HIPAA, Health Information Privacy & Security Compliance
At the Law Office of Kevin O’Mahony, we advise clients on the numerous privacy and security laws that physicians, healthcare providers and businesses working with healthcare providers must follow on a daily basis in their medical practices, healthcare entities or businesses. Implementing and following proper business and security practices that comply with state privacy laws on patient information, as well as the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) privacy, security and transactions rules, is essential for physicians and healthcare entities to avoid lawsuits, fines, penalties and damage awards.
The HIPAA Privacy Rule protects most “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or medium — whether electronic, on paper or oral. The Privacy Rule calls this information protected health information (“PHI”). The HIPAA Privacy Rule requires that covered entities, their business associates and any subcontractors handling PHI apply appropriate administrative, technical and physical safeguards to protect the privacy of PHI in any form.
Covered entities are defined in the HIPAA Rules as (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which the U.S. Department of Health & Human Services (“HHS”) has adopted standards. Generally, these transactions concern billing and payment for services or insurance coverage. For example, hospitals, academic medical centers, physicians, and other health care providers who electronically transmit claims transaction information directly or through an intermediary to a health plan are covered entities. Covered entities can be institutions, organizations or persons.
The Health Information Technology for Economic and Clinical Health Act (“HITECH”) (enacted in 2009) was created to motivate the implementation of electronic health records (“EHR”) and supporting technology in the United States. Because this legislation anticipated a massive expansion in the exchange of electronic protected health information (“ePHI”), the HITECH Act widens the scope of privacy and security protections available under HIPAA. It also increases the potential legal liability for non-compliance, and provides for more enforcement.
Business Associate Agreements
A HIPAA Business Associate Agreement (“BAA”) is a contract between a HIPAA covered entity and a vendor used by that covered entity. A vendor of a HIPAA covered entity that needs to be provided with PHI to perform duties on behalf of the covered entity is called a business associate (“BA”) under HIPAA.
HHS defines a business associate as “a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.” A vendor is also classified as a BA if, as part of the services provided, ePHI passes through their systems. However, exclusions to this definition exist, and it may be the case that a covered entity’s relationship with a vendor changes over time.
A signed HIPAA Business Associate Agreement must be obtained by the covered entity before a business associate is allowed to come into contact with PHI or ePHI. And since the HITECH Act’s provisions were incorporated into the HIPAA Rules by the 2013 Omnibus Final Rule, subcontractors used by business associates are also required to comply with HIPAA. A business associate must likewise obtain a signed HIPAA business associate agreement from its subcontractors before access is given to PHI or ePHI. If subcontractors in turn use vendors that require access to PHI or ePHI, they too need to enter into business associate agreements with those vendors.
The Business Associate Agreement is a contract that specifies the types of PHI that will be provided to the business associate (or subcontractor), the allowable uses and disclosures of PHI, the measures that must be implemented to protect that information, both at rest on-site and in transit (e.g., encryption), and the actions that the BA must take in the event of a security breach that exposes PHI. The contract should state that the BA (or subcontractor) must implement appropriate administrative, technical and physical safeguards to ensure the confidentiality, integrity and availability of ePHI and meet the requirements of the HIPAA Security Rule. Some of those measures may be stated in the BAA or they may be left to the discretion of the BA.
The BAA should also include the allowable uses and disclosures of PHI to meet the requirements of the HIPAA Privacy Rule. In the event that PHI is accessed by individuals unauthorized to view the information, such as an internal breach or cyberattack, the business associate is required to notify the covered entity of the breach and may be required to send notifications to individuals whose PHI has been compromised. The time frames and responsibilities for notifications should be detailed in the BAA.
A business associate should also be made aware of the consequences of failing to comply with the requirements of HIPAA. Business associates can be fined directly by regulators for HIPAA violations. Both HHS’s Office for Civil Rights (“OCR”) and state attorneys general have the authority to issue financial penalties for violations of HIPAA Rules.
Unlike most contracts, a HIPAA business associate agreement does not necessarily indemnify a covered entity against financial penalties for a breach of PHI. If a covered entity fails to obtain “satisfactory assurances” that a BA is HIPAA-compliant prior to entering into a contract, and a breach of PHI subsequently occurs, the covered entity may be considered liable for the breach.
Covered entities can be fined for not having a HIPAA business associate agreement in place, or for having an incomplete agreement in place. This is true even though HITECH regulations state that BAs are obligated to comply with the HIPAA Security Rule, even if no HIPAA business associate agreement is executed.
In May 2019, the OCR issued a new fact sheet to highlight the provisions of HIPAA that apply to business associates and for which they can be held directly liable for non-compliance. The fact sheet spells out the specific requirements that could trigger OCR’s enforcement authority against business associates, including failing to comply with the HIPAA security rule, failing to provide breach notifications to a covered entity or another business associate, and impermissible uses and disclosures of protected health information. See https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html.
HIPAA & HITECH Penalties
HIPAA penalties vary depending on the type of conduct involved. When enacted in 2009, HITECH established four categories for HIPAA violations, with penalty tiers commensurate with the level of culpability for each violation.
- Tier 1 violations are those where the person did not know (and, by exercising reasonable diligence, would not have known) that he or she violated the provision. Tier 1 violations were capped at $25,000 per calendar year.
- Tier 2 violations are those where “the violation was due to reasonable cause, and not willful neglect.” Tier 2 violations were capped at $100,000 per calendar year.
- Tier 3 violations are those due to willful neglect that is timely corrected. Tier 3 violations were capped at $250,000 per year.
- Tier 4 violations are those that occurred due to willful neglect that is not timely corrected. Tier 4 violations were capped at $1.5 million per year.
In 2013, the OCR implemented a final rule allowing for enhancements of HITECH’s penalty provisions. Under the enhanced penalty scheme, while the range of penalties for each violation continued to differ by tier, the total yearly cap for all violations under all tiers became $1.5 million (an amount which formerly was only applicable to the most serious violations). But in April 2019, HHS exercised its discretion to lower the annual cap for certain types of penalties (reducing the financial impact of HIPAA violations that fall into the lower tiers) as follows:
| Culpability tier | Minimum penalty per violation | Maximum penalty per violation | Annual limit for identical violations |
| --- | --- | --- | --- |
| Person did not know, and by exercising reasonable diligence would not have known, that the person violated HIPAA | $114 | $57,051 | $28,525 |
| The violation was due to reasonable cause, not willful neglect | $1,141 | $57,051 | $114,102 |
| Person acted with willful neglect, but corrected the violation within 30 days | $11,182 | $57,051 | $285,255 |
| Person acted with willful neglect and failed to correct the violation within 30 days | $57,051 | $57,051 | $1,711,533 |

(Dollar amounts reflect the inflation adjustment in effect at the time of the April 2019 notice.)
While reduced annual caps are certainly good news, covered entities and business associates should keep in mind:
- The penalty amounts are subject to annual cost-of-living adjustments. In accordance with the Inflation Adjustment Act, HHS updated its regulations in November 2019 to reflect the required annual inflation-related increases to civil monetary penalties, including those for violations of HIPAA’s “administrative simplification” provisions. Under the updated figures, penalties for violations occurring before February 18, 2009 are $159 per violation, with a $39,936 cap per calendar year. For violations occurring on or after February 18, 2009: where it is established that the covered entity or business associate did not know and could not reasonably have known of the violation, the penalty is a minimum of $117 and a maximum of $58,490 per violation; where the violation was due to reasonable cause and not willful neglect, the minimum rises to $1,170, with the maximum remaining at $58,490; where the violation was due to willful neglect but was corrected during the 30-day period running from the date the entity knew or should have known of it, the minimum is $11,698 and the maximum $58,490; and where the violation was due to willful neglect and was not corrected within that 30-day period, the penalty is $58,490 (minimum) to $1,754,698 (maximum). For all of these tiers, the calendar-year cap stated in the regulation is now $1,754,698. The lower, tier-specific caps announced in April 2019 reflect HHS’s exercise of enforcement discretion rather than an amendment of the regulatory text, so the regulation’s own cap continues to be adjusted for inflation each year.
- The new annual caps only apply to identical violations. A single act or omission may result in different violations that are not identical. For example, an impermissible disclosure may violate separate HIPAA requirements, each of which may trigger a different penalty and separate annual cap. Moreover, OCR may impose a separate penalty for each individual whose information was improperly accessed or disclosed. In the case of a continuing violation (e.g., the failure to implement a required safeguard or obtain a required business associate agreement), a separate violation occurs each day the covered entity or business associate is in violation of the provision.
- If an entity does not act with willful neglect and corrects the violation within 30 days after the covered entity or business associate knew, or by exercising reasonable diligence, would have known of the violation, the OCR may not impose a penalty; such correction is an affirmative defense to penalties. However, if the entity acts with willful neglect, the relevant penalty is mandatory.
- A covered entity or business associate is vicariously liable for the violations of their respective agents, including workforce members or business associates acting within the scope of their agency under the federal common law of agency.
In other words, HIPAA penalties may add up quickly despite the reduced annual cap on identical types of violations. And covered entities and business associates must ensure that they continue to comply with HIPAA, avoid acting with “willful neglect” at all costs, and correct any violations within 30 days to invoke the affirmative defense to penalties.
Health & Mobile Apps
Health apps are application programs that offer health-related services for mobile devices such as smartphones, smartwatches, personal digital tablets, patient monitoring devices, wearable technology and other wireless devices. Because they are accessible to patients both at home and elsewhere, health apps are part of a burgeoning movement towards mobile health (“mHealth”) programs in healthcare. There are many varieties of health apps available for purchase from app stores. Some (such as fitness, weight loss, wellness and exercise trackers) are designed to help consumers make healthier choices in their everyday life by offering advice about fitness or nutrition. Others are aimed at physicians and other healthcare providers themselves, combining mHealth with electronic medical records (“EMR”), and allowing providers to keep accurate records that are easily accessible. And others help doctors and patients communicate remotely, such as apps for diabetics that automatically send glucose readings to their primary care physicians.
HIPAA does not provide full, comprehensive coverage over, or protection to, all medical/health/wellness information, regardless of the manner in which it is transmitted or by whom. HIPAA is limited to “covered entities” and their “business associates,” who share or transmit “protected health information” (“PHI” or “ePHI” for electronic information) concerning “covered transactions.” All of these terms are specifically defined by HIPAA, and most third-party healthcare apps do not qualify as a “covered entity” or a “business associate” having “PHI,” or engaging in a “covered transaction,” for purposes of triggering HIPAA’s requirements. But many do. And because HIPAA does apply to many healthcare apps, healthcare providers, mobile app developers, and other health-related businesses need to keep HIPAA Rules in mind whenever PHI is transmitted or disclosed to third parties.
Given the growing number of apps that patients may choose to receive and use their PHI with, and the limited control covered entities and EHR system developer business associates have following a patient-directed disclosure, HHS issued new guidance in the form of Frequently Asked Questions (“FAQs”) in April 2019. These FAQs clarified (at least to some extent) potential HIPAA liability for transmitting PHI among covered entities, their EHR system developers, and patient-designated apps. Here are the five FAQs and HHS’s answers:
- Q: Does a HIPAA covered entity that fulfills an individual’s request to transmit electronic protected health information (ePHI) to an application or other software (collectively “app”) bear liability under the HIPAA Privacy, Security, or Breach Notification Rules (HIPAA Rules) for the app’s use or disclosure of the health information it received?
A: The answer depends on the relationship between the covered entity and the app. Once health information is received from a covered entity, at the individual’s direction, by an app that is neither a covered entity nor a business associate under HIPAA, the information is no longer subject to the protections of the HIPAA Rules. If the individual’s app – chosen by an individual to receive the individual’s requested ePHI – was not provided by or on behalf of the covered entity (and, thus, does not create, receive, transmit, or maintain ePHI on its behalf), the covered entity would not be liable under the HIPAA Rules for any subsequent use or disclosure of the requested ePHI received by the app. For example, the covered entity would have no HIPAA responsibilities or liability if such an app that the individual designated to receive their ePHI later experiences a breach.
If, on the other hand, the app was developed for, or provided by or on behalf of the covered entity – and, thus, creates, receives, maintains, or transmits ePHI on behalf of the covered entity – the covered entity could be liable under the HIPAA Rules for a subsequent impermissible disclosure because of the business associate relationship between the covered entity and the app developer. For example, if the individual selects an app that the covered health care provider uses to provide services to individuals involving ePHI, the health care provider may be subject to liability under the HIPAA Rules if the app impermissibly discloses the ePHI received.
- Q: What liability does a covered entity face if it fulfills an individual’s request to send their ePHI using an unsecure method to an app?
A: Under the individual right of access, an individual may request a covered entity to direct their ePHI to a third-party app in an unsecure manner or through an unsecure channel. See 45 CFR 164.524(a)(1), (c)(2)(ii), (c)(3)(ii). For instance, an individual may request that their unencrypted ePHI be transmitted to an app as a matter of convenience. In such a circumstance, the covered entity would not be responsible for unauthorized access to the individual’s ePHI while in transmission to the app. With respect to such apps, the covered entity may want to consider informing the individual of the potential risks involved the first time that the individual makes the request.
- Q: Where an individual directs a covered entity to send ePHI to a designated app, does a covered entity’s electronic health record (EHR) system developer bear HIPAA liability after completing the transmission of ePHI to the app on behalf of the covered entity?
A: The answer depends on the relationship, if any, between the covered entity, the EHR system developer, and the app chosen by the individual to receive the individual’s ePHI. A business associate relationship exists if an entity creates, receives, maintains, or transmits ePHI on behalf of a covered entity (directly or through another business associate) to carry out the covered functions of the covered entity. A business associate relationship exists between an EHR system developer and a covered entity. If the EHR system developer does not own the app, or if it owns the app but does not provide the app to, through, or on behalf of, the covered entity – e.g., if it creates the app and makes it available in an app store as part of a different line of business (and not as part of its business associate relationship with any covered entity) – the EHR system developer would not be liable under the HIPAA Rules for any subsequent use or disclosure of the requested ePHI received by the app.
If the EHR system developer owns the app or has a business associate relationship with the app developer, and provides the app to, through, or on behalf of, the covered entity (directly or through another business associate), then the EHR system developer could potentially face HIPAA liability (as a business associate of a HIPAA covered entity) for any impermissible uses and disclosures of the health information received by the app. For example, if an EHR system developer contracts with the app developer to create the app on behalf of a covered entity and the individual later identifies that app to receive ePHI, then the EHR system developer could be subject to HIPAA liability if the app impermissibly uses or discloses the ePHI received.
- Q: Can a covered entity refuse to disclose ePHI to an app chosen by an individual because of concerns about how the app will use or disclose the ePHI it receives?
A: No. The HIPAA Privacy Rule generally prohibits a covered entity from refusing to disclose ePHI to a third-party app designated by the individual if the ePHI is readily producible in the form and format used by the app. See 45 CFR 164.524(a)(1), (c)(2)(ii), (c)(3)(ii). The HIPAA Rules do not impose any restrictions on how an individual or the individual’s designee, such as an app, may use the health information that has been disclosed pursuant to the individual’s right of access. For instance, a covered entity is not permitted to deny an individual’s right of access to their ePHI where the individual directs the information to a third-party app because the app will share the individual’s ePHI for research or because the app does not encrypt the individual’s data when at rest. In addition, as discussed in Question 1 above, the HIPAA Rules do not apply to entities that do not meet the definition of a HIPAA covered entity or business associate.
- Q: Does HIPAA require a covered entity or its EHR system developer to enter into a business associate agreement with an app designated by the individual in order to transmit ePHI to the app?
A: HIPAA does not require a covered entity or its business associate (e.g., EHR system developer) to enter into a business associate agreement with an app developer that does not create, receive, maintain, or transmit ePHI on behalf of or for the benefit of the covered entity (whether directly or through another business associate).
However, if the app was developed to create, receive, maintain, or transmit ePHI on behalf of the covered entity, or was provided by or on behalf of the covered entity (directly or through its EHR system developer, acting as the covered entity’s business associate), then a business associate agreement would be required.
More information about apps, business associates, and HIPAA is available at: https://hipaaqsportal.hhs.gov.
See also OCR FAQ 2039, “What is the liability of a covered entity in responding to an individual’s access request to send the individual’s PHI to a third party,” available at https://www.hhs.gov/hipaa/for-professionals/faq/2039/what-is-the-liability-of-a-covered-entity-in-responding/index.html.
Additionally, in 2019, the Consumer Technology Association, a trade association for the consumer technology industry, released new health data privacy guidelines. The guidelines are voluntary and intended to provide baseline recommendations for technology companies that handle personal health data. These guidelines, first developed in 2015, have been expanded and are based on privacy concepts currently present and developing in U.S. law, while recognizing the potential impact that international privacy laws have on U.S. companies. The guidelines can be accessed at: CTA-Privacy-Guidelines-Personal-Health-Wellness-Info.
Recent HIPAA Settlement Shows Importance of Encrypting Mobile Devices That Contain Patient Data
In November 2019, OCR settled with the University of Rochester Medical Center (“URMC”) after URMC filed two separate breach reports, revealing that PHI had been impermissibly disclosed through the loss of an unencrypted flash drive and theft of an unencrypted laptop. OCR had conducted a previous investigation prior to these two breach reports concerning a similar breach at URMC involving a lost unencrypted flash drive. OCR’s investigation found that URMC failed to: conduct an enterprise-wide risk analysis; implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level; utilize device and media controls; and employ a mechanism to encrypt and decrypt ePHI when it was reasonable and appropriate to do so.
Despite this investigation and URMC’s identification of the risks that lack of encryption would bring to URMC, the medical center did not change its practices, and continued to use unencrypted mobile devices. Under the settlement, URMC agreed to pay OCR $3 million and undertake a corrective action plan which includes two years of monitoring its compliance with the HIPAA rules.
This is just one of many HIPAA settlements based on the failure to encrypt mobile devices. Similar settlements have arisen from lost or stolen smartphones, computers, hard drives, and other electronic media that were not properly encrypted.
Encryption is an “addressable” implementation specification under the HIPAA Security Rule’s access control and transmission security standards. The Rule requires covered entities and business associates to “[i]mplement a mechanism to encrypt and decrypt electronic protected health information” and, for ePHI transmitted over an electronic communications network, to “[i]mplement a mechanism to encrypt electronic protected health information whenever deemed appropriate.” (45 CFR § 164.312(a)(2)(iv) and (e)(2)(ii)).
Because the encryption implementation specification is addressable, it must be implemented if, after a risk assessment, the entity determines that the specification is a reasonable and appropriate safeguard in its risk management of the confidentiality, integrity and availability of ePHI. If the entity decides that the addressable implementation specification is not reasonable and appropriate, it must document that determination and implement an equivalent alternative measure, provided that the alternative is reasonable and appropriate. If the standard can otherwise be met, the covered entity may choose not to implement the implementation specification or any equivalent alternative measure, and must document the rationale for that decision. (https://www.hhs.gov/hipaa/for-professionals/faq/2001/is-the-use-of-encryption-mandatory-in-the-security-rule/index.html).
Although encryption is not mandatory, it would be difficult to identify an “equivalent alternative measure” of protection so as to satisfy the addressable standard. Proper encryption allows covered entities and business associates to avoid HIPAA breach reports if the data or device is lost or stolen. The Breach Notification Rule only applies to the breach of “unsecured protected health information.” (45 CFR § 164.404(a)).
“Unsecured protected health information” means protected health information that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary in the guidance issued under [the HITECH Act]. (45 CFR § 164.402). PHI that is encrypted in a manner satisfying that guidance is not “unsecured”; accordingly, its loss does not require a breach report. (78 FR 5639 and 5644; 74 FR 42741-42, 42765). According to OCR, ePHI has been encrypted as specified in the HIPAA Security Rule by “the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key” (45 CFR 164.304 definition of encryption), provided that the confidential process or key that might enable decryption has not been breached. HHS’s guidance points to NIST Special Publication 800-111 for data at rest and to NIST Special Publications 800-52, 800-77 and 800-113 (or other FIPS 140-2 validated processes) for data in transit as the methodologies that meet this standard. To avoid a breach of the confidential process or key, these decryption tools should be stored on a device or at a location separate from the data they are used to encrypt or decrypt. (https://www.hhs.gov/hipaa/for-professionals/breach-notification/guidance/index.html; see also 74 FR 42742-43).
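As an added illustration of the key-separation point above (example code written for this page, not HHS, OCR or URMC material), the Go program below implements envelope encryption with AES-256-GCM from Go’s standard library. Each record is encrypted under its own random data key; that data key is then wrapped under a key-encryption key (KEK) that lives in a separate key store, so the only thing stored with the data is ciphertext plus a wrapped key. The patient record, the record identifier and the function names are assumptions made for the example; a real deployment would fetch the KEK from an HSM or cloud KMS rather than generate it in main().

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is what would sit on the laptop or flash drive: the encrypted
// record, the data key wrapped under a key-encryption key (KEK), and the
// nonces. No usable key material is stored with the data, so a lost device
// yields only ciphertext unless the separately held KEK is also compromised.
type Envelope struct {
	WrappedDEK []byte // per-record data key, AES-256-GCM encrypted under the KEK
	DEKNonce   []byte
	Ciphertext []byte // ePHI record, AES-256-GCM encrypted under the data key
	DataNonce  []byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key with a fresh random nonce; aad is
// authenticated but not encrypted and binds the output to a record ID.
func seal(key, plaintext, aad []byte) (nonce, ct []byte, err error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, aead.Seal(nil, nonce, plaintext, aad), nil
}

func open(key, nonce, ct, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ct, aad)
}

// Encrypt builds the envelope for one record. The KEK never leaves the key
// store (HSM, cloud KMS or a server the device does not hold); only the
// wrapped data key travels with the data.
func Encrypt(kek, record []byte, recordID string) (*Envelope, error) {
	if len(kek) != 32 {
		return nil, errors.New("KEK must be 32 bytes for AES-256")
	}
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	dataNonce, ct, err := seal(dek, record, []byte(recordID))
	if err != nil {
		return nil, err
	}
	dekNonce, wrapped, err := seal(kek, dek, []byte(recordID))
	if err != nil {
		return nil, err
	}
	for i := range dek { // best-effort scrub of the plaintext data key
		dek[i] = 0
	}
	return &Envelope{WrappedDEK: wrapped, DEKNonce: dekNonce, Ciphertext: ct, DataNonce: dataNonce}, nil
}

// Decrypt needs the KEK from the key store. With a wrong KEK, a mismatched
// record ID or a tampered envelope, the GCM tag check fails and no plaintext
// is released.
func Decrypt(kek []byte, env *Envelope, recordID string) ([]byte, error) {
	dek, err := open(kek, env.DEKNonce, env.WrappedDEK, []byte(recordID))
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap data key (wrong KEK or tampered envelope): %w", err)
	}
	return open(dek, env.DataNonce, env.Ciphertext, []byte(recordID))
}

func main() {
	// Constructed sample: a fictitious patient record and a random KEK that in
	// practice would be generated and held by the key store, not the device.
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	record := []byte("MRN 0000001 | Doe, Jane | A1c 7.2% | 2019-11-05")
	env, err := Encrypt(kek, record, "MRN0000001")
	if err != nil {
		panic(err)
	}
	fmt.Printf("on device: %d bytes ciphertext, %d bytes wrapped key, no plaintext key\n",
		len(env.Ciphertext), len(env.WrappedDEK))
	if _, err := Decrypt(make([]byte, 32), env, "MRN0000001"); err != nil {
		fmt.Println("thief with the device but no KEK:", err)
	}
	plain, err := Decrypt(kek, env, "MRN0000001")
	if err != nil {
		panic(err)
	}
	fmt.Println("authorized user with KEK:", string(plain))
}
```

The design choice that matters for the breach analysis is that losing the device exposes nothing that can be decrypted without the KEK, which is exactly the “confidential process or key ... has not been breached” condition in the guidance. Rotating or revoking the KEK in the key store also makes every envelope wrapped under it unrecoverable, so KEK backup and availability controls belong in the same risk analysis.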
On the other hand, HHS commentary makes it clear that the loss or theft of an unencrypted device containing protected health information presumptively requires a breach report. (See, e.g., 78 FR 5671). For example, in its Breach Notification Rule commentary, HHS noted that “the most frequent form of data loss is the result of lost or stolen laptops and data bearing media such as hard drives. If the data on these devices is encrypted, then under the [Breach Notification Rule] definition of a breach, the event would not require the covered entity or the business associate to notify affected individuals.” (74 FR 42765). But “if laptops containing the unsecured protected health information of more than 500 residents of a particular city were stolen from a covered entity, notification under this section should be provided to prominent media outlets serving that city [in addition to individuals and HHS].” (Id. at 42752).
Significantly, “if a computer is lost or stolen, [HHS does] not consider it reasonable to delay breach notification based on the hope that the computer will be recovered.” (Id. at 42745). Moreover, the failure to timely report the theft or loss of an unencrypted device would likely constitute “willful neglect,” resulting in mandatory HIPAA penalties ranging from $11,182 to $57,051 per violation under the then-current inflation adjustment, and OCR may treat each individual whose information was on the device as a separate violation. (45 CFR §§ 102.3 and 160.404).
In its commentary to the Enforcement Rule, HHS gave the following example of “willful neglect” for which an entity “will be held fully responsible”: “A covered entity’s employee lost an unencrypted laptop that contained unsecured protected health information. HHS’s investigation reveals the covered entity feared its reputation would be harmed if information about the incident became public and, therefore, decided not to provide notification as required by § 164.400 et seq.” (75 FR 40879).
Consequently, key steps to be taken include the following:
- Implement HIPAA Safeguards. HIPAA covered entities and business associates should implement appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of ePHI, as required by the Security Rule.
- Don’t delay. If you are a HIPAA covered entity or business associate, your legal and IT personnel should ensure that the safeguards are implemented entity-wide and without any undue delays. Your employees presumably travel for business and probably take work home. You therefore could be one lost device away from a disastrous data breach and a multi-million dollar fine.
- Encrypt your ePHI. An important technical safeguard is encryption of ePHI, which is not expressly required but is effectively required under HIPAA, since only breaches of unsecured ePHI must be reported to HHS. (See above and 45 C.F.R. § 164.408.)
- Protect your encryption key. The encryption key should be stored separately from the ePHI it protects, so that loss of a device does not also mean loss of the key. As specified in the HIPAA Security Rule, ePHI is encrypted by “the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key” (45 CFR 164.304 definition of encryption), and the safe harbor applies only if that confidential process or key has not been breached. Keys must also be backed up under equivalent controls, since a key that is lost outright makes the ePHI unavailable, which the Security Rule likewise requires the entity to guard against.
- Hire expert help. For most covered entities and business associates, implementation of the Security Rule is outside the scope of their expertise, and security is usually not a do-it-yourself project. Hiring a reputable, skilled technology vendor to implement the technical and physical safeguards, and hiring knowledgeable outside legal counsel to ensure compliance with the Security Rule (and to provide a certain level of privilege protection), can go a long way toward avoiding a reportable data breach. HHS and the OCR also provide numerous resources to assist covered entities and business associates in properly encrypting data.
Unfortunately, because medical information is lucrative and easy to exploit, patient records are likely to remain primary targets of hackers and cybercriminals for the foreseeable future. Compared to a stolen credit card number, for example, a stolen medical record offers much more personal information. And because theft and loss are constant threats, failing to encrypt mobile devices needlessly puts patient health information at risk. Healthcare organizations therefore must ensure they have proper, up-to-date security measures in place, including data-breach response plans, ePHI encryption, and adequate employee training about the importance of security. Otherwise, they may face severe legal and financial consequences.
Business Associates’ Direct Liability Under HIPAA
In May 2019, the OCR released a fact sheet outlining and clarifying violations of HIPAA for which a business associate can be held directly liable. Published shortly after the release of the new guidance from OCR in the form of FAQs discussed above, the fact sheet was another example of OCR’s recent efforts to clarify its position and answer outstanding questions from the ever-changing healthcare industry.
In the May 2019 fact sheet, OCR first noted the history by which the application of certain aspects of HIPAA extended to business associates – the HITECH Act of 2009 and OCR’s 2013 Final Rule modifying the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules, which further extended to business associates the need to comply directly with the HIPAA Security Rule and significant aspects of the HIPAA Privacy Rule. Since then, business associates have tried to comply with these HIPAA requirements, but with little guidance or certainty as to whether OCR will take action against them (as opposed to only covered entities) for HIPAA violations, and if so, the types of violations OCR will enforce against business associates.
OCR’s fact sheet finally provided some clarity regarding business associates’ own liability under HIPAA. Citing the HITECH Act and the 2013 Final Rule, the fact sheet clearly states that “OCR has authority to take enforcement action against business associates only for those requirements and prohibitions of the HIPAA Rules as set forth below” (emphasis in original). Specifically, business associates can be held directly liable under HIPAA for:
- Failure to provide the Secretary of HHS with records and compliance reports; cooperate with complaint investigations and compliance reviews; and permit access by the Secretary to information, including PHI, pertinent to determining compliance.
- Taking any retaliatory action against any individual or other person for filing a HIPAA complaint, participating in an investigation or other enforcement process, or opposing an act or practice that is unlawful under the HIPAA Rules.
- Failure to comply with the requirements of the HIPAA Security Rule.
- Failure to provide breach notification to a covered entity or another business associate.
- Impermissible uses and disclosures of PHI.
- Failure to disclose a copy of ePHI to either the covered entity, the individual, or the individual’s designee (whichever is specified in the BAA) to satisfy a covered entity’s obligations regarding the form and format, and the time and manner, of access under 45 C.F.R. §§ 164.524(c)(2)(ii) and (c)(3)(ii), respectively.
- Failure to make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.
- Failure, in certain circumstances, to provide an accounting of disclosures.
- Failure to enter into BAAs with subcontractors that create or receive PHI on their behalf, and failure to comply with the implementation specifications for such BAAs.
- Failure to take reasonable steps to address a material breach or violation of the subcontractor’s BAA.
In one telling example, OCR indicated it has enforcement authority directly over a business associate that has agreed in a BAA to satisfy individual rights (e.g., requests from individuals for access to copies of their medical records). Although OCR did not explicitly say it would enforce a business associate’s failure to sign a BAA with a covered entity, it said it would with respect to BAAs with business associate subcontractors. And OCR’s example confirms that the agency will hold business associates accountable for certain contractual obligations made with covered entities, even if such obligations otherwise exceed the scope of business associate requirements under HIPAA.
OCR’s clarification regarding the direct liability of business associates came as the agency’s enforcement against business associates has been rising. Just a few days before releasing the new fact sheet, OCR settled allegations of HIPAA Privacy Rule and Security Rule violations for $100,000 with a business associate that provides software and electronic medical record services to healthcare providers. In that case, the business associate self-disclosed a HIPAA breach to OCR after discovering that hackers had used a compromised user ID and password to access the ePHI of approximately 3.5 million people. OCR’s investigation revealed that the business associate had not conducted a comprehensive risk analysis prior to the breach, as the Security Rule requires.
Recent HIPAA Enforcement Actions Show Exposure on Multiple Fronts
In June 2019, an unprecedented settlement was announced, arising from a federal lawsuit brought by 16 state attorneys general (“AGs”) in the U.S. District Court for the Northern District of Indiana. In that case, a medical software provider agreed to pay the states $900,000 for alleged violations of a combination of federal and state privacy laws. The settlement represented the resolution of the first-ever multistate data breach suit based on alleged violations of HIPAA, as well as state deceptive trade practices acts, state personal information protection acts, and state breach notifications acts. The case arose out of a 2015 data breach, in which an Indiana-based electronic health record software provider and its subsidiary (the “EHR Provider”) discovered that hackers used a compromised user ID and password to access the ePHI of approximately 3.5 million individuals whose healthcare providers used the EHR Provider’s software. The information exposed by the breach included names, dates of birth, Social Security numbers, and clinical information.
In the lawsuit, the state AGs asserted that the EHR Provider ran a web application with a security framework that allowed the breach to occur. The EHR Provider allegedly failed to take appropriate measures to protect its computer systems and failed to take reasonable steps to prevent breaches. The state AGs claimed that the EHR Provider, as a business associate under the provisions of HIPAA, was required to comply with the HIPAA Security Rule, and had failed in numerous instances to meet the Security Rule’s enumerated requirements.
Although the sheer number of individuals impacted by the breach was significant, the major takeaway from the case was the nationwide collective effort by the state AGs. In addition to using their statutory authority to enforce HIPAA, the state AGs also brought claims under their respective data breach and personal information protection statutes. The combined effect was a powerful case in which the EHR Provider was accused of 38 separate counts of state law violations, all emanating from the same breach. The settlement with the state AGs was finalized about one month after the EHR Provider agreed to pay $100,000 to the OCR, the federal agency tasked with enforcing HIPAA, for alleged HIPAA violations associated with the same breach. In addition to the monetary consequences, the EHR Provider also agreed to numerous injunctive provisions and a corrective action plan, requiring the company to implement and adhere to specific data security policies and procedures.
These settlements represent cautionary tales for the healthcare industry for several reasons. First, the affected entity in this instance was a business associate governed by HIPAA. The settlements show that to the extent a HIPAA-covered entity must take specific measures to protect the ePHI of its patients, the business associate that handles the information on the covered entity’s behalf also must do so. Business associates should assess their data security programs and ensure that they have procedures in place to monitor, detect and address data vulnerabilities and breaches, consistent with HIPAA Security Rule requirements. As demonstrated by the federal suit, business associates are not only on OCR’s radar, they also are on state radars. HIPAA-covered entities should also pay close attention to their business associates’ HIPAA compliance to ensure that they are adequately protecting the covered entity’s information.
Second, the increasing use of web-based applications for electronic health information management represents not only an opportunity for innovation and progress, but also a threat of increased exposure and liability. Transmission of ePHI via the Internet enables healthcare organizations to better treat and engage patients, and helps facilitate the beneficial exchange of medical information among providers. Utilized properly, this electronic network improves healthcare and makes its delivery more efficient. However, as the electronic network of patients and providers continues to grow, it becomes a more valuable and data-rich target for hackers. This means that covered entities and business associates participating in any given electronic network are exposed to potential hazards that may impact individuals in multiple states, and are subject to multiple state and federal laws and threats of enforcement action. Consequently, attention to data privacy and security must grow in scale with the size of the network managing the highly-regulated information.
Finally, the federal suit and settlements show that states are willing to utilize and combine their resources and efforts nationwide to hold health industry participants accountable for compliance with both federal and state laws when it comes to data protection and health information privacy. As already noted, electronic networks transmitting health information are growing. This growth means the activities of healthcare entities will reach more and more patients, which means handling highly-regulated information in more and more states. With the no-longer-theoretical prospect of multistate enforcement actions, it is essential that covered entities and business associates take measures to comply with HIPAA and applicable state laws wherever their businesses are conducted.
Georgia Ambulance Company Pays to Settle Allegations of HIPAA Violations
In December 2019, West Georgia Ambulance, Inc. (“WGA”) agreed to pay OCR $65,000 and to adopt a corrective action plan to settle potential violations of the HIPAA Security Rule. WGA is an ambulance company that provides emergency and non-emergency ambulance services in Carroll County, Georgia.
OCR began its investigation after WGA filed a breach report in 2013 following the loss of an unencrypted laptop containing the PHI of 500 individuals. OCR’s investigation revealed longstanding noncompliance with HIPAA Rules, including failures to conduct a risk analysis, provide a security awareness and training program, and implement HIPAA Security Rule policies and procedures. OCR also alleged that despite OCR’s investigation and technical assistance, WGA did not take meaningful steps to address its systemic failures.
Physician Practice Liable After Reporting Business Associate’s HIPAA Violation
A 2020 Resolution Agreement between OCR and a sole practitioner physician practice illustrates how complying with HIPAA by reporting a business associate for a breach can result in liability for covered entities. Following the breach report, OCR opened an investigation into the physician’s practice, which resulted in a $100,000 settlement and a corrective action plan that includes two years of monitoring.
On March 3, 2020, OCR announced a $100,000 settlement and corrective action plan with the practice of Steven Porter, M.D. According to HHS’s press release, OCR began investigating Dr. Porter’s medical practice after it filed a breach report with OCR on November 21, 2013, related to a dispute with a business associate. The practice’s breach report claimed that the business associate was improperly using the practice’s patients’ electronic protected health information (“ePHI”) by blocking the practice’s access to such ePHI until Dr. Porter paid $50,000. (For OCR guidance regarding how such information blocking is inappropriate, see OCR FAQ 2074.)
OCR apparently used the practice’s breach report about the business associate’s conduct to open an investigation into the practice itself. OCR’s investigation determined that, both prior to the breach and despite technical assistance from OCR during the investigation, Dr. Porter failed to conduct a security risk assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI as required by the Security Rule. He also failed to implement security measures sufficient to reduce risks and vulnerabilities to ePHI to a reasonable and appropriate level. The practice also allegedly permitted another business associate to create, receive, maintain or transmit ePHI on the practice’s behalf at least since 2013, without obtaining satisfactory assurances that it would appropriately safeguard the ePHI.
OCR cited these failures as grounds for imposing the $100,000 settlement and two-year corrective action plan, which includes multiple compliance requirements – such as conducting a security risk analysis, implementing responsive risk mitigation measures, revising policies and procedures for business associate relationships, and conducting workforce training. The scope of the corrective action plan suggests that the practice’s overall HIPAA compliance may have been poor, but it is notable that the investigation was initiated not based on any action or breach by the practice, but rather in response to the practice’s report of its business associate’s noncompliance in withholding PHI to gain leverage in a business dispute.
This Resolution Agreement highlights a tension between the HIPAA regulatory framework and practical operations for covered entities. Covered entities are required to report a breach of unsecured PHI to the Secretary (see 45 C.F.R. 164.408). Covered entities also must take corrective actions if they suspect that a business associate has breached an obligation of their business associate agreement (“BAA”) or the HIPAA rules. Specifically, 45 C.F.R. 164.504(e)(1)(ii) provides:
A covered entity is not in compliance with the standards in §164.502(e) and this paragraph, if the covered entity knew of a pattern of activity or practice of the business associate that constituted a material breach or violation of the business associate’s obligation under the contract or other arrangement, unless the covered entity took reasonable steps to cure the breach or end the violation, as applicable, and, if such steps were unsuccessful, terminated the contract or arrangement, if feasible.
However, this Resolution Agreement shows that complying with reporting obligations or pursuing the regulatory remedy of filing a complaint with the Secretary in a dispute with a business associate can increase scrutiny on the covered entity and may ultimately lead to penalties. Despite the risk, there will be instances where a covered entity is required to report conduct to the Secretary, or in which such a report is a reasonable step the covered entity must take as part of its own compliance efforts.
Nonetheless, there are certain steps covered entities can take to mitigate their risks, including:
- Compliance. Needless to say, the best defense in an OCR investigation is HIPAA compliance. Therefore, every covered entity should work hard to ensure that it is complying with HIPAA. But even if a covered entity’s compliance cannot be perfect, good-faith efforts and organized record-keeping can go a long way toward mitigating OCR enforcement risks. As OCR Director Roger Severino put it: “All health care providers, large and small, need to take their HIPAA obligations seriously. The failure to implement basic HIPAA requirements, such as an accurate and thorough risk analysis and risk management plan, continues to be an unacceptable and disturbing trend within the health care industry.” And all covered entities, regardless of size, need to understand that OCR is serious about Security Rule compliance.
- Vetting. Covered entities should carefully evaluate business associates before retaining them. Working with vendors with good track records of reputable business practices and strong HIPAA compliance will decrease the likelihood of a breach or dispute requiring a report to the Secretary. Moreover, although no organization can make itself completely immune to a breach, a business associate with solid security practices should be less vulnerable.
- Indemnification. Covered entities and business associates should carefully negotiate indemnification provisions in their BAAs. The parties should consider the structure of the relationship, the services to be provided by the business associate, and the amount and nature of the PHI to which the business associate will have access when determining how to allocate risks and responsibilities under the BAA. Covered entities may push for business associates to be responsible for fines and penalties that arise from OCR investigations that relate to reports of business associate misconduct or breach of the BAA. On the other hand, business associates may want to limit such responsibility since fines and penalties can expand well beyond the business associate’s conduct once an OCR investigation begins. Other areas to consider in indemnification negotiations are costs associated with investigation, mitigation and reporting HIPAA noncompliance, including but not limited to breaches of unsecured PHI.
Enforcement Summary Tables
The American Health Law Association’s Health Information and Technology Practice Group and Privacy and Security Risk Compliance and Enforcement Affinity Group have developed tables on OCR and Federal Trade Commission (“FTC”) enforcement actions imposed on covered entities and business associates in relation to HIPAA and/or Section 5 of the FTC Act. The tables provide summaries of OCR or FTC actions, respectively, including the following information:
- Nature of the breach or violation
- OCR’s or FTC’s findings
- Corrective action plans or terms of orders
- Resolution and/or the civil money penalty amount imposed on the entity
State Law Liability for Failure to Protect Confidentiality of Medical Records
As noted above, HIPAA is a federal statute providing for confidentiality of health and medical records under certain circumstances. HIPAA is administered by the federal Department of Health and Human Services (“HHS”), which can impose substantial fines for non-compliance. However, HIPAA provides no private, federal cause of action for a patient to sue a healthcare provider or business directly for damages.
If an HHS-OCR investigation concludes there was a possible criminal violation, OCR will forward the matter to the U.S. Department of Justice. If there’s a determination that a non-criminal violation occurred, the OCR will seek voluntary corrective action or will issue a formal finding of violation. OCR may impose civil monetary penalties as part of a negotiated resolution or file suit for damages. And, as noted above, penalties or damages for violating HIPAA can run into the millions of dollars. However, monetary penalties for such violations are paid to HHS, not to any injured individual or patient.
Nevertheless, alleged HIPAA violations may be remedied in state court under state tort or contract law as well. Although HIPAA does not provide a private right to sue for HIPAA violations, healthcare providers, businesses and business associates should bear in mind that remedies for non-compliance are not necessarily limited to federal agency fines or damages.
Recent state court decisions demonstrate this dual-liability-exposure reality. For example, in one state court case, a plaintiff-patient alleged that a healthcare provider mistakenly gave his records to another individual. The plaintiff-patient sued the provider to recover damages under a variety of state law theories, including negligence based on a state law duty of care informed by HIPAA.
The appellate court explained that although the negligence claim did not arise under HIPAA, the provider owed the plaintiff a state law duty of care to act as a reasonably prudent healthcare provider would under the circumstances. The court then found that the allegations in the complaint for wrongful disclosure of protected information were sufficient to survive a motion to dismiss, and allowed the case to proceed into discovery and perhaps trial phases.
Notably, the provider tried to argue that HIPAA preempted all such state law claims. But the court rejected that preemption argument, reasoning that allowing state law claims in this context does not interfere with government enforcement actions authorized by HIPAA. The court stated that “additional state law remedies encourage compliance with HIPAA by providing further means for patients to recover for harm suffered due to non-compliance.” The court concluded: “[W]e hold HIPAA’s requirements may inform the standard of care in state-law negligence actions, just as common industry practice may establish an alleged tortfeasor’s duty of care.” The court also kept alive a related punitive damages claim.
In another state case, the appellate court held that a patient may pursue her negligence claim against a hospital for improperly disclosing her medical information. In that case, the plaintiff-patient argued that the hospital violated its duty to protect the privacy, security and confidentiality of her health records, when it allowed the plaintiff’s employer to receive digital images of her X-rays without her consent. While acknowledging that HIPAA does not provide a private right of action, the patient argued that the statute could be used to establish the standard of care in a common law negligence action, and the court agreed.
To ensure that litigants don’t make an end-run around the lack of a private right of action under HIPAA, the court said there must first be an underlying common law duty. But the court noted that medical providers owe a duty of confidentiality to their patients. And, having found a common law duty, the court had “little trouble” holding that HIPAA and its implementing regulations could inform the standard of care in tort claims related to alleged breaches of the duty of confidentiality owed by medical providers to their patients.
The takeaway from these and other state cases is that alleged HIPAA violations may be remedied by state lawsuits in addition to HHS fines. While the case law to date makes it clear that individuals cannot bring a case based solely on violations of HIPAA, claims related to privacy of health information may still be viable under state law.
Certain states (including Georgia) have privacy laws creating private causes of action in tort or negligence. So, while an individual plaintiff bringing claims solely for violations of HIPAA almost certainly will fail in federal court, healthcare providers and businesses are not necessarily off the hook for liability to individuals for health information privacy violations under state law theories.
A patient may be able to bring a civil lawsuit for violation of Georgia’s state medical records disclosure law, or under Georgia’s invasion of privacy or negligence law, for example. Personal medical records are also protected by Georgia’s constitutional right to privacy. Other state law theories of recovery for unauthorized disclosures include breach of contract (or an implied contract) for confidentiality, and intentional infliction of emotional distress.
The challenge to successfully waging these types of claims is that a patient must show documented and provable damages — that is, specifically and quantifiably how he or she was harmed by the disclosure or release of information. Examples of documented losses include medical or counseling bills, credit protection or identity theft insurance, costs related to stolen identity, lost pay for time off, and other expenses that resulted directly from the breach of the patient’s privacy. But if the required elements can be established, a healthcare provider or business may be liable for damages under state law, regardless of whether HHS-OCR found a HIPAA violation.
Georgia Supreme Court Rules Case Arising From Patient Records Hack May Proceed
In December 2019, in Collins v. Athens Orthopedic Clinic, PA, the Georgia Supreme Court revived a class action involving claims by at least 200,000 current and former patients of a medical clinic whose personal information (including names, addresses, Social Security numbers and insurance information) was stolen in a 2016 data breach. In overturning the Georgia Court of Appeals and a trial judge, the Georgia Supreme Court found that there was sufficient potential for future harm to allow the case to proceed.
The case began when Athens Orthopedic Clinic learned in June 2016 that someone self-identified as “Dark Overlord” hacked its computer system. The clinic subsequently notified its patients about the hack, but not until approximately two months later.
The hackers demanded a ransom, which the clinic refused to pay. After that refusal, some of the stolen patient information was offered for sale on the dark web, and at least some of it was later made available there. Some patient information also appeared on Pastebin, a data-storage and sharing website.
At least one plaintiff actually had fraudulent charges made to her credit card after the breach. And all the plaintiffs claimed that the hack made them possible targets of identity theft and fraud, and that they had been damaged by having to place fraud alerts on their credit reports.
In January 2017, three plaintiffs filed a putative class action in Clarke County Superior Court, claiming violation of the Georgia Uniform Deceptive Trade Practices Act, breach of implied contract, unjust enrichment and negligence. The plaintiffs’ claimed damages included past and future costs for credit monitoring and identity theft protection, credit freezes on their accounts, and injunctive relief.
In June 2017, however, a Cobb County Superior Court judge dismissed the case with little discussion on a motion to dismiss. And in 2018, a divided Georgia Court of Appeals panel affirmed the dismissal. In upholding the trial judge, the Court of Appeals ruled that the plaintiffs’ claimed damages were too speculative to provide standing. Specifically, the Court of Appeals said that “while credit monitoring and other precautionary measures are undoubtedly prudent, we find that they are not recoverable damages on the facts before us because the plaintiffs seek only to recover for an increased risk of harm.” Such “prophylactic measures” are “insufficient to state a cognizable claim under Georgia law.”
However, now-Chief Judge Christopher McFadden dissented, arguing that the plaintiffs had sufficiently pleaded facts to survive a motion to dismiss, because their “allegations of future injury show a substantial risk that harm will occur.” In his dissent, Judge McFadden wrote that neither Georgia appellate courts nor the U.S. Court of Appeals for the Eleventh Circuit “have decided whether a data breach, with little more, amounts to an injury in fact for purposes of standing.” “But federal courts have uniformly applied a rule that a substantial risk of future harm is sufficient to show an injury in fact for purposes of standing.” “And applying that rule here, leads to the conclusion that the plaintiffs have standing.”
In its December 2019 Collins decision, the Georgia Supreme Court agreed with Judge McFadden’s dissent. In doing so, the court first acknowledged that prior appellate rulings dealing with stolen personal data generally held that plaintiffs had to show the information “had actually fallen into criminal hands” and had been used to harm them in order to show a “legally cognizable injury.” But the Georgia Supreme Court said “this case, which was dismissed on the pleadings despite allegations of large-scale criminal activity, falls into a different category of data-exposure cases.”
“Here, the plaintiffs allege that criminals are now able to assume their identities fraudulently and that the risk of such identity theft is ‘imminent and substantial.’” “This amounts to a factual allegation about the likelihood that any given class member will have her identity stolen as a result of the data breach.”
The Georgia Supreme Court opinion said that the plaintiffs’ claims were more than sufficient to survive a motion to dismiss, as they alleged that “all class members now face the ‘imminent and substantial risk’ of identity theft given criminals’ ability to use the stolen data to assume the class members’ identities and fraudulently obtain credit cards, issue fraudulent checks, file tax refund returns, liquidate bank accounts, and open new accounts in their names.” “Assuming the truth of these allegations, as we must at this stage, we must presume that a criminal actor has maliciously accessed the plaintiffs’ data and has at least attempted to sell at least some of the data to other wrongdoers.” The allegations of future injury “show a substantial risk that harm will occur. The allegations thus suffice to establish standing,” according to the court.
The Georgia Supreme Court’s Collins decision indicates that where “plaintiffs allege that criminals are now able to assume their identities fraudulently and that the risk of such identity theft is ‘imminent and substantial,’” it “amounts to a factual allegation about the likelihood that any given [plaintiff] will have her identity stolen as a result of the data breach.” So, under Collins, pleading such facts apparently will be sufficient to survive a motion to dismiss, because such “allegations of future injury show a substantial risk that harm will occur.” That said, for such claims to succeed, patients almost certainly will still have to show some documented and provable damages – i.e., specifically, quantifiably, how they have been harmed by the disclosure or release of the information.
Liability for Failing to Properly Respond to Patients’ Records Requests
In 2019, OCR announced its HIPAA “Right of Access Initiative,” promising to vigorously enforce patients’ rights to receive copies of their medical records promptly and without being overcharged. In September 2019, OCR announced that it entered into a Resolution Agreement with a Florida medical center (“Medical Center”) following allegations that the Medical Center failed to respond to a patient’s request for medical records in a timely fashion and in violation of the patient’s right to access such records under HIPAA. While the $85,000 settlement amount was relatively small in comparison to the seven-figure settlements that OCR entered into in recent years, the enforcement action was notable for being the first related to OCR’s Right of Access Initiative launched earlier in 2019.
OCR initiated an investigation into the Medical Center following its receipt of a complaint from a mother who requested access to her unborn baby’s medical records under the HIPAA right of access. The HIPAA right of access extends to personal representatives of the patient, such as parents of minor children. The mother first requested access to her baby’s medical records in October 2017, at which point the Medical Center informed the mother that the records could not be found. The mother’s attorney subsequently requested the records on her behalf in January 2018 and again in February 2018. The Medical Center did not provide the mother with a complete set of records until August 2018, after she had already submitted her complaint to OCR and OCR’s investigation had commenced.
According to the Resolution Agreement, OCR’s investigation revealed that the Medical Center failed to provide the mother with access to protected health information pursuant to the HIPAA right of access set forth at 45 C.F.R. § 164.524, which requires covered entities to provide individuals with access to their medical records and other protected health information maintained in a designated record set within 30 days of the individual’s request for such records.
In addition to the $85,000 monetary settlement, the Medical Center agreed to a one-year Corrective Action Plan (“CAP”) that requires the Medical Center to, among other things, revise and implement policies and procedures regarding patient access to medical records and train its workforce on such policies. Notably, the CAP also reached to the Medical Center’s business associates involved in receiving or fulfilling medical records requests in several ways. First, the Medical Center’s business associates must certify compliance with the Medical Center’s revised policies and undergo training on such policies. Second, the Medical Center must provide OCR with the names of its business associates involved in receiving or fulfilling medical records requests, and copies of its business associate agreements with such vendors. Third, in addition to reporting to OCR each instance where its own workforce member fails to comply with its revised policies, the Medical Center also must report to OCR each instance of a business associate failing to comply with the policies.
OCR’s Second Settlement Under HIPAA Right of Access Initiative
In December 2019, OCR announced its second enforcement action and settlement under its HIPAA Right of Access Initiative. Under the terms of the settlement, Korunda Medical, LLC agreed to pay $85,000 to settle a potential violation of HIPAA’s right of access.
According to HHS, “Korunda is a Florida-based company that provides comprehensive primary care and interventional pain management to approximately 2,000 patients annually.” In March 2019, OCR received a complaint that “Korunda [had] failed to forward a patient’s medical records in electronic format to a third party” after multiple requests by the patient. Based on the complaint, OCR provided Korunda with assistance on how to correct the issues and closed the complaint. Despite OCR’s assistance, Korunda continued to fail to provide the requested records, which resulted in another complaint to OCR. In May 2019, after OCR’s second intervention, Korunda provided the requested records, free-of-charge and in the requested format.
A news release, quoting OCR’s Director, stated that “For too long, healthcare providers have slow-walked their duty to provide patients their medical records out of a sleepy bureaucratic inertia. We hope our shift to the imposition of corrective actions and settlements under our Right of Access Initiative will finally wake up healthcare providers to their obligations under the law.” The resolution agreement can be accessed here.
Takeaways from Right of Access Settlements
OCR has made clear through these settlements that it intends to hold covered entities and business associates accountable for providing patients with access to their medical records under HIPAA. Healthcare providers and business associates should ensure that they have the written policies and procedures, as well as the operational infrastructure, needed to respond to medical records requests in a manner that complies with both HIPAA and applicable state law.
While HIPAA sets a “floor” of requirements regarding patients’ rights to access medical records, the laws in many states are more stringent than HIPAA on this issue, particularly with respect to how quickly records must be provided. In Georgia, a physician must provide medical records to a patient within 30 days of the receipt of a records request. But in California, for example, physicians must provide patients with copies of requested medical records within only 15 days of the patient’s request, shortening HIPAA’s 30-day time frame. Additionally, many states establish specific fee schedules that further limit the HIPAA “reasonable, cost-based fee” that healthcare providers may charge for fulfilling a records request. So healthcare providers and business associates must also take note of the state laws on access requests that may apply in addition to HIPAA.
HHS Reverses Position Regarding Access & Copy Fees for Third-Party Requests for Medical Records After Court Invalidates Portion of HIPAA Regulations & Guidance
In January 2020, the U.S. District Court for the District of Columbia issued a ruling in Ciox Health, LLC v. Azar, et al., invalidating portions of the Modifications to the HIPAA Privacy, Security and Enforcement Rules and the 2016 guidance issued by HHS’s OCR addressing the assessment of fees for copies of electronic and paper health records to third parties. Under HIPAA’s Privacy Rule, providers generally must provide a patient with the right to access his or her own PHI and can charge a “reasonable, cost-based fee” for providing such copies. OCR guidance expanded this obligation, requiring providers to provide copies of patients’ medical records to third parties when requested by a patient while charging the same reasonable, cost-based fee. The court ruled that OCR overstepped its statutory authority by imposing the fee cap on records to be provided to third parties, even when requested by a patient. However, the court did not rule on what fee is permissible, leaving that issue for resolution through rulemaking comment and review.
With this decision and HHS’s change in position, covered entities and their business associates received relief from the sometimes significant financial burden of producing copies of voluminous medical records to third parties, such as lawyers and insurance companies. Specifically, the court vacated HHS’s 2013 rule compelling delivery of medical records to third parties regardless of the records’ format (instead scaling it back to align with the statutory scope of the HITECH Act, which is limited to electronic health records), and also vacated the 2016 guidance which applied strict HIPAA fee limits to records delivered to third parties pursuant to a patient-directed request. On January 28, 2020, HHS announced the reversal of its position on these two key points.
By way of background, the implementing regulations for HIPAA at 45 C.F.R. 164.524 establish an individual’s right to access PHI and set requirements for the permissible fee that can be charged for such production. Following the enactment of the HITECH Act in 2009, HHS revised these regulations in 2013. One aspect of these revisions was the promulgation of 45 C.F.R. 164.524(c)(3)(ii), which required that a covered entity must provide a copy of PHI directly to a third party designated by the individual (i.e., a “third-party directive”). Although HHS promulgated this regulation pursuant to the HITECH Act, which limited third-party directives to PHI in electronic health records (“EHRs”), HHS’s regulations did not include that important limit, instead applying third-party directive requirements to access requests for all PHI in any format.
In 2016, HHS issued extensive guidance on the patient right of access provisions, including third party directives. In the guidance, HHS did three things relevant here. Specifically, it:
- applied the HIPAA fee limits at 45 C.F.R. 164.524(c)(4) to third-party directives;
- laid out three methods for calculating the fees that may be charged; and
- limited what activities may be included as “labor costs” in calculating the fees.
Following this regulation and guidance, third-party directives soared, driven largely by requests from plaintiffs’ attorneys. This, in turn, resulted in a significant increase in costs for covered entities and their business associates engaged in producing copies of patient records. Ciox Health, LLC (“Ciox”), a release of information vendor that contracts with hospitals and other healthcare providers to fulfill requests for copies of medical records, filed suit against HHS in the U.S. District Court for the District of Columbia in January 2018. In its suit, Ciox challenged the regulation and guidance cited above.
Key Takeaways from the court’s 2020 Ciox decision include the following:
- Third-Party Directives Apply to PHI in Electronic Health Records Only. Going forward, third-party directives are scaled back to only apply to requests for electronic copies of PHI maintained in EHRs, in alignment with the scope of the HITECH Act, which provides at 42 U.S.C. § 17935(e)(1): “[I]n the case that a covered entity uses or maintains an electronic health record with respect to protected health information of an individual . . . the individual shall have a right to obtain from such covered entity a copy of such information in an electronic format and, if the individual chooses, to direct the covered entity to transmit such copy directly to an entity or person designated by the individual, provided that any such choice is clear, conspicuous, and specific.”
- Fee Limits Apply to Direct Patient Requests Only. HIPAA’s fee limits for copies now apply only to an individual’s request for access to his or her own records and do not apply to requests to transmit records to a third party. Note, however, that state or other law may impose limits and should be read alongside HIPAA to determine the appropriate fees to charge, both for direct patient requests and third-party requests.
- Methods of Calculating Fees and Limits on Labor Activities are Unchanged. The court left intact HHS’s guidance on the three methods HHS discusses as options by which fees may be calculated when responding to a patient’s request for records (i.e., actual cost, average cost, and optional flat fee for electronic copies of electronic records), as well as what activities may be included in labor cost calculations.
As a result of this decision and HHS’s response, covered entities and business associates responding to requests for medical records should bear in mind the following:
- Responding to Direct Patient Requests. Covered entities and business associates must still follow the HIPAA regulations and HHS guidance regarding responding to a patient’s request for copies of his or her own records (e.g., covered entities must respond to a patient’s request within 30 days and, when providing copies, must limit the fee charged to the individual to a “reasonable, cost-based fee,” among other requirements).
- Responding to Third-Party Directives for Electronic Records. If a patient directs a covered entity to send electronic copies of PHI maintained in EHRs directly to a third party, the covered entity must comply. However, HIPAA no longer imposes fee limits for such transmission (though state or other law could apply).
- Responding to All Other Requests. As the healthcare industry adjusts to the revised requirements for third-party directives, covered entities and business associates may still receive third-party directives for copies of paper records. If a patient directs a covered entity to send paper records directly to a third party, the covered entity should inform the individual of the need to receive a valid authorization or comply with an applicable exception under HIPAA (e.g., providing records to another healthcare provider for treatment) before releasing the records. Similarly, for all requests that originate from a third party (i.e., not at the patient’s direction), the covered entity also must receive a valid authorization or comply with an applicable exception under HIPAA before releasing the records.
Interoperability & Data Blocking Final Rules
On March 9, 2020, HHS released its final electronic health record interoperability and data blocking rules. The two rules, issued by HHS’s Office of the National Coordinator for Health Information Technology (“ONC”) and CMS, implement interoperability and patient access provisions of the bipartisan 21st Century Cures Act and support the MyHealthEData initiative. The rules aim to give patients better access to their health records so they can make better healthcare decisions. The rules take effect as early as January 1, 2021, while implementation of the interoperability rule is staged over time. (See https://www.hhs.gov/about/news/2020/03/09/hhs-finalizes-historic-rules-to-provide-patients-more-control-of-their-health-data.html.)
Together, these final rules are the most extensive healthcare data sharing policies the federal government has implemented, requiring both public and private entities to share health information between patients and other parties while keeping that information private and secure. For more information on the ONC final rule, please visit: https://healthit.gov/curesrule. For more information on the CMS final rule, please see: https://www.cms.gov/newsroom/fact-sheets/interoperability-and-patient-access-fact-sheet and https://www.cms.gov/Regulations-and-Guidance/Guidance/Interoperability/index.
Frequently Asked Questions About Medical Records
Common questions physicians and medical groups have about medical records, and answers provided by the Medical Association of Georgia, include the following:
Can a physician withhold a patient’s medical record for a past due balance for services rendered?
No, medical records should not be withheld for any reason. AMA E-3.3.1 (See also https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html; and https://www.hhs.gov/about/news/2019/09/09/ocr-settles-first-case-hipaa-right-access-initiative.html.)
Physicians (or other providers) must furnish a complete and current copy of a patient’s medical record to the patient or to a person authorized (by the patient) to have access to the medical record under an advance directive or durable power of attorney. O.C.G.A. § 31-33-2
Can a physician withhold a patient’s record until the patient pays for copies of the records?
Yes, a physician may require payment for the costs of medical records prior to providing them to the patient. O.C.G.A. § 31-33-3 (See also the HHS webpages cited above.)
How quickly must a physician release requested medical records?
A physician must provide medical records to a patient within 30 days of the receipt of a records request. O.C.G.A. § 31-33-2
A covered entity must act on a request for access to medical records within 30 days. A physician must either grant access to medical records or give a justified denial of access within 30 days of receipt of the request for release. HIPAA – 45 CFR § 164.524(b)(2) (See also the HHS webpages cited above.)
How long must a physician retain medical records?
A physician must retain medical records for at least 10 years. This does not apply to an individual provider who has retired or sold his or her practice if the provider has notified the patient of retirement/sale and offered to provide the patient’s record to another provider of the patient’s choice and, if requested, to the patient. O.C.G.A. § 31-33-2
What must a physician do with medical records upon retiring or selling a practice?
In Georgia, a physician is required to maintain a patient’s complete treatment records for at least 10 years from the date of the patient’s last office visit. O.C.G.A. § 31-33-2
These requirements do not apply to a physician who has retired or sold his or her medical practice if…
- The physician has notified his or her patients of retirement or sale of practice by mail – offering to provide the patient’s records to another provider of the patient’s choice and, if requested, to the patient.
- The physician has published a notice – containing the date of retirement or sale – that offers to provide the patient’s records to another provider of the patient’s choice and, if requested, to the patient.
- The physician has posted a sign announcing retirement or sale of the practice. The sign must be placed 30 days prior to retirement or sale of the practice and must remain posted until the date of retirement or sale.
- The physician has placed both the notice and sign required by Ga. Medical Board Rule 360-3-.02(16)(c) and has advised patients of their opportunity to transfer or receive their records.
A physician should always seek advice from their private counsel or their malpractice insurance carrier. Ga. Medical Board Rule 360-3-.02
“A patient’s records may be necessary to the patient in the future not only for medical care but also for employment, insurance, litigation, or other reasons. When a physician retires or dies, patients should be notified and urged to find a new physician and should be informed that upon authorization, records will be sent to the new physician. Records which may be of value to a patient and which are not forwarded to a new physician should be retained, either by the treating physician, another physician, or such other person lawfully permitted to act as a custodian of the records. The patients of a physician who leaves a group practice should be notified that the physician is leaving the group. Patients of the physician should also be informed of the physician’s new address and offered the opportunity to have their medical records forwarded to the departing physician at his or her new practice location. It is unethical to withhold such information upon request of a patient. If the responsibility for notifying patients falls to the departing physician rather than to the group, the group should not interfere with the discharge of these duties by withholding patient lists or other necessary information.” AMA E-7.03; see also https://www.privatepracticepreparedness.com/content/american-medical-association-ama
Does a physician have to give medical records to third party without a subpoena or court order?
No, a physician should not release a patient’s medical records to a third party without a proper release by the patient or legally authorized individual in accordance with Georgia law, a court order, a subpoena signed by a judge, or certification that the party has placed the opposing party on notice with opportunity to object. A physician may release medical records if there is no objection from the patient after 20 days.
What should a physician do if a patient steals their own medical records?
HIPAA specifies that the data contained within a medical record belongs to the patient, but the physical form containing the data belongs to the entity responsible for maintaining the record (i.e., the physician). If a patient takes medical records without permission and will not return them upon request, the act should be treated as a normal theft and the physician should contact the police.
Does a physician have to keep a paper copy of electronically stored medical records?
No, a provider is not required to maintain separate paper copies of electronically stored records. O.C.G.A. §31-33-8(b)
Do the same laws that apply to paper copies apply to electronic medical records?
Yes, all provisions of Chapter 33 of Title 31 of the Georgia Code, including fees, apply to electronic medical records. O.C.G.A. § 31-33-8(c)
What happens to my patients’ medical records when I leave a group?
Medical records belong to the practice. Unless your employment agreement provides otherwise, you may be able to notify patients that you are leaving the practice and notify them of your new address. However, you should be very clear about what you are allowed to do regarding notification of patients when leaving the practice. It is recommended that you discuss/negotiate the process by which you will exit the practice. Request the right to notify your patients of your departure, your new address, and information on how to contact you at your new location.
Patients are not prohibited from requesting that their medical record be forwarded to another physician, but a physician should be careful to avoid a breach of an employment agreement or a breach of privacy or patient confidentiality in accessing, copying, or taking patient records. AMA E-7.03; see also https://www.privatepracticepreparedness.com/content/american-medical-association-ama.
Can a physician release a patient’s medical records and health information to an insurance company or third party payer without the patient’s consent and/or knowledge?
Yes. The amended HIPAA Privacy Rule gives health plans and self-insured employers broad authority (“regulatory permission”) to get information without a patient’s consent. Health plans and employers are also authorized to obtain, use and disclose an individual’s health information without their consent for the purpose of:
1. Conducting due diligence that’s related to the sale or transfer of assets;
2. Certain types of marketing;
3. Business planning and development;
4. Business management and general administrative activities; and
5. Underwriting, premium rating and other activities relating to the creation, renewal or replacement of a contract of health insurance (45 CFR 164.501)
Medical practices are also required to provide every patient with a notice that lets them know how their personal health information will be used and disclosed. (45 CFR 164.520) See https://www.mag.org/georgia/Public/Resources/Medical_Records.aspx.
Texting Between Providers & Patients
For obvious reasons, the health technology industry wants to make it easier for patients to text with their providers regarding healthcare issues and services. Texting and other electronic communications between healthcare providers and patients can save time and money and improve patient health.
Patients demand that their healthcare providers keep up with the latest technology. But HIPAA and other privacy and security concerns have stood in the way of significant progress. Healthcare providers and companies are hesitant because penalties for HIPAA violations can be severe.
Advocates pitch texting as convenient for patients and providers and a way to boost the quality of care provided at little cost. But making that happen in a secure manner is harder than simply hitting send on a mobile device or PC.
Health privacy laws generally require the sender (and, by extension, telephone and internet service providers) to take steps to ensure that any patient data sent via text message is protected. Text messages are usually not encrypted or protected, so using them to send sensitive patient data violates HIPAA.
Another risk is that patients may change their phone numbers without updating their physicians or other healthcare providers. Telephone numbers can also be reassigned in ways that email addresses typically are not. Thus, the risk of sending personal information to the wrong recipient is greater via text than email.
“Access controls are very important because you never know who is looking at the phones. So providers would need a protocol to ensure they are texting the right person and complying with rules regarding the ‘minimum necessary,’ which means that only the bare minimum amount of protected health information should be included in texts,” notes the general counsel of a telehealth startup that provides healthcare services to patients and their families.
HIPAA only covers data collected by healthcare providers, health plans and clearinghouse billing systems in the industry. But those requirements extend to business associates, which can include telephone companies and internet service providers if they handle or transmit PHI. So another hurdle is getting phone carriers to sign multiple different business associate agreements with countless covered entities under HIPAA.
“Patients can’t always text physicians because AT&T and other phone companies don’t have HIPAA in place, so our model brings you into this secure chat room,” said a CEO of a company which bills itself as offering HIPAA-compliant communications outside of doctors’ offices. But that company executive quickly added that more “common sense on this HIPAA conversation is going to need to be a part of the solution going forward.”
Telemedicine companies and physician groups have urged HHS to provide guidance on how providers and patients can legally text one another under HIPAA. The American Medical Association, for example, believes that creating guidance around texting would both ease anxiety in the medical industry and help patients.
HHS has said that it plans to offer guidance on text messaging and HIPAA. But few details are currently available, and there is no firm timeline for progress.
HHS issued a request for information in 2018 for the healthcare industry to describe how HIPAA slows progress to value-based healthcare. In response, the agency received nearly 1,500 comments. And the agency continues to weigh options for regulatory guidance.
In the meantime, texting in healthcare requires taking all steps necessary to protect patient data, while also trying to satisfy the needs of patients demanding access to their providers and health information in the most convenient and efficient manner possible. This means trying to securely use and transmit sensitive information via technologies that are constantly evolving.
Texting patient information among members of a healthcare team is allowed if it is sent through a secure platform, according to CMS. But sending information electronically through a computer is the preferred method for now, while texting with patients remains risky.
While HIPAA does not specifically prohibit sending PHI by text, in order for texting to be HIPAA-compliant, texting safeguards have to be in place to ensure the confidentiality of PHI when it is at rest and in transit. There also have to be controls in place for who can access PHI, and what authorized personnel do with PHI when they access it.
There are numerous reasons why it is far safer for covered entities to simply prohibit texting PHI rather than allow it. These include, but are not limited to, lack of access controls, lack of audit controls, and lack of encryption.
Although encryption is an “addressable” requirement of the HIPAA Security Rule, it is the only feasible way to ensure the security of PHI in transit. With regard to access controls, anyone can pick up an unattended mobile device and read messages on it. Moreover, mobile devices can be lost or stolen, which not only potentially exposes PHI to unauthorized access but also allows the information in the messages to be used to commit insurance fraud or identity theft.
That is why the HIPAA rules for text messaging (or any other form of electronic communication) state that audit controls are necessary to record when PHI is created, modified, accessed, shared or deleted. Unfortunately, it currently is impossible to implement audit trails for HIPAA-compliant text messaging because the technology does not exist that can audit every possible operating system.
Even if there were a way to overcome the HIPAA texting rules for access controls and audit controls, that would not make text messaging HIPAA-compliant. There also has to be a way to prevent the interception of plain text messages, or extraction of plain text messages, from carriers’ servers – which is why encryption of PHI in transit is strongly recommended.
Nevertheless, texting patient information to patients may be allowed by HIPAA, provided the covered entity has warned the patient that the risk of unauthorized disclosure exists and has obtained the patient’s consent to communicate by text. But both the warning and the consent must be documented.
Another way in which text messaging may be HIPAA-compliant is when the covered entity has implemented a solution such as a HIPAA-compliant messaging app that has the necessary controls and encryption to support HIPAA-compliant texting. But even when these apps are used, it is still necessary to comply with the minimum necessary standard and the physical, technical and administrative safeguards of the HIPAA Security Rule.
Pushing against the desire to ease regulatory burdens is the alarming fact that more than 41 million people were impacted by health records breaches in 2019 — the highest number in the last four years, according to HHS’s OCR. And hackers keep finding new ways to circumvent security measures that are put in place.
So the security threats are real and rapidly growing. Despite the risks, companies continue to innovate, and healthcare is moving in the direction of increased text communications. But as the industry awaits further regulatory guidance, healthcare providers need to be cautious, and when in doubt seek counsel before hitting send.
HIPAA Compliance Programs
According to HHS’s OIG, the seven fundamental elements of an effective compliance program are:
- Implementing written policies, procedures and standards of conduct.
- Designating a compliance officer and compliance committee.
- Conducting effective training and education.
- Developing effective lines of communication.
- Conducting internal monitoring and auditing.
- Enforcing standards through well-publicized disciplinary guidelines.
- Responding promptly to detected offenses and undertaking corrective action.
Each of the seven elements requires robust, organization-wide enforcement and documentation. And many HIPAA standards require annual review as well. See, e.g., https://oig.hhs.gov/compliance/provider-compliance-training/files/Compliance101tips508.pdf.
Security threats that were once unimaginable have now become commonplace in an age of cyberattacks, malware and high-profile data breaches. So HIPAA compliance and data security are not static, one-time fixes. They are dynamic processes that require continuous monitoring and improvements as criminals develop new and innovative ways to access and steal sensitive information.
HIPAA Compliance & Waivers During COVID-19 Pandemic
(Initial portions of the following update are excerpted from a March 17, 2020 article by Madison Pool and Carol Saul of Arnall Golden & Gregory. The full article can be accessed here.)
Coronavirus-Related Communications from Healthcare Entities
Healthcare providers are on the front lines of the rapidly-evolving COVID-19 pandemic. Public anxiety is running high, and media scrutiny is intense. As providers are faced with escalating inquiries and public demand for information, they must remain cognizant of patient privacy rights and vigilant in their HIPAA compliance. It is critical to understand what information can be disclosed and under what circumstances. Important tips to assist providers in maintaining compliance include:
- Emergencies do not exempt compliance – but limited waivers of sanctions and penalties for certain compliance requirements have been issued.
It is important to remember that HIPAA protections are not automatically waived during an emergency like the COVID-19 pandemic. The requirements of the HIPAA rules generally remain in place. However, in limited circumstances, the Secretary of HHS does have the authority to waive sanctions and penalties for noncompliance with certain provisions of the rules.
Accordingly, pursuant to President Trump’s declaration of a national emergency on March 13, 2020, and HHS Secretary Azar’s earlier declaration of a public health emergency, HHS has announced two areas in which it is waiving sanctions and penalties during the period of declared emergency:
- Limited waivers of penalties for hospitals for noncompliance with certain Privacy Rule requirements (announced March 16, 2020); and
- Waivers of penalties for HIPAA violations for health care providers that serve patients in good faith through everyday communications technologies, such as FaceTime or Skype (announced March 17, 2020).
HHS announced that it will waive sanctions and penalties against a covered hospital that does not comply with the following provisions of the HIPAA Privacy Rule:
- the requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care. See 45 CFR 164.510(b).
- the requirement to honor a request to opt out of the facility directory. See 45 CFR 164.510(a).
- the requirement to distribute a notice of privacy practices. See 45 CFR 164.520.
- the patient’s right to request privacy restrictions. See 45 CFR 164.522(a).
- the patient’s right to request confidential communications. See 45 CFR 164.522(b).
The waiver became effective on March 15, 2020, retroactive to March 1, 2020, and a bulletin discussing the waiver can be accessed here. When the Secretary issues such a waiver, it only applies:
- in the emergency area identified in the public health emergency declaration;
- to hospitals that have instituted a disaster protocol; and
- for up to 72 hours from the time the hospital implements its disaster protocol. Further, when the Presidential or Secretarial declaration terminates, a hospital must then comply with all the requirements of the Privacy Rule for any patient still under its care, even if 72 hours have not elapsed since implementation of its disaster protocol.
On March 17, 2020, HHS announced that it will waive sanctions and penalties for HIPAA violations against health care providers that provide telehealth services to patients in good faith through everyday communications technologies, such as FaceTime or Skype, during the COVID-19 nationwide public health emergency.
Specifically, OCR stated, “A covered health care provider that wants to use audio or video communication technology to provide telehealth to patients during the COVID-19 nationwide public health emergency can use any non-public facing remote communication product that is available to communicate with patients. OCR is exercising its enforcement discretion to not impose penalties for noncompliance with the HIPAA Rules in connection with the good faith provision of telehealth using such non-public facing audio or video communication products during the COVID-19 nationwide public health emergency. This exercise of discretion applies to telehealth provided for any reason, regardless of whether the telehealth service is related to the diagnosis and treatment of health conditions related to COVID-19.”
Importantly, OCR explained:
- Covered health care providers may use popular applications that allow for video chats, including Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, or Skype, to provide telehealth without risk that OCR might seek to impose a penalty for noncompliance with the HIPAA Rules related to the good faith provision of telehealth during the COVID-19 nationwide public health emergency.
- Providers are encouraged to notify patients that these third-party applications potentially introduce privacy risks, and providers should enable all available encryption and privacy modes when using such applications.
- However, OCR will not impose penalties against covered health care providers for the lack of a BAA with video communication vendors or any other noncompliance with the HIPAA Rules that relates to the good faith provision of telehealth services during the COVID-19 nationwide public health emergency.
In contrast to the above, providers may not use Facebook Live, Twitch, TikTok, and similar video communication applications in the provision of telehealth because they are public facing.
- Certain information can be shared pursuant to limited HIPAA exceptions, or pursuant to a HIPAA-compliant Authorization.
HHS issued a helpful bulletin via its Privacy and Security listservs on February 3, 2020, addressing ways that patient information may be shared under the HIPAA Privacy Rule in an outbreak of infectious disease or other emergency situation. The bulletin is available here.
- The bulletin addresses how covered entities may use and disclose protected health information: about the patient as necessary to treat the patient or to treat a different patient; for permissible public health activities, such as disclosure to the CDC or a state or local health department authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury or disability; to family, friends, and others involved in an individual’s care and for notification purposes; and for certain other limited uses and disclosures.
- Each of these exceptions has specific requirements and elements that must be met for the use or disclosure to be permissible under HIPAA, and covered entities and business associates should not forget the general rule that disclosure of patient-identifiable information to the media or the public at large is prohibited without the patient’s (or HIPAA-compliant Personal Representative’s) written authorization.
- This means that information about an identifiable patient such as specific tests, test results, or details of a patient’s illness must remain confidential unless an exception applies or there is a HIPAA-compliant authorization in place. The requirements for a valid HIPAA authorization can be found at 45 CFR 164.508.
- Innovate and adapt – but use caution.
With the spread of COVID-19, providers may be looking for ways to help patients that will also decrease exposure and community spread, such as telemedicine. However, even as certain requirements are modified in the face of the pandemic, HIPAA as a whole has not been waived as of the time of this alert, and the only waivers of sanctions, penalties, and compliance requirements are those described above. Thus, any telemedicine encounter should be conducted in a HIPAA-compliant way within the bounds of the waivers. Further, covered entities and business associates should keep in mind that the requirements and safeguards of the HIPAA Privacy and Security Rules will likely return to full enforcement following the expiration of the waivers.
- Seek counsel where greater clarity is needed.
Providers should carefully review the HIPAA regulations and HHS’s guidance, and consider consulting qualified legal counsel if they are unsure about how HIPAA applies, such as whether a use or disclosure is permitted, whether an authorization is compliant, or whether a business associate agreement is required. Guidance from regulators is evolving as the situation continues to develop, and providers should stay informed and monitor for updates.
OCR’s HIPAA Telehealth FAQs During COVID-19 Crisis
Following its Notification of Enforcement Discretion for good faith provision of telehealth during the COVID-19 public health emergency, OCR issued FAQ guidance on March 20, 2020. OCR’s press release and FAQs can be accessed here. As healthcare providers increasingly switch to telehealth services in an attempt to minimize exposure during the COVID-19 pandemic, they should review the FAQs and other recent guidance carefully and apply the guidance in their practices. Providers also should bear in mind that these FAQs are limited to HIPAA’s applicability to telehealth services. State licensure and other laws and regulations, such as Medicare and Medicaid, also should be considered and may apply, depending on the circumstances involved.
FCC’s Guidance to Healthcare Providers Regarding Automated Calls & Text Messages During COVID-19 Pandemic
On March 20, 2020, the Federal Communications Commission (“FCC”) issued a Declaratory Ruling confirming that the COVID-19 pandemic constitutes an imminent health risk to the public and is now classified as an emergency under the Telephone Consumer Protection Act (“TCPA”), which permits certain callers to lawfully make automated calls and send text messages for health and safety reasons. As a result, hospitals, healthcare providers, and state and local health officials can lawfully communicate information through automated or pre-recorded calls to wireless telephone numbers to help educate the public and mitigate the spread of the novel coronavirus.
The TCPA was enacted in response to the substantial rise in volume of telemarketing calls and it remains one of the major federal statutes governing telecommunications commerce. The TCPA primarily regulates tools telemarketers use to make calls to consumers, such as automated telephone dialing systems and artificial and prerecorded voice recordings. The law covers calls for three types of telephone lines: (1) wireless, including SMS text messages and voice over internet protocol (“VoIP”) services; (2) landlines; and (3) fax lines.
The TCPA places prohibitions and restrictions on telemarketing calls and text messages to wireless and residential landlines, as well as robocalls to medical facilities and emergency number lines. To make an automated call or text message to a cell phone, an organization needs to obtain prior express consent of the individual receiving the message. Violations of the TCPA can result in statutory damages of at least $500, and up to $1,500 per call or text. However, the TCPA contains an exception for communications made for emergency purposes that are clearly time-sensitive and directly related to mitigation of a health or safety risk to the public.
In determining whether a call relating to the COVID-19 pandemic qualifies as a call made for an emergency purpose, the FCC looks to the identity of the caller and content of the call. In its March 2020 Declaratory Ruling, the FCC stated that for a call to qualify as an emergency relating to the coronavirus outbreak:
- The caller must be a hospital, a healthcare provider, a state or local health official, or another government official, or a person acting under the express direction of such an organization and on its behalf.
- The content of the call must be solely informational, made necessary as a result of the COVID-19 pandemic, and directly related to the imminent health or safety risk arising out of the coronavirus outbreak.
The FCC explained that calls or texts that comply with the emergency purpose exception are messages that provide vital and time-sensitive health information that individuals can expect and rely upon to stop the spread of the disease. A permissible example provided by the FCC is a county official sending out messaging informing the public regarding a shelter-in-place order, quarantines, school closures, or available medical testing information and sites. By contrast, calls containing advertising or marketing messages are not permissible and fail to meet the emergency purpose exception.
Messages falling outside the scope of the emergency purpose exception include advertising for health insurance, commercial delivery services, or home testing kits. Calls made for debt collection purposes, even if the debt arises from healthcare treatment, also would not be considered an emergency purpose, as these messages are not time-sensitive and do not prevent or mitigate an imminent health or safety risk. The FCC also noted in its Declaratory Ruling that scammers are viewing the pandemic as an opportunity to prey upon consumers, with fraudulent robocalls and messages offering unapproved home testing kits, unproven vaccines, treatments and so-called “cures,” all of which are unlawful.
Healthcare providers wanting to send messages under the emergency purpose exception need to ensure that the message is solely informational and does not contain any marketing or advertising. Marketing or advertising messages require prior express consent of the recipient before such a message is sent.
In addition to TCPA requirements, healthcare providers also must comply with state laws and regulatory requirements regarding emergency messaging. To minimize risks of potential liability under the TCPA or state law, healthcare providers should bear in mind that the emergency purposes exception is context-specific and messages should be crafted to comply with the FCC’s Declaratory Ruling. Even if the message relates to products or services that can mitigate the spread of the novel coronavirus, communications should be sent for informational purposes only. Whenever possible, healthcare providers should also seek prior express consent of the recipients to receive the communications at issue. Healthcare providers should also continue to monitor for any additional guidance the FCC or other governmental agencies may provide regarding such text messages or calls.
COVID-19 Telehealth Program Guidance from FCC
The COVID-19 Telehealth Program will provide $200 million in funding, appropriated by Congress as part of the Coronavirus Aid, Relief, and Economic Security (“CARES”) Act, to help healthcare providers provide connected care services to patients at their homes or mobile locations in response to the COVID-19 pandemic. The FCC released a notice on April 8, 2020, providing clarification as to the scope of equipment and services it would consider eligible for funding under the program. According to an additional notice, the FCC began accepting applications on April 13, 2020. Interested healthcare providers must complete several steps to apply for funding through the COVID-19 Telehealth Program. To assist applicants in preparing their applications, the FCC has provided instructions and guidance available online.
HHS Allows Certain Video Chat Apps for Medical Consultations During COVID-19 Emergency
On March 30, 2020, HHS-OCR issued another announcement on its website, stating that “During the COVID-19 national emergency, which also constitutes a nationwide public health emergency, covered health care providers subject to the HIPAA Rules may seek to communicate with patients, and provide telehealth services, through remote communications technologies.” “Under this Notice, covered health care providers may use popular applications that allow for video chats, including Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, Zoom, or Skype, to provide telehealth without risk that OCR might seek to impose a penalty for noncompliance with the HIPAA Rules related to the good faith provision of telehealth during the COVID-19 nationwide public health emergency. Providers are encouraged to notify patients that these third-party applications potentially introduce privacy risks, and providers should enable all available encryption and privacy modes when using such applications.” However, the Notice goes on to caution that “Facebook Live, Twitch, TikTok, and similar video communication applications are public facing, and should not be used in the provision of telehealth by covered health care providers.” The full text of OCR’s Notice can be accessed here.
Physicians Using Zoom Face Security Scrutiny, Despite Regulatory Easing During Pandemic
Even after federal regulators relaxed enforcement, physicians still may face lawsuits or state actions for patient privacy violations arising from their use of tools such as Zoom Video Communications, Inc.’s app. OCR has said that it won’t penalize providers for “good faith” telehealth use during the coronavirus pandemic that violates HIPAA’s Privacy Rule.
“We are empowering medical providers to serve patients wherever they are,” OCR director Roger Severino said in a notice of enforcement discretion. Under the notice, video apps such as Apple Inc.’s FaceTime, Facebook Inc.’s Messenger, or Google Hangouts can be used to chat with patients without first getting a business associate agreement, something that would be required under the HIPAA Privacy Rule. But the video apps still must protect patient data, including notes, treatments and lab reports, under HIPAA’s Security Rule.
The HIPAA security rule is still very much in effect and is expected to be followed. That means apps that don’t comply with HIPAA’s physical and technical safeguards to protect patient data could still face lawsuits, or state enforcement, despite the notice of enforcement discretion.
Privacy and cybersecurity experts have said that the notice of enforcement discretion “has been relied upon way too heavily” by providers and won’t necessarily spare them from litigation or regulatory actions. And the ease of use of Zoom has been particularly attractive, which has led some healthcare providers to make some arguably bad choices. But the privacy concerns and reported hacking intrusions that prompted some entities (including, for example, the New York City Department of Education, Tesla Inc. and the Taiwanese government) to stop using Zoom, also exist for physicians and other healthcare providers.
Phoenix Children’s Hospital and Bayada Home Health Care are among the providers that say on their websites that they use Zoom for telemedicine. And Zoom also promotes partnerships with Delta Dental, Magellan Healthcare, and other medical providers.
Many doctors like Zoom because they see it as HIPAA-compliant (based on Zoom’s own representations and on OCR’s inclusion of Zoom in its notice of enforcement discretion), easy for patients to use, and inexpensive. Zoom offers a medical video conferencing account for as little as $200 per month, according to the company’s website.
However, physicians using video-conference technology must use “every privacy and security tool they have available” to keep patients’ trust, the AMA has said. And systems should have end-to-end encryption and shouldn’t store transmissions, according to the AMA.
OCR’s director has said the HHS guidance for telemedicine “depends on videos not being broadcast or made available to the general public.” Providers, he said, “should make use of available privacy and security features, such as requiring passwords and using encryption.”
Cybersecurity experts, however, say the Zoom product lacks end-to-end encryption, at least currently: meeting traffic is encrypted between each participant and Zoom’s servers using keys that Zoom generates and distributes, so Zoom itself (or anyone who compromises Zoom’s infrastructure) can in principle access meeting content. The HIPAA Security Rule does not mandate end-to-end encryption as such; its encryption specifications (45 CFR 164.312(a)(2)(iv) and (e)(2)(ii)) are “addressable,” meaning a covered entity must implement them where reasonable and appropriate or document why an alternative is adequate. Even so, these experts argue that until Zoom reconfigures its product to include that feature, it is not truly HIPAA-compliant. Nonetheless, HHS in its notice listed Zoom as one of the services providers could use without apparent enforcement risk.
Thus far in its public statements, Zoom has not directly addressed end-to-end encryption, although it says its product complies with HIPAA. Zoom configures account settings differently for medical providers than for its generally-available commercial product: cloud recording is disabled, in-meeting chat and file transfer are turned off, and participant identities are not logged or reported, it has said.
Patients, however, say they feel more comfortable using apps with stricter protocols and more secure channels such as FaceTime or Microsoft Corp.’s Teams, said Cynthia Fisher, founder and chairman of PatientRightsAdvocate.org. Members of her group are voicing concerns about the Zoom app’s continued use, she said.
State attorneys general have also taken note, based on consumer concerns. For instance, Connecticut Attorney General William Tong has been in discussions with Zoom about their privacy and security features, “including in the healthcare sector,” said a spokeswoman for his office. And Iowa Attorney General Tom Miller is “monitoring” Zoom’s privacy and security practices “surrounding telehealth” and other applications, the communications director for his office said.
On May 7, 2020, New York Attorney General Letitia James reached an agreement with Zoom Video Communications, Inc. to provide enhanced privacy and security protections for Zoom’s 300 million users. As previously reported, AG James had sent a letter to Zoom seeking information regarding the security measures Zoom had put in place to handle surging traffic and expressing concerns about the increased activity of hackers on Zoom’s platform. Under the terms of the letter agreement, among other things, Zoom will conduct risk assessments and software code reviews to identify vulnerabilities, enhance encryption protocols, enable privacy controls for free accounts, cease sharing user data with Facebook by disabling users’ ability to log into Zoom from Facebook, and disable its LinkedIn Navigator feature, which shares profiles of users even for users that want to stay anonymous. Also on May 7, 2020, Zoom Video Communications announced it is buying security firm Keybase in an effort to shore up security for its video meetings. Keybase will help Zoom implement end-to-end encryption, under which only the meeting participants hold the keys, so Zoom itself has no access to the contents of the encrypted sessions.
Besides state government enforcement, providers also face the risk that patients who believe a video consultation violated their privacy could sue, plaintiffs’ attorneys have said. Healthcare professionals faced suits before the coronavirus pandemic for flaws tied to technology use, and some have been filed after the pandemic began.
For example, a home healthcare provider and a cloud-computing company were sued on April 6, 2020 in a Pennsylvania federal court after a ransomware attack allegedly harmed at least 156,409 patients. The affected patients raised claims under Pennsylvania’s consumer protection law, citing HIPAA’s security rule. (The case is ongoing, as of this writing). Lawsuits also could be brought under the California Consumer Privacy Act (“CCPA”) if the security around telehealth platforms is lacking. And other states’ consumer protection and privacy laws, including Georgia’s, could be cited as bases for lawsuits.
It is important to bear in mind that OCR’s exercise of enforcement discretion only applies to HIPAA and OCR’s enforcement of it. So potential plaintiffs still could sue under state law if they believe their personal data is not being properly protected.
Legal enforcement actions also may follow when video conferencing app vendors are business associates of healthcare providers. Under HIPAA, business associates are directly liable for compliance with the Security Rule and with the Privacy Rule provisions that apply to them, in much the same way as the healthcare providers they serve. Tech companies under business associate agreements, therefore, are subject to HHS enforcement in the event of a security failure. And liability exposure may exist because the provider of the video conferencing tool may be acting in a business-associate role. So caution is still advised for healthcare providers when using these video-conferencing tools to examine, treat or communicate with patients – even with the apparent relaxation of governmental regulations during the pandemic.
New COVID-19 Guidance for Disclosure of PHI to First Responders & Public Health Authorities
On March 24, 2020, HHS’s OCR issued guidance on how covered entities may disclose PHI about an individual who has been infected with or exposed to COVID-19 to law enforcement, paramedics, other first responders, and public health authorities in compliance with HIPAA. The guidance explains the circumstances under which a covered entity may disclose PHI such as the name or other identifying information about individuals, without their HIPAA authorization, and provides examples. The guidance also clarifies the regulatory permissions that covered entities may use to disclose PHI to first responders and others so they can take extra precautions or use personal protective equipment. The guidance also includes a reminder that generally, covered entities must make reasonable efforts to limit the PHI used or disclosed to that which is the “minimum necessary” to accomplish the purpose for the disclosure.
Instances where covered entities may make disclosures of PHI to law enforcement, paramedics, other first responders, and public health authorities without patient consent include: (1) when the disclosure is needed to provide treatment; (2) when such notification is required by law; (3) to notify a public health authority in order to prevent or control spread of disease; (4) when first responders may be at risk of infection; (5) when the disclosure of PHI to first responders is necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public; and (6) when responding to a request for PHI by a correctional institution or law enforcement official having lawful custody of an inmate or other individual. Details are available here. Also, in response to questions from first responders about the ability of a first responder agency or transporting EMS agency to know the COVID-19 status of those they care for, the Georgia Department of Public Health issued this letter to clarify previous guidance.
HHS-OCR Eases HIPAA Enforcement for Good-Faith Disclosures of PHI for Public Health Purposes
On April 2, 2020, HHS announced it won’t enforce penalties for violations of certain provisions of the HIPAA privacy rule against healthcare providers or their business associates for good-faith disclosures of protected health information for public health purposes during the COVID-19 emergency. The HHS OCR said that it was exercising its enforcement discretion in making the policy change during the declared emergency period. The notification was issued to support federal and state agencies, including CMS and the CDC, that need access to COVID-19 related data including protected health information.
“The CDC, CMS, and state and local health departments need quick access to COVID-19 related health data to fight this pandemic,” OCR director Roger Severino said in a statement. “Granting HIPAA business associates greater freedom to cooperate and exchange information with public health and oversight agencies can help flatten the curve and potentially save lives.”
HIPAA’s privacy rule only allows business associates of HIPAA-covered entities to disclose protected health information for certain purposes under explicit terms of a written BAA. Under the temporary enforcement waiver, OCR won’t impose penalties for disclosure of protected health information if the business associate makes a good-faith use or disclosure for public health or health oversight activities and informs the covered entity within 10 calendar days after the use or disclosure occurs (or commences, for ongoing disclosures). This enforcement moratorium does not extend to other requirements or prohibitions under the privacy rule, nor to any obligations under the HIPAA security and breach notification rules, OCR said.
Guidance from regulators continues to evolve as the situation develops and changes. So providers should stay informed and monitor for updates.
HHS Eases Enforcement of Interoperability Rules Amid COVID-19 Crisis
As a result of the COVID-19 public health emergency, the ONC and CMS, in conjunction with HHS-OIG, announced on April 21, 2020 a policy of enforcement discretion to allow compliance flexibilities regarding implementation of the interoperability final rules announced on March 9, 2020. CMS will give hospitals 12 months from the date its final rule on interoperability and patient access is published in the May 1, 2020 Federal Register, rather than the original six months, to implement the admission, discharge and transfer (“ADT”) notification requirements, the agency announced. Also, ONC will publish on May 1, 2020 its final rule implementing 21st Century Cures Act provisions on interoperability, information blocking and the Health IT Certification Program.
ONC’s National Coordinator for Health Information Technology, Don Rucker, MD, said: “ONC remains committed to ensuring that patients and providers can access electronic health information, when and where it matters most. During this critical time, we understand that resources need to be focused on fighting the COVID-19 pandemic. To support that important work and the information sharing efforts we are already seeing, ONC intends to exercise enforcement discretion for 3 months at the end of certain ONC Health IT Certification Program compliance dates associated with the ONC Cures Act Final Rule, to provide flexibility while ensuring the goals of the rule remain on track.”
CMS Administrator Seema Verma said: “Today’s action follows the extensive steps CMS has taken to ease burden on the healthcare industry as it fights COVID-19. Now more than ever, patients need secure access to their healthcare data. Hospitals should be doing everything in their power to ensure that patients get appropriate follow-up care. Nevertheless, in a pandemic of this magnitude, flexibility is paramount for a healthcare system under siege by COVID-19. Our action today will provide hospitals an additional 6 months to implement the new requirements.” HHS said that ONC, CMS and OIG will continue to monitor the implementation landscape to determine if further action is needed.
CMS’s announcement is here. ONC’s announcement is here. And OIG’s announcement is here. Guidance from regulators continues to evolve as the situation develops and changes. So providers should monitor for updates and stay tuned.
Healthcare Providers Face Surge of Cyberattacks During Pandemic
In an analysis piece on April 15, 2020, the Washington Post reported that hospitals and healthcare providers, already stressed dealing with patient surges and health and economic fallout from the novel coronavirus pandemic, are getting slammed with cyberattacks and digital scams, as well. Among the most damaging are ransomware attacks that threaten to shut down entire hospitals or medical practices until they pay a ransom that can run to millions of dollars.
Such attacks shut down computers at the Champaign-Urbana Public Health District in Illinois for three days in March and forced the district to pay $300,000 in ransom, as reported by the Pew Charitable Trust’s Stateline service. Another attack shut down computers at a university hospital in the Czech Republic, which was forced to turn away patients.
The attacks prompted the Department of Homeland Security and Interpol to warn of a “significant increase” in cyberattacks targeting hospitals and other healthcare providers around the world. Interpol issued a “purple notice” — basically a warning about a criminal trend and its methods — alerting police in 194 countries about the heightened ransomware threat.
The attacks are part of a surge in hacks and scams prompted by the coronavirus pandemic aimed at taking advantage of people’s dislocation and fears. But they’re particularly effective against hospitals and healthcare entities where intense pressure created by the pandemic might make workers more likely to hastily click a link they shouldn’t. As one government official put it, “people are stressed, and it might short-circuit the logic in their brain that says I shouldn’t click that.”
Even before the pandemic struck, hospitals and healthcare providers were among the top targets of ransomware attacks because they are among the organizations that can least afford to be knocked offline for even short periods of time. That can also mean that they are more likely to pay up, and cybercriminals know that.
Hospitals and other healthcare providers are not necessarily more susceptible to ransomware attacks. However, an attack can have severely detrimental consequences for them, such as the loss of patient records, and treatment delays or cancellations. And healthcare providers, like other employers, are especially vulnerable to hacking during the pandemic because more non-essential staff are working remotely. That makes it harder to patch their laptops and mobile devices against threats, and they may be relying on unfamiliar networking tools to connect with co-workers.
Moreover, it’s not just large organizations that are targets. In fact, about 70 percent of cyberattacks against healthcare providers in recent years focused on smaller providers likely to have weaker digital defenses, an April 9, 2020 briefing by cybersecurity firm RiskIQ found. And experts expect that the coronavirus/covid-themed attacks will continue as long as they are effective.
One bit of good news came on April 14, 2020, however, when Microsoft announced that it will offer hospitals and other healthcare entities free access to its “AccountGuard” threat-notification service. The service is offered to hospitals, clinics and medical labs, as well as pharmaceutical, life sciences and medical device companies that are researching, developing or manufacturing coronavirus-related treatments. Under the service, Microsoft monitors email traffic and other avenues hackers typically use and alerts the organizations about any hacking efforts by nation-states and criminal groups. “Every patient deserves the best possible healthcare treatment, and we all need to thank and applaud the truly heroic work by those risking their own health to help those who are sick,” said Microsoft’s Corporate Vice President Tom Burt. “Their work is challenging enough but is being made more difficult by cyberattacks.”
So although some governmental regulations may be temporarily relaxed while the pandemic rages, the cybersecurity threats only increase. And healthcare providers must do all they can to protect patients’ privacy, even as they fight a deadly infectious disease with scarce resources available.
How We Can Help & Services We Provide
We advise and assist healthcare providers, mobile app developers and other health-related businesses with their implementation of measures necessary to comply with the complex requirements imposed on healthcare providers and their vendors by the HIPAA Privacy and Security Rules and the HITECH Act, as well as state privacy laws and regulations. Our services include:
- Advice and legal assistance in connection with protecting the confidentiality of patients’ medical records and PHI.
- Drafting and negotiating Business Associate Agreements and Subcontractor BAAs from Covered Entities’, Business Associates’ and Subcontractors’ perspectives.
- Assisting both healthcare providers and healthcare vendors in integrating requirements of the security and privacy rules in their operational documents.
- Providing advice, guidance and assistance to clients as they conduct privacy and security assessments and audits, develop compliance plans, and implement policies, procedures and forms for compliance.
- Advising and assisting clients as they choose appropriate consultants to help them prepare, improve and implement necessary policies and procedures, and respond to audits.
- Assisting on incident response and breach reporting, including counseling on OCR compliance reviews, HIPAA audits or other government investigations.
- Representing healthcare clients in legal actions alleging violations of federal or state privacy laws or regulations.
Our law firm is experienced in counseling and assisting healthcare clients regarding medical privacy and security matters in a cost-effective manner. We have broad experience counseling clients regarding how they can meet the requirements of the various federal and state privacy and security rules in their day-to-day business activities. And we can assist if a legal action is brought alleging a violation. Please call or email us if you wish to schedule a consultation.