HIPAA, Health Information Privacy & Security Compliance
At the Law Office of Kevin O’Mahony, we advise clients on the numerous privacy and security laws that physicians, healthcare providers and businesses working with healthcare providers must follow on a daily basis in their medical practices, healthcare entities or businesses. Implementing and following proper business and security practices that comply with state privacy laws on patient information, as well as the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) privacy, security and transactions rules, is essential for physicians and healthcare entities to avoid lawsuits, fines, penalties and damage awards.
The HIPAA Privacy Rule protects most “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or medium — whether electronic, on paper or oral. The Privacy Rule calls this information protected health information (“PHI”). The HIPAA Privacy Rule requires that covered entities, their business associates and any subcontractors handling PHI apply appropriate administrative, technical and physical safeguards to protect the privacy of PHI in any form.
Covered entities are defined in the HIPAA Rules as (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which the U.S. Department of Health & Human Services (“HHS”) has adopted standards. Generally, these transactions concern billing and payment for services or insurance coverage. For example, hospitals, academic medical centers, physicians, and other health care providers who electronically transmit claims transaction information directly or through an intermediary to a health plan are covered entities. Covered entities can be institutions, organizations or persons.
The Health Information Technology for Economic and Clinical Health Act (“HITECH”) (enacted in 2009) was created to motivate the implementation of electronic health records (“EHR”) and supporting technology in the United States. Because this legislation anticipated a massive expansion in the exchange of electronic protected health information (“ePHI”), the HITECH Act widens the scope of privacy and security protections available under HIPAA. It also increases the potential legal liability for non-compliance, and provides for more enforcement.
Business Associate Agreements
A HIPAA Business Associate Agreement (“BAA”) is a contract between a HIPAA covered entity and a vendor used by that covered entity. A vendor of a HIPAA covered entity that needs to be provided with PHI to perform duties on behalf of the covered entity is called a business associate (“BA”) under HIPAA.
HHS defines a business associate as “a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.” A vendor is also classified as a BA if, as part of the services provided, ePHI passes through their systems. However, exclusions to this definition exist, and it may be the case that a covered entity’s relationship with a vendor changes over time.
A signed HIPAA Business Associate Agreement must be obtained by the covered entity before allowing a business associate to come into contact with PHI or ePHI. And since the HITECH Act was passed and incorporated into HIPAA in 2013, subcontractors used by business associates are also required to comply with HIPAA. A business associate must likewise obtain a signed HIPAA business associate agreement from its subcontractors before access is given to PHI or ePHI. If subcontractors use vendors that require access to PHI or ePHI, they too need to enter into business associate agreements with their subcontractors.
The Business Associate Agreement is a contract that specifies the types of PHI that will be provided to the business associate (or subcontractor), the allowable uses and disclosures of PHI, the measures that must be implemented to protect that information, both at rest on-site and in transit (e.g., encryption), and the actions that the BA must take in the event of a security breach that exposes PHI. The contract should state that the BA (or subcontractor) must implement appropriate administrative, technical and physical safeguards to ensure the confidentiality, integrity and availability of ePHI and meet the requirements of the HIPAA Security Rule. Some of those measures may be stated in the BAA or they may be left to the discretion of the BA.
The BAA should also include the allowable uses and disclosures of PHI to meet the requirements of the HIPAA Privacy Rule. In the event that PHI is accessed by individuals unauthorized to view the information, such as an internal breach or cyberattack, the business associate is required to notify the covered entity of the breach and may be required to send notifications to individuals whose PHI has been compromised. The time frames and responsibilities for notifications should be detailed in the BAA.
A business associate should also be made aware of the consequences of failing to comply with the requirements of HIPAA. Business associates can be fined directly by regulators for HIPAA violations. Both HHS’s Office for Civil Rights (“OCR”) and state attorneys general have the authority to issue financial penalties for violations of HIPAA Rules.
Unlike most contracts, a HIPAA business associate agreement does not necessarily indemnify a covered entity against financial penalties for a breach of PHI. If a covered entity fails to obtain “satisfactory assurances” that a BA is HIPAA-compliant prior to entering into a contract, and a breach of PHI subsequently occurs, the covered entity may be considered liable for the breach.
Covered entities can be fined for not having a HIPAA business associate agreement in place, or for having an incomplete agreement in place. This is true even though HITECH regulations state that BAs are obligated to comply with the HIPAA Security Rule, even if no HIPAA business associate agreement is executed.
In May 2019, the OCR issued a new fact sheet to highlight the provisions of HIPAA that apply to business associates and for which they can be held directly liable for non-compliance. The fact sheet spells out the specific requirements that could trigger OCR’s enforcement authority against business associates, including failing to comply with the HIPAA security rule, failing to provide breach notifications to a covered entity or another business associate, and impermissible uses and disclosures of protected health information. See https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html.
HIPAA & HITECH Penalties
HIPAA penalties vary depending on the type of conduct involved. When enacted in 2009, HITECH established four categories for HIPAA violations, with penalty tiers commensurate with the level of culpability for each violation.
- Tier 1 violations are those where the person did not know (and, by exercising reasonable diligence, would not have known) that he or she violated the provision. Tier 1 violations were capped at $25,000 per calendar year.
- Tier 2 violations are those where “the violation was due to reasonable cause, and not willful neglect.” Tier 2 violations were capped at $100,000 per calendar year.
- Tier 3 violations are those due to willful neglect that is timely corrected. Tier 3 violations were capped at $250,000 per year.
- Tier 4 violations are those that occurred due to willful neglect that is not timely corrected. Tier 4 violations were capped at $1.5 million per year.
In 2013, the OCR implemented a final rule allowing for enhancements of HITECH’s penalty provisions. Under the enhanced penalty scheme, while the range of penalties for each violation continued to differ by tier, the total yearly cap for all violations under all tiers became $1.5 million (an amount which formerly was only applicable to the most serious violations). But in April 2019, HHS exercised its discretion to lower the annual cap for certain types of penalties (reducing the financial impact of HIPAA violations that fall into the lower tiers) as follows:
| Culpability | Minimum Penalty per Violation | Maximum Penalty per Violation | Annual Limit for Identical Violations |
|---|---|---|---|
| Person did not know, and by exercising reasonable diligence would not have known, that the person violated HIPAA | $114 | $57,051 | $28,525 |
| The violation was due to reasonable cause, not willful neglect | $1,141 | $57,051 | $114,102 |
| Person acted with willful neglect, but corrected the violation within 30 days | $11,182 | $57,051 | $285,255 |
| Person acted with willful neglect and failed to correct the violation within 30 days | $57,051 | $57,051 | $1,711,533 |

All amounts in the table reflect the most recent inflation adjustment at the time of the April 2019 notice.
While reduced annual caps are certainly good news, covered entities and business associates should keep in mind:
- The penalty amounts are subject to annual cost of living adjustments. So, in accordance with the Inflation Adjustment Act, HHS updated its regulations in November 2019 to reflect required annual inflation-related increases to civil monetary penalties, including those for certain violations of HIPAA’s “administrative simplification” provisions. Under the new rules, penalties for pre-February 18, 2009 violations of HIPAA’s administrative simplification provisions have increased to $159 per violation, with a $39,936 cap per calendar year. Penalties for violations occurring on or after February 18, 2009, where it is established that the covered entity or business associate did not know and could not reasonably have known of the violation, are now a minimum of $117 and a maximum of $58,490. If it is established that the violation was due to reasonable cause and not willful neglect, the minimum per violation increases to $1,170, with the maximum remaining at $58,490. If it is established that the violation was due to willful neglect but was corrected during the 30-day period running from the date the entity knew or should have known the violation had occurred, the penalties per violation are a minimum of $11,698 and a maximum of $58,490. If the violation was due to willful neglect and not corrected during the 30-day time period, the penalties per violation are $58,490 (minimum) and $1,754,698 (maximum). For all of these situations, the calendar year cap is now $1,754,698.
- The new annual caps only apply to identical violations. A single act or omission may result in different violations that are not identical. For example, an impermissible disclosure may violate separate HIPAA requirements, each of which may trigger a different penalty and separate annual cap. Moreover, OCR may impose a separate penalty for each individual whose information was improperly accessed or disclosed. In the case of a continuing violation (e.g., the failure to implement a required safeguard or obtain a required business associate agreement), a separate violation occurs each day the covered entity or business associate is in violation of the provision.
- If an entity does not act with willful neglect and corrects the violation within 30 days after the covered entity or business associate knew, or by exercising reasonable diligence, would have known of the violation, the OCR may not impose a penalty; such correction is an affirmative defense to penalties. However, if the entity acts with willful neglect, the relevant penalty is mandatory.
- A covered entity or business associate is vicariously liable for the violations of their respective agents, including workforce members or business associates acting within the scope of their agency under the federal common law of agency.
In other words, HIPAA penalties may add up quickly despite the reduced annual cap on identical types of violations. And covered entities and business associates must ensure that they continue to comply with HIPAA, avoid acting with “willful neglect” at all costs, and correct any violations within 30 days to invoke the affirmative defense to penalties.
Health & Mobile Apps
Health apps are application programs that offer health-related services for mobile devices such as smartphones, smartwatches, personal digital tablets, patient monitoring devices, wearable technology and other wireless devices. Because they are accessible to patients both at home and elsewhere, health apps are part of a burgeoning movement towards mobile health (“mHealth”) programs in healthcare. There are many varieties of health apps available for purchase from app stores. Some (such as fitness, weight loss, wellness and exercise trackers) are designed to help consumers make healthier choices in their everyday life by offering advice about fitness or nutrition. Others are aimed at physicians and other healthcare providers themselves, combining mHealth with electronic medical records (“EMR”), and allowing providers to keep accurate records that are easily accessible. And others help doctors and patients communicate remotely, such as apps for diabetics that automatically send glucose readings to their primary care physicians.
HIPAA does not provide full, comprehensive coverage over, or protection to, all medical/health/wellness information, regardless of the manner in which it is transmitted or by whom. HIPAA is limited to “covered entities” and their “business associates,” who share or transmit “protected health information” (“PHI” or “ePHI” for electronic information) concerning “covered transactions.” All of these terms are specifically defined by HIPAA, and most third-party healthcare apps do not qualify as a “covered entity” or a “business associate” having “PHI,” or engaging in a “covered transaction,” for purposes of triggering HIPAA’s requirements. But many do. And because HIPAA does apply to many healthcare apps, healthcare providers, mobile app developers, and other health-related businesses need to keep HIPAA Rules in mind whenever PHI is transmitted or disclosed to third parties.
Given the growing number of apps through which patients may choose to receive and use their PHI, and the limited control covered entities and EHR system developer business associates have following a patient-directed disclosure, HHS issued new guidance in the form of Frequently Asked Questions (“FAQs”) in April 2019. These FAQs clarified (at least to some extent) potential HIPAA liability for transmitting PHI among covered entities, their EHR system developers, and patient-designated apps. Here are the five FAQs and HHS’s answers:
- Q: Does a HIPAA covered entity that fulfills an individual’s request to transmit electronic protected health information (ePHI) to an application or other software (collectively “app”) bear liability under the HIPAA Privacy, Security, or Breach Notification Rules (HIPAA Rules) for the app’s use or disclosure of the health information it received?
A: The answer depends on the relationship between the covered entity and the app. Once health information is received from a covered entity, at the individual’s direction, by an app that is neither a covered entity nor a business associate under HIPAA, the information is no longer subject to the protections of the HIPAA Rules. If the individual’s app – chosen by an individual to receive the individual’s requested ePHI – was not provided by or on behalf of the covered entity (and, thus, does not create, receive, transmit, or maintain ePHI on its behalf), the covered entity would not be liable under the HIPAA Rules for any subsequent use or disclosure of the requested ePHI received by the app. For example, the covered entity would have no HIPAA responsibilities or liability if such an app that the individual designated to receive their ePHI later experiences a breach.
If, on the other hand, the app was developed for, or provided by or on behalf of the covered entity – and, thus, creates, receives, maintains, or transmits ePHI on behalf of the covered entity – the covered entity could be liable under the HIPAA Rules for a subsequent impermissible disclosure because of the business associate relationship between the covered entity and the app developer. For example, if the individual selects an app that the covered health care provider uses to provide services to individuals involving ePHI, the health care provider may be subject to liability under the HIPAA Rules if the app impermissibly discloses the ePHI received.
- Q: What liability does a covered entity face if it fulfills an individual’s request to send their ePHI using an unsecure method to an app?
A: Under the individual right of access, an individual may request a covered entity to direct their ePHI to a third-party app in an unsecure manner or through an unsecure channel. See 45 CFR 164.524(a)(1), (c)(2)(ii), (c)(3)(ii). For instance, an individual may request that their unencrypted ePHI be transmitted to an app as a matter of convenience. In such a circumstance, the covered entity would not be responsible for unauthorized access to the individual’s ePHI while in transmission to the app. With respect to such apps, the covered entity may want to consider informing the individual of the potential risks involved the first time that the individual makes the request.
- Q: Where an individual directs a covered entity to send ePHI to a designated app, does a covered entity’s electronic health record (EHR) system developer bear HIPAA liability after completing the transmission of ePHI to the app on behalf of the covered entity?
A: The answer depends on the relationship, if any, between the covered entity, the EHR system developer, and the app chosen by the individual to receive the individual’s ePHI. A business associate relationship exists if an entity creates, receives, maintains, or transmits ePHI on behalf of a covered entity (directly or through another business associate) to carry out the covered functions of the covered entity. A business associate relationship exists between an EHR system developer and a covered entity. If the EHR system developer does not own the app, or if it owns the app but does not provide the app to, through, or on behalf of, the covered entity – e.g., if it creates the app and makes it available in an app store as part of a different line of business (and not as part of its business associate relationship with any covered entity) – the EHR system developer would not be liable under the HIPAA Rules for any subsequent use or disclosure of the requested ePHI received by the app.
If the EHR system developer owns the app or has a business associate relationship with the app developer, and provides the app to, through, or on behalf of, the covered entity (directly or through another business associate), then the EHR system developer could potentially face HIPAA liability (as a business associate of a HIPAA covered entity) for any impermissible uses and disclosures of the health information received by the app. For example, if an EHR system developer contracts with the app developer to create the app on behalf of a covered entity and the individual later identifies that app to receive ePHI, then the EHR system developer could be subject to HIPAA liability if the app impermissibly uses or discloses the ePHI received.
- Q: Can a covered entity refuse to disclose ePHI to an app chosen by an individual because of concerns about how the app will use or disclose the ePHI it receives?
A: No. The HIPAA Privacy Rule generally prohibits a covered entity from refusing to disclose ePHI to a third-party app designated by the individual if the ePHI is readily producible in the form and format used by the app. See 45 CFR 164.524(a)(1), (c)(2)(ii), (c)(3)(ii). The HIPAA Rules do not impose any restrictions on how an individual or the individual’s designee, such as an app, may use the health information that has been disclosed pursuant to the individual’s right of access. For instance, a covered entity is not permitted to deny an individual’s right of access to their ePHI where the individual directs the information to a third-party app because the app will share the individual’s ePHI for research or because the app does not encrypt the individual’s data when at rest. In addition, as discussed in Question 1 above, the HIPAA Rules do not apply to entities that do not meet the definition of a HIPAA covered entity or business associate.
- Q: Does HIPAA require a covered entity or its EHR system developer to enter into a business associate agreement with an app designated by the individual in order to transmit ePHI to the app?
A: HIPAA does not require a covered entity or its business associate (e.g., EHR system developer) to enter into a business associate agreement with an app developer that does not create, receive, maintain, or transmit ePHI on behalf of or for the benefit of the covered entity (whether directly or through another business associate).
However, if the app was developed to create, receive, maintain, or transmit ePHI on behalf of the covered entity, or was provided by or on behalf of the covered entity (directly or through its EHR system developer, acting as the covered entity’s business associate), then a business associate agreement would be required.
More information about apps, business associates, and HIPAA is available at: https://hipaaqsportal.hhs.gov.
See also OCR FAQ 2039, “What is the liability of a covered entity in responding to an individual’s access request to send the individual’s PHI to a third party,” available at https://www.hhs.gov/hipaa/for-professionals/faq/2039/what-is-the-liability-of-a-covered-entity-in-responding/index.html.
Additionally, in 2019, the Consumer Technology Association, a trade association for the consumer technology industry, released new health data privacy guidelines. The guidelines are voluntary and intended to provide baseline recommendations for technology companies that handle personal health data. These guidelines, first developed in 2015, have been expanded and are based on privacy concepts currently present and developing in U.S. law, while recognizing the potential impact that international privacy laws have on U.S. companies. The guidelines can be accessed at: CTA-Privacy-Guidelines-Personal-Health-Wellness-Info.
OCR’s Guidance on HIPAA for Mobile Health Technology
Recently, and particularly during the COVID-19 pandemic, OCR has updated its HIPAA guidance and other related resources on its website. In September 2020, OCR announced a new feature on its website, titled “Health Apps,” which updates and renames OCR’s previous Health App Developer Portal. OCR’s Resources for Mobile Health Apps Developers can be viewed here. The new site includes OCR’s guidance on when and how HIPAA regulations may be applicable to mobile health applications, which is even more critical during the coronavirus pandemic, as many aspects of the healthcare industry shift to telehealth.
Key aspects of OCR’s new Health Apps page include:
- Mobile Health Apps Interactive Tool: The Federal Trade Commission (“FTC”), in conjunction with OCR, the HHS Office of the National Coordinator for Health Information Technology (“ONC”), and the Food and Drug Administration (“FDA”), created a web-based tool to help developers of health-related mobile apps understand which federal laws and regulations might apply to them.
- Health App Use Scenarios & HIPAA: Provides various use scenarios for mHealth applications, and explains when an app developer may be acting as a business associate under the HIPAA Rules.
- FAQs on the HIPAA Right of Access, Apps & APIs: Provides helpful insight on how the HIPAA Rules apply to covered entities and their business associates with respect to the right of access, apps, and application programming interfaces (“APIs”).
- FAQs on HIPAA & Health Information Technology: Provides helpful insight on the relationship between HIPAA and Health IT.
- Guidance on HIPAA & Cloud Computing: Assistance for HIPAA covered entities and business associates, including cloud service providers, on how to use cloud computing effectively while maintaining HIPAA compliance.
As telehealth has increased and the nation implements various contact tracing apps, protecting patient privacy and complying with HIPAA privacy and security obligations are even more important. Increased use of mobile health applications and other related tools to assist healthcare providers with telehealth capabilities raises the risk of data breaches and improper disclosures of PHI to unauthorized individuals. OCR’s Health Apps guidance is an essential resource for HIPAA covered entities and business associates that utilize mobile health apps to ensure compliance with their HIPAA obligations.
OCR’s HIPAA Guidance for Audio-Only Telehealth Services
On June 13, 2022, OCR issued guidance on how HIPAA-covered healthcare providers and health plans can comply with privacy, security and breach notification requirements when using remote communication technologies to provide audio-only telehealth services, including after the COVID-19 public health emergency. OCR said the guidance recognizes that audio-only telehealth can be an important tool for delivering health care, particularly to patients in rural areas who lack access to audio-visual technologies or internet services. OCR has used its discretion in enforcing the HIPAA rules during the public health emergency.
The guidance addresses questions HHS received about whether, and in what circumstances, audio-only telehealth is permissible under the HIPAA rules. The guidance states that audio-only telemedicine appointments comply with HIPAA as long as healthcare providers take certain measures to protect patient privacy. OCR expects covered entities “to provide telehealth services in private settings to the extent feasible” or to implement other reasonable safeguards “such as using lowered voices and not using speakerphone.” In addition, covered entities must verify a patient’s identity, either orally or in writing.
The guidance notes that the HIPAA Security Rule does not apply to audio-only telehealth services using traditional landlines because the information is not transmitted electronically. However, compliance with the Security Rule is required for electronic communication technologies, including Voice Over Internet Protocol and mobile platforms that use the Internet, Wi-Fi and cellular services.
Recent HIPAA Settlements Show Importance of Encrypting Mobile Devices That Contain Patient Data
In November 2019, OCR settled with the University of Rochester Medical Center (“URMC”) after URMC filed two separate breach reports, revealing that PHI had been impermissibly disclosed through the loss of an unencrypted flash drive and theft of an unencrypted laptop. OCR had conducted a previous investigation prior to these two breach reports concerning a similar breach at URMC involving a lost unencrypted flash drive. OCR’s investigation found that URMC failed to: conduct an enterprise-wide risk analysis; implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level; utilize device and media controls; and employ a mechanism to encrypt and decrypt ePHI when it was reasonable and appropriate to do so.
Despite this investigation and URMC’s identification of the risks that lack of encryption would bring to URMC, the medical center did not change its practices, and continued to use unencrypted mobile devices. Under the settlement, URMC agreed to pay OCR $3 million and undertake a corrective action plan which includes two years of monitoring its compliance with the HIPAA rules.
Similarly, on July 27, 2020, OCR reached a settlement with a non-profit health system, Lifespan, related to the theft of an unencrypted laptop. Lifespan filed a breach report with OCR after they learned that a hospital employee’s laptop had been stolen. The laptop contained PHI of over 20,000 individuals. OCR’s investigation determined that there was systemic noncompliance with the HIPAA Rules, including a failure to encrypt ePHI on laptops after Lifespan determined it was reasonable and appropriate to adopt encryption. Lifespan agreed to pay OCR over $1 million and adopt a corrective action plan that includes two years of monitoring.
These are just two of many HIPAA settlements based on the failure to encrypt mobile devices. Similar settlements have arisen from lost or stolen smartphones, computers, hard drives, and other electronic media that were not properly encrypted.
Encryption is an “addressable” standard under the HIPAA Security Rule, which generally requires covered entities and business associates to “[i]mplement a mechanism to encrypt and decrypt electronic protected health information” and, for such data transmitted over a network, to “[i]mplement a mechanism to encrypt electronic protected health information whenever deemed appropriate.” (45 CFR § 164.312(a)(2)(iv) and (e)(2)(ii)).
Because the encryption implementation specification is addressable, it must be implemented if, after a risk assessment, the entity determines that the specification is a reasonable and appropriate safeguard in its risk management of the confidentiality, integrity and availability of ePHI. If the entity decides that the addressable implementation specification is not reasonable and appropriate, it must document that determination and implement an equivalent alternative measure, presuming that the alternative is reasonable and appropriate. If the standard can otherwise be met, the covered entity may choose to not implement the implementation specification or any equivalent alternative measure and document the rationale for this decision. (https://www.hhs.gov/hipaa/for-professionals/faq/2001/is-the-use-of-encryption-mandatory-in-the-security-rule/index.html).
Although encryption is not mandatory, it would be difficult to identify an “equivalent alternative measure” of protection so as to satisfy the addressable standard. Proper encryption allows covered entities and business associates to avoid HIPAA breach reports if the data or device is lost or stolen. The Breach Notification Rule only applies to the breach of “unsecured protected health information.” (45 CFR § 164.404(a)).
“Unsecured protected health information” means protected health information that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary in the guidance issued under [the HITECH Act]. (45 CFR § 164.402). Encryption which satisfies HIPAA standards is not “unsecured”; accordingly, its loss does not require a breach report. (78 FR 5639 and 5644; 74 FR 42741-42, 42765). According to OCR, ePHI has been encrypted as specified in the HIPAA Security Rule by “the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key” (45 CFR 164.304 definition of encryption) and such confidential process or key that might enable decryption has not been breached. To avoid a breach of the confidential process or key, these decryption tools should be stored on a device or at a location separate from the data they are used to encrypt or decrypt. (https://www.hhs.gov/hipaa/for-professionals/breach-notification/guidance/index.html; see also 74 FR 42742-43).
On the other hand, HHS commentary makes it clear that the loss or theft of an unencrypted device containing protected health information presumptively requires a breach report. (See, e.g., 78 FR 5671). For example, in its Breach Notification Rule commentary, HHS noted that “the most frequent form of data loss is the result of lost or stolen laptops and data bearing media such as hard drives. If the data on these devices is encrypted, then under the [Breach Notification Rule] definition of a breach, the event would not require the covered entity or the business associate to notify affected individuals.” (74 FR 42765). But “if laptops containing the unsecured protected health information of more than 500 residents of a particular city were stolen from a covered entity, notification under this section should be provided to prominent media outlets serving that city [in addition to individuals and HHS].” (Id. at 42752).
Significantly, “if a computer is lost or stolen, [HHS does] not consider it reasonable to delay breach notification based on the hope that the computer will be recovered.” (Id. at 42745). Moreover, the failure to timely report the theft or loss of the unencrypted device would likely constitute “willful neglect”, resulting in mandatory HIPAA penalties in the willful-neglect tiers, which at the time of writing ranged from $11,182 to $57,051 per violation (inflation-adjusted amounts that HHS updates periodically), with each individual whose information was on the laptop potentially counted as a separate violation. (45 CFR §§ 102.3 and 160.404).
In its commentary to the Enforcement Rule, HHS gave the following example of “willful neglect” for which an entity “will be held fully responsible”: “A covered entity’s employee lost an unencrypted laptop that contained unsecured protected health information. HHS’s investigation reveals the covered entity feared its reputation would be harmed if information about the incident became public and, therefore, decided not to provide notification as required by § 164.400 et seq.” (75 FR 40879).
Consequently, key steps to be taken include the following:
- Implement HIPAA Safeguards. HIPAA covered entities and business associates should implement appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of ePHI, as required by the Security Rule.
- Don’t delay. If you are a HIPAA covered entity or business associate, your legal and IT personnel should ensure that the safeguards are implemented entity-wide and without any undue delays. Your employees presumably travel for business and probably take work home. You therefore could be one lost device away from a disastrous data breach and a multi-million dollar fine.
- Encrypt your ePHI. An important technical safeguard is encryption of ePHI. The Security Rule lists encryption of ePHI at rest and in transit as “addressable” implementation specifications (45 C.F.R. § 164.312(a)(2)(iv) and (e)(2)(ii)), so it is not expressly required; but it is effectively required, since only breaches of unsecured ePHI must be reported to HHS, and an entity that decides not to encrypt must document why and implement an equivalent alternative measure. (See above and 45 C.F.R. §§ 164.306(d)(3) and 164.408.)
- Protect the encryption key. Encryption only helps if the key is neither lost with the device nor lost altogether. The key should be stored separately from the ePHI it protects (for example, in a key-management service or hardware-backed store, or as a full-disk-encryption key unlocked by a user passphrase rather than a key file sitting on the same drive), and it should be backed up so the entity does not lose its own access. As specified in the HIPAA Security Rule, ePHI is encrypted by “the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key” (45 CFR § 164.304, definition of encryption), and the safe harbor applies only if that confidential process or key has not been breached.
- Hire expert help. For most covered entities and business associates, implementation of the Security Rule is outside the scope of their expertise, and security is usually not a do-it-yourself project. Hiring a reputable, skilled technology vendor to implement the technical and physical safeguards, and hiring knowledgeable outside legal counsel to ensure compliance with the Security Rule and to provide a measure of attorney-client privilege protection for the compliance work, can go a long way toward avoiding a reportable data breach. HHS and OCR also provide numerous resources to assist covered entities and business associates in properly encrypting data.
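The following Go program is an added illustration, not code from the original page or from HHS, of what the § 164.304 definition and the key-separation advice above mean in practice. It encrypts a constructed sample record with AES-256-GCM (a NIST-approved authenticated mode), keeps the key out of the stored blob, and then models a lost laptop two ways: with the key kept separately (nothing on the device can be read) and with the key stored on the same device (the record is recoverable, so the data is effectively unsecured). The record text, the record label used as associated data, and the function names are all assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

const keyLen = 32 // AES-256

// GenerateKey draws a fresh 256-bit data-encryption key from the OS CSPRNG.
// In a real deployment this key is held by a key-management service or a
// hardware-backed store, never written to the laptop that holds the data.
func GenerateKey() ([]byte, error) {
	key := make([]byte, keyLen)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// newGCM builds an AES-GCM AEAD from a 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != keyLen {
		return nil, fmt.Errorf("key must be %d bytes, got %d", keyLen, len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals a record with AES-256-GCM. The returned blob is
// nonce || ciphertext || tag; it is the only thing that may sit on the
// mobile device. aad binds non-secret context (a record label) to the
// ciphertext so it cannot be swapped into another record unnoticed.
func Encrypt(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Decrypt opens a blob produced by Encrypt. A wrong key, a modified
// nonce or ciphertext, or different aad makes the GCM tag check fail
// and returns an error instead of garbage plaintext.
func Decrypt(key, blob, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// RecoverableFromDevice models the loss of a laptop. keyOnDevice is any key
// material that was stored alongside the data (nil if the key was kept
// separately). It reports whether a finder could read the record from the
// device contents alone, which is the question the safe harbor turns on.
func RecoverableFromDevice(blob, aad, keyOnDevice []byte) bool {
	if keyOnDevice == nil {
		return false
	}
	_, err := Decrypt(keyOnDevice, blob, aad)
	return err == nil
}

func main() {
	key, err := GenerateKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record for the example; not real patient data.
	record := []byte("MRN 00012345; DOB 1970-01-01; Dx: essential hypertension")
	aad := []byte("ehr-record-v1")

	blob, err := Encrypt(key, record, aad)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored on device: %d-byte blob, no key\n", len(blob))
	fmt.Println("readable if key kept separately:", RecoverableFromDevice(blob, aad, nil))
	fmt.Println("readable if key stored on same device:", RecoverableFromDevice(blob, aad, key))
}
```

The design point is the last function: the same ciphertext is "unusable, unreadable, or indecipherable" or not depending solely on where the key lives. Full-disk encryption products make the same trade-off internally; a key that is unlocked by a TPM or passphrase is separate from the data, a key file on the same partition is not.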
Unfortunately, because medical information is lucrative and easy to exploit, patient records are likely to remain primary targets of hackers and cybercriminals for the foreseeable future. Compared to a stolen credit card number, for example, a stolen medical record offers much more personal information. And because theft and loss are constant threats, failing to encrypt mobile devices needlessly puts patient health information at risk. Healthcare organizations therefore must ensure they have proper, up-to-date security measures in place, including data-breach response plans, ePHI encryption, and adequate employee training about the importance of security. Otherwise, they may face severe legal and financial consequences.
On January 14, 2021, the U.S. Court of Appeals for the Fifth Circuit issued a landmark ruling vacating a $4.3 million penalty HHS sought to impose on MD Anderson for a HIPAA violation related to a stolen laptop. The case (styled University of Texas M.D. Anderson Cancer Center, Petitioner, vs. United States Department of Health and Human Services, Respondent, Case No. 19-60226 in the U.S. Court of Appeals for the Fifth Circuit) provides important additional HIPAA guidance regarding stolen devices and encryption requirements.
Business Associates’ Direct Liability Under HIPAA
In May 2019, the OCR released a fact sheet outlining and clarifying violations of HIPAA for which a business associate can be held directly liable. Published shortly after the release of the new guidance from OCR in the form of FAQs discussed above, the fact sheet was another example of OCR’s recent efforts to clarify its position and answer outstanding questions from the ever-changing healthcare industry.
In the May 2019 fact sheet, OCR first noted the history by which the application of certain aspects of HIPAA extended to business associates – the HITECH Act of 2009 and OCR’s 2013 Final Rule modifying the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules, which further extended to business associates the need to comply directly with the HIPAA Security Rule and significant aspects of the HIPAA Privacy Rule. Since then, business associates have tried to comply with these HIPAA requirements, but with little guidance or certainty as to whether OCR will take action against them (as opposed to only covered entities) for HIPAA violations, and if so, the types of violations OCR will enforce against business associates.
OCR’s fact sheet finally provided some clarity regarding business associates’ own liability under HIPAA. Citing the HITECH Act and the 2013 Final Rule, the fact sheet clearly states that “OCR has authority to take enforcement action against business associates only for those requirements and prohibitions of the HIPAA Rules as set forth below” (emphasis in original). Specifically, business associates can be held directly liable under HIPAA for:
- Failure to provide the Secretary of HHS with records and compliance reports; cooperate with complaint investigations and compliance reviews; and permit access by the Secretary to information, including PHI, pertinent to determining compliance.
- Taking any retaliatory action against any individual or other person for filing a HIPAA complaint, participating in an investigation or other enforcement process, or opposing an act or practice that is unlawful under the HIPAA Rules.
- Failure to comply with the requirements of the HIPAA Security Rule.
- Failure to provide breach notification to a covered entity or another business associate.
- Impermissible uses and disclosures of PHI.
- Failure to disclose a copy of ePHI to either the covered entity, the individual, or the individual’s designee (whichever is specified in the BAA) to satisfy a covered entity’s obligations regarding the form and format, and the time and manner of access under 45 C.F.R. §§ 164.524(c)(2)(ii) and (c)(3)(ii), respectively.
- Failure to make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.
- Failure, in certain circumstances, to provide an accounting of disclosures.
- Failure to enter into BAAs with subcontractors that create or receive PHI on their behalf, and failure to comply with the implementation specifications for such BAAs.
- Failure to take reasonable steps to address a material breach or violation of the subcontractor’s BAA.
In one telling example, OCR indicated it has enforcement authority directly over a business associate that has agreed in a BAA to satisfy individual rights (e.g., requests from individuals for access to copies of their medical records). Although OCR did not explicitly say it would enforce a business associate’s failure to sign a BAA with a covered entity, it said it would with respect to BAAs with business associate subcontractors. And OCR’s example confirms that the agency will hold business associates accountable for certain contractual obligations made with covered entities, even if such obligations otherwise exceed the scope of business associate requirements under HIPAA.
OCR’s clarification regarding the direct liability of business associates came as the agency’s enforcement against business associates has been rising. Just a few days before releasing the new fact sheet, OCR settled allegations of HIPAA Privacy Rule and Security Rule violations for $100,000 with a business associate that provides software and electronic medical record services to healthcare providers. In that case, the business associate self-disclosed to OCR a HIPAA breach following discovery that hackers used a compromised user ID and password to access the ePHI of approximately 3.5 million people. OCR’s investigation revealed that the business associate had not conducted a comprehensive risk analysis, as required by the Security Rule prior to the breach.
Recent HIPAA Enforcement Actions Show Exposure on Multiple Fronts
In June 2019, an unprecedented settlement was announced, arising from a federal lawsuit brought by 16 state attorneys general (“AGs”) in the U.S. District Court for the Northern District of Indiana. In that case, a medical software provider agreed to pay the states $900,000 for alleged violations of a combination of federal and state privacy laws. The settlement represented the resolution of the first-ever multistate data breach suit based on alleged violations of HIPAA, as well as state deceptive trade practices acts, state personal information protection acts, and state breach notification acts. The case arose out of a 2015 data breach, in which an Indiana-based electronic health record software provider and its subsidiary (the “EHR Provider”) discovered that hackers used a compromised user ID and password to access the ePHI of approximately 3.5 million individuals whose healthcare providers used the EHR Provider’s software. The information exposed by the breach included names, dates of birth, Social Security numbers, and clinical information.
In the lawsuit, the state AGs asserted that the EHR Provider ran a web application with a security framework that allowed the breach to occur. The EHR Provider allegedly failed to take appropriate measures to protect its computer systems and failed to take reasonable steps to prevent breaches. The state AGs claimed that the EHR Provider, as a business associate under the provisions of HIPAA, was required to comply with the HIPAA Security Rule, and had failed in numerous instances to meet the Security Rule’s enumerated requirements.
Although the sheer number of individuals impacted by the breach was significant, the major takeaway from the case was the nationwide collective effort by the state AGs. In addition to using their statutory authority to enforce HIPAA, the state AGs also brought claims under their respective data breach and personal information protection statutes. The combined effect was a powerful case in which the EHR Provider was accused of 38 separate counts of state law violations, all emanating from the same breach. The settlement with the state AGs was finalized about one month after the EHR Provider agreed to pay $100,000 to the OCR, the federal agency tasked with enforcing HIPAA, for alleged HIPAA violations associated with the same breach. In addition to the monetary consequences, the EHR Provider also agreed to numerous injunctive provisions and a corrective action plan, requiring the company to implement and adhere to specific data security policies and procedures.
These settlements represent cautionary tales for the healthcare industry for several reasons. First, the affected entity in this instance was a business associate governed by HIPAA. The settlements show that to the extent a HIPAA-covered entity must take specific measures to protect the ePHI of its patients, the business associate that handles the information on the covered entity’s behalf also must do so. Business associates should assess their data security programs and ensure that they have procedures in place to monitor, detect and address data vulnerabilities and breaches, consistent with HIPAA Security Rule requirements. As demonstrated by the federal suit, business associates are not only on OCR’s radar, they also are on state radars. HIPAA-covered entities should also pay close attention to their business associates’ HIPAA compliance to ensure that they are adequately protecting the covered entity’s information.
Second, the increasing use of web-based applications for electronic health information management represents not only an opportunity for innovation and progress, but also a threat of increased exposure and liability. Transmission of ePHI via the Internet enables healthcare organizations to better treat and engage patients, and helps facilitate the beneficial exchange of medical information among providers. Utilized properly, this electronic network improves healthcare and makes its delivery more efficient. However, as the electronic network of patients and providers continues to grow, it becomes a more valuable and data-rich target for hackers. This means that covered entities and business associates participating in any given electronic network are exposed to potential hazards that may impact individuals in multiple states, and are subject to multiple state and federal laws and threats of enforcement action. Consequently, attention to data privacy and security must grow in scale with the size of the network managing the highly-regulated information.
Finally, the federal suit and settlements show that states are willing to utilize and combine their resources and efforts nationwide to hold health industry participants accountable for compliance with both federal and state laws when it comes to data protection and health information privacy. As already noted, electronic networks transmitting health information are growing. This growth means the activities of healthcare entities will reach more and more patients, which means handling highly-regulated information in more and more states. With the no-longer-theoretical prospect of multistate enforcement actions, it is essential that covered entities and business associates take measures to comply with HIPAA and applicable state laws wherever their businesses are conducted.
Georgia Ambulance Company Pays to Settle Allegations of HIPAA Violations
In December 2019, West Georgia Ambulance, Inc. (“WGA”) agreed to pay OCR $65,000 to adopt a corrective action plan to settle potential violations of the HIPAA Security Rule. WGA is an ambulance company that provides emergency and non-emergency ambulance services in Carroll County, Georgia.
OCR began its investigation after WGA filed a breach report in 2013 following the loss of an unencrypted laptop containing the PHI of 500 individuals. OCR’s investigation revealed longstanding noncompliance with HIPAA Rules, including failures to conduct a risk analysis, provide a security awareness and training program, and implement HIPAA Security Rule policies and procedures. OCR also alleged that despite OCR’s investigation and technical assistance, WGA did not take meaningful steps to address its systemic failures.
Physician Practice Liable After Reporting Business Associate’s HIPAA Violation
A 2020 Resolution Agreement between OCR and a sole practitioner physician practice illustrates how complying with HIPAA by reporting a business associate for a breach can result in liability for covered entities. Following the breach report, OCR opened an investigation into the physician’s practice, which resulted in a $100,000 settlement and a corrective action plan that includes two years of monitoring.
On March 3, 2020, OCR announced a $100,000 settlement and corrective action plan with the practice of Steven Porter, M.D. According to HHS’s press release, OCR began investigating Dr. Porter’s medical practice after it filed a breach report with OCR on November 21, 2013, related to a dispute with a business associate. The practice’s breach report claimed that the business associate was improperly using the practice’s patients’ electronic protected health information (“ePHI”) by blocking the practice’s access to such ePHI until Dr. Porter paid $50,000. (For OCR guidance regarding how such information blocking is inappropriate, see OCR FAQ 2074.)
OCR apparently used the practice’s breach report about the business associate’s conduct to open an investigation into the practice itself. OCR’s investigation determined that, both prior to the breach and despite technical assistance from OCR during the investigation, Dr. Porter failed to conduct a security risk assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI as required by the Security Rule. He also failed to implement security measures sufficient to reduce risks and vulnerabilities to ePHI to a reasonable and appropriate level. The practice also allegedly permitted another business associate to create, receive, maintain or transmit ePHI on the practice’s behalf at least since 2013, without obtaining satisfactory assurances that it would appropriately safeguard the ePHI.
OCR cited these failures as grounds for imposing the $100,000 settlement and two-year corrective action plan, which includes multiple compliance requirements – such as conducting a security risk analysis, implementing responsive risk mitigation measures, revising policies and procedures for business associate relationships, and conducting workforce training. The scope of the corrective action plan suggests that the practice’s overall HIPAA compliance may have been poor, but it is notable that the investigation was initiated not based on any action or breach by the practice, but rather in response to the practice’s report of its business associate’s noncompliance in withholding PHI to gain leverage in a business dispute.
This Resolution Agreement highlights a tension between the HIPAA regulatory framework and practical operations for covered entities. Covered entities are required to report a breach of unsecured PHI to the Secretary (see 45 C.F.R. 164.408). Covered entities also must take corrective actions if they suspect that a business associate has breached an obligation of their business associate agreement (“BAA”) or the HIPAA rules. Specifically, 45 C.F.R. 164.504(e)(1)(ii) provides:
A covered entity is not in compliance with the standards in §164.502(e) and this paragraph, if the covered entity knew of a pattern of activity or practice of the business associate that constituted a material breach or violation of the business associate’s obligation under the contract or other arrangement, unless the covered entity took reasonable steps to cure the breach or end the violation, as applicable, and, if such steps were unsuccessful, terminated the contract or arrangement, if feasible.
However, this Resolution Agreement shows that complying with reporting obligations or pursuing the regulatory remedy of filing a complaint with the Secretary in a dispute with a business associate can increase scrutiny on the covered entity and may ultimately lead to penalties. Despite the risk, there will be instances where a covered entity is required to report conduct to the Secretary, or in which such a report is a reasonable step the covered entity must take as part of its own compliance efforts.
Nonetheless, there are certain steps covered entities can take to mitigate their risks, including:
- Compliance. Needless to say, the best defense in an OCR investigation is HIPAA compliance. Therefore, every covered entity should work hard to ensure that it is complying with HIPAA. But even if a covered entity’s compliance cannot be perfect, good-faith efforts and organized record-keeping can go a long way toward mitigating OCR enforcement risks. As OCR Director Roger Severino put it: “All health care providers, large and small, need to take their HIPAA obligations seriously. The failure to implement basic HIPAA requirements, such as an accurate and thorough risk analysis and risk management plan, continues to be an unacceptable and disturbing trend within the health care industry.” And all covered entities, regardless of size, need to understand that OCR is serious about Security Rule compliance.
- Vetting. Covered entities should carefully evaluate business associates before retaining them. Working with vendors with good track records of reputable business practices and strong HIPAA compliance will decrease the likelihood of a breach or dispute requiring a report to the Secretary. Moreover, although no organization can make itself completely immune to a breach, a business associate with solid security practices should be less vulnerable.
- Indemnification. Covered entities and business associates should carefully negotiate indemnification provisions in their BAAs. The parties should consider the structure of the relationship, the services to be provided by the business associate, and the amount and nature of the PHI to which the business associate will have access when determining how to allocate risks and responsibilities under the BAA. Covered entities may push for business associates to be responsible for fines and penalties that arise from OCR investigations that relate to reports of business associate misconduct or breach of the BAA. On the other hand, business associates may want to limit such responsibility since fines and penalties can expand well beyond the business associate’s conduct once an OCR investigation begins. Other areas to consider in indemnification negotiations are costs associated with investigation, mitigation and reporting HIPAA noncompliance, including but not limited to breaches of unsecured PHI.
State Law Liability for Failure to Protect Confidentiality of Medical Records
As noted above, HIPAA is a federal statute providing for confidentiality of health and medical records under certain circumstances. HIPAA is administered by the federal Department of Health and Human Services (“HHS”), which can impose substantial fines for non-compliance. However, HIPAA provides no private, federal cause of action for a patient to sue a healthcare provider or business directly for damages.
If an HHS-OCR investigation concludes there was a possible criminal violation, OCR will forward the matter to the U.S. Department of Justice. If OCR determines that a non-criminal violation occurred, it will seek voluntary corrective action or issue a formal finding of violation. OCR may then impose civil monetary penalties, or resolve the matter through a settlement under which the entity pays a resolution amount and adopts a corrective action plan. And, as noted above, penalties or settlement amounts for violating HIPAA can run into the millions of dollars. However, monetary penalties for such violations are paid to HHS, not to any injured individual or patient.
Nevertheless, alleged HIPAA violations may be remedied in state court under state tort or contract law as well. Although HIPAA does not provide a private right to sue for HIPAA violations, healthcare providers, businesses and business associates should bear in mind that remedies for non-compliance are not necessarily limited to federal agency fines or damages.
Recent state court decisions demonstrate this dual-liability-exposure reality. For example, in one state court case, a plaintiff-patient alleged that a healthcare provider mistakenly gave his records to another individual. The plaintiff-patient sued the provider to recover damages under a variety of state law theories, including negligence based on a state law duty of care informed by HIPAA.
The appellate court explained that although the negligence claim did not arise under HIPAA, the provider owed the plaintiff a state law duty of care to act as a reasonably prudent healthcare provider would under the circumstances. The court then found that the allegations in the complaint for wrongful disclosure of protected information were sufficient to survive a motion to dismiss, and allowed the case to proceed into discovery and perhaps trial phases.
Notably, the provider tried to argue that HIPAA preempted all such state law claims. But the court rejected that preemption argument, reasoning that allowing state law claims in this context does not interfere with government enforcement actions authorized by HIPAA. The court stated that “additional state law remedies encourage compliance with HIPAA by providing further means for patients to recover for harm suffered due to non-compliance.” The court concluded: “[W]e hold HIPAA’s requirements may inform the standard of care in state-law negligence actions, just as common industry practice may establish an alleged tortfeasor’s duty of care.” The court also kept alive a related punitive damages claim.
In another state case, the appellate court held that a patient may pursue her negligence claim against a hospital for improperly disclosing her medical information. In that case, the plaintiff-patient argued that the hospital violated its duty to protect the privacy, security and confidentiality of her health records, when it allowed the plaintiff’s employer to receive digital images of her X-rays without her consent. While acknowledging that HIPAA does not provide a private right of action, the patient argued that the statute could be used to establish the standard of care in a common law negligence action, and the court agreed.
To ensure that litigants don’t make an end-run around the lack of a private right of action under HIPAA, the court said there must first be an underlying common law duty. But the court noted that medical providers owe a duty of confidentiality to their patients. And, having found a common law duty, the court had “little trouble” holding that HIPAA and its implementing regulations could inform the standard of care in tort claims related to alleged breaches of the duty of confidentiality owed by medical providers to their patients.
The takeaway from these and other state cases is that alleged HIPAA violations may be remedied by state lawsuits in addition to HHS fines. While the case law to date makes it clear that individuals cannot bring a case based solely on violations of HIPAA, claims related to privacy of health information may still be viable under state law.
Certain states (including Georgia) have privacy laws creating private causes of action in tort or negligence. So, while an individual plaintiff bringing claims solely for violations of HIPAA almost certainly will fail in federal court, healthcare providers and businesses are not necessarily off the hook for liability to individuals for health information privacy violations under state law theories.
A patient may be able to bring a civil lawsuit for violation of Georgia’s state medical records disclosure law, or under Georgia’s invasion of privacy or negligence law, for example. And personal medical records are protected by Georgia’s constitutional right to privacy also. Other state law theories of recovery for unauthorized disclosures include breach of contract (or an implied contract) for confidentiality, and intentional infliction of emotional distress.
The challenge to successfully waging these types of claims is that a patient must show documented and provable damages — that is, specifically and quantifiably how he or she was harmed by the disclosure or release of information. Examples of documented losses include medical or counseling bills, credit protection or identity theft insurance, costs related to stolen identity, lost pay for time off, and other expenses that resulted directly from the breach of the patient’s privacy. But if the required elements can be established, a healthcare provider or business may be liable for damages under state law, regardless of whether HHS-OCR found a HIPAA violation.
Georgia Supreme Court Rules Case Arising From Patient Records Hack May Proceed
In December 2019, in Collins v. Athens Orthopedic Clinic, PA, the Georgia Supreme Court revived a class action involving claims by at least 200,000 current and former patients of a medical clinic whose personal information (including names, addresses, Social Security numbers and insurance information) was stolen in a 2016 data breach. In overturning the Georgia Court of Appeals and a trial judge, the Georgia Supreme Court found that there was sufficient potential for future harm to allow the case to proceed.
The case began when Athens Orthopedic Clinic learned in June 2016 that someone self-identified as “Dark Overlord” hacked its computer system. The clinic subsequently notified its patients about the hack, but not until approximately two months later.
The hackers demanded a ransom, but the clinic refused to pay. After that refusal, some of the stolen patient information was offered for sale on the dark web, and some of it was later posted there. Some patient information also appeared on Pastebin, a text-storage and sharing website.
At least one plaintiff actually had fraudulent charges made to her credit card after the breach. And all the plaintiffs claimed that the hack made them possible targets of identity theft and fraud, and that they had been damaged by having to place fraud alerts on their credit reports.
In January 2017, three plaintiffs filed a putative class action in Clarke County Superior Court, claiming violation of the Georgia Uniform Deceptive Trade Practices Act, breach of implied contract, unjust enrichment and negligence. The plaintiffs’ claimed damages included past and future costs for credit monitoring and identity theft protection, credit freezes on their accounts, and injunctive relief.
In June 2017, however, the trial judge dismissed the case with little discussion on a motion to dismiss. And in 2018, a divided Georgia Court of Appeals panel affirmed the dismissal. In upholding the trial judge, the Court of Appeals ruled that the plaintiffs’ claimed damages were too speculative to provide standing. Specifically, the Court of Appeals said that “while credit monitoring and other precautionary measures are undoubtedly prudent, we find that they are not recoverable damages on the facts before us because the plaintiffs seek only to recover for an increased risk of harm.” Such “prophylactic measures” are “insufficient to state a cognizable claim under Georgia law.”
However, Judge Christopher McFadden dissented, arguing that the plaintiffs had sufficiently pleaded facts to survive a motion to dismiss, because their “allegations of future injury show a substantial risk that harm will occur.” In his dissent, Judge McFadden wrote that neither Georgia appellate courts nor the U.S. Court of Appeals for the Eleventh Circuit “have decided whether a data breach, with little more, amounts to an injury in fact for purposes of standing.” “But federal courts have uniformly applied a rule that a substantial risk of future harm is sufficient to show an injury in fact for purposes of standing.” “And applying that rule here, leads to the conclusion that the plaintiffs have standing.”
In its December 2019 Collins decision, the Georgia Supreme Court agreed with Judge McFadden’s dissent. In doing so, the court first acknowledged that prior appellate rulings dealing with stolen personal data generally held that plaintiffs had to show the information “had actually fallen into criminal hands” and had been used to harm them in order to show a “legally cognizable injury.” But the Georgia Supreme Court said “this case, which was dismissed on the pleadings despite allegations of large-scale criminal activity, falls into a different category of data-exposure cases.”
“Here, the plaintiffs allege that criminals are now able to assume their identities fraudulently and that the risk of such identity theft is ‘imminent and substantial.’” “This amounts to a factual allegation about the likelihood that any given class member will have her identity stolen as a result of the data breach.”
The Georgia Supreme Court opinion said that the plaintiffs’ claims were more than sufficient to survive a motion to dismiss, as they alleged that “all class members now face the ‘imminent and substantial risk’ of identity theft given criminals’ ability to use the stolen data to assume the class members’ identities and fraudulently obtain credit cards, issue fraudulent checks, file tax refund returns, liquidate bank accounts, and open new accounts in their names.” “Assuming the truth of these allegations, as we must at this stage, we must presume that a criminal actor has maliciously accessed the plaintiffs’ data and has at least attempted to sell at least some of the data to other wrongdoers.” The allegations of future injury “show a substantial risk that harm will occur. The allegations thus suffice to establish standing,” according to the court.
The Georgia Supreme Court’s Collins decision indicates that where “plaintiffs allege that criminals are now able to assume their identities fraudulently and that the risk of such identity theft is ‘imminent and substantial,’” it “amounts to a factual allegation about the likelihood that any given [plaintiff] will have her identity stolen as a result of the data breach.” So, under Collins, pleading such facts apparently will be sufficient to survive a motion to dismiss, because such “allegations of future injury show a substantial risk that harm will occur.” That said, for such claims to succeed, patients almost certainly will still have to show some documented and provable damages, i.e., specifically and quantifiably how they have been harmed by the disclosure or release of the information.
On September 21, 2020, HHS’s OCR announced that Athens Orthopedic agreed to pay $1.5 million to HHS’s OCR and to adopt a corrective action plan for the potential HIPAA violations. The corrective action plan includes two years of monitoring. The resolution agreement and corrective action plan can be viewed here.
Ransomware Attacks Against Healthcare Entities Rise
Ransomware attacks are a growing problem, and cyberattacks against healthcare providers can be particularly damaging. Healthcare providers and health systems are highly vulnerable to ransomware attacks. In 2020, at least 91 U.S. healthcare providers suffered attacks (up from 50 in 2019), and the U.S. healthcare industry lost an estimated $20.8 billion from downtime caused by ransomware attacks. A third of healthcare organizations reported being victims of a ransomware attack in 2020, according to the results of a global survey. Of these, 65% said their data was encrypted by cybercriminals. Moreover, those numbers continue to rise.
For example, the FBI recently linked the Conti ransomware group to at least 16 cyberattacks aimed at disrupting healthcare and first responder networks in the U.S. And the Ryuk ransomware gang (named after its signature software, with reported ties to Russian government security services) has hit at least 235 general hospitals and inpatient psychiatric facilities, in addition to dozens of other healthcare entities in the U.S. since 2018.
Hackers exploit network and connectivity vulnerabilities to infiltrate health system servers, or gain access using tactics such as “phishing” emails designed to trick employees into inadvertently installing malware on their computers. The malware then encrypts data and prevents providers from accessing critical records, including PHI. To increase the chances of payment, attackers steal confidential files before launching the ransomware that blocks user access to computer systems. If blackmail demands — usually made in cryptocurrency such as Bitcoin — are not met, organizations risk their data being sold or published via a leak site.
Criminals promise that if the victim of the attack pays the amount demanded, the bad actors will provide software keys that decode the data and enable the victim to continue its operations. But law enforcement agencies discourage victim organizations from paying ransoms because there are no guarantees decryption keys will work or files can be recovered, and each successful extortion attempt encourages more ransomware activity. However, until a resolution or work-around is achieved, normal (often vital, lifesaving) operations are disrupted or crippled, and serious economic and non-economic damage occurs.
As a result, on June 2, 2021, the White House issued a memo urging business executives to convene their leadership teams to discuss ransomware threats and review corporate security measures and business continuity plans. The memo outlines best practices for all organizations to adopt. Those practices include: multi-factor authentication; encryption; network backups; deploying skilled, empowered security teams; and endpoint detection and response. The federal government has also issued a Ransomware and HIPAA fact sheet and an Interagency Guidance Document, titled How to Protect Your Networks from Ransomware, to help organizations defend against cyberattacks. And HHS has published guidance materials specifically designed to give HIPAA covered entities and business associates insight into how to respond to cyber-related security incidents. Adequate cyber insurance that covers the risks and potential damages of a ransomware attack has also become crucial. (For an article on what physicians need to know about cyberliability coverage, see, e.g., this article.)
On September 22, 2021, the Cybersecurity and Infrastructure Security Agency, the FBI, and the National Security Agency announced publication of a cybersecurity advisory regarding increased Conti ransomware cyberattacks. The advisory includes technical details on the threat and mitigation steps that public and private sector organizations can take to reduce their risk from that ransomware. Ransomware attacks continue to threaten the U.S. and global healthcare sectors, in part due to many health entities’ dependency on legacy systems and lack of security resources, according to an October 2021 analysis by HHS’ Health Sector Cybersecurity Coordination Center. And healthcare providers are a favorite target of top ransomware gangs because of the confidential information they possess and the essential, time-sensitive services they provide.
An example of what can happen — no matter how careful a healthcare provider is — occurred in Georgia in June 2021. On June 17th, Savannah, Georgia-based St. Joseph’s/Candler Health System discovered “suspicious network activity,” prompting the health system’s hospital to isolate and shut down its IT systems to limit the potential effects of the cyberattack. The health system investigated the activity and confirmed that it involved ransomware. The health system switched to backup processes and other downtime procedures, including paper documentation, while its IT systems were offline. It took the system two full months to return to “fully operational” status after discovering the ransomware attack, the Savannah Morning News reported on Aug. 18, 2021.
Fortunately, patient care operations continued at the system’s facilities using previously established back-up processes and other computer downtime procedures. Otherwise, not only time and money, but also lives, could have been lost. Such procedures are specifically designed for events like system upgrades or other circumstances that may cause computer downtime. But for patient safety reasons, physicians, nurses and staff must be able to provide uninterrupted care even in extraordinary situations like cyberattacks. Individual providers should be trained to do everything possible to mitigate disruption and provide patient care while computer systems are down, electronic records are unavailable, mobile devices are unusable, and the attack is being investigated and (hopefully) remedied as quickly as possible. Health entities that are victims of cyberattacks also must be prepared to promptly notify individual patients if they determine that patients’ personal or health information has been exposed or compromised. And they may need to pay for credit monitoring services for affected individuals.
Moreover, large health systems and hospitals are not the only targets of health entity cyberattacks. Somewhat surprisingly, a recent report showed that attackers breached outpatient facilities and specialty clinics nearly as much as hospitals and health systems. And business associates accounted for a large percentage of breaches. The report notes that smaller organizations generally run the same systems and use the same technologies as hospital systems. But smaller entities generally have less money to spend on security. And attackers look for easy targets. So no healthcare entity or professional can safely assume they won’t be attacked.
According to another recent report, over the last two years, 43% of healthcare providers said their organizations experienced a ransomware attack, of which 33% said they experienced two or more. 71% of respondents said that these cyberattacks drove up lengths of stay; 70% said they caused delays in procedures and tests; 65% said they increased patient transfers or facility diversions; 36% said that they led to an increase in clinical complications; and 22% saw death rates rise following a ransomware attack. Thus, the stakes are not only economic, but also patient health, life and death.
On February 23, 2022, following President Biden’s Feb. 22 announcement that Russia’s invasion of Ukraine had begun, the American Hospital Association issued a cybersecurity advisory with steps that hospitals can take to safeguard their facilities from possible cyberattacks stemming from the invasion. The U.S. government and NATO allies responded to Russia’s actions with economic and military sanctions, and one concern is that Russia may retaliate against the U.S. with disruptive cyberattacks.
On April 20, 2022, the cybersecurity authorities of the U.S., Australia, Canada, New Zealand and the UK released a joint Cybersecurity Advisory to warn organizations that Russia’s invasion of Ukraine could expose organizations both within and beyond the region to increased malicious cyber activity. This activity may occur as a response to the unprecedented economic costs imposed on Russia as well as material support provided by the U.S., U.S. allies and partners. Evolving intelligence indicates that the Russian government is exploring options for potential cyberattacks, including against the healthcare industry.
Two days earlier, the HHS Cybersecurity Program issued an alert to healthcare providers warning them to defend against the “exceptionally aggressive” Hive ransomware group. Per the alert, the group uses many common ransomware tactics, including exploiting remote desktop protocols or VPN, and phishing attacks, as well as directly calling victims to apply pressure and negotiate ransom payments. Other tactics include searching victims’ systems that are tied to backups and either terminating or disrupting those connections, and deleting shadow copies, backup files and system snapshots.
Hive also conducts double extortion, supported by its data leak site, while operating under a ransomware-as-a-service model. Within 100 days of operations, Hive claimed attacks on approximately 355 companies. HHS urged healthcare organizations to increase their preventive security measures, such as two-factor authentication, strong passwords, sufficient backups of the most critical data, and continuous monitoring.
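As an added illustration of the “continuous monitoring” HHS recommends (example code written for this page, not the firm’s, HHS’s or any vendor’s), the following Python flags the shadow-copy and backup-catalog deletion commands the Hive alert describes when they appear in process-creation logs, and escalates when one host runs more than one such command within a short window. The log layout, host names, user names and sample lines are all constructed for the example.

```python
"""Flag backup-destruction commands in process-creation logs.

Constructed example: the record layout, host names, users and sample lines
below are invented for illustration and do not come from any real incident.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class ProcessEvent:
    time: datetime
    host: str
    user: str
    parent: str          # image of the parent process
    image: str           # image of the newly created process
    command_line: str


@dataclass(frozen=True)
class Alert:
    time: datetime
    host: str
    rule: str
    severity: str        # "high" for a single hit; "critical" once a host has
                         # run several distinct recovery-destroying commands
    command_line: str


# Assumed record layout (pipe-delimited; the command line is the last field
# and may itself contain spaces):
#   ISO-8601 time|host|user|parent image|image|command line
def parse_event(line: str) -> ProcessEvent:
    fields = line.rstrip("\n").split("|", 5)
    if len(fields) != 6:
        raise ValueError(f"malformed record: {line!r}")
    ts, host, user, parent, image, cmd = fields
    return ProcessEvent(datetime.fromisoformat(ts), host, user, parent, image, cmd)


# Each rule names one way of removing the recovery points the HHS alert says
# Hive deletes (shadow copies, backup catalogs). Matching is case-insensitive
# and tolerant of extra arguments because operators vary the exact spelling.
RULES = (
    ("vssadmin_delete_shadows",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("wbadmin_delete_catalog",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b", re.I)),
)


def matching_rules(event: ProcessEvent) -> list:
    """Return the names of every rule whose pattern matches the command line."""
    return [name for name, pattern in RULES if pattern.search(event.command_line)]


def detect(lines, window: timedelta = timedelta(minutes=10)) -> list:
    """Scan time-ordered log lines and return one Alert per matching event.

    Hits are remembered per host for `window`; once a host has triggered two
    or more *different* rules inside that window the alert is escalated to
    "critical", the pattern produced when every recovery option is being
    wiped in one sitting rather than by a lone administrative mistake.
    """
    recent = defaultdict(list)   # host -> [(time, rule), ...] inside the window
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        event = parse_event(line)
        for rule in matching_rules(event):
            hits = [(t, r) for t, r in recent[event.host] if event.time - t <= window]
            hits.append((event.time, rule))
            recent[event.host] = hits
            distinct = {r for _, r in hits}
            severity = "critical" if len(distinct) >= 2 else "high"
            alerts.append(Alert(event.time, event.host, rule, severity, event.command_line))
    return alerts


# Constructed sample log: a legitimate backup-agent run, two destructive
# commands on the same host seconds apart, and a harmless "list" query.
SAMPLE_LOG = """\
2022-04-18T02:11:05|EHR-APP01|svc_backup|C:\\Windows\\System32\\services.exe|C:\\Program Files\\Backup\\agent.exe|agent.exe --schedule nightly
2022-04-18T02:14:40|EHR-APP01|admin|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe delete shadows /all /quiet
2022-04-18T02:15:02|EHR-APP01|admin|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\wbem\\WMIC.exe|wmic shadowcopy delete
2022-04-18T09:30:00|WS-RAD07|jdoe|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\vssadmin.exe|vssadmin list shadows
"""


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG.splitlines()):
        print(f"{a.time:%Y-%m-%d %H:%M:%S} {a.host} [{a.severity}] {a.rule}: {a.command_line}")
```

Run against the sample, the first destructive command is reported as high and the second, on the same host 22 seconds later, as critical, while the read-only "list" query and the scheduled backup agent are ignored.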
On September 12, 2022, the FBI issued an advisory on how to protect medical devices from cyberattacks that can threaten healthcare operations, patient safety, and data privacy. The FBI stated it has identified an increasing number of vulnerabilities posed by unpatched medical devices that run on outdated software or lack adequate security features.
On October 21, 2022, the FBI, Cybersecurity and Infrastructure Security Agency, and HHS issued an advisory alerting U.S. organizations to a cybercrime group, the “Daixin Team,” that is targeting the healthcare sector with ransomware and data extortion operations. The group has attacked multiple organizations since June, deploying ransomware to encrypt servers responsible for healthcare services, exfiltrating personally identifiable information and patient health information, and threatening to release the information if a ransom is not paid. The advisory includes indicators of compromise and recommended actions to protect against these attacks.
On October 28, 2022, the HHS Health Sector Cybersecurity Coordination Center issued an alert recommending that all health sector organizations immediately test and deploy a critical OpenSSL patch when it becomes available Nov. 1, because many of the most common operating systems and applications use the OpenSSL software library for secure communications.
Check Point’s 2022 Mid-Year Report showed that the healthcare industry had the largest percentage rise in cyberattacks out of all industry sectors, increasing by 69% in 1H 2022, compared to 2021. Healthcare ranked fifth highest in the number of weekly attacks, behind only education, government/military, ISP/MSP, and communications.
With cyberattacks increasing and the healthcare industry a prime target of hackers, having a well-established plan for responding to a HIPAA breach is a necessity for any organization that creates, receives, maintains or transmits electronic protected health information. Failure to create and implement such a plan will only lead to greater liability exposure and potential harm.
Lawsuits vs. Healthcare Providers Following Ransomware Attacks
Lawsuits by plaintiffs who claim healthcare providers were negligent in failing to secure patient data against breaches are being filed. For example, in June 2021, a lawsuit was filed in San Diego County Superior Court on behalf of a patient, asserting that because there have been so many “high-profile data breaches” involving millions of patients within the last 2 years, Scripps Health “knew or should have known that its electronic records would likely be targeted by cyber-criminals.” But the healthcare provider “failed to take appropriate steps” to keep patients’ protected health information from being compromised. The lawsuit claimed the failure was preventable, because the FBI warned potential targets repeatedly of the possibility of such attacks involving hospitals.
The lawsuit claimed that the plaintiff was harmed because he was unable to access his patient portal, “which contained the ability to communicate with doctors, access test results, request prescription refills, manage appointments, pay as a guest, and view [his] video visit tutorials, which was necessary for his medical treatment.” The patient spent an undisclosed amount of time and incurred anxiety “attempting to restart his medical services/online medical classes, verifying the legitimacy of the Data Breach, monitoring his medical records for identity/information theft, and self-monitoring his financial accounts” — time that “has been lost forever.” Such stolen information, the lawsuit claimed, can be sold “for as much as $363 per record.” “Defendant could have prevented this Data Breach by properly securing and encrypting the PII and PHI of Plaintiff and Class Members. Alternatively, Defendant could have destroyed the data that was no longer useful, especially outdated data,” the lawsuit said. In addition to the $1,000 per violation, the lawsuit is seeking actual damages and punitive damages of up to $3,000 per plaintiff and class member, as well as attorney’s fees, litigation expenses, and court costs.
Another lawsuit filed June 1, 2021 on behalf of 174,000 other patients believed to have been impacted by the breach alleged that medical history, mental and/or physical condition or treatment, including diagnosis and treatment dates, and other personal information were kept on the Scripps Health computer network “in a non-encrypted form.” As a result of the breach, the plaintiffs “have suffered damages from the unauthorized release of their individual identifiable ‘medical information.’”
Although no specific instances of identity theft were cited, the lawsuit alleges patients suffered an increased risk of identity theft and medical identity theft, and “have been forced to expend, and must expend in the future, to monitor their financial accounts, health insurance accounts, and credit files as a result of the data breach.” That information could include a patient’s name, address, birth date, social security and driver’s license numbers, billing accounts, health insurance plans, and medical records, among other personal and financial details. The plaintiffs requested a jury trial and seek compensatory and punitive damages, as well as attorneys’ fees.
U.S. Supreme Court Rulings on Concrete Injury Standing Requirement in Data Privacy Cases
On June 25, 2021, a divided U.S. Supreme Court issued a decision that significantly affects plaintiffs’ ability to pursue data and privacy breach class actions in federal courts. In TransUnion LLC v. Ramirez, Case No. 20-297, the Supreme Court ruled that most of the plaintiffs in that case failed to show a “concrete” injury and thus had no standing to pursue their claims because they did not suffer real, personal harm. The case bolstered companies’ legal defenses in federal privacy class actions. However, despite somewhat curtailing plaintiffs’ ability to pursue such claims in federal court, the Ramirez ruling did not entirely preclude such lawsuits. Rather, the plaintiffs must now carefully evaluate their likelihood of success in a federal forum before filing their case, or risk facing a heavy motion practice and ultimate dismissal on standing grounds, or they must pursue their claims in state court.
The Ramirez case was closely watched by privacy lawyers because actual privacy harms can be difficult to establish, and there was little guidance from the Supreme Court to date on the meaning of a “concrete harm.” In May 2016, the Supreme Court issued a key decision on this issue in Spokeo v. Robins, holding that plaintiffs must allege a concrete injury in order to have standing to sue for a statutory violation. This meant that mere procedural violations would not suffice to assert statutory privacy claims, and that tangible losses had to be alleged. After Spokeo, however, the courts grappled with the precise meaning of “concrete” injury. (See, e.g., this report.)
Spokeo required courts to analyze whether the claimed injuries were sufficient to support the alleged violations of various federal and state consumer privacy statutes, such as the Federal Credit Reporting Act, Telephone Consumer Protection Act, the Biometric Information Privacy Act, and HIPAA. It also impacted standing in data breach class actions. Yet, Spokeo did not give sufficient guidance on this issue. Ultimately, this led to inconsistent rulings across the U.S. and to significant forum shopping by plaintiffs’ attorneys. The Ramirez case finally shed some light on the intended meaning of Spokeo, making it clear that the harm is concrete only if the plaintiffs can adequately plead that they have been personally harmed by the alleged conduct.
Nonetheless, it remains unclear how lower courts will apply Ramirez in the context of data breach class actions. In those actions, plaintiffs typically allege that their personal information was exposed as a result of a breach or a ransomware attack. But they do not always allege that their data was actually or already misused. Consequently, companies facing data breach class actions in federal court may now have a stronger argument for dismissal under Ramirez. Ultimately, however, even if this argument is successful, it may simply lead to re-filings of cases in state courts.
For this reason, the Ramirez dissent called the majority’s opinion “a pyrrhic victory,” explaining that it “does not prohibit Congress from creating statutory rights for consumers; it simply holds that federal courts lack jurisdiction to hear some of these cases,” potentially leaving state courts “as the sole forum for such cases, with defendants unable to seek removal to federal court.” There are often significant advantages for both sides to litigating data breach class actions and other privacy actions in federal court. They include, for example, greater resources, efficiency, expediency or predictability, and potentially lower litigation costs. As a result, companies facing such lawsuits may want to think twice before invoking Ramirez as a defense.
Controlling Access to ePHI
On July 14, 2021, OCR issued its Summer 2021 Cybersecurity Newsletter, focusing on controlling access to ePHI. The newsletter highlights the numerous security incidents affecting the healthcare industry and OCR’s investigations into hackers infiltrating information systems, workforce members impermissibly accessing patients’ information, and ePHI being left on unsecured servers. The newsletter reminds healthcare organizations that Information Access Management and Access Control are two HIPAA Security Rule standards that govern access to ePHI. Information Access Management is an administrative safeguard for ePHI, and Access Control is a technical safeguard for ePHI.
Although their roles in securing ePHI are distinct, together they ensure that organizations implement policies and procedures and technical controls that limit access to ePHI to only those authorized persons or software programs that have been granted access rights. The rise in data breaches due to hacking, as well as threats to ePHI by malicious insiders, underscores the importance of establishing and implementing appropriate policies and procedures regarding these Security Rule requirements. Ensuring that workforce members are only authorized to access the ePHI they need, and that technical controls, such as encryption, are in place to restrict access to ePHI, can help limit potential unauthorized access to ePHI from both kinds of threat.
FTC Confirms that Health Apps Must Comply with Data Breach Rule & Have Duty to Report Security Breaches
On September 15, 2021, the FTC issued a policy statement clarifying that health apps that collect or use consumers’ health information are subject to the Health Breach Notification Rule’s notification requirements when the consumer data they collect is subject to unauthorized access. The FTC’s policy statement notes that the American Recovery and Reinvestment Act of 2009 directed the FTC to ensure that web-based companies contact customers in the event of a data security breach and that, pursuant to the Act, the FTC issued the Health Breach Notification Rule (“Rule”), which requires vendors of personal health records to notify consumers and the FTC when such a breach occurs. The Rule is intended to ensure that entities who are not covered by HIPAA are still accountable for the safety of consumers’ health information.
The FTC observed that health apps and wearable devices, which collect such sensitive and personal data as glucose levels, sleep cycles, heart health, and fertility, are increasingly targeted by scammers and hackers, but many apps do not have adequate privacy protections in place. Therefore, the FTC provided the policy statement to clarify the scope of the Rule, such that health apps and connected devices that can draw information from multiple sources (such as a wearable device and a user’s smartphone) must also comply with the Rule, and it potentially subjects violators to monetary penalties of up to $43,792 per violation per day.
Many apps that collect health information, but are not subject to HIPAA, are subject to the Health Breach Notification Rule. In January 2022, the FTC released two new publications that help entities navigate the Rule. The Health Breach Notification Rule: The Basics For Business provides an introduction for entities, while Complying With the FTC’s Health Breach Notification Rule provides additional guidance.
Liability for Failing to Properly Respond to Patients’ Records Requests
In 2019, OCR announced its HIPAA “Right of Access Initiative,” promising to vigorously enforce patients’ rights to receive copies of their medical records promptly and without being overcharged. In September 2019, OCR announced that it entered into a Resolution Agreement with a Florida medical center (“Medical Center”) following allegations that the Medical Center failed to respond to a patient’s request for medical records in a timely fashion and in violation of the patient’s right to access such records under HIPAA. While the $85,000 settlement amount was relatively small in comparison to the seven-figure settlements that OCR entered into in recent years, the enforcement action was notable for being the first related to OCR’s Right of Access Initiative launched earlier in 2019.
OCR initiated an investigation into the Medical Center following its receipt of a complaint from a mother who requested access to her unborn baby’s medical records under the HIPAA right of access. The HIPAA right of access extends to personal representatives of the patient, such as parents of minor children. The mother first requested access to her baby’s medical records in October 2017, at which point the Medical Center informed the mother that the records could not be found. The mother’s attorney subsequently requested the records on her behalf in January 2018 and again in February 2018. The Medical Center did not provide the mother with a complete set of records until August 2018, after she had already submitted her complaint to OCR and OCR’s investigation had commenced.
According to the Resolution Agreement, OCR’s investigation revealed that the Medical Center failed to provide the mother with access to protected health information pursuant to the HIPAA right of access set forth at 45 C.F.R. § 164.524, which requires covered entities to provide individuals with access to their medical records and other protected health information maintained in a designated record set within 30 days of the individual’s request for such records.
In addition to the $85,000 monetary settlement, the Medical Center agreed to a one-year Corrective Action Plan (“CAP”) that requires the Medical Center to, among other things, revise and implement policies and procedures regarding patient access to medical records and train its workforce on such policies. Notably, the CAP also reaches the Medical Center’s business associates involved in receiving or fulfilling medical records requests in several ways. First, the Medical Center’s business associates must certify compliance with the Medical Center’s revised policies and undergo training on such policies. Second, the Medical Center must provide OCR with the names of its business associates involved in receiving or fulfilling medical records requests, and copies of its business associate agreements with such vendors. Third, in addition to reporting to OCR each instance where its own workforce member fails to comply with its revised policies, the Medical Center also must report to OCR each instance of a business associate failing to comply with the policies.
OCR’s Second Settlement Under HIPAA Right of Access Initiative
In December 2019, OCR announced its second enforcement action and settlement under its HIPAA Right of Access Initiative. Under the terms of the settlement, Korunda Medical, LLC agreed to pay $85,000 to settle a potential violation of HIPAA’s right of access.
According to HHS, “Korunda is a Florida-based company that provides comprehensive primary care and interventional pain management to approximately 2,000 patients annually.” In March 2019, OCR received a complaint that “Korunda [had] failed to forward a patient’s medical records in electronic format to a third party” after multiple requests by the patient. Based on the complaint, OCR provided Korunda with assistance on how to correct the issues and closed the complaint. Despite OCR’s assistance, Korunda continued to fail to provide the requested records, which resulted in another complaint to OCR. In May 2019, after OCR’s second intervention, Korunda provided the requested records, free of charge and in the requested format.
A news release, quoting OCR’s Director, stated that “For too long, healthcare providers have slow-walked their duty to provide patients their medical records out of a sleepy bureaucratic inertia. We hope our shift to the imposition of corrective actions and settlements under our Right of Access Initiative will finally wake up healthcare providers to their obligations under the law.” The resolution agreement can be accessed here.
Takeaways from Initial Right of Access Settlements
OCR made clear through these settlements that it intends to hold covered entities and business associates accountable for providing patients with access to their medical records under HIPAA. Healthcare providers and business associates should ensure that they have the written policies and procedures, as well as the operational infrastructure, needed to respond to medical records requests in a manner that complies with both HIPAA and applicable state law.
While HIPAA sets a “floor” of requirements regarding patients’ rights to access medical records, the laws in many states are more stringent than HIPAA on this issue, particularly with respect to how quickly records must be provided. In Georgia, a physician must provide medical records to a patient within 30 days of the receipt of a records request. But in California, for example, physicians must provide patients with copies of requested medical records within only 15 days of the patient’s request, shortening HIPAA’s 30-day time frame. Additionally, many states establish specific fee schedules that further limit the HIPAA “reasonable, cost-based fee” that healthcare providers may charge for fulfilling a records request. So healthcare providers and business associates must also take note of the state laws on access requests that may apply in addition to HIPAA.
HHS Reverses Position Regarding Access & Copy Fees for Third-Party Requests for Medical Records After Court Invalidates Portion of HIPAA Regulations & Guidance
In January 2020, the U.S. District Court for the District of Columbia issued a ruling in Ciox Health, LLC v. Azar, et al., invalidating portions of the Modifications to the HIPAA Privacy, Security and Enforcement Rules and the 2016 guidance issued by HHS’s OCR addressing the assessment of fees for copies of electronic and paper health records to third parties. Under HIPAA’s Privacy Rule, providers generally must provide a patient with the right to access his or her own PHI and can charge a “reasonable, cost-based fee” for providing such copies. OCR guidance expanded this obligation, requiring providers to provide copies of patients’ medical records to third parties when requested by a patient while charging the same reasonable, cost-based fee. The court ruled that OCR overstepped its statutory authority by imposing the fee cap on records to be provided to third parties, even when requested by a patient. However, the court did not rule on what fee is permissible, leaving that issue for resolution through rulemaking comment and review.
With this decision and HHS’s change in position, covered entities and their business associates received relief from the sometimes significant financial burden of producing copies of voluminous medical records to third parties, such as lawyers and insurance companies. Specifically, the court vacated HHS’s 2013 rule compelling delivery of medical records to third parties regardless of the records’ format (instead scaling it back to align with the statutory scope of the HITECH Act, which is limited to electronic health records), and also vacated the 2016 guidance which applied strict HIPAA fee limits to records delivered to third parties pursuant to a patient-directed request. On January 28, 2020, HHS announced the reversal of its position on these two key points.
By way of background, the implementing regulations for HIPAA at 45 C.F.R. 164.524 establish an individual’s right to access PHI and set requirements for the permissible fee that can be charged for such production. Following the enactment of the HITECH Act in 2009, HHS revised these regulations in 2013. One aspect of these revisions was the promulgation of 45 C.F.R. 164.524(c)(3)(ii), which required that a covered entity must provide a copy of PHI directly to a third party designated by the individual (i.e., a “third-party directive”). Although HHS promulgated this regulation pursuant to the HITECH Act, which limited third-party directives to PHI in electronic health records (“EHRs”), HHS’s regulations did not include that important limit, instead applying third-party directive requirements to access requests for all PHI in any format.
In 2016, HHS issued extensive guidance on the patient right of access provisions, including third party directives. In the guidance, HHS did three things relevant here. Specifically, it:
- applied the HIPAA fee limits at 45 C.F.R. 164.524(c)(4) to third-party directives;
- laid out three methods for calculating the fees that may be charged; and
- limited what activities may be included as “labor costs” in calculating the fees.
Following this regulation and guidance, third-party directives soared, driven largely by requests from plaintiffs’ attorneys. This, in turn, resulted in a significant increase in costs for covered entities and their business associates engaged in producing copies of patient records. Ciox Health, LLC (“Ciox”), a release of information vendor that contracts with hospitals and other healthcare providers to fulfill requests for copies of medical records, filed suit against HHS in the U.S. District Court for the District of Columbia in January 2018. In its suit, Ciox challenged the regulation and guidance cited above.
Key Takeaways from the court’s 2020 Ciox decision include the following:
- Third-Party Directives Apply to PHI in Electronic Health Records Only. Going forward, third-party directives are scaled back to only apply to requests for electronic copies of PHI maintained in EHRs, in alignment with the scope of the HITECH Act, which provides at 42 U.S.C. § 17935(e)(1): “[I]n the case that a covered entity uses or maintains an electronic health record with respect to protected health information of an individual . . . the individual shall have a right to obtain from such covered entity a copy of such information in an electronic format and, if the individual chooses, to direct the covered entity to transmit such copy directly to an entity or person designated by the individual, provided that any such choice is clear, conspicuous, and specific.”
- Fee Limits Apply to Direct Patient Requests Only. HIPAA’s fee limits for copies now apply only to an individual’s request for access to his or her own records and do not apply to requests to transmit records to a third party. Note, however, that state or other law may impose limits and should be read alongside HIPAA to determine the appropriate fees to charge, both for direct patient requests and third-party requests.
- Methods of Calculating Fees and Limits on Labor Activities are Unchanged. The court left intact HHS’s guidance on the three methods HHS discusses as options by which fees may be calculated when responding to a patient’s request for records (i.e., actual cost, average cost, and optional flat fee for electronic copies of electronic records), as well as what activities may be included in labor cost calculations.
As a result of this decision and HHS’s response, covered entities and business associates responding to requests for medical records should bear in mind the following:
- Responding to Direct Patient Requests. Covered entities and business associates must still follow the HIPAA regulations and HHS guidance regarding responding to a patient’s request for copies of his or her own records (e.g., covered entities must respond to a patient’s request within 30 days and, when providing copies, must limit the fee charged to the individual to a “reasonable, cost-based fee,” among other requirements).
- Responding to Third-Party Directives for Electronic Records. If a patient directs a covered entity to send electronic copies of PHI maintained in EHRs directly to a third party, the covered entity must comply. However, HIPAA no longer imposes fee limits for such transmission (though state or other law could apply).
- Responding to All Other Requests. As the healthcare industry adjusts to the revised requirements for third-party directives, covered entities and business associates may still receive third-party directives for copies of paper records. If a patient directs a covered entity to send paper records directly to a third party, the covered entity should inform the individual of the need to receive a valid authorization or comply with an applicable exception under HIPAA (e.g., providing records to another healthcare provider for treatment) before releasing the records. Similarly, for all requests that originate from a third party (i.e., not at the patient’s direction), the covered entity also must receive a valid authorization or comply with an applicable exception under HIPAA before releasing the records.
OCR Settles More Investigations in HIPAA Right of Access Initiative
On September 15, 2020, OCR announced that it had settled five more investigations in its HIPAA Right of Access Initiative. OCR announced the initiative as an enforcement priority in 2019 to support individuals’ right to timely access to their health records at a reasonable cost under the HIPAA Privacy Rule. The five additional settlements brought OCR’s total to seven completed enforcement actions under the Right of Access Initiative.
OCR’s enforcement actions are designed to send a message to the healthcare industry about the importance and necessity of compliance with the HIPAA Rules. The HIPAA Rules generally require covered healthcare providers to provide medical records within 30 days of an access request in a readily producible format of the patient’s choosing. And providers are only permitted to charge a reasonable cost-based fee.
OCR considers a variety of factors in determining the amount of a settlement, including: the nature and extent of the potential HIPAA violation; the nature and extent of the harm resulting from the potential HIPAA violation; the entity’s history with respect to compliance with the HIPAA Rules; the financial condition of the entity, including its size and the impact of the COVID-19 public health emergency; and other matters as justice may require. Additional details regarding the settlements, including the payment amounts and corrective action plans required, can be accessed here.
In the fall of 2020, OCR continued its enforcement of HIPAA’s right of access provision by settling its eighth enforcement action, with Phoenix-based St. Joseph’s Hospital and Medical Center, for $160,000. St. Joseph’s allegedly took almost two years to provide copies of the patient’s medical records. While patient care and satisfaction receive most of the attention across healthcare, HHS highlighted the fact that many patients face impediments to the simple act of obtaining a copy of their own medical chart.
In another case, OCR announced that it settled its ninth enforcement action related to its HIPAA Right of Access Initiative with NY Spine Medicine, a private medical practice specializing in neurology and pain management with offices in New York and Florida. NY Spine Medicine agreed to take corrective actions and pay $100,000. The investigation of NY Spine Medicine arose from a complaint from an individual alleging that she had made multiple requests for her medical records from NY Spine Medicine but did not receive the diagnostic films that she had specifically requested. OCR determined that the failure to provide timely access to all of the patient’s records was a potential violation of the right of access standard.
Riverside Psychiatric Medical Group (“RPMG”) agreed to take corrective actions and pay $25,000 to OCR, the agency announced November 6, 2020. The settlement was the tenth enforcement action in OCR’s HIPAA Right of Access initiative.
In March 2019, OCR received a complaint from a patient alleging that RPMG—a group practice specializing in child and adolescent psychiatry, geriatric psychiatry, neuropsychiatry, psychology, and substance use disorders—failed to provide a copy of her medical records despite multiple requests.
Shortly after receiving the complaint, OCR said it provided RPMG with technical assistance on how to comply with the HIPAA Right of Access requirements and closed the matter. However, in April 2019, OCR received a second complaint alleging that RPMG still had not provided the patient with access to her medical records.
According to OCR, RPMG claimed that because the requested records included psychotherapy notes, they did not have to comply with the access request. While the HIPAA rules do not require production of psychotherapy notes, they do require covered entities (1) to provide requestors a written explanation when it denies any records request in whole or in part (which RPMG did not do), and (2) to provide the individual access to his or her medical records other than psychotherapy notes, OCR said. RPMG’s corrective action plan includes, among other things, two years of monitoring.
OCR’s enforcement initiative to help ensure patients receive timely access to their medical records also resulted in a $15,000 settlement with a New York physician to resolve a potential violation of the HIPAA Privacy Rule. The settlement was the eleventh under OCR’s HIPAA right of access initiative, which the agency launched in 2019, the agency said on November 12, 2020. Dr. Rajendra Bhayani, who specializes in otolaryngology, also agreed to a corrective action plan that includes two years of monitoring.
OCR initiated an investigation of Dr. Bhayani after receiving a complaint in September 2018 that he failed to provide a patient access to her medical records, which she requested two months earlier. OCR provided Bhayani with technical assistance on complying with HIPAA’s right of access requirements, but in July 2019 the agency received a second complaint alleging he had still not provided the requested access. Following OCR’s investigation, the patient received a complete copy of her medical records in September 2020, the agency said.
“Doctor’s offices, large and small, must provide patients their medical records in a timely fashion. We will continue to prioritize HIPAA Right of Access cases for enforcement until providers get the message,” said Roger Severino, OCR Director.
On November 19, 2020, OCR announced that the University of Cincinnati Medical Center, LLC (“UCMC”) will pay $65,000 to resolve a potential violation of the HIPAA Privacy Rule’s right of access standard. UCMC, an academic medical center in the Greater Cincinnati area, also agreed to take corrective actions, including two years of monitoring. The settlement is the twelfth under OCR’s HIPAA right of access enforcement initiative.
OCR initiated an investigation of UCMC after receiving a complaint in May 2019 that it failed to respond to a patient’s request three months earlier to send an electronic copy of her medical records to her lawyers. HIPAA rules include the right of patients to have electronic copies of records in an electronic health record transmitted directly to a third party. After OCR’s investigation, the patient received the requested medical records in August 2019.
“OCR is committed to enforcing patients’ right to access their medical records, including the right to direct electronic copies to a third party of their choice. HIPAA covered entities should review their policies and training programs to ensure they know and can fulfill all their HIPAA obligations whenever a patient seeks access to his or her records,” OCR Director Roger Severino said.
Georgia-Based Primary Care Practice Settles Right of Access Enforcement Action
On December 22, 2020, OCR announced a $36,000 settlement and corrective action plan with Georgia-based Elite Primary Care. This was the thirteenth enforcement action made under the HHS initiative. The settlement stemmed from a record access complaint filed with OCR on April 22, 2019, alleging Elite failed to provide a patient with access to his medical records. In response, OCR provided the covered entity with technical assistance regarding the HIPAA standard.
OCR also advised Elite to review the HIPAA Privacy Rule’s right of access standard and the facts surrounding the request, stating that the provider should promptly give the patient access to his records if the request met the HIPAA requirements. The patient submitted another records request in writing to Elite in June 2019. However, by October 9, 2019, the patient still had not received the requested records and filed a second complaint with OCR. Elite sent the records to the patient’s new healthcare provider on November 21, 2019 and to the patient on May 8, 2020.
OCR found that Elite failed to respond to the patient’s access request in a timely manner. As a result, the practice agreed to pay HHS $36,000 and to enter into a corrective action plan, which includes two years of monitoring. Under the corrective action plan, Elite is required to develop, maintain, and revise, as necessary, written policies and procedures for complying with the HIPAA standards governing the privacy of individually identifiable health information. At a minimum, these measures must include a review and update of the designated record set policy within its right of access procedures for protected health information, to ensure effective and comprehensive responses to access requests.
The policies must also include training protocols for all workforce members involved in receiving or fulfilling records requests, as well as application of appropriate sanctions for members who fail to comply with Elite’s policies and procedures. Elite is also required to review and update, as necessary, its designated record set policy to “ensure the provision of a standard method for requesting access for personal representatives versus individuals with whom the Covered Entity is authorized to share PHI.” Those policies must be distributed to the entire workforce, and Elite must then provide the appropriate employees with training.
A recently released OCR audit report found that 89 percent of providers failed to comply with the requirements of the HIPAA right of access standards. On December 10, 2020, HHS proposed changes to the privacy rule that are designed to further improve patients’ right of access.
On January 12, 2021, HHS OCR announced its fourteenth settlement as part of the HIPAA Right of Access Initiative. In this case, the violations stemmed from two complaints against Banner Health related to delays in the receipt of medical records requested in December 2017 and September 2019. In each case, Banner Health took six months to provide the requested records. As part of the settlement, Banner Health agreed to pay $200,000 and implement a corrective action plan which included two years of monitoring.
On February 10, 2021, OCR announced that Renown Health, PC, a private, not-for-profit health system in Nevada, will pay $75,000 to resolve potential violations of the HIPAA Privacy Rule’s right of access standard. The settlement is the fifteenth under OCR’s HIPAA right of access enforcement initiative. OCR received a complaint in February 2019 alleging Renown Health failed to timely respond to a patient’s request that an electronic copy of her protected health information be sent to a third party. Following the investigation, Renown provided access to the requested records. Renown also agreed to take corrective actions including two years of monitoring, OCR said.
OCR settled its sixteenth enforcement action related to the HIPAA Right of Access on February 12, 2021. As part of this settlement, Sharp Healthcare agreed to pay $70,000 for, among other things, allegedly failing to direct an electronic copy of PHI in an electronic health record to a third party at the patient’s request. (Details are available here.) Similar enforcement actions have followed. (See, e.g., OCR’s seventeenth, eighteenth, nineteenth and twentieth settlements under the HIPAA Right of Access enforcement initiative.)
On November 30, 2021, OCR announced five more resolutions of potential violations of the HIPAA Privacy Rule’s right of access standard. This announcement brought the total number of enforcement actions to 25 since the right of access initiative was launched in 2019. As a result of these enforcement actions:
- Advanced Spine & Pain Management, which provides management and treatment of chronic pain services in Cincinnati and Springboro, OH, agreed to take corrective actions that include two years of monitoring, and paid $32,150 to resolve the potential HIPAA violation.
- Denver Retina Center, a provider of ophthalmological services in Denver, CO, agreed to take corrective actions that include one year of monitoring and paid $30,000 to resolve the potential HIPAA violation.
- Dr. Robert Glaser, a cardiovascular disease and internal medicine physician in New Hyde Park, NY, did not cooperate with OCR’s investigation or respond to OCR’s data requests after failing to provide a patient with a copy of their medical record. Dr. Glaser waived his right to a hearing and did not contest the findings of OCR’s Notice of Proposed Determination. OCR issued a civil money penalty of $100,000 and closed the case.
- Rainrock Treatment Center, LLC d/b/a Monte Nido Rainrock, a licensed provider of residential eating disorder treatment services in Eugene, OR, took corrective actions including one year of monitoring and paid OCR $160,000 to settle a potential HIPAA violation.
- Wake Health Medical Group, a provider of primary care and other healthcare services in Raleigh, NC, agreed to take corrective actions and paid $10,000 to settle a potential HIPAA violation.
Under HIPAA, covered entities must respond to access requests no later than 30 days after receipt by providing access, denying the request, or asking for an extension. OCR has issued guidance on this topic noting that covered entities could provide almost instantaneous or very prompt electronic access to PHI when using health information technology. OCR has further included FAQs on HIPAA’s Access Right and a new clarification on the Flat Rate Option for Copies of PHI as part of this guidance.
“Timely access to your health records is a powerful tool in staying healthy, patient privacy and it is your right under law,” said OCR Director Lisa J. Pino. “OCR will continue its enforcement actions by holding covered entities responsible for their HIPAA compliance and pursue civil money penalties for violations that are not addressed.”
OCR resolved four more HIPAA-related enforcement actions, the agency announced March 28, 2022. Two of the cases involved potential violations of the HIPAA Privacy Rule’s right of access standard. As of the end of March 2022, OCR had taken 27 enforcement actions since launching its right of access probe in 2019 to help ensure patients are receiving timely access to their medical records. The other enforcement actions related to the impermissible disclosure of patients’ protected health information, OCR said.
Dr. Donald Brockley, D.D.M., a solo dental practitioner in Butler, PA, agreed to pay $30,000 for allegedly failing to provide a patient with a copy of their medical record, and Jacob and Associates, a psychiatric medical service provider in California, agreed to pay $28,000 to settle potential violations of the right of access standard. Both providers also agreed to take corrective action, OCR said.
In addition, OCR imposed a $50,000 civil monetary penalty on Dr. U. Phillip Igbinadolor, D.M.D. & Associates, PA, a dental practice with offices in Charlotte and Monroe, NC, for disclosing a patient’s PHI on a webpage in response to a negative online review. And Northcutt Dental-Fairhope, LLC, a dental practice in Fairhope, AL, agreed to pay $62,500 to settle potential violations of the HIPAA Privacy Rule for allegedly disclosing its patients’ PHI to a campaign manager and a third-party marketing company hired to help with a state senate election campaign. Northcutt Dental also agreed to take corrective action.
On July 15, 2022, HHS announced the resolution of eleven more investigations in its HIPAA Right of Access Initiative, bringing the total number of these enforcement actions to thirty-eight since the initiative began. The largest involved Houston-based Memorial Hermann Health System, which paid HHS’ OCR $240,000 to settle a possible violation of HIPAA. The health system allegedly “failed to respond to a patient’s request for access to her health records in a ‘timely’ manner,” according to an HHS news release.
The above settlements demonstrate OCR’s continued prioritization of enforcing the HIPAA Privacy Rule’s right of access requirements. Healthcare providers should do all they can to ensure proper training on and compliance with the HIPAA Privacy Rule’s right of access mandate, which provides criteria for providing or denying access and record-keeping requirements for medical record requests. (See, e.g., 45 C.F.R. § 164.524 and HHS guidance here.)
While the cost of settlement may seem small in some cases, the overall cost of a HIPAA complaint is not limited to an assessed penalty. An investigation can result in legal fees in navigating the investigation, disruptions to the provider’s operations during the investigation, and the cost of implementing a corrective action plan, including monitoring for years, after the settlement.
Interoperability & Data Blocking Final Rules
On March 9, 2020, HHS released its final electronic health record interoperability and data blocking rules. The two rules, issued by HHS’s Office of the National Coordinator for Health Information Technology (“ONC”) and CMS, implement interoperability and patient access provisions of the bipartisan 21st Century Cures Act and support the MyHealthEData initiative. The rules aim to give patients better access to their health records so they can make better healthcare decisions. Implementation of the interoperability rule is staged over time. (See https://www.hhs.gov/about/news/2020/03/09/hhs-finalizes-historic-rules-to-provide-patients-more-control-of-their-health-data.html.)
Together, these final rules are the most extensive healthcare data sharing policies the federal government has implemented, requiring both public and private entities to share health information between patients and other parties while keeping that information private and secure. For more information on the ONC final rule, please visit: https://healthit.gov/curesrule. For more information on the CMS final rule, please see: https://www.cms.gov/newsroom/fact-sheets/interoperability-and-patient-access-fact-sheet and https://www.cms.gov/Regulations-and-Guidance/Guidance/Interoperability/index.
To help organizations prepare, eight health industry groups pooled their efforts to create an Information Blocking Resource Center, a free online resource containing guidelines and helpful documents. Participating organizations include the College of Healthcare Information Management Executives (“CHIME”), the American College of Physicians (“ACP”), the American Health Information Management Association (“AHIMA”), the American Medical Association (“AMA”), American Medical Informatics Association (“AMIA”), American Psychiatric Association (“APA”), Medical Group Management Association (“MGMA”), and Premier Inc.
Under the new rules, clinical notes must be shared by health systems by April 5, 2021, and shared with a patient’s third party application that may be downloaded to a smart phone or other device by October 6, 2022. The types of clinical notes that must be shared are outlined in the United States Core Data for Interoperability and include:
- consultation notes
- discharge summary notes
- history & physical
- imaging narratives
- laboratory report narratives
- pathology report narratives
- procedure notes
- progress notes
Clinical notes to which the rules do not apply include:
- Psychotherapy notes that are separated from the rest of the individual’s medical record and are recorded (in any medium) by a healthcare provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint or family counseling session. (Note: All clinicians and organizations are required to share medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, and any summary of the following items: diagnosis, functional status, the treatment plan, symptoms, prognosis, and progress to date.)
- Information compiled in reasonable anticipation of, or use in a civil, criminal or administrative action or proceeding.
On September 27, 2022, Healthcare Dive (Mensik) reported that “The American Hospital Association, along with a coalition of other healthcare organizations, wants the HHS to postpone an information blocking deadline slated to start Oct. 6, according to a Monday letter sent to Secretary Xavier Becerra.” As of that date, hospitals and physicians’ offices, “health IT developers and others must start sharing all electronic protected health information in a designated record, effectively prohibiting entities from information blocking.” However, the groups caution “they’re not prepared to meet the deadline and are struggling to interpret a clear definition of electronic health information or technical infrastructure to support secure exchanges, according to the release.”
As of October 6, 2022, the Information Blocking Rule applies to electronic protected health information in a designated record set. Previously, only certain United States Core Data for Interoperability was subject to the Rule. The Information Blocking Rule generally prohibits covered actors, including healthcare providers, from engaging in a practice that is likely to interfere with the access, exchange or use of electronic health information. And HHS has issued various regulatory reminders about the Rule.
Frequently Asked Questions About Medical Records
Common questions physicians and medical groups have about medical records, and answers provided by the Medical Association of Georgia, include the following:
Can a physician withhold a patient’s medical record for a past due balance for services rendered?
No, medical records should not be withheld for any reason. AMA E-3.3.1 (See also https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html; and https://www.hhs.gov/about/news/2019/09/09/ocr-settles-first-case-hipaa-right-access-initiative.html.)
Physicians (or other providers) must furnish a complete and current copy of a patient’s medical record to the patient or to a person authorized (by the patient) to have access to the medical record under an advance directive or durable power of attorney. O.C.G.A. § 31-33-2
Can a physician withhold a patient’s record until the patient pays for copies of the records?
Yes, a physician may require payment for the costs of medical records prior to providing them to patient. O.C.G.A. § 31-33-3 (See also the HHS webpages cited above.)
How quickly must a physician release requested medical records?
A physician must provide medical records to a patient within 30 days of the receipt of a records request. O.C.G.A. § 31-33-2
A covered entity must act on a request for access to medical records within 30 days. A physician must either grant access to medical records or give a justified denial of access within 30 days of receipt of the request for release. HIPAA – 45 CFR § 164.524(b)(2) (See also the HHS webpages cited above.)
How long must a physician retain medical records?
A physician must retain medical records for at least 10 years. This does not apply to an individual provider who has retired or sold his or her practice if the provider has notified the patient of retirement/sale and offered to provide the patient’s record to another provider of the patient’s choice and, if requested, to the patient. O.C.G.A. § 31-33-2
What must a physician do with medical records upon retiring or selling a practice?
In Georgia, a physician is required to maintain a patient’s complete treatment records for at least 10 years from the date of the patient’s last office visit. O.C.G.A. § 31-33-2
These requirements do not apply to a physician who has retired or sold his or her medical practice if…
- The physician has notified his or her patients of retirement or sale of practice by mail – offering to provide the patient’s records to another provider of the patient’s choice and, if requested, to the patient.
- The physician has published a notice – containing the date of retirement or sale – that offers to provide the patient’s records to another provider of the patient’s choice and, if requested, to the patient.
- The physician has posted a sign announcing retirement or sale of the practice. The sign must be placed 30 days prior to retirement or sale of the practice and must remain posted until the date of retirement or sale.
- The physician has placed both the notice and sign required by Ga. Medical Board Rule 360-3-.02(16)(c) and has advised patients of their opportunity to transfer or receive their records.
A physician should always seek advice from their private counsel or their malpractice insurance carrier. Ga. Medical Board Rule 360-3-.02
“A patient’s records may be necessary to the patient in the future not only for medical care but also for employment, insurance, litigation, or other reasons. When a physician retires or dies, patients should be notified and urged to find a new physician and should be informed that upon authorization, records will be sent to the new physician. Records which may be of value to a patient and which are not forwarded to a new physician should be retained, either by the treating physician, another physician, or such other person lawfully permitted to act as a custodian of the records. The patients of a physician who leaves a group practice should be notified that the physician is leaving the group. Patients of the physician should also be informed of the physician’s new address and offered the opportunity to have their medical records forwarded to the departing physician at his or her new practice location. It is unethical to withhold such information upon request of a patient. If the responsibility for notifying patients falls to the departing physician rather than to the group, the group should not interfere with the discharge of these duties by withholding patient lists or other necessary information.” AMA E-7.03; see also https://www.privatepracticepreparedness.com/content/american-medical-association-ama
Does a physician have to give medical records to third party without a subpoena or court order?
No, a physician should not release a patient’s medical records to a third party without a proper release by the patient or legally authorized individual in accordance with Georgia law, a court order, a subpoena signed by a judge, or certification that the party has placed the opposing party on notice with opportunity to object. A physician may release medical records if there is no objection from the patient after 20 days.
What should a physician do if a patient steals their own medical records?
HIPAA specifies that the data contained within a medical record belongs to the patient, but the physical form containing the data belongs to the entity responsible for maintaining the record (i.e., the physician). If a patient takes medical records without permission and will not return them upon request, the act should be treated as a normal theft and the physician should contact the police.
Does a physician have to keep a paper copy of electronically stored medical records?
No, a provider is not required to maintain separate paper copies of electronically stored records. O.C.G.A. §31-33-8(b)
Do the same laws that apply to paper copies apply to electronic medical records?
Yes, all provisions of Chapter 33 of Title 31 of the Georgia Code, including fees, apply to electronic medical records. O.C.G.A. § 31-33-8(c)
What happens to my patients’ medical records when I leave a group?
Medical records belong to the practice. Unless your employment agreement provides otherwise, you may be able to notify patients that you are leaving the practice and notify them of your new address. However, you should be very clear about what you are allowed to do regarding notification of patients when leaving the practice. It is recommended that you discuss/negotiate the process by which you will exit the practice. Request the right to notify your patients of your departure, your new address, and how to contact you at your new location.
Patients are not prohibited from requesting that their medical record be forwarded to another physician, but a physician should be careful to avoid a breach of an employment agreement or a breach of privacy or patient confidentiality in accessing, copying, or taking patient records. AMA E-7.03; see also https://www.privatepracticepreparedness.com/content/american-medical-association-ama.
Can a physician release a patient’s medical records and health information to an insurance company or third party payer without the patient’s consent and/or knowledge?
Yes. The amended HIPAA Privacy Rule gives health plans and self-insured employers broad authority (“regulatory permission”) to get information without a patient’s consent. Health plans and employers are also authorized to obtain, use and disclose an individual’s health information without their consent for the purpose of:
1. Conducting due diligence that’s related to the sale or transfer of assets;
2. Certain types of marketing;
3. Business planning and development;
4. Business management and general administrative activities; and
5. Underwriting, premium rating and other activities relating to the creation, renewal or replacement of a contract of health insurance (45 CFR 164.501)
Medical practices are also required to provide every patient with a notice that explains how their personal health information will be used and disclosed. (45 CFR 164.520) See https://www.mag.org/georgia/Public/Resources/Medical_Records.aspx.
Texting Between Providers & Patients
For obvious reasons, the health technology industry wants to make it easier for patients to text with their providers regarding healthcare issues and services. Texting and other electronic communications between healthcare providers and patients can save time and money and improve patient health.
Patients demand that their healthcare providers keep up with the latest technology. But HIPAA and other privacy and security concerns have stood in the way of significant progress. Healthcare providers and companies are hesitant because penalties for HIPAA violations can be severe.
Advocates pitch texting as convenient for patients and providers and a way to boost the quality of care provided at little cost. But making that happen in a secure manner is harder than simply hitting send on a mobile device or PC.
Health privacy laws generally require the sender (and, by extension, telephone and internet service providers) to take steps to ensure that any patient data sent via text message is protected. Text messages are usually not encrypted or protected, so using them to send sensitive patient data violates HIPAA.
Another risk is that patients may change their phone numbers without updating their physicians or other healthcare providers. Telephone numbers can also be reassigned in ways that email addresses typically are not. Thus, the risk of sending personal information to the wrong recipient is greater via text than email.
“Access controls are very important because you never know who is looking at the phones. So providers would need a protocol to ensure they are texting the right person and complying with rules regarding the ‘minimum necessary,’ which means that only the bare minimum amount of protected health information should be included in texts,” notes the general counsel of a telehealth startup that provides healthcare services to patients and their families.
HIPAA only covers data collected by healthcare providers, health plans and clearinghouse billing systems in the industry. But those requirements extend to business associates, which can include telephone companies and internet service providers if they handle or transmit PHI. So another hurdle is getting phone carriers to sign multiple different business associate agreements with countless covered entities under HIPAA.
“Patients can’t always text physicians because AT&T and other phone companies don’t have HIPAA in place, so our model brings you into this secure chat room,” said a CEO of a company which bills itself as offering HIPAA-compliant communications outside of doctors’ offices. But that company executive quickly added that more “common sense on this HIPAA conversation is going to need to be a part of the solution going forward.”
Telemedicine companies and physician groups have urged HHS to provide guidance on how providers and patients can legally text one another under HIPAA. The American Medical Association, for example, believes that creating guidance around texting would both ease anxiety in the medical industry and help patients.
HHS has said that it plans to offer guidance on text messaging and HIPAA. But few details are currently available, and there is no firm timeline for progress.
HHS issued a request for information in 2018 for the healthcare industry to describe how HIPAA slows progress to value-based healthcare. In response, the agency received nearly 1,500 comments. And the agency continues to weigh options for regulatory guidance.
In the meantime, texting in healthcare requires taking all steps necessary to protect patient data, while also trying to satisfy the needs of patients demanding access to their providers and health information in the most convenient and efficient manner possible. This means trying to securely use and transmit sensitive information via technologies that are constantly evolving.
Texting patient information among members of a healthcare team is allowed if it is sent through a secure platform, according to CMS. But sending information electronically through a computer is the preferred method for now, while texting with patients remains risky.
While HIPAA does not specifically prohibit sending PHI by text, in order for texting to be HIPAA-compliant, texting safeguards have to be in place to ensure the confidentiality of PHI when it is at rest and in transit. There also have to be controls in place for who can access PHI, and what authorized personnel do with PHI when they access it.
There are numerous reasons why it is far safer for covered entities to simply prohibit texting PHI rather than allow it. These include, but are not limited to, lack of access controls, lack of audit controls, and lack of encryption.
Although encryption is an “addressable” requirement of the HIPAA Security Rule, it is the only feasible way to ensure the security of PHI in transit. With regard to access controls, anyone can pick up an unattended mobile device and read messages on it. Moreover, mobile devices can be lost or stolen, which not only potentially exposes PHI to unauthorized access, the information in the messages can be used to commit insurance fraud or identity theft.
That is why the HIPAA rules for text messaging (or any other form of electronic communication) state that audit controls are necessary to record when PHI is created, modified, accessed, shared or deleted. Unfortunately, it currently is impossible to implement audit trails for HIPAA-compliant text messaging because the technology does not exist that can audit every possible operating system.
Even if there were a way to overcome the HIPAA texting rules for access controls and audit controls, that would not make text messaging HIPAA-compliant. There also has to be a way to prevent the interception of plain text messages, or extraction of plain text messages, from carriers’ servers – which is why encryption of PHI in transit is strongly recommended.
Nevertheless, texting patient information to patients may be allowed by HIPAA, provided the covered entity has warned the patient that the risk of unauthorized disclosure exists and has obtained the patient’s consent to communicate by text. But both the warning and the consent must be documented.
Another way in which text messaging may be HIPAA-compliant is when the covered entity has implemented a solution such as a HIPAA-compliant messaging app that has the necessary controls and encryption to support HIPAA-compliant texting. But even when these apps are used, it is still necessary to comply with the minimum necessary standard and the physical, technical and administrative safeguards of the HIPAA Security Rule.
Pushing against the desire to ease regulatory burdens is the alarming fact that more than 41 million people were impacted by health records breaches in 2019 — the highest number in the last four years, according to HHS’s OCR. And hackers keep finding new ways to circumvent security measures that are put in place.
So the security threats are real and rapidly growing. Despite the risks, companies continue to innovate, and healthcare is moving in the direction of increased text communications. But as the industry awaits further regulatory guidance, healthcare providers need to be cautious, and when in doubt seek counsel before hitting send.
Remote Patient Monitoring
Remote Patient Monitoring (“RPM”) can involve third-party platform providers utilizing videoconferencing capabilities, and leveraging cloud and internet technologies combined with RPM devices, to treat numerous conditions, such as patients fighting chronic illnesses or requiring post-operative monitoring. But as the use of these capabilities continues to grow, it is critical to ensure that the infrastructure supporting them can maintain the confidentiality, integrity and availability of patient data, as well as ensure patients’ safety.
CMS’s 2020 final rule with changes for RPM went into effect on January 1, 2020. The changes were highly anticipated by many in the healthcare industry who wanted to have more clarity for RPM services. RPM can now be provided “incident to” under general supervision, thereby making it less burdensome for providers to furnish RPM services. An “incident to” service is defined by CMS as a service performed under the supervision of a qualified healthcare professional and billed to Medicare in the name of that professional.
Those utilizing RPM must ensure they comply with licensure, scope of practice, and other requirements to be eligible for reimbursement. Those “other requirements” include adequate privacy and security safeguards.
Patient monitoring equipment has historically been installed in healthcare facilities, where trained IT staff can hopefully help ensure adequate privacy and security measures are maintained. By contrast, RPM and the associated monitoring devices are placed in patients’ homes. This difference presents significant practical and legal risks. Wireless networks, platforms and devices are susceptible to being hacked, allowing access to protected health information.
As patients have become more accustomed to remote care (particularly during the coronavirus pandemic), and healthcare organizations invest in and utilize RPM solutions, they should consider the privacy and security risks and compliance challenges to RPM, as well as understand the reimbursement rules. In general, RPM or any other remote or telehealth service cannot be conducted using technology that does not meet all applicable data privacy and security requirements. For example, business associate agreements are usually required with IT vendors, and the communication from end-to-end must be private, secure, and comply with applicable state and federal laws.
Because of the requirements that apply to technologies that transmit and receive protected health information, and the relationships between the providers and the technologies, if the technology cannot meet the requirements, then that service cannot be used as an RPM or telehealth technology vendor. All parties involved in delivering RPM services need to keep these requirements firmly in mind and consult counsel whenever there are any legal questions or concerns.
HIPAA Compliance Programs
According to HHS’s OIG, the seven fundamental elements of an effective compliance program are:
- Implementing written policies, procedures and standards of conduct.
- Designating a compliance officer and compliance committee.
- Conducting effective training and education.
- Developing effective lines of communication.
- Conducting internal monitoring and auditing.
- Enforcing standards through well-publicized disciplinary guidelines.
- Responding promptly to detected offenses and undertaking corrective action.
Each of the seven elements requires robust, organization-wide enforcement and documentation. And many HIPAA standards require annual review as well. See, e.g., https://oig.hhs.gov/compliance/provider-compliance-training/files/Compliance101tips508.pdf.
Additionally, while an IT asset inventory list is not required under the HIPAA Security Rule, such a list can be helpful in analyzing risks and implementing appropriate safeguards – which are HIPAA Security Rule requirements. After all, if a medical practice or healthcare entity does not know what IT assets it has or where its ePHI is stored, it cannot effectively assess the risks associated with those assets or protect the information they contain.
In its Summer 2020 Cybersecurity Newsletter, the OCR published best practices for creating an IT asset inventory list to assist healthcare providers and business associates in understanding where ePHI is located within their organization, and improve HIPAA Security Rule compliance. An organization’s IT asset inventory list consists of “IT assets with corresponding descriptive information, such as data regarding identification of the asset (e.g., vendor, asset type, asset name/number), version of the asset (e.g., application or OS version), and asset assignment (e.g., person accountable for the asset, location of the asset).”
The OCR Newsletter suggests organizations include the following types of assets in an IT asset inventory list:
- Hardware assets that comprise physical elements, including electronic devices and media, which make up an organization’s networks and systems. These may include mobile devices, servers, peripherals, workstations, removable media, firewalls, and routers.
- Software assets that are programs and applications which run on an organization’s electronic devices. Software assets include anti-malware tools, operating systems, databases, email, administrative and financial records systems, and EMR and EHR systems. Other programs important to IT operations and security, such as backup solutions, virtual machine managers/hypervisors, and other administrative tools, should also be included in an organization’s inventory.
- Data assets that include ePHI that an organization creates, receives, maintains, or transmits on its network, electronic devices, and media. How ePHI is used and flows through an organization is important to consider as an organization conducts its risk analysis.
- Other assets – the OCR Newsletter also recommends inclusion of IT assets that don’t necessarily store or process ePHI, but still may lead to a security incident, such as Internet of Things (“IoT”) or other smart devices.
The OCR Newsletter notes that an IT asset inventory list can provide other cybersecurity-related and HIPAA compliance benefits beyond risk analysis. For example, HIPAA requires that covered entities and business associates “[i]mplement policies and procedures that govern the receipt and removal of hardware and electronic media that contain [ePHI] into and out of a facility, and the movement of these items within the facility,” which will be more efficient if the organization has an IT asset inventory list that has location/owner/assignment information in place. An IT asset inventory list can also aid an organization in identifying and tracking devices to ensure timely updates, patches and password changes.
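As an added illustration (constructed for this page; it is not code from OCR, HHS or this law office), the following Python script shows how an inventory that records the fields the OCR Newsletter describes (identification, version, assignment, plus an ePHI flag and a last-patch date) can be turned into the concrete checks the paragraphs above describe: locating where ePHI actually sits by following data-to-software-to-hardware hosting links, and surfacing assets with no accountable owner, no known location, stale patches, or links to devices the inventory does not list. The sample assets, the 90-day patch window and all field names are constructed assumptions, not HIPAA requirements.

```python
"""Constructed IT asset inventory with HIPAA-oriented consistency checks.

Not OCR's or the law office's code. Field names follow the OCR newsletter
wording (vendor, asset type, name/number, version, owner, location); the
ePHI flag, hosting links, patch dates and the 90-day window are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

PATCH_WINDOW_DAYS = 90  # assumed organizational policy, not a HIPAA number
TODAY = date(2024, 6, 1)  # constructed reference date for the sample data


@dataclass
class Asset:
    asset_id: str                     # asset name/number
    category: str                     # hardware | software | data | other
    vendor: str
    asset_type: str
    version: str
    owner: Optional[str] = None       # person accountable for the asset
    location: Optional[str] = None    # physical location (hardware)
    stores_ephi: bool = False
    last_patched: Optional[date] = None
    hosted_on: Optional[str] = None   # software/data: asset_id it runs or lives on


# Constructed sample inventory covering the four OCR asset categories.
SAMPLE_ASSETS = [
    Asset("HW-001", "hardware", "Dell", "server", "PowerEdge", owner="IT Admin",
          location="Server room", stores_ephi=True,
          last_patched=TODAY - timedelta(days=30)),
    Asset("HW-002", "hardware", "Apple", "laptop", "MacBook",   # owner/location unknown
          last_patched=TODAY - timedelta(days=200)),
    Asset("HW-003", "other", "Acme", "smart thermostat", "1.2", owner="Facilities",
          location="Lobby"),                                    # IoT device, no ePHI
    Asset("SW-001", "software", "VendorX", "EHR", "8.1", owner="Clinical Apps",
          stores_ephi=True, last_patched=TODAY - timedelta(days=120),
          hosted_on="HW-001"),
    Asset("SW-002", "software", "VendorY", "backup agent", "3.0", owner="IT Admin",
          stores_ephi=True, hosted_on="HW-009"),                # HW-009 is not listed
    Asset("DATA-001", "data", "", "patient charts", "n/a", owner="Privacy Officer",
          stores_ephi=True, hosted_on="SW-001"),
    Asset("DATA-002", "data", "", "billing exports", "n/a", owner="Billing",
          stores_ephi=True, hosted_on="HW-002"),                # ePHI on an unflagged laptop
]


def _host_hardware(asset, by_id):
    """Follow hosted_on links down to the hardware asset; None if a link dangles."""
    seen = set()
    cur = asset
    while cur.category != "hardware":
        if cur.hosted_on is None or cur.hosted_on not in by_id or cur.asset_id in seen:
            return None
        seen.add(cur.asset_id)
        cur = by_id[cur.hosted_on]
    return cur


def ephi_hardware(assets):
    """Set of hardware asset_ids that ultimately hold ePHI (data flow view)."""
    by_id = {a.asset_id: a for a in assets}
    hosts = set()
    for a in assets:
        if a.stores_ephi:
            hw = _host_hardware(a, by_id)
            if hw is not None:
                hosts.add(hw.asset_id)
    return hosts


def inventory_findings(assets, today):
    """Return (asset_id, issue) tuples a risk analysis would want to see."""
    by_id = {a.asset_id: a for a in assets}
    findings = []
    for a in assets:
        if a.owner is None:
            findings.append((a.asset_id, "no accountable owner"))
        if a.category == "hardware" and a.location is None:
            findings.append((a.asset_id, "unknown physical location"))
        if a.hosted_on is not None and a.hosted_on not in by_id:
            findings.append((a.asset_id, f"hosted on unlisted asset {a.hosted_on}"))
        if a.stores_ephi and a.category in ("hardware", "software"):
            if a.last_patched is None:
                findings.append((a.asset_id, "ePHI asset with no patch record"))
            elif (today - a.last_patched).days > PATCH_WINDOW_DAYS:
                findings.append((a.asset_id, "ePHI asset overdue for patching"))
    # Hardware that hosts ePHI through a data or software asset but is not flagged.
    for hw_id in sorted(ephi_hardware(assets)):
        if not by_id[hw_id].stores_ephi:
            findings.append((hw_id, "hosts ePHI data but is not flagged as an ePHI asset"))
    return findings


if __name__ == "__main__":
    print("ePHI hardware:", sorted(ephi_hardware(SAMPLE_ASSETS)))
    for asset_id, issue in inventory_findings(SAMPLE_ASSETS, TODAY):
        print(f"{asset_id}: {issue}")
```

The hosting links are what make the data-flow question answerable: a data asset flagged as ePHI that sits on a laptop no one is accountable for is exactly the gap a risk analysis is supposed to find, and the same owner and location fields feed the media receipt-and-removal policy quoted above.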
In the fall of 2022, HHS-OCR released a video on recognized security practices under the HIPAA Security Rule, and explained how covered entities may demonstrate implementation in the event of a HIPAA Security Rule investigation or audit. The national advisor for cybersecurity and risk for the American Hospital Association explained that a 2021 amendment to the HITECH Act provided regulatory relief for a HIPAA-covered entity that becomes a victim of a cyberattack and can demonstrate that it had security practices in place for the previous 12 months. The HHS video shows what type of evidence and documentation must be presented to OCR to qualify for the regulatory relief. The evidence must demonstrate that the organization has implemented the security practices throughout the entire facility.
In November 2022, Senate Intelligence Committee Chair Mark Warner (D-VA) released a report outlining cybersecurity threats in the healthcare sector and ways the federal government can improve security standards in the industry. The report recommended that the federal government improve the country’s cybersecurity risk posture in the healthcare sector, help the private sector mitigate cyber threats and assist healthcare providers in responding and recovering from cyberattacks.
Security threats that were once unimaginable have now become commonplace in an age of cyberattacks, malware and high-profile data breaches. So HIPAA compliance and data security are not static, one-time fixes. They are dynamic processes that require continuous monitoring and improvements as criminals develop new and innovative ways to access and steal sensitive information.
HIPAA Compliance & Waivers During COVID-19 Pandemic
(Initial portions of the following update are excerpted from a March 17, 2020 article by Madison Pool and Carol Saul of Arnall Golden & Gregory. The full article can be accessed here.)
Coronavirus-Related Communications from Healthcare Entities
Healthcare providers are on the front lines of the rapidly-evolving COVID-19 pandemic. Public anxiety is running high, and media scrutiny is intense. As providers are faced with escalating inquiries and public demand for information, they must remain cognizant of patient privacy rights and vigilant in their HIPAA compliance. It is critical to understand what information can be disclosed and under what circumstances. Important tips to assist providers in maintaining compliance include:
- Emergencies do not exempt compliance – but limited waivers of sanctions and penalties for certain compliance requirements have been issued.
It is important to remember that HIPAA protections are not automatically waived during an emergency like the COVID-19 pandemic. The requirements of the HIPAA rules generally remain in place. However, in limited circumstances, the Secretary of HHS does have the authority to waive sanctions and penalties for noncompliance with certain provisions of the rules.
Accordingly, pursuant to President Trump’s declaration of a national emergency on March 13, 2020, and HHS Secretary Azar’s earlier declaration of a public health emergency, HHS has announced two areas in which it is waiving sanctions and penalties during the period of declared emergency:
- Limited waivers of penalties for hospitals for noncompliance with certain Privacy Rule requirements (announced March 16, 2020); and
- Waivers of penalties for HIPAA violations for health care providers that serve patients in good faith through everyday communications technologies, such as FaceTime or Skype (announced March 17, 2020).
HHS announced that it will waive sanctions and penalties against a covered hospital that does not comply with the following provisions of the HIPAA Privacy Rule:
- the requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care. See 45 CFR 164.510(b).
- the requirement to honor a request to opt out of the facility directory. See 45 CFR 164.510(a).
- the requirement to distribute a notice of privacy practices. See 45 CFR 164.520.
- the patient’s right to request privacy restrictions. See 45 CFR 164.522(a).
- the patient’s right to request confidential communications. See 45 CFR 164.522(b).
The waiver became effective on March 15, 2020, retroactive to March 1, 2020, and a bulletin discussing the waiver can be accessed here. When the Secretary issues such a waiver, it only applies:
- in the emergency area identified in the public health emergency declaration;
- to hospitals that have instituted a disaster protocol; and
- for up to 72 hours from the time the hospital implements its disaster protocol. Further, when the Presidential or Secretarial declaration terminates, a hospital must then comply with all the requirements of the Privacy Rule for any patient still under its care, even if 72 hours have not elapsed since implementation of its disaster protocol.
On March 17, 2020, HHS announced that it will waive sanctions and penalties for HIPAA violations against health care providers that provide telehealth services to patients in good faith through everyday communications technologies, such as FaceTime or Skype, during the COVID-19 nationwide public health emergency.
Specifically, OCR stated, “A covered health care provider that wants to use audio or video communication technology to provide telehealth to patients during the COVID-19 nationwide public health emergency can use any non-public facing remote communication product that is available to communicate with patients. OCR is exercising its enforcement discretion to not impose penalties for noncompliance with the HIPAA Rules in connection with the good faith provision of telehealth using such non-public facing audio or video communication products during the COVID-19 nationwide public health emergency. This exercise of discretion applies to telehealth provided for any reason, regardless of whether the telehealth service is related to the diagnosis and treatment of health conditions related to COVID-19.”
Importantly, OCR explained:
- Covered health care providers may use popular applications that allow for video chats, including Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, or Skype, to provide telehealth without risk that OCR might seek to impose a penalty for noncompliance with the HIPAA Rules related to the good faith provision of telehealth during the COVID-19 nationwide public health emergency.
- Providers are encouraged to notify patients that these third-party applications potentially introduce privacy risks, and providers should enable all available encryption and privacy modes when using such applications.
- However, OCR will not impose penalties against covered health care providers for the lack of a BAA with video communication vendors or any other noncompliance with the HIPAA Rules that relates to the good faith provision of telehealth services during the COVID-19 nationwide public health emergency.
In contrast to the above, providers may not use Facebook Live, Twitch, TikTok, and similar video communication applications in the provision of telehealth because they are public facing.
- Certain information can be shared pursuant to limited HIPAA exceptions, or pursuant to a HIPAA-compliant Authorization.
HHS issued a helpful bulletin via its Privacy and Security listservs on February 3, 2020, addressing ways that patient information may be shared under the HIPAA Privacy Rule in an outbreak of infectious disease or other emergency situation. The bulletin is available here.
- The bulletin addresses how covered entities may use and disclose protected health information: about the patient as necessary to treat the patient or to treat a different patient; for permissible public health activities, such as disclosure to the CDC or a state or local health department authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury or disability; to family, friends, and others involved in an individual’s care and for notification purposes; and for certain other limited uses and disclosures.
- Each of these exceptions has specific requirements and elements that must be met for the use or disclosure to be permissible under HIPAA, and covered entities and business associates should not forget the general rule that disclosure of patient-identifiable information to the media or the public at large is prohibited without the patient’s (or HIPAA-compliant Personal Representative’s) written authorization.
- This means that information about an identifiable patient such as specific tests, test results, or details of a patient’s illness must remain confidential unless an exception applies or there is a HIPAA-compliant authorization in place. The requirements for a valid HIPAA authorization can be found at 45 CFR 164.508.
- Innovate and adapt – but use caution.
With the spread of COVID-19, providers may be looking for ways to help patients that will also decrease exposure and community spread, such as telemedicine. However, even as certain requirements are modified in the face of the pandemic, HIPAA as a whole has not been waived as of the time of this alert, and the only waivers of sanctions, penalties, and compliance requirements are those described above. Thus, any telemedicine encounter should be conducted in a HIPAA-compliant way within the bounds of the waivers. Further, covered entities and business associates should keep in mind that the requirements and safeguards of the HIPAA Privacy and Security Rules will likely return to full enforcement following the expiration of the waivers.
- Seek counsel where greater clarity is needed.
Providers should carefully review the HIPAA regulations and HHS’s guidance, and consider consulting qualified legal counsel if they are unsure about how HIPAA applies, such as whether a use or disclosure is permitted, whether an authorization is compliant, or whether a business associate agreement is required. Guidance from regulators is evolving as the situation continues to develop, and providers should stay informed and monitor for updates.
OCR’s HIPAA Telehealth FAQs During COVID-19 Crisis
Following its Notification of Enforcement Discretion for good faith provision of telehealth during the COVID-19 public health emergency, OCR issued FAQs guidance on March 20, 2020. OCR’s press release and FAQs can be accessed here. As healthcare providers increasingly switch to telehealth services in an attempt to minimize exposure during the COVID-19 pandemic, they should review the FAQs and other recent guidance carefully and apply the guidance in their practices. Providers also should bear in mind that these FAQs are limited to HIPAA’s applicability to telehealth services. State licensure and other laws and regulations, such as Medicare and Medicaid, also should be considered and may apply, depending on the circumstances involved.
FCC’s Guidance to Healthcare Providers Regarding Automated Calls & Text Messages During COVID-19 Pandemic
On March 20, 2020, the Federal Communications Commission (“FCC”) issued a Declaratory Ruling confirming that the COVID-19 pandemic constitutes an imminent health risk to the public and is now classified as an emergency under the Telephone Consumer Protection Act (“TCPA”), which permits certain callers to lawfully make automated calls and send text messages for health and safety reasons. As a result, hospitals, healthcare providers, and state and local health officials can lawfully communicate information through automated or pre-recorded calls to wireless telephone numbers to help educate the public and mitigate the spread of the novel coronavirus.
The TCPA was enacted in response to the substantial rise in volume of telemarketing calls and it remains one of the major federal statutes governing telecommunications commerce. The TCPA primarily regulates tools telemarketers use to make calls to consumers, such as automated telephone dialing systems and artificial and prerecorded voice recordings. The law covers calls for three types of telephone lines: (1) wireless, including SMS text messages and voice over internet protocol (“VoIP”) services; (2) landlines; and (3) fax lines.
The TCPA places prohibitions and restrictions on telemarketing calls and text messages to wireless and residential landlines, as well as robocalls to medical facilities and emergency number lines. To make an automated call or text message to a cell phone, an organization needs to obtain prior express consent of the individual receiving the message. Violations of the TCPA can result in statutory damages of at least $500, and up to $1,500 per call or text. However, the TCPA contains an exception for communications made for emergency purposes that are clearly time-sensitive and directly related to mitigation of a health or safety risk to the public.
In determining whether a call relating to the COVID-19 pandemic qualifies as a call made for an emergency purpose, the FCC looks to the identity of the caller and content of the call. In its March 2020 Declaratory Ruling, the FCC stated that for a call to qualify as an emergency relating to the coronavirus outbreak:
- The caller must be from a hospital, a healthcare provider, state or local health official, or other government official, as well as a person under the express direction of such an organization and acting on its behalf.
- The content of the call must be solely informational, made necessary as a result of the COVID-19 pandemic, and directly related to the imminent health or safety risk arising out of the coronavirus outbreak.
The FCC explained that calls or texts that comply with the emergency purpose exception are messages that provide vital and time-sensitive health information that individuals can expect and rely upon to stop the spread of the disease. A permissible example provided by the FCC includes a county official sending out messaging informing the public regarding a shelter-in place order, quarantines, school closures, or available medical testing information and sites. By contrast, calls containing advertising or marketing messages are not permissible and fail to meet the emergency purpose exception.
Messages falling outside the scope of the emergency purpose exception include advertising for health insurance, commercial delivery services, or home testing kits. Calls made for debt collection purposes, even if the debt arises from healthcare treatment, also would not be considered an emergency purpose, as these messages are not time-sensitive and do not prevent or mitigate an imminent health or safety risk. The FCC also noted in its Declaratory Ruling that scammers are viewing the pandemic as an opportunity to prey upon consumers, with fraudulent robocalls and messages offering unapproved home testing kits, unproven vaccines, treatments and so-called “cures,” all of which are unlawful.
Healthcare providers wanting to send messages under the emergency purpose exception need to ensure that the message is solely informational and does not contain any marketing or advertising. Marketing or advertising messages require prior express consent of the recipient before such a message is sent.
In addition to TCPA requirements, healthcare providers also must comply with state laws and regulatory requirements regarding emergency messaging. To minimize risks of potential liability under the TCPA or state law, healthcare providers should bear in mind that the emergency purposes exception is context-specific and messages should be crafted to comply with the FCC’s Declaratory Ruling. Even if the message relates to products or services that can mitigate the spread of the novel coronavirus, communications should be sent for informational purposes only. Whenever possible, healthcare providers should also seek prior express consent of the recipients to receive the communications at issue. Healthcare providers should also continue to monitor for any additional guidance the FCC or other governmental agencies may provide regarding such text messages or calls.
COVID-19 Telehealth Program Guidance from FCC
The COVID-19 Telehealth Program will provide $200 million in funding, appropriated by Congress as part of the Coronavirus Aid, Relief, and Economic Security (“CARES”) Act, to help healthcare providers provide connected care services to patients at their homes or mobile locations in response to the COVID-19 pandemic. The FCC released a notice on April 8, 2020, providing clarification as to the scope of equipment and services it would consider eligible for funding under the program. According to an additional notice, the FCC began accepting applications on April 13, 2020. Interested healthcare providers must complete several steps to apply for funding through the COVID-19 Telehealth Program. To assist applicants in preparing their applications, the FCC has provided instructions and guidance available online.
HHS Allows Certain Video Chat Apps for Medical Consultations During COVID-19 Emergency
On March 30, 2020, HHS-OCR issued another announcement on its website, stating that “During the COVID-19 national emergency, which also constitutes a nationwide public health emergency, covered health care providers subject to the HIPAA Rules may seek to communicate with patients, and provide telehealth services, through remote communications technologies.” “Under this Notice, covered health care providers may use popular applications that allow for video chats, including Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, Zoom, or Skype, to provide telehealth without risk that OCR might seek to impose a penalty for noncompliance with the HIPAA Rules related to the good faith provision of telehealth during the COVID-19 nationwide public health emergency. Providers are encouraged to notify patients that these third-party applications potentially introduce privacy risks, and providers should enable all available encryption and privacy modes when using such applications.” However, the Notice goes on to caution that “Facebook Live, Twitch, TikTok, and similar video communication applications are public facing, and should not be used in the provision of telehealth by covered health care providers.” The full text of OCR’s Notice can be accessed here.
Physicians Using Zoom Face Security Scrutiny, Despite Regulatory Easing During Pandemic
Even after federal regulators relaxed enforcement, physicians still may face lawsuits or state actions for any patient privacy violations through use of tools such as Zoom Video Communications Inc.’s app. OCR has said that it won’t penalize providers for “good faith” telehealth use during the coronavirus pandemic that violates HIPAA’s Privacy Rule.
“We are empowering medical providers to serve patients wherever they are,” OCR director Roger Severino said in a notice of enforcement discretion. Under the notice, video apps such as Apple Inc.’s FaceTime, Facebook Inc.’s Messenger, or Google Hangouts can be used to chat with patients without first getting a business associate agreement, something that would be required under the HIPAA Privacy Rule. But the video apps still must protect patient data, including notes, treatments and lab reports, under HIPAA’s Security Rule.
The HIPAA security rule is still very much in effect and is expected to be followed. That means apps that don’t comply with HIPAA’s physical and technical safeguards to protect patient data could still face lawsuits, or state enforcement, despite the notice of enforcement discretion.
Privacy and cybersecurity experts have said that the notice of enforcement discretion “has been relied upon way too heavily” by providers and won’t necessarily spare them from litigation or regulatory actions. And the ease of use of Zoom has been particularly attractive, which has led some healthcare providers to make some arguably bad choices. But the privacy concerns and reported hacking intrusions that prompted some entities (including, for example, the New York City Department of Education, Tesla Inc. and the Taiwanese government) to stop using Zoom, also exist for physicians and other healthcare providers.
Phoenix Children’s Hospital and Bayada Home Health Care are among the providers that say on their websites that they use Zoom for telemedicine. And Zoom also promotes partnerships with Delta Dental, Magellan Healthcare, and other medical providers.
Many doctors like Zoom because they see it as HIPAA-compliant (based on OCR’s and Zoom’s own assessments), easy for patients to use, and inexpensive. Zoom offers a medical video conferencing account for as little as $200 per month, according to the company’s website.
However, physicians using video-conference technology must use “every privacy and security tool they have available” to keep patients’ trust, the AMA has said. And systems should have end-to-end encryption and shouldn’t store transmissions, according to the AMA.
OCR’s director has said the HHS guidance for telemedicine “depends on videos not being broadcast or made available to the general public.” Providers, he said, “should make use of available privacy and security features, such as requiring passwords and using encryption.”
Cybersecurity experts, however, say the Zoom product lacks end-to-end encryption, at least currently. And until Zoom reconfigures its product to include that feature, it is not truly HIPAA-compliant. Nonetheless, HHS in its notice listed Zoom as one of the services providers could use without apparent enforcement risk.
Thus far in its public statements, Zoom does not directly address end-to-end encryption, although it says its product complies with HIPAA. Zoom configures account settings differently for medical providers than for its generally-available commercial product. Cloud recording is disabled, in-meeting chat and file transfer are turned off, and participant identities are not logged or reported, it has said.
Patients, however, say they feel more comfortable using apps with stricter protocols and more secure channels such as FaceTime or Microsoft Corp.’s Teams, said Cynthia Fisher, founder and chairman of PatientRightsAdvocate.org. Members of her group are voicing concerns about the Zoom app’s continued use, she said.
State attorneys general have also taken note, based on consumer concerns. For instance, Connecticut Attorney General William Tong has been in discussions with Zoom about their privacy and security features, “including in the healthcare sector,” said a spokeswoman for his office. And Iowa Attorney General Tom Miller is “monitoring” Zoom’s privacy and security practices “surrounding telehealth” and other applications, the communications director for his office said.
On May 7, 2020, New York Attorney General Letitia James reached an agreement with Zoom Video Communications, Inc. to provide enhanced privacy and security protections for Zoom’s 300 million users. As previously reported, AG James had sent a letter to Zoom seeking information regarding the security measures Zoom had put in place to handle surging traffic and expressing concerns about the increased activity of hackers on Zoom’s platform. Under the terms of the letter agreement, among other things, Zoom will conduct risk assessments and software code reviews to identify vulnerabilities, enhance encryption protocols, enable privacy controls for free accounts, cease sharing user data with Facebook by disabling users’ ability to log into Zoom from Facebook, and disable its LinkedIn Navigator feature, which shares profiles of users even for users that want to stay anonymous. Also on May 7, 2020, Zoom Video Communications announced it is buying security firm Keybase in an effort to shore up security for its video meetings. Keybase will help Zoom implement end-to-end encryption, a design in which Zoom itself has no access to the contents of the encrypted data.
Besides state government enforcement, providers also face the risk that patients who believe a video consultation violated their privacy could sue, plaintiffs’ attorneys have said. Healthcare professionals faced suits before the coronavirus pandemic for flaws tied to technology use, and some have been filed after the pandemic began.
For example, a home healthcare provider and a cloud-computing company were sued on April 6, 2020 in a Pennsylvania federal court after a ransomware attack allegedly harmed at least 156,409 patients. The affected patients raised claims under Pennsylvania’s consumer protection law, citing HIPAA’s security rule. (The case is ongoing, as of this writing). Lawsuits also could be brought under California’s Consumer Privacy Act if the security around telehealth platforms is lacking. And other states’ consumer protection and privacy laws, including Georgia’s, could be cited as bases for lawsuits.
It is important to bear in mind that OCR’s exercise of enforcement discretion only applies to HIPAA and OCR’s enforcement of it. So potential plaintiffs still could sue under state law if they believe their personal data is not being properly protected.
Legal enforcement actions also may follow when video conferencing app vendors are business associates of healthcare providers. Under HIPAA, business associates are subject to the same patient data protection responsibilities as healthcare providers. Tech companies under business associate agreements, therefore, are subject to HHS enforcement in the event of a security failure. And liability exposure may exist because the provider of the video conferencing tool may be acting in a business-associate role. So caution is still advised for healthcare providers when using these video-conferencing tools to examine, treat or communicate with patients – even with the apparent relaxation of governmental regulations during the pandemic.
New COVID-19 Guidance for Disclosure of PHI to First Responders & Public Health Authorities
On March 24, 2020, HHS’s OCR issued guidance on how covered entities may disclose PHI about an individual who has been infected with or exposed to COVID-19 to law enforcement, paramedics, other first responders, and public health authorities in compliance with HIPAA. The guidance explains the circumstances under which a covered entity may disclose PHI such as the name or other identifying information about individuals, without their HIPAA authorization, and provides examples. The guidance also clarifies the regulatory permissions that covered entities may use to disclose PHI to first responders and others so they can take extra precautions or use personal protective equipment. The guidance also includes a reminder that generally, covered entities must make reasonable efforts to limit the PHI used or disclosed to that which is the “minimum necessary” to accomplish the purpose for the disclosure.
Instances where covered entities may make disclosures of PHI to law enforcement, paramedics, other first responders, and public health authorities without patient consent include: (1) when the disclosure is needed to provide treatment; (2) when such notification is required by law; (3) to notify a public health authority in order to prevent or control spread of disease; (4) when first responders may be at risk of infection; (5) when the disclosure of PHI to first responders is necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public; and (6) when responding to a request for PHI by a correctional institution or law enforcement official having lawful custody of an inmate or other individual. Details are available here. Also, in response to questions from first responders about the ability of a first responder agency or transporting EMS agency to know the COVID-19 status of those they care for, the Georgia Department of Public Health issued this letter to clarify previous guidance.
HHS-OCR Eases HIPAA Enforcement for Good-Faith Disclosures of PHI for Public Health Purposes
On April 2, 2020, HHS announced it won’t enforce penalties for violations of certain provisions of the HIPAA privacy rule against healthcare providers or their business associates for good-faith disclosures of protected health information for public health purposes during the COVID-19 emergency. The HHS OCR said that it was exercising its enforcement discretion in making the policy change during the declared emergency period. The notification was issued to support federal and state agencies, including CMS and the CDC, that need access to COVID-19 related data including protected health information.
“The CDC, CMS, and state and local health departments need quick access to COVID-19 related health data to fight this pandemic,” OCR director Roger Severino said in a statement. “Granting HIPAA business associates greater freedom to cooperate and exchange information with public health and oversight agencies can help flatten the curve and potentially save lives.”
HIPAA’s privacy rule only allows business associates of HIPAA-covered entities to disclose protected health information for certain purposes under the explicit terms of a written business associate agreement (“BAA”). Under the temporary enforcement waiver, OCR won’t impose penalties for disclosure of protected health information if the business associate makes good-faith use or disclosure for public health activities and informs the covered entity within 10 business days. This enforcement moratorium does not extend to other requirements or prohibitions under the privacy rule, nor to any obligations under the HIPAA security and breach notification rules, OCR said.
On June 4, 2020, HHS established a list of data elements that must be reported to state or local public health departments for each COVID-19 test performed by a healthcare facility or provider, as well as a number of requested data elements. All physicians, laboratories, and other health providers are legally required to report an actual or suspected case of a notifiable disease in Georgia, including COVID-19. The legal authority for notifiable disease reporting is in both Georgia law (O.C.G.A. § 31-12-2(a); Ga. Comp. R. & Regs. 511-2-1-.01(h), -.02(1)) and federal law. That legal authority has been expanded for the COVID-19 pandemic to include reporting of negative test results and includes any individual, organization, or agency facilitating specimen collection and/or testing, including a specimen collection site or event. (See Public Law 116-136, § 18115(a), the Coronavirus Aid, Relief, and Economic Security (CARES) Act; Department of Health and Human Services, COVID-19 Pandemic Response, Laboratory Data Reporting: CARES Act Section 18115, June 4, 2020.)
In addition to traditional reporters to Public Health such as healthcare providers and laboratories, non-traditional reporters including, but not limited to, schools and universities, long-term care and assisted living facilities, Emergency Medical Services (“EMS”) and other first responder agencies, employers, and worksites must also report these test results. Healthcare providers and other individuals, organizations, and agencies do not incur liability for reporting to the Georgia Department of Public Health (“DPH”), as Georgia law specifically states that “[a]ny person . . . submitting in good faith reports or data to the department or county boards of health in compliance with the provisions of this Code section shall not be liable for any civil damages therefor.” O.C.G.A. § 31-12-2(d). DPH’s COVID-19 Test Reporting Guidance, which contains additional important details, can be viewed here.
Effective retroactively to December 11, 2020, OCR announced it will exercise its enforcement discretion and will not impose penalties for violations of the HIPAA Rules on covered healthcare providers or their business associates in connection with the “good faith use” of online or web-based scheduling applications for the scheduling of individual appointments for COVID-19 vaccinations during the COVID-19 public health emergency. This action is specific to the administration of COVID-19 vaccinations and lasts only for the duration of the public health emergency. Even with relaxed enforcement of the HIPAA requirements related to COVID-19 vaccinations, providers and business associates are still expected to use reasonable safeguards for the protection of protected health information, including the use of encryption.
HHS Workplace Guidance on HIPAA, COVID-19 Vaccination, Disclosures & Requests for Information
HHS recently announced workplace guidance on HIPAA’s applicability to disclosures and requests for information about whether a person has received a COVID-19 vaccine. The HIPAA Privacy Rule applies only to covered entities, including health plans, healthcare clearinghouses, healthcare providers that conduct standard electronic transactions, and, to some extent, their business associates. It does not apply to employers or employment records. The guidance also outlines how the HIPAA privacy rule would or would not apply in different circumstances.
Guidance from regulators continues to evolve as the situation develops and changes. So providers should stay informed and monitor for updates.
HHS Eases Enforcement of Interoperability Rules Amid COVID-19 Crisis
As a result of the COVID-19 public health emergency, the ONC and CMS, in conjunction with HHS-OIG, announced on April 21, 2020 a policy of enforcement discretion to allow compliance flexibilities regarding implementation of the interoperability final rules announced on March 9, 2020. Due to the COVID-19 emergency, CMS will give hospitals until July 1, 2021 to implement admission, discharge and transfer notification requirements once its final rule on interoperability and patient access is published in the May 1 Federal Register, the agency announced. The original deadline was January 1, 2021. Also, ONC will publish on May 1, 2020 its final rule implementing 21st Century Cures Act provisions on interoperability, information blocking and the Health IT Certification Program.
ONC’s National Coordinator for Health Information Technology, Don Rucker, MD, said: “ONC remains committed to ensuring that patients and providers can access electronic health information, when and where it matters most. During this critical time, we understand that resources need to be focused on fighting the COVID-19 pandemic. To support that important work and the information sharing efforts we are already seeing, ONC intends to exercise enforcement discretion for 3 months at the end of certain ONC Health IT Certification Program compliance dates associated with the ONC Cures Act Final Rule, to provide flexibility while ensuring the goals of the rule remain on track.”
CMS Administrator Seema Verma said: “Today’s action follows the extensive steps CMS has taken to ease burden on the healthcare industry as it fights COVID-19. Now more than ever, patients need secure access to their healthcare data. Hospitals should be doing everything in their power to ensure that patients get appropriate follow-up care. Nevertheless, in a pandemic of this magnitude, flexibility is paramount for a healthcare system under siege by COVID-19. Our action today will provide hospitals an additional 6 months to implement the new requirements.” HHS said that ONC, CMS and OIG will continue to monitor the implementation landscape to determine if further action is needed. (CMS’s announcement is here. ONC’s announcement is here. And OIG’s announcement is here.)
On January 21, 2021, President Joe Biden issued an executive order designed to ensure a data-driven response to the COVID-19 pandemic and future high-consequence public health threats. The White House seeks to better share COVID data across government agencies. To that end, the order directs the HHS Secretary to review the interoperability of public health data systems nationwide.
Sharing COVID data across the government would help direct vaccines and other resources to communities with the greatest need. And it would improve public understanding of the pandemic and limit the spread of misinformation or disinformation, according to the executive order.
But, as Bloomberg Law (1/28/21, Vittorio, Subscription Publication) reported, “Getting information collected on Covid outbreaks and responses from state and local health authorities to the federal government could pose a challenge to the Biden administration’s push to share data across agencies.” Communication between records systems used by physicians and hospitals is often difficult, since information may be maintained differently in different jurisdictions.
Further guidance on how to de-identify COVID-related data would be necessary to comply with the HIPAA privacy rules for sharing personal health information. So the order directs the head of the White House Office of Management and Budget to work with other federal officials to review the government’s current data approach and issue guidance on how to de-identify COVID information and make it open to the public as soon as possible.
De-identification under HIPAA typically involves removing or blocking information such as names, Social Security numbers, and other data that could be used to identify individuals. The order does not specify what COVID data it covers, but it presumably will include information on test results, treatments and vaccines, as well as demographic data used to measure the impact of the pandemic on different populations.
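The de-identification step described above, as an added example that is not part of the original page: a Python pass that applies HIPAA’s Safe Harbor method (45 CFR 164.514(b)(2), assumed here as the standard being followed) to a constructed COVID test record, dropping direct identifiers, keeping only the year of dates, truncating ZIP codes to three digits and aggregating ages over 89. The field names, the sample record and the restricted-ZIP set are constructed placeholders, not values from the page.

```python
"""HIPAA Safe Harbor style de-identification of a COVID test record.

Added example, not from the original page. The rules follow the Safe
Harbor method of 45 CFR 164.514(b)(2); the record schema is constructed.
"""
import re
from datetime import date

# Fields holding direct identifiers; they are dropped outright.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "ssn", "mrn", "phone", "email", "street_address", "device_id", "ip_address",
}

# 3-digit ZIP prefixes whose area has 20,000 or fewer residents must become "000".
# Placeholder set for this example; use the authoritative HHS/Census list in practice.
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790",
                   "821", "823", "830", "831", "878", "879", "884", "890", "893"}

# Patterns that commonly leak identifiers into free-text notes.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
PHONE_RE = re.compile(r"\b(?:\+?1[-. ]?)?(?:\(\d{3}\)|\d{3})[-. ]?\d{3}[-. ]?\d{4}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")


def generalize_zip(zip_code):
    """Keep the first three ZIP digits, or '000' for low-population areas."""
    digits = re.sub(r"\D", "", zip_code or "")
    if len(digits) < 5:
        return None  # malformed ZIP: drop rather than guess
    zip3 = digits[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def age_on(dob, when):
    """Whole years of age on date `when` for someone born on `dob`."""
    years = when.year - dob.year
    if (when.month, when.day) < (dob.month, dob.day):
        years -= 1
    return years


def scrub_text(text):
    """Redact SSN, phone and e-mail patterns inside free text."""
    for pattern in (SSN_RE, PHONE_RE, EMAIL_RE):
        text = pattern.sub("[REDACTED]", text)
    return text


def deidentify_record(record):
    """Return a Safe Harbor style de-identified copy of `record`."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue  # direct identifiers never leave the record
        if key == "notes" and isinstance(value, str):
            out[key] = scrub_text(value)
        elif key == "zip":
            out["zip3"] = generalize_zip(value)
        elif key in ("dob", "specimen_collection_date"):
            continue  # dates are handled together below (needed for age)
        else:
            out[key] = value

    dob_raw = record.get("dob")
    collected_raw = record.get("specimen_collection_date")
    if collected_raw:
        out["specimen_collection_year"] = date.fromisoformat(collected_raw).year
    if dob_raw and collected_raw:
        dob = date.fromisoformat(dob_raw)
        age = age_on(dob, date.fromisoformat(collected_raw))
        if age > 89:
            # Ages over 89 are aggregated; the birth year would reveal the age.
            out["age_group"] = "90+"
        else:
            out["age"] = age
            out["birth_year"] = dob.year
    return out


def contains_direct_identifiers(record):
    """Post-check: is any identifier field or identifier pattern still present?"""
    if DIRECT_IDENTIFIER_FIELDS & set(record):
        return True
    for value in record.values():
        if isinstance(value, str) and any(p.search(value) for p in (SSN_RE, PHONE_RE, EMAIL_RE)):
            return True
    return False


# Constructed sample record for illustration only.
SAMPLE_RECORD = {
    "name": "Jane Example",
    "ssn": "123-45-6789",
    "mrn": "MRN-0001",
    "dob": "1928-03-14",
    "zip": "30301",
    "specimen_collection_date": "2020-11-20",
    "result": "positive",
    "test_type": "PCR",
    "notes": "Callback 404-555-0123; email jane@example.com; SSN 123-45-6789 on file",
}

if __name__ == "__main__":
    cleaned = deidentify_record(SAMPLE_RECORD)
    print(cleaned)
    print("identifiers remain:", contains_direct_identifiers(cleaned))
```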
Guidance from regulators continues to evolve as the situation develops and changes. So providers should continue to monitor for updates.
Healthcare Providers Face Surge of Cyberattacks During Pandemic
In an analysis piece on April 15, 2020, the Washington Post reported that hospitals and healthcare providers, already stressed dealing with patient surges and health and economic fallout from the novel coronavirus pandemic, are getting slammed with cyberattacks and digital scams, as well. Among the most damaging are ransomware attacks that threaten to shut down entire hospitals or medical practices until they pay a fee that can cost millions of dollars.
Such attacks shut down computers at the Champaign-Urbana Public Health District in Illinois for three days in March and forced the district to pay $300,000 in ransom, as reported by the Pew Charitable Trust’s Stateline service. Another attack shut down computers at a university hospital in the Czech Republic, which was forced to turn away patients.
The attacks prompted the Department of Homeland Security and Interpol to warn of a “significant increase” in cyberattacks targeting hospitals and other healthcare providers around the world. Interpol issued a “purple notice” — basically a warning about a criminal trend and its methods — alerting police in 194 countries about the heightened ransomware threat.
The attacks are part of a surge in hacks and scams prompted by the coronavirus pandemic aimed at taking advantage of people’s dislocation and fears. But they’re particularly effective against hospitals and healthcare entities where intense pressure created by the pandemic might make workers more likely to hastily click a link they shouldn’t. As one government official put it, “people are stressed, and it might short-circuit the logic in their brain that says I shouldn’t click that.”
Even before the pandemic struck, hospitals and healthcare providers were among the top targets of ransomware attacks because they are among the organizations that can least afford to be knocked offline for even short periods of time. That can also mean that they are more likely to pay up, and cybercriminals know that.
Hospitals and other healthcare providers are not necessarily more susceptible to ransomware attacks. However, an attack can have severely detrimental consequences for them, such as the loss of patient records, and treatment delays or cancellations. And healthcare providers, like other employers, are especially vulnerable to hacking during the pandemic because more non-essential staff are working remotely. That makes it harder to patch their laptops and mobile devices against threats, and they may be relying on unfamiliar networking tools to connect with co-workers.
Moreover, it’s not just large organizations that are targets. In fact, about 70 percent of cyberattacks against healthcare providers in recent years focused on smaller providers likely to have weaker digital defenses, an April 9, 2020 briefing by cybersecurity firm RiskIQ found. And experts expect that the coronavirus/COVID-themed attacks will continue as long as they are effective.
One bit of good news came on April 14, 2020, however, when Microsoft announced that it will offer hospitals and other healthcare entities free access to an advanced security system called “AccountGuard.” The service offers the protection to hospitals, clinics and medical labs, as well as pharmaceutical, life sciences and medical device companies that are researching, developing or manufacturing coronavirus-related treatments. The service means that Microsoft will closely monitor email traffic and other avenues hackers typically use and alert the organizations about any hacking efforts by nation-states and criminal groups. “Every patient deserves the best possible healthcare treatment, and we all need to thank and applaud the truly heroic work by those risking their own health to help those who are sick,” said Microsoft’s Corporate Vice President Tom Burt. “Their work is challenging enough but is being made more difficult by cyberattacks.”
Indeed, a SecurityScorecard/DarkOwl report released on September 10, 2020, which examined more than 30,000 healthcare organizations from September 2019 to April 2020, “found that telehealth systems have experienced an enormous increase in targeted attacks” since the pandemic began. Although the report suggests that “the healthcare industry slightly improved its security posture this year compared to last,” it warns that “increased provider reliance on telehealth since the COVID-19 pandemic now presents a new slate of risks to patient data.” (An article summarizing the report appears here.)
So although some governmental regulations may be temporarily relaxed while the pandemic rages, the cybersecurity threats only increase. And healthcare providers must do all they can to protect patients’ privacy, even as they fight a deadly infectious disease with scarce resources available.
Cybersecurity Guidelines for Telehealth & Remote Patient Monitoring
The National Cybersecurity Center of Excellence (“NCCoE”), part of the National Institute of Standards and Technology (“NIST”), recently published a guidance document titled “Securing Telehealth Remote Patient Monitoring Ecosystem.” The NCCoE guide offers best practices to implement cybersecurity and privacy controls and policies for remote patient monitoring and telehealth. Best-practice security behaviors include encrypting data, keeping software updated, running antivirus software, using two-factor authentication and following local cybersecurity regulations. NIST accepted public comments on the guidance document through December 18, 2020.
In April 2021, the Healthcare and Public Health Sector Coordinating Council issued a report to help healthcare leaders assess and mitigate cybersecurity risks associated with telehealth. The council encourages stakeholders to adopt the recommendations as appropriate for their risk profile to protect patients and their PHI.
How We Can Help & Services We Provide
We advise and assist healthcare providers, mobile app developers and other health-related businesses with their implementation of measures necessary to comply with the complex requirements imposed on healthcare providers and their vendors by the HIPAA Privacy and Security and HITECH Act requirements, as well as state privacy laws and regulations. Our services include:
- Advice and legal assistance in connection with protecting the confidentiality of patients’ medical records and PHI.
- Drafting and negotiating Business Associate Agreements and Subcontractor BAAs from Covered Entities’, Business Associates’ and Subcontractors’ perspectives.
- Assisting both healthcare providers and healthcare vendors in integrating requirements of the security and privacy rules in their operational documents.
- Providing advice, guidance and assistance to clients as they conduct privacy and security assessments and audits, develop compliance plans, and implement policies, procedures and forms for compliance.
- Advising and assisting clients as they choose appropriate consultants to help them prepare, improve and implement necessary policies and procedures, and respond to audits.
- Assisting on incident response and breach reporting, including counseling on OCR compliance reviews, HIPAA audits or other government investigations.
- Representing healthcare clients in legal actions alleging violations of federal or state privacy laws or regulations.
Our law firm is experienced in counseling and assisting healthcare clients regarding medical privacy and security matters in a cost-effective manner. We have broad experience counseling clients regarding how they can meet the requirements of the various federal and state privacy and security rules in their day-to-day business activities. And we can assist if a legal action is brought alleging a violation. Please call or email us if you wish to schedule a consultation.