

continued

Report on Patient Privacy (ISSN: 1539-6487) is published 12 times a year by Atlantic Information Services, Inc., 1100 17th Street, NW, Suite 300, Washington, D.C. 20036, 202-775-9008, www.AISHealth.com. An independent publication not affiliated with hospitals, government agencies, consultants or associations. Editor, Liana Heitin; Contributing Editor, Nina Youngstrom; Executive Editor, Jill Brown; Publisher, Richard Biehl.