HIPAA, Health Information Privacy & Security Compliance
At the Law Office of Kevin O’Mahony, we advise clients on the numerous privacy and security laws that physicians, healthcare providers and businesses working with healthcare providers must follow on a daily basis in their medical practices, healthcare entities or businesses. Implementing and following proper business and security practices that comply with state privacy laws on patient information, as well as the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) privacy, security and transactions rules, is essential for physicians and healthcare entities to avoid lawsuits, fines, penalties and damage awards.
The HIPAA Privacy Rule protects most “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or medium — whether electronic, on paper or oral. The Privacy Rule calls this information protected health information (“PHI”). The HIPAA Privacy Rule requires that covered entities, their business associates and any subcontractors handling PHI apply appropriate administrative, technical and physical safeguards to protect the privacy of PHI in any form.
Covered entities are defined in the HIPAA Rules as (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which the U.S. Department of Health & Human Services (“HHS”) has adopted standards. Generally, these transactions concern billing and payment for services or insurance coverage. For example, hospitals, academic medical centers, physicians, and other health care providers who electronically transmit claims transaction information directly or through an intermediary to a health plan are covered entities. Covered entities can be institutions, organizations or persons.
The Health Information Technology for Economic and Clinical Health Act (“HITECH”) (enacted in 2009) was created to motivate the implementation of electronic health records (“EHR”) and supporting technology in the United States. Because this legislation anticipated a massive expansion in the exchange of electronic protected health information (“ePHI”), the HITECH Act widens the scope of privacy and security protections available under HIPAA. It also increases the potential legal liability for non-compliance, and provides for more enforcement.
Business Associate Agreements
A HIPAA Business Associate Agreement (“BAA”) is a contract between a HIPAA covered entity and a vendor used by that covered entity. A vendor of a HIPAA covered entity that needs to be provided with PHI to perform duties on behalf of the covered entity is called a business associate (“BA”) under HIPAA.
HHS defines a business associate as “a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.” A vendor is also classified as a BA if, as part of the services provided, ePHI passes through their systems. However, exclusions to this definition exist, and it may be the case that a covered entity’s relationship with a vendor changes over time.
A signed HIPAA Business Associate Agreement must be obtained by the covered entity before allowing a business associate to come into contact with PHI or ePHI. And since the HITECH Act was passed and incorporated into HIPAA in 2013, subcontractors used by business associates are also required to comply with HIPAA. A business associate must likewise obtain a signed HIPAA business associate agreement from its subcontractors before access is given to PHI or ePHI. If subcontractors use vendors that require access to PHI or ePHI, they too need to enter into business associate agreements with their subcontractors.
The Business Associate Agreement is a contract that specifies the types of PHI that will be provided to the business associate (or subcontractor), the allowable uses and disclosures of PHI, the measures that must be implemented to protect that information, both at rest on-site and in transit (e.g., encryption), and the actions that the BA must take in the event of a security breach that exposes PHI. The contract should state that the BA (or subcontractor) must implement appropriate administrative, technical and physical safeguards to ensure the confidentiality, integrity and availability of ePHI and meet the requirements of the HIPAA Security Rule. Some of those measures may be stated in the BAA or they may be left to the discretion of the BA.
The BAA should also include the allowable uses and disclosures of PHI to meet the requirements of the HIPAA Privacy Rule. In the event that PHI is accessed by individuals unauthorized to view the information, such as an internal breach or cyberattack, the business associate is required to notify the covered entity of the breach and may be required to send notifications to individuals whose PHI has been compromised. The time frames and responsibilities for notifications should be detailed in the BAA.
A business associate should also be made aware of the consequences of failing to comply with the requirements of HIPAA. Business associates can be fined directly by regulators for HIPAA violations. Both HHS’s Office for Civil Rights (“OCR”) and state attorneys general have the authority to issue financial penalties for violations of HIPAA Rules.
Unlike most contracts, a HIPAA business associate agreement does not necessarily indemnify a covered entity against financial penalties for a breach of PHI. If a covered entity fails to obtain “satisfactory assurances” that a BA is HIPAA-compliant prior to entering into a contract, and a breach of PHI subsequently occurs, the covered entity may be considered liable for the breach.
Covered entities can be fined for not having a HIPAA business associate agreement in place, or for having an incomplete agreement in place. This is true even though HITECH regulations state that BAs are obligated to comply with the HIPAA Security Rule, even if no HIPAA business associate agreement is executed.
In May 2019, the OCR issued a new fact sheet to highlight the provisions of HIPAA that apply to business associates and for which they can be held directly liable for non-compliance. The fact sheet spells out the specific requirements that could trigger OCR’s enforcement authority against business associates, including failing to comply with the HIPAA security rule, failing to provide breach notifications to a covered entity or another business associate, and impermissible uses and disclosures of protected health information. See https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html.
HIPAA & HITECH Penalties
HIPAA penalties vary depending on the type of conduct involved. When enacted in 2009, HITECH established four categories for HIPAA violations, with penalty tiers commensurate with the level of culpability for each violation.
- Tier 1 violations are those where the person did not know (and, by exercising reasonable diligence, would not have known) that he or she violated the provision. Tier 1 violations were capped at $25,000 per calendar year.
- Tier 2 violations are those where “the violation was due to reasonable cause, and not willful neglect.” Tier 2 violations were capped at $100,000 per calendar year.
- Tier 3 violations are those due to willful neglect that is timely corrected. Tier 3 violations were capped at $250,000 per year.
- Tier 4 violations are those that occurred due to willful neglect that is not timely corrected. Tier 4 violations were capped at $1.5 million per year.
In 2013, the OCR implemented a final rule allowing for enhancements of HITECH’s penalty provisions. Under the enhanced penalty scheme, while the range of penalties for each violation continued to differ by tier, the total yearly cap for all violations under all tiers became $1.5 million (an amount which formerly was only applicable to the most serious violations). But in April 2019, HHS exercised its discretion to lower the annual cap for certain types of penalties (reducing the financial impact of HIPAA violations that fall into the lower tiers) as follows:
| Level of culpability | Minimum Penalty per Violation | Maximum Penalty per Violation | Annual Limit for Identical Violations |
| --- | --- | --- | --- |
| Person did not know, and by exercising reasonable diligence would not have known, that person violated HIPAA | $114 | $57,051 | $28,525 |
| The violation was due to reasonable cause, not willful neglect | $1,141 | $57,051 | $114,102 |
| Person acted with willful neglect, but corrected the violation within 30 days | $11,182 | $57,051 | $285,255 |
| Person acted with willful neglect and failed to correct the violation within 30 days | $57,051 | $57,051 | $1,711,533 |

(All amounts are per the recent inflation adjustment.)
While reduced annual caps are certainly good news, covered entities and business associates should keep in mind:
- The penalty amounts are subject to annual cost of living adjustments. So, in accordance with the Inflation Adjustment Act, HHS updated its regulations in November 2019 to reflect required annual inflation-related increases to civil monetary penalties, including those for certain violations of HIPAA’s “administrative simplification” provisions. Under the new rules, penalties for pre-February 18, 2009 violations of HIPAA’s administrative simplification provisions have increased to $159 per violation, with a $39,936 cap per calendar year. Penalties for violations occurring on or after February 18, 2009, where it is established that the covered entity or business associate did not know and could not reasonably have known of the violation, are now a minimum of $117 and a maximum of $58,490. If it is established that the violation was due to reasonable cause and not willful neglect, the minimum per violation increases to $1,170, with the maximum remaining at $58,490. If it is established that the violation was due to willful neglect but was corrected during the 30-day period running from the date the entity knew or should have known the violation had occurred, the penalties per violation are a minimum of $11,698 and a maximum of $58,490. If the violation was due to willful neglect and not corrected during the 30-day time period, the penalties per violation are $58,490 (minimum) and $1,754,698 (maximum). For all of these situations, the calendar year cap is now $1,754,698.
- The new annual caps only apply to identical violations. A single act or omission may result in different violations that are not identical. For example, an impermissible disclosure may violate separate HIPAA requirements, each of which may trigger a different penalty and separate annual cap. Moreover, OCR may impose a separate penalty for each individual whose information was improperly accessed or disclosed. In the case of a continuing violation (e.g., the failure to implement a required safeguard or obtain a required business associate agreement), a separate violation occurs each day the covered entity or business associate is in violation of the provision.
- If an entity does not act with willful neglect and corrects the violation within 30 days after the covered entity or business associate knew, or by exercising reasonable diligence, would have known of the violation, the OCR may not impose a penalty; such correction is an affirmative defense to penalties. However, if the entity acts with willful neglect, the relevant penalty is mandatory.
- A covered entity or business associate is vicariously liable for the violations of their respective agents, including workforce members or business associates acting within the scope of their agency under the federal common law of agency.
In other words, HIPAA penalties may add up quickly despite the reduced annual cap on identical types of violations. And covered entities and business associates must ensure that they continue to comply with HIPAA, avoid acting with “willful neglect” at all costs, and correct any violations within 30 days to invoke the affirmative defense to penalties.
Health & Mobile Apps
Health apps are application programs that offer health-related services for mobile devices such as smartphones, smartwatches, personal digital tablets, patient monitoring devices, wearable technology and other wireless devices. Because they are accessible to patients both at home and elsewhere, health apps are part of a burgeoning movement towards mobile health (“mHealth”) programs in healthcare. There are many varieties of health apps available for purchase from app stores. Some (such as fitness, weight loss, wellness and exercise trackers) are designed to help consumers make healthier choices in their everyday life by offering advice about fitness or nutrition. Others are aimed at physicians and other healthcare providers themselves, combining mHealth with electronic medical records (“EMR”), and allowing providers to keep accurate records that are easily accessible. And others help doctors and patients communicate remotely, such as apps for diabetics that automatically send glucose readings to their primary care physicians.
HIPAA does not provide full, comprehensive coverage over, or protection to, all medical/health/wellness information, regardless of the manner in which it is transmitted or by whom. HIPAA is limited to “covered entities” and their “business associates,” who share or transmit “protected health information” (“PHI” or “ePHI” for electronic information) concerning “covered transactions.” All of these terms are specifically defined by HIPAA, and most third-party healthcare apps do not qualify as a “covered entity” or a “business associate” having “PHI,” or engaging in a “covered transaction,” for purposes of triggering HIPAA’s requirements. But many do. And because HIPAA does apply to many healthcare apps, healthcare providers, mobile app developers, and other health-related businesses need to keep HIPAA Rules in mind whenever PHI is transmitted or disclosed to third parties.
Given the growing number of apps that patients may choose to receive and use their PHI, and the limited control covered entities and EHR system developer business associates have following patient-directed disclosure, HHS issued new guidance in the form of Frequently Asked Questions (“FAQs”) in April 2019. These FAQs clarified (at least to some extent) potential HIPAA liability for transmitting PHI among covered entities, their EHR system developers, and patient-designated apps. Here are the five FAQs and HHS’s answers:
- Q: Does a HIPAA covered entity that fulfills an individual’s request to transmit electronic protected health information (ePHI) to an application or other software (collectively “app”) bear liability under the HIPAA Privacy, Security, or Breach Notification Rules (HIPAA Rules) for the app’s use or disclosure of the health information it received?
A: The answer depends on the relationship between the covered entity and the app. Once health information is received from a covered entity, at the individual’s direction, by an app that is neither a covered entity nor a business associate under HIPAA, the information is no longer subject to the protections of the HIPAA Rules. If the individual’s app – chosen by an individual to receive the individual’s requested ePHI – was not provided by or on behalf of the covered entity (and, thus, does not create, receive, transmit, or maintain ePHI on its behalf), the covered entity would not be liable under the HIPAA Rules for any subsequent use or disclosure of the requested ePHI received by the app. For example, the covered entity would have no HIPAA responsibilities or liability if such an app that the individual designated to receive their ePHI later experiences a breach.
If, on the other hand, the app was developed for, or provided by or on behalf of the covered entity – and, thus, creates, receives, maintains, or transmits ePHI on behalf of the covered entity – the covered entity could be liable under the HIPAA Rules for a subsequent impermissible disclosure because of the business associate relationship between the covered entity and the app developer. For example, if the individual selects an app that the covered health care provider uses to provide services to individuals involving ePHI, the health care provider may be subject to liability under the HIPAA Rules if the app impermissibly discloses the ePHI received.
- Q: What liability does a covered entity face if it fulfills an individual’s request to send their ePHI using an unsecure method to an app?
A: Under the individual right of access, an individual may request a covered entity to direct their ePHI to a third-party app in an unsecure manner or through an unsecure channel. See 45 CFR 164.524(a)(1), (c)(2)(ii), (c)(3)(ii). For instance, an individual may request that their unencrypted ePHI be transmitted to an app as a matter of convenience. In such a circumstance, the covered entity would not be responsible for unauthorized access to the individual’s ePHI while in transmission to the app. With respect to such apps, the covered entity may want to consider informing the individual of the potential risks involved the first time that the individual makes the request.
- Q: Where an individual directs a covered entity to send ePHI to a designated app, does a covered entity’s electronic health record (EHR) system developer bear HIPAA liability after completing the transmission of ePHI to the app on behalf of the covered entity?
A: The answer depends on the relationship, if any, between the covered entity, the EHR system developer, and the app chosen by the individual to receive the individual’s ePHI. A business associate relationship exists if an entity creates, receives, maintains, or transmits ePHI on behalf of a covered entity (directly or through another business associate) to carry out the covered functions of the covered entity. A business associate relationship exists between an EHR system developer and a covered entity. If the EHR system developer does not own the app, or if it owns the app but does not provide the app to, through, or on behalf of, the covered entity – e.g., if it creates the app and makes it available in an app store as part of a different line of business (and not as part of its business associate relationship with any covered entity) – the EHR system developer would not be liable under the HIPAA Rules for any subsequent use or disclosure of the requested ePHI received by the app.
If the EHR system developer owns the app or has a business associate relationship with the app developer, and provides the app to, through, or on behalf of, the covered entity (directly or through another business associate), then the EHR system developer could potentially face HIPAA liability (as a business associate of a HIPAA covered entity) for any impermissible uses and disclosures of the health information received by the app. For example, if an EHR system developer contracts with the app developer to create the app on behalf of a covered entity and the individual later identifies that app to receive ePHI, then the EHR system developer could be subject to HIPAA liability if the app impermissibly uses or discloses the ePHI received.
- Q: Can a covered entity refuse to disclose ePHI to an app chosen by an individual because of concerns about how the app will use or disclose the ePHI it receives?
A: No. The HIPAA Privacy Rule generally prohibits a covered entity from refusing to disclose ePHI to a third-party app designated by the individual if the ePHI is readily producible in the form and format used by the app. See 45 CFR 164.524(a)(1), (c)(2)(ii), (c)(3)(ii). The HIPAA Rules do not impose any restrictions on how an individual or the individual’s designee, such as an app, may use the health information that has been disclosed pursuant to the individual’s right of access. For instance, a covered entity is not permitted to deny an individual’s right of access to their ePHI where the individual directs the information to a third-party app because the app will share the individual’s ePHI for research or because the app does not encrypt the individual’s data when at rest. In addition, as discussed in Question 1 above, the HIPAA Rules do not apply to entities that do not meet the definition of a HIPAA covered entity or business associate.
- Q: Does HIPAA require a covered entity or its EHR system developer to enter into a business associate agreement with an app designated by the individual in order to transmit ePHI to the app?
A: HIPAA does not require a covered entity or its business associate (e.g., EHR system developer) to enter into a business associate agreement with an app developer that does not create, receive, maintain, or transmit ePHI on behalf of or for the benefit of the covered entity (whether directly or through another business associate).
However, if the app was developed to create, receive, maintain, or transmit ePHI on behalf of the covered entity, or was provided by or on behalf of the covered entity (directly or through its EHR system developer, acting as the covered entity’s business associate), then a business associate agreement would be required.
More information about apps, business associates, and HIPAA is available at: https://hipaaqsportal.hhs.gov
See also OCR FAQ 2039, “What is the liability of a covered entity in responding to an individual’s access request to send the individual’s PHI to a third party,” available at https://www.hhs.gov/hipaa/for-professionals/faq/2039/what-is-the-liability-of-a-covered-entity-in-responding/index.html.
Additionally, in 2019, the Consumer Technology Association, a trade association for the consumer technology industry, released new health data privacy guidelines. The guidelines are voluntary and intended to provide baseline recommendations for technology companies that handle personal health data. These guidelines, first developed in 2015, have been expanded and are based on privacy concepts currently present and developing in U.S. law, while recognizing the potential impact that international privacy laws have on U.S. companies. The guidelines can be accessed at: CTA-Privacy-Guidelines-Personal-Health-Wellness-Info
Recent HIPAA Settlement Shows Importance of Encrypting Mobile Devices That Contain Patient Data
In November 2019, OCR settled with the University of Rochester Medical Center (“URMC”) after URMC filed two separate breach reports, revealing that PHI had been impermissibly disclosed through the loss of an unencrypted flash drive and theft of an unencrypted laptop. OCR had conducted a previous investigation prior to these two breach reports concerning a similar breach at URMC involving a lost unencrypted flash drive. OCR’s investigation found that URMC failed to: conduct an enterprise-wide risk analysis; implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level; utilize device and media controls; and employ a mechanism to encrypt and decrypt ePHI when it was reasonable and appropriate to do so.
Despite this investigation and URMC’s identification of the risks that lack of encryption would bring to URMC, the medical center did not change its practices, and continued to use unencrypted mobile devices. Under the settlement, URMC agreed to pay OCR $3 million and undertake a corrective action plan which includes two years of monitoring its compliance with the HIPAA rules.
This is just one of many HIPAA settlements based on the failure to encrypt mobile devices. Similar settlements have arisen from lost or stolen smartphones, computers, hard drives, and other electronic media that were not properly encrypted.
Encryption is an “addressable” standard under the HIPAA Security Rule, which generally requires covered entities and business associates to “[i]mplement a mechanism to encrypt and decrypt electronic protected health information” and, for such data transmitted over a network, to “[i]mplement a mechanism to encrypt electronic protected health information whenever deemed appropriate.” (45 CFR § 164.312(a)(2)(iv) and (e)(2)(ii)).
Because the encryption implementation specification is addressable, it must be implemented if, after a risk assessment, the entity determines that the specification is a reasonable and appropriate safeguard in its risk management of the confidentiality, integrity and availability of ePHI. If the entity decides that the addressable implementation specification is not reasonable and appropriate, it must document that determination and implement an equivalent alternative measure, presuming that the alternative is reasonable and appropriate. If the standard can otherwise be met, the covered entity may choose to not implement the implementation specification or any equivalent alternative measure and document the rationale for this decision. (https://www.hhs.gov/hipaa/for-professionals/faq/2001/is-the-use-of-encryption-mandatory-in-the-security-rule/index.html).
Although encryption is not mandatory, it would be difficult to identify an “equivalent alternative measure” of protection so as to satisfy the addressable standard. Proper encryption allows covered entities and business associates to avoid HIPAA breach reports if the data or device is lost or stolen. The Breach Notification Rule only applies to the breach of “unsecured protected health information.” (45 CFR § 164.404(a)).
“Unsecured protected health information” means protected health information that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary in the guidance issued under [the HITECH Act]. (45 CFR § 164.402). Encryption which satisfies HIPAA standards is not “unsecured”; accordingly, its loss does not require a breach report. (78 FR 5639 and 5644; 74 FR 42741-42, 42765). According to OCR, ePHI has been encrypted as specified in the HIPAA Security Rule by “the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key” (45 CFR 164.304 definition of encryption) and such confidential process or key that might enable decryption has not been breached. To avoid a breach of the confidential process or key, these decryption tools should be stored on a device or at a location separate from the data they are used to encrypt or decrypt. (https://www.hhs.gov/hipaa/for-professionals/breach-notification/guidance/index.html; see also 74 FR 42742-43).
On the other hand, HHS commentary makes it clear that the loss or theft of an unencrypted device containing protected health information presumptively requires a breach report. (See, e.g., 78 FR 5671). For example, in its Breach Notification Rule commentary, HHS noted that “the most frequent form of data loss is the result of lost or stolen laptops and data bearing media such as hard drives. If the data on these devices is encrypted, then under the [Breach Notification Rule] definition of a breach, the event would not require the covered entity or the business associate to notify affected individuals.” (74 FR 42765). But “if laptops containing the unsecured protected health information of more than 500 residents of a particular city were stolen from a covered entity, notification under this section should be provided to prominent media outlets serving that city [in addition to individuals and HHS].” (Id. at 42752).
Significantly, “if a computer is lost or stolen, [HHS does] not consider it reasonable to delay breach notification based on the hope that the computer will be recovered.” (Id. at 42745). Moreover, the failure to timely report the theft or loss of the unencrypted device would likely constitute “willful neglect”, resulting in mandatory HIPAA penalties ranging from $11,182 to $57,051 per individual whose information was on the laptop. (45 CFR §§ 102 and 160.404(a)).
In its commentary to the Enforcement Rule, HHS gave the following example of “willful neglect” for which an entity “will be held fully responsible”: “A covered entity’s employee lost an unencrypted laptop that contained unsecured protected health information. HHS’s investigation reveals the covered entity feared its reputation would be harmed if information about the incident became public and, therefore, decided not to provide notification as required by § 164.400 et seq.” (75 FR 40879).
Consequently, key steps to be taken include the following:
- Implement HIPAA Safeguards. HIPAA covered entities and business associates should implement appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of ePHI, as required by the Security Rule.
- Don’t delay. If you are a HIPAA covered entity or business associate, your legal and IT personnel should ensure that the safeguards are implemented entity-wide and without any undue delays. Your employees presumably travel for business and probably take work home. You therefore could be one lost device away from a disastrous data breach and a multi-million dollar fine.
- Encrypt your ePHI. An important technical safeguard is encryption of ePHI. Encryption is not expressly required under HIPAA, but it is effectively required, since only breaches of unsecured ePHI must be reported to HHS. (See above and 45 C.F.R. § 164.408.)
- Don’t lose your encryption key. The encryption key should be stored separately from the ePHI. As specified in the HIPAA Security Rule, ePHI is encrypted by “the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key” (45 CFR 164.304 definition of encryption) and such confidential process or key that might enable decryption has not been breached.
- Hire expert help. For most covered entities and business associates, implementation of the Security Rule is outside the scope of their expertise, and security is usually not a do-it-yourself project. Hiring a reputable, skilled technology vendor to implement the physical safeguards, and hiring a knowledgeable outside legal counsel to ensure compliance with the Security Rule, as well as a certain level of privilege protection, can go a long way toward avoiding a reportable data breach. HHS and the OCR also provide numerous resources to assist covered entities and business associates in properly encrypting data.
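The following illustration is added here and is not part of the original page or any HHS material. It shows, in runnable form, the two points made above: ePHI stored as ciphertext has a low probability of being assigned meaning without the confidential key, and the data only counts as "secured" for Breach Notification purposes if that key did not travel with the lost device. It uses only the Python standard library, so the cipher is an HMAC-SHA256 keystream in counter mode with an encrypt-then-MAC tag, a stand-in chosen so the example runs offline; a production system would use AES-GCM from a vetted library. All names (`generate_key`, `encrypt_record`, `LostDevice`, `breach_report_required`) and the sample record are constructed for this example.

```python
"""Added illustration: at-rest encryption of an ePHI record with the key kept
apart from the data, plus the breach-report determination described on the page.
Stand-in cipher (HMAC-SHA256 counter mode + HMAC tag) so the example runs with
the standard library only; use AES-GCM from a vetted library in production."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Tuple

KEY_LEN = 32    # master key bytes
NONCE_LEN = 16  # per-record random nonce
TAG_LEN = 32    # HMAC-SHA256 tag


def generate_key() -> bytes:
    """Create a fresh master key. Keep it in a key store separate from the
    device that holds the ciphertext (the page's "store the key separately")."""
    return secrets.token_bytes(KEY_LEN)


def _subkeys(master: bytes) -> Tuple[bytes, bytes]:
    """Derive independent encryption and MAC keys from the master key."""
    return (hashlib.sha256(b"enc|" + master).digest(),
            hashlib.sha256(b"mac|" + master).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: block i = HMAC(enc_key, nonce || i)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_record(master: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag. Without the master key the output has
    a "low probability of assigning meaning" (45 CFR 164.304 wording)."""
    enc_key, mac_key = _subkeys(master)
    nonce = secrets.token_bytes(NONCE_LEN)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_record(master: bytes, blob: bytes) -> bytes:
    """Verify the tag first (encrypt-then-MAC), then strip the keystream.
    Raises ValueError on a wrong key or a modified blob."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    enc_key, mac_key = _subkeys(master)
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


def rejects(master: bytes, blob: bytes) -> bool:
    """True if decryption refuses the blob: the data on a lost device is
    unreadable with the wrong key and cannot be silently altered."""
    try:
        decrypt_record(master, blob)
    except ValueError:
        return True
    return False


@dataclass
class LostDevice:
    name: str
    encrypted: bool       # ePHI on the device was stored as encrypt_record output
    key_on_device: bool   # the master key (or a file unlocking it) travelled with the data


def breach_report_required(device: LostDevice, key_otherwise_compromised: bool = False) -> bool:
    """Determination described on the page: only "unsecured" PHI triggers the
    Breach Notification Rule, and PHI counts as secured only if it was encrypted
    and the confidential key has not been breached."""
    if not device.encrypted:
        return True
    return device.key_on_device or key_otherwise_compromised


if __name__ == "__main__":
    # Constructed sample record; not real patient data.
    key = generate_key()
    blob = encrypt_record(key, b"MRN 000123 | glucose 142 mg/dL")
    print(decrypt_record(key, blob))
    print(breach_report_required(LostDevice("laptop-07", encrypted=True, key_on_device=False)))
```

The design point is the separation: `generate_key` output lives in a key store, `encrypt_record` output lives on the laptop or flash drive, and `breach_report_required` turns on exactly that split, which is why a lost device whose unlock key is cached on the same disk is treated the same as an unencrypted one.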
Unfortunately, because medical information is lucrative and easy to exploit, patient records are likely to remain primary targets of hackers and cybercriminals for the foreseeable future. Compared to a stolen credit card number, for example, a stolen medical record offers much more personal information. And because theft and loss are constant threats, failing to encrypt mobile devices needlessly puts patient health information at risk. Healthcare organizations therefore must ensure they have proper, up-to-date security measures in place, including data-breach response plans, ePHI encryption, and adequate employee training about the importance of security. Otherwise, they may face severe legal and financial consequences.
Business Associates’ Direct Liability Under HIPAA
In May 2019, the OCR released a fact sheet outlining and clarifying violations of HIPAA for which a business associate can be held directly liable. Published shortly after the release of the new guidance from OCR in the form of FAQs discussed above, the fact sheet was another example of OCR’s recent efforts to clarify its position and answer outstanding questions from the ever-changing healthcare industry.
In the May 2019 fact sheet, OCR first noted the history by which the application of certain aspects of HIPAA extended to business associates – the HITECH Act of 2009 and OCR’s 2013 Final Rule modifying the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules, which further extended to business associates the need to comply directly with the HIPAA Security Rule and significant aspects of the HIPAA Privacy Rule. Since then, business associates have tried to comply with these HIPAA requirements, but with little guidance or certainty as to whether OCR will take action against them (as opposed to only covered entities) for HIPAA violations, and if so, the types of violations OCR will enforce against business associates.
OCR’s fact sheet finally provided some clarity regarding business associates’ own liability under HIPAA. Citing the HITECH Act and the 2013 Final Rule, the fact sheet clearly states that “OCR has authority to take enforcement action against business associates only for those requirements and prohibitions of the HIPAA Rules as set forth below” (emphasis in original). Specifically, business associates can be held directly liable under HIPAA for:
- Failure to provide the Secretary of HHS with records and compliance reports; cooperate with complaint investigations and compliance reviews; and permit access by the Secretary to information, including PHI, pertinent to determining compliance.
- Taking any retaliatory action against any individual or other person for filing a HIPAA complaint, participating in an investigation or other enforcement process, or opposing an act or practice that is unlawful under the HIPAA Rules.
- Failure to comply with the requirements of the HIPAA Security Rule.
- Failure to provide breach notification to a covered entity or another business associate.
- Impermissible uses and disclosures of PHI.
- Failure to disclose a copy of ePHI to either the covered entity, the individual, or the individual’s designee (whichever is specified in the BAA) to satisfy a covered entity’s obligations regarding the form and format, and the time and manner of access under 45 C.F.R. §§ 164.524(c)(2)(ii) and (c)(3)(ii), respectively.
- Failure to make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.
- Failure, in certain circumstances, to provide an accounting of disclosures.
- Failure to enter into BAAs with subcontractors that create or receive PHI on their behalf, and failure to comply with the implementation specifications for such BAAs.
- Failure to take reasonable steps to address a material breach or violation of the subcontractor’s BAA.
In one telling example, OCR indicated it has enforcement authority directly over a business associate that has agreed in a BAA to satisfy individual rights (e.g., requests from individuals for access to copies of their medical records). Although OCR did not explicitly say it would enforce a business associate’s failure to sign a BAA with a covered entity, it said it would with respect to BAAs with business associate subcontractors. And OCR’s example confirms that the agency will hold business associates accountable for certain contractual obligations made with covered entities, even if such obligations otherwise exceed the scope of business associate requirements under HIPAA.
OCR’s clarification regarding the direct liability of business associates came as the agency’s enforcement against business associates has been rising. Just a few days before releasing the new fact sheet, OCR settled allegations of HIPAA Privacy Rule and Security Rule violations for $100,000 with a business associate that provides software and electronic medical record services to healthcare providers. In that case, the business associate self-disclosed to OCR a HIPAA breach following discovery that hackers used a compromised user ID and password to access the ePHI of approximately 3.5 million people. OCR’s investigation revealed that, prior to the breach, the business associate had not conducted the comprehensive risk analysis required by the Security Rule.
Recent HIPAA Enforcement Actions Show Exposure on Multiple Fronts
In June 2019, an unprecedented settlement was announced, arising from a federal lawsuit brought by 16 state attorneys general (“AGs”) in the U.S. District Court for the Northern District of Indiana. In that case, a medical software provider agreed to pay the states $900,000 for alleged violations of a combination of federal and state privacy laws. The settlement represented the resolution of the first-ever multistate data breach suit based on alleged violations of HIPAA, as well as state deceptive trade practices acts, state personal information protection acts, and state breach notifications acts. The case arose out of a 2015 data breach, in which an Indiana-based electronic health record software provider and its subsidiary (the “EHR Provider”) discovered that hackers used a compromised user ID and password to access the ePHI of approximately 3.5 million individuals whose healthcare providers used the EHR Provider’s software. The information exposed by the breach included names, dates of birth, Social Security numbers, and clinical information.
In the lawsuit, the state AGs asserted that the EHR Provider ran a web application with a security framework that allowed the breach to occur. The EHR Provider allegedly failed to take appropriate measures to protect its computer systems and failed to take reasonable steps to prevent breaches. The state AGs claimed that the EHR Provider, as a business associate under the provisions of HIPAA, was required to comply with the HIPAA Security Rule, and had failed in numerous instances to meet the Security Rule’s enumerated requirements.
Although the sheer number of individuals impacted by the breach was significant, the major takeaway from the case was the nationwide collective effort by the state AGs. In addition to using their statutory authority to enforce HIPAA, the state AGs also brought claims under their respective data breach and personal information protection statutes. The combined effect was a powerful case in which the EHR Provider was accused of 38 separate counts of state law violations, all emanating from the same breach. The settlement with the state AGs was finalized about one month after the EHR Provider agreed to pay $100,000 to the OCR, the federal agency tasked with enforcing HIPAA, for alleged HIPAA violations associated with the same breach. In addition to the monetary consequences, the EHR Provider also agreed to numerous injunctive provisions and a corrective action plan, requiring the company to implement and adhere to specific data security policies and procedures.
These settlements represent cautionary tales for the healthcare industry for several reasons. First, the affected entity in this instance was a business associate governed by HIPAA. The settlements show that to the extent a HIPAA-covered entity must take specific measures to protect the ePHI of its patients, the business associate that handles the information on the covered entity’s behalf also must do so. Business associates should assess their data security programs and ensure that they have procedures in place to monitor, detect and address data vulnerabilities and breaches, consistent with HIPAA Security Rule requirements. As demonstrated by the federal suit, business associates are not only on OCR’s radar, they also are on state radars. HIPAA-covered entities should also pay close attention to their business associates’ HIPAA compliance to ensure that they are adequately protecting the covered entity’s information.
Second, the increasing use of web-based applications for electronic health information management represents not only an opportunity for innovation and progress, but also a threat of increased exposure and liability. Transmission of ePHI via the Internet enables healthcare organizations to better treat and engage patients, and helps facilitate the beneficial exchange of medical information among providers. Utilized properly, this electronic network improves healthcare and makes its delivery more efficient. However, as the electronic network of patients and providers continues to grow, it becomes a more valuable and data-rich target for hackers. This means that covered entities and business associates participating in any given electronic network are exposed to potential hazards that may impact individuals in multiple states, and are subject to multiple state and federal laws and threats of enforcement action. Consequently, attention to data privacy and security must grow in scale with the size of the network managing the highly-regulated information.
Finally, the federal suit and settlements show that states are willing to utilize and combine their resources and efforts nationwide to hold health industry participants accountable for compliance with both federal and state laws when it comes to data protection and health information privacy. As already noted, electronic networks transmitting health information are growing. This growth means the activities of healthcare entities will reach more and more patients, which means handling highly-regulated information in more and more states. With the no-longer-theoretical prospect of multistate enforcement actions, it is essential that covered entities and business associates take measures to comply with HIPAA and applicable state laws wherever their businesses are conducted.
Georgia Ambulance Company Pays to Settle Allegations of HIPAA Violations
In December 2019, West Georgia Ambulance, Inc. (“WGA”) agreed to pay OCR $65,000 and to adopt a corrective action plan to settle potential violations of the HIPAA Security Rule. WGA is an ambulance company that provides emergency and non-emergency ambulance services in Carroll County, Georgia.
OCR began its investigation after WGA filed a breach report in 2013 following the loss of an unencrypted laptop containing the PHI of 500 individuals. OCR’s investigation revealed longstanding noncompliance with HIPAA Rules, including failures to conduct a risk analysis, provide a security awareness and training program, and implement HIPAA Security Rule policies and procedures. OCR also alleged that despite OCR’s investigation and technical assistance, WGA did not take meaningful steps to address its systemic failures.
State Law Liability for Failure to Protect Confidentiality of Medical Records
As noted above, HIPAA is a federal statute providing for confidentiality of health and medical records under certain circumstances. HIPAA is administered by the federal Department of Health and Human Services (“HHS”), which can impose substantial fines for non-compliance. However, HIPAA provides no private, federal cause of action for a patient to sue a healthcare provider or business directly for damages.
If an HHS-OCR investigation concludes there was a possible criminal violation, OCR will forward the matter to the U.S. Department of Justice. If there’s a determination that a non-criminal violation occurred, the OCR will seek voluntary corrective action or will issue a formal finding of violation. OCR may impose civil monetary penalties as part of a negotiated resolution or file suit for damages. And, as noted above, penalties or damages for violating HIPAA can run into the millions of dollars. However, monetary penalties for such violations are paid to HHS, not to any injured individual or patient.
Nevertheless, alleged HIPAA violations may be remedied in state court under state tort or contract law as well. Although HIPAA does not provide a private right to sue for HIPAA violations, healthcare providers, businesses and business associates should bear in mind that remedies for non-compliance are not necessarily limited to federal agency fines or damages.
Recent state court decisions demonstrate this dual-liability-exposure reality. For example, in one state court case, a plaintiff-patient alleged that a healthcare provider mistakenly gave his records to another individual. The plaintiff-patient sued the provider to recover damages under a variety of state law theories, including negligence based on a state law duty of care informed by HIPAA.
The appellate court explained that although the negligence claim did not arise under HIPAA, the provider owed the plaintiff a state law duty of care to act as a reasonably prudent healthcare provider would under the circumstances. The court then found that the allegations in the complaint for wrongful disclosure of protected information were sufficient to survive a motion to dismiss, and allowed the case to proceed into discovery and perhaps trial phases.
Notably, the provider tried to argue that HIPAA preempted all such state law claims. But the court rejected that preemption argument, reasoning that allowing state law claims in this context does not interfere with government enforcement actions authorized by HIPAA. The court stated that “additional state law remedies encourage compliance with HIPAA by providing further means for patients to recover for harm suffered due to non-compliance.” The court concluded: “[W]e hold HIPAA’s requirements may inform the standard of care in state-law negligence actions, just as common industry practice may establish an alleged tortfeasor’s duty of care.” The court also kept alive a related punitive damages claim.
In another state case, the appellate court held that a patient may pursue her negligence claim against a hospital for improperly disclosing her medical information. In that case, the plaintiff-patient argued that the hospital violated its duty to protect the privacy, security and confidentiality of her health records, when it allowed the plaintiff’s employer to receive digital images of her X-rays without her consent. While acknowledging that HIPAA does not provide a private right of action, the patient argued that the statute could be used to establish the standard of care in a common law negligence action, and the court agreed.
To ensure that litigants don’t make an end-run around the lack of a private right of action under HIPAA, the court said there must first be an underlying common law duty. But the court noted that medical providers owe a duty of confidentiality to their patients. And, having found a common law duty, the court had “little trouble” holding that HIPAA and its implementing regulations could inform the standard of care in tort claims related to alleged breaches of the duty of confidentiality owed by medical providers to their patients.
The takeaway from these and other state cases is that alleged HIPAA violations may be remedied by state lawsuits in addition to HHS fines. While the case law to date makes it clear that individuals cannot bring a case based solely on violations of HIPAA, claims related to privacy of health information may still be viable under state law.
Certain states (including Georgia) have privacy laws creating private causes of action in tort or negligence. So, while an individual plaintiff bringing claims solely for violations of HIPAA almost certainly will fail in federal court, healthcare providers and businesses are not necessarily off the hook for liability to individuals for health information privacy violations under state law theories.
A patient may be able to bring a civil lawsuit for violation of Georgia’s state medical records disclosure law, or under Georgia’s invasion of privacy or negligence law, for example. And personal medical records are protected by Georgia’s constitutional right to privacy also. Other state law theories of recovery for unauthorized disclosures include breach of contract (or an implied contract) for confidentiality, and intentional infliction of emotional distress.
The challenge to successfully waging these types of claims is that a patient must show documented and provable damages — that is, specifically and quantifiably how he or she was harmed by the disclosure or release of information. Examples of documented losses include medical or counseling bills, credit protection or identity theft insurance, costs related to stolen identity, lost pay for time off, and other expenses that resulted directly from the breach of the patient’s privacy. But if the required elements can be established, a healthcare provider or business may be liable for damages under state law, regardless of whether HHS-OCR found a HIPAA violation.
Georgia Supreme Court Rules Case Arising From Patient Records Hack May Proceed
In December 2019, in Collins v. Athens Orthopedic Clinic, PA, the Georgia Supreme Court revived a class action involving claims by at least 200,000 current and former patients of a medical clinic whose personal information (including names, addresses, Social Security numbers and insurance information) was stolen in a 2016 data breach. In overturning the Georgia Court of Appeals and a trial judge, the Georgia Supreme Court found that there was sufficient potential for future harm to allow the case to proceed.
The case began when Athens Orthopedic Clinic learned in June 2016 that someone self-identifying as “Dark Overlord” had hacked its computer system. The clinic subsequently notified its patients about the hack, but not until approximately two months later.
The hackers demanded a ransom, but the clinic refused to pay. After that refusal, some of the stolen patient information was offered for sale on the dark web, and at least some of it was later made available there. Some patient information also appeared on Pastebin, a data-storage and sharing website.
At least one plaintiff actually had fraudulent charges made to her credit card after the breach. And all the plaintiffs claimed that the hack made them possible targets of identity theft and fraud, and that they had been damaged by having to place fraud alerts on their credit reports.
In January 2017, three plaintiffs filed a putative class action in Clarke County Superior Court, claiming violation of the Georgia Uniform Deceptive Trade Practices Act, breach of implied contract, unjust enrichment and negligence. The plaintiffs’ claimed damages included past and future costs for credit monitoring and identity theft protection, credit freezes on their accounts, and injunctive relief.
In June 2017, however, a Cobb County Superior Court judge dismissed the case with little discussion on a motion to dismiss. And in 2018, a divided Georgia Court of Appeals panel affirmed the dismissal. In upholding the trial judge, the Court of Appeals ruled that the plaintiffs’ claimed damages were too speculative to provide standing. Specifically, the Court of Appeals said that “while credit monitoring and other precautionary measures are undoubtedly prudent, we find that they are not recoverable damages on the facts before us because the plaintiffs seek only to recover for an increased risk of harm.” Such “prophylactic measures” are “insufficient to state a cognizable claim under Georgia law.”
However, now-Chief Judge Christopher McFadden dissented, arguing that the plaintiffs had sufficiently pleaded facts to survive a motion to dismiss, because their “allegations of future injury show a substantial risk that harm will occur.” In his dissent, Judge McFadden wrote that neither Georgia appellate courts nor the U.S. Court of Appeals for the Eleventh Circuit “have decided whether a data breach, with little more, amounts to an injury in fact for purposes of standing.” “But federal courts have uniformly applied a rule that a substantial risk of future harm is sufficient to show an injury in fact for purposes of standing.” “And applying that rule here, leads to the conclusion that the plaintiffs have standing.”
In its December 2019 Collins decision, the Georgia Supreme Court agreed with Judge McFadden’s dissent. In doing so, the court first acknowledged that prior appellate rulings dealing with stolen personal data generally held that plaintiffs had to show the information “had actually fallen into criminal hands” and had been used to harm them in order to show a “legally cognizable injury.” But the Georgia Supreme Court said “this case, which was dismissed on the pleadings despite allegations of large-scale criminal activity, falls into a different category of data-exposure cases.”
“Here, the plaintiffs allege that criminals are now able to assume their identities fraudulently and that the risk of such identity theft is ‘imminent and substantial.’” “This amounts to a factual allegation about the likelihood that any given class member will have her identity stolen as a result of the data breach.”
The Georgia Supreme Court opinion said that the plaintiffs’ claims were more than sufficient to survive a motion to dismiss, as they alleged that “all class members now face the ‘imminent and substantial risk’ of identity theft given criminals’ ability to use the stolen data to assume the class members’ identities and fraudulently obtain credit cards, issue fraudulent checks, file tax refund returns, liquidate bank accounts, and open new accounts in their names.” “Assuming the truth of these allegations, as we must at this stage, we must presume that a criminal actor has maliciously accessed the plaintiffs’ data and has at least attempted to sell at least some of the data to other wrongdoers.” The allegations of future injury “show a substantial risk that harm will occur. The allegations thus suffice to establish standing,” according to the court.
The Georgia Supreme Court’s Collins decision indicates that where “plaintiffs allege that criminals are now able to assume their identities fraudulently and that the risk of such identity theft is ‘imminent and substantial,’” it “amounts to a factual allegation about the likelihood that any given [plaintiff] will have her identity stolen as a result of the data breach.” So, under Collins, pleading such facts apparently will be sufficient to survive a motion to dismiss, because such “allegations of future injury show a substantial risk that harm will occur.” That said, for such claims to succeed, patients almost certainly will still have to show some documented and provable damages – i.e., specifically, quantifiably, how they have been harmed by the disclosure or release of the information.
Liability for Failing to Properly Respond to Patients’ Records Requests
In 2019, OCR announced its HIPAA “Right of Access Initiative,” promising to vigorously enforce patients’ rights to receive copies of their medical records promptly and without being overcharged. In September 2019, OCR announced that it entered into a Resolution Agreement with a Florida medical center (“Medical Center”) following allegations that the Medical Center failed to respond to a patient’s request for medical records in a timely fashion and in violation of the patient’s right to access such records under HIPAA. While the $85,000 settlement amount was relatively small in comparison to the seven-figure settlements that OCR entered into in recent years, the enforcement action was notable for being the first related to OCR’s Right of Access Initiative launched earlier in 2019.
OCR initiated an investigation into the Medical Center following its receipt of a complaint from a mother who requested access to her unborn baby’s medical records under the HIPAA right of access. The HIPAA right of access extends to personal representatives of the patient, such as parents of minor children. The mother first requested access to her baby’s medical records in October 2017, at which point the Medical Center informed the mother that the records could not be found. The mother’s attorney subsequently requested the records on her behalf in January 2018 and again in February 2018. The Medical Center did not provide the mother with a complete set of records until August 2018, after she had already submitted her complaint to OCR and OCR’s investigation had commenced.
According to the Resolution Agreement, OCR’s investigation revealed that the Medical Center failed to provide the mother with access to protected health information pursuant to the HIPAA right of access set forth at 45 C.F.R. § 164.524, which requires covered entities to provide individuals with access to their medical records and other protected health information maintained in a designated record set within 30 days of the individual’s request for such records.
In addition to the $85,000 monetary settlement, the Medical Center agreed to a one-year Corrective Action Plan (“CAP”) that requires the Medical Center to, among other things, revise and implement policies and procedures regarding patient access to medical records and train its workforce on such policies. Notably, the CAP also reached to the Medical Center’s business associates involved in receiving or fulfilling medical records requests in several ways. First, the Medical Center’s business associates must certify compliance with the Medical Center’s revised policies and undergo training on such policies. Second, the Medical Center must provide OCR with the names of its business associates involved in receiving or fulfilling medical records requests, and copies of its business associate agreements with such vendors. Third, in addition to reporting to OCR each instance where its own workforce member fails to comply with its revised policies, the Medical Center also must report to OCR each instance of a business associate failing to comply with the policies.
OCR’s Second Settlement Under HIPAA Right of Access Initiative
In December 2019, OCR announced its second enforcement action and settlement under its HIPAA Right of Access Initiative. Under the terms of the settlement, Korunda Medical, LLC agreed to pay $85,000 to settle a potential violation of HIPAA’s right of access.
According to HHS, “Korunda is a Florida-based company that provides comprehensive primary care and interventional pain management to approximately 2,000 patients annually.” In March 2019, OCR received a complaint that “Korunda [had] failed to forward a patient’s medical records in electronic format to a third party” after multiple requests by the patient. Based on the complaint, OCR provided Korunda with assistance on how to correct the issues and closed the complaint. Despite OCR’s assistance, Korunda continued to fail to provide the requested records, which resulted in another complaint to OCR. In May 2019, after OCR’s second intervention, Korunda provided the requested records, free of charge and in the requested format.
A news release, quoting OCR’s Director, stated that “For too long, healthcare providers have slow-walked their duty to provide patients their medical records out of a sleepy bureaucratic inertia. We hope our shift to the imposition of corrective actions and settlements under our Right of Access Initiative will finally wake up healthcare providers to their obligations under the law.”
Takeaways from Right of Access Settlements
OCR has made clear through these settlements that it intends to hold covered entities and business associates accountable for providing patients with access to their medical records under HIPAA. Healthcare providers and business associates should ensure that they have the written policies and procedures, as well as the operational infrastructure, needed to respond to medical records requests in a manner that complies with both HIPAA and applicable state law.
While HIPAA sets a “floor” of requirements regarding patients’ rights to access medical records, the laws in many states are more stringent than HIPAA on this issue, particularly with respect to how quickly records must be provided. In Georgia, a physician must provide medical records to a patient within 30 days of the receipt of a records request. But in California, for example, physicians must provide patients with copies of requested medical records within only 15 days of the patient’s request, shortening HIPAA’s 30-day time frame. Additionally, many states establish specific fee schedules that further limit the HIPAA “reasonable, cost-based fee” that healthcare providers may charge for fulfilling a records request. So healthcare providers and business associates must also take note of the state laws on access requests that may apply in addition to HIPAA.
HHS Reverses Position Regarding Access & Copy Fees for Third-Party Requests for Medical Records After Court Invalidates Portion of HIPAA Regulations & Guidance
In January 2020, the U.S. District Court for the District of Columbia issued a ruling in Ciox Health, LLC v. Azar, et al., invalidating portions of the Modifications to the HIPAA Privacy, Security and Enforcement Rules and the 2016 guidance issued by HHS’s OCR addressing the assessment of fees for copies of electronic and paper health records to third parties. Under HIPAA’s Privacy Rule, providers generally must provide a patient with the right to access his or her own PHI and can charge a “reasonable, cost-based fee” for providing such copies. OCR guidance expanded this obligation, requiring providers to provide copies of patients’ medical records to third parties when requested by a patient while charging the same reasonable, cost-based fee. The court ruled that OCR overstepped its statutory authority by imposing the fee cap on records to be provided to third parties, even when requested by a patient. However, the court did not rule on what fee is permissible, leaving that issue for resolution through rulemaking comment and review.
With this decision and HHS’s change in position, covered entities and their business associates received relief from the sometimes significant financial burden of producing copies of voluminous medical records to third parties, such as lawyers and insurance companies. Specifically, the court vacated HHS’s 2013 rule compelling delivery of medical records to third parties regardless of the records’ format (instead scaling it back to align with the statutory scope of the HITECH Act, which is limited to electronic health records), and also vacated the 2016 guidance which applied strict HIPAA fee limits to records delivered to third parties pursuant to a patient-directed request. On January 28, 2020, HHS announced the reversal of its position on these two key points.
By way of background, the implementing regulations for HIPAA at 45 C.F.R. 164.524 establish an individual’s right to access PHI and set requirements for the permissible fee that can be charged for such production. Following the enactment of the HITECH Act in 2009, HHS revised these regulations in 2013. One aspect of these revisions was the promulgation of 45 C.F.R. 164.524(c)(3)(ii), which required that a covered entity must provide a copy of PHI directly to a third party designated by the individual (i.e., a “third-party directive”). Although HHS promulgated this regulation pursuant to the HITECH Act, which limited third-party directives to PHI in electronic health records (“EHRs”), HHS’s regulations did not include that important limit, instead applying third-party directive requirements to access requests for all PHI in any format.
In 2016, HHS issued extensive guidance on the patient right of access provisions, including third party directives. In the guidance, HHS did three things relevant here. Specifically, it:
- applied the HIPAA fee limits at 45 C.F.R. 164.524(c)(4) to third-party directives;
- laid out three methods for calculating the fees that may be charged; and
- limited what activities may be included as “labor costs” in calculating the fees.
Following this regulation and guidance, third-party directives soared, driven largely by requests from plaintiffs’ attorneys. This, in turn, resulted in a significant increase in costs for covered entities and their business associates engaged in producing copies of patient records. Ciox Health, LLC (“Ciox”), a release of information vendor that contracts with hospitals and other healthcare providers to fulfill requests for copies of medical records, filed suit against HHS in the U.S. District Court for the District of Columbia in January 2018. In its suit, Ciox challenged the regulation and guidance cited above.
Key takeaways from the court’s 2020 Ciox decision include the following:
- Third-Party Directives Apply to PHI in Electronic Health Records Only. Going forward, third-party directives are scaled back to only apply to requests for electronic copies of PHI maintained in EHRs, in alignment with the scope of the HITECH Act, which provides at 42 U.S.C. § 17935(e)(1): “[I]n the case that a covered entity uses or maintains an electronic health record with respect to protected health information of an individual . . . the individual shall have a right to obtain from such covered entity a copy of such information in an electronic format and, if the individual chooses, to direct the covered entity to transmit such copy directly to an entity or person designated by the individual, provided that any such choice is clear, conspicuous, and specific.”
- Fee Limits Apply to Direct Patient Requests Only. HIPAA’s fee limits for copies now apply only to an individual’s request for access to his or her own records and do not apply to requests to transmit records to a third party. Note, however, that state or other law may impose limits and should be read alongside HIPAA to determine the appropriate fees to charge, both for direct patient requests and third-party requests.
- Methods of Calculating Fees and Limits on Labor Activities are Unchanged. The court left intact HHS’s guidance on the three methods HHS discusses as options by which fees may be calculated when responding to a patient’s request for records (i.e., actual cost, average cost, and optional flat fee for electronic copies of electronic records), as well as what activities may be included in labor cost calculations.
As a result of this decision and HHS’s response, covered entities and business associates responding to requests for medical records should bear in mind the following:
- Responding to Direct Patient Requests. Covered entities and business associates must still follow the HIPAA regulations and HHS guidance regarding responding to a patient’s request for copies of his or her own records (e.g., covered entities must respond to a patient’s request within 30 days and, when providing copies, must limit the fee charged to the individual to a “reasonable, cost-based fee,” among other requirements).
- Responding to Third-Party Directives for Electronic Records. If a patient directs a covered entity to send electronic copies of PHI maintained in EHRs directly to a third party, the covered entity must comply. However, HIPAA no longer imposes fee limits for such transmission (though state or other law could apply).
- Responding to All Other Requests. As the healthcare industry adjusts to the revised requirements for third-party directives, covered entities and business associates may still receive third-party directives for copies of paper records. If a patient directs a covered entity to send paper records directly to a third party, the covered entity should inform the individual of the need to receive a valid authorization or comply with an applicable exception under HIPAA (e.g., providing records to another healthcare provider for treatment) before releasing the records. Similarly, for all requests that originate from a third party (i.e., not at the patient’s direction), the covered entity also must receive a valid authorization or comply with an applicable exception under HIPAA before releasing the records.
Frequently Asked Questions About Medical Records
Common questions physicians and medical groups have about medical records, and answers provided by the Medical Association of Georgia, include the following:
Can a physician withhold a patient’s medical record for a past due balance for services rendered?
No, medical records should not be withheld for any reason. AMA E-3.3.1 (See also: https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html; and https://www.hhs.gov/about/news/2019/09/09/ocr-settles-first-case-hipaa-right-access-initiative.html.)
Physicians (or other providers) must furnish a complete and current copy of a patient’s medical record to the patient or to a person authorized (by the patient) to have access to the medical record under an advance directive or durable power of attorney. O.C.G.A. § 31-33-2
Can a physician withhold a patient’s record until the patient pays for copies of the records?
Yes, a physician may require payment for the costs of medical records prior to providing them to the patient. O.C.G.A. § 31-33-3 (See also the HHS webpages cited above.)
How quickly must a physician release requested medical records?
A physician must provide medical records to a patient within 30 days of the receipt of a records request. O.C.G.A. § 31-33-2
A covered entity must act on a request for access to medical records within 30 days. A physician must either grant access to medical records or give a justified denial of access within 30 days of receipt of the request for release. HIPAA – 45 CFR § 164.524(b)(2) (See also the HHS webpages cited above.)
How long must a physician retain medical records?
A physician must retain medical records for at least 10 years. This does not apply to an individual provider who has retired or sold his or her practice if the provider has notified the patient of retirement/sale and offered to provide the patient’s record to another provider of the patient’s choice and, if requested, to the patient. O.C.G.A. § 31-33-2
What must a physician do with medical records upon retiring or selling a practice?
In Georgia, a physician is required to maintain a patient’s complete treatment records for at least 10 years from the date of the patient’s last office visit. O.C.G.A. § 31-33-2
These requirements do not apply to a physician who has retired or sold his or her medical practice if…
- The physician has notified his or her patients of retirement or sale of practice by mail – offering to provide the patient’s records to another provider of the patient’s choice and, if requested, to the patient.
- The physician has published a notice – containing the date of retirement or sale – that offers to provide the patient’s records to another provider of the patient’s choice and, if requested, to the patient.
- The physician has posted a sign announcing retirement or sale of the practice. The sign must be placed 30 days prior to retirement or sale of the practice and must remain posted until the date of retirement or sale.
- The physician has placed both the notice and sign required by Ga. Medical Board Rule 360-3-.02(16)(c) and has advised patients of their opportunity to transfer or receive their records.
A physician should always seek advice from their private counsel or their malpractice insurance carrier. Ga. Medical Board Rule 360-3-.02
“A patient’s records may be necessary to the patient in the future not only for medical care but also for employment, insurance, litigation, or other reasons. When a physician retires or dies, patients should be notified and urged to find a new physician and should be informed that upon authorization, records will be sent to the new physician. Records which may be of value to a patient and which are not forwarded to a new physician should be retained, either by the treating physician, another physician, or such other person lawfully permitted to act as a custodian of the records. The patients of a physician who leaves a group practice should be notified that the physician is leaving the group. Patients of the physician should also be informed of the physician’s new address and offered the opportunity to have their medical records forwarded to the departing physician at his or her new practice location. It is unethical to withhold such information upon request of a patient. If the responsibility for notifying patients falls to the departing physician rather than to the group, the group should not interfere with the discharge of these duties by withholding patient lists or other necessary information.” AMA E-7.03; see also https://www.privatepracticepreparedness.com/content/american-medical-association-ama
Does a physician have to give medical records to a third party without a subpoena or court order?
No, a physician should not release a patient’s medical records to a third party without a proper release by the patient or legally authorized individual in accordance with Georgia law, a court order, a subpoena signed by a judge, or certification that the party has placed the opposing party on notice with opportunity to object. A physician may release medical records if there is no objection from the patient after 20 days.
What should a physician do if a patient steals their own medical records?
HIPAA specifies that the data contained within a medical record belongs to the patient, but the physical form containing the data belongs to the entity responsible for maintaining the record (i.e., the physician). If a patient takes medical records without permission and will not return them upon request, the act should be treated as a normal theft and the physician should contact the police.
Does a physician have to keep a paper copy of electronically stored medical records?
No, a provider is not required to maintain separate paper copies of electronically stored records. O.C.G.A. § 31-33-8(b)
Do the same laws that apply to paper copies apply to electronic medical records?
Yes, all provisions of Chapter 33 of Title 31 of the Georgia Code, including fees, apply to electronic medical records. O.C.G.A. § 31-33-8(c)
What happens to my patients’ medical records when I leave a group?
Medical records belong to the practice. Unless your employment agreement provides otherwise, you may be able to notify patients that you are leaving the practice and notify them of your new address. However, you should be very clear about what you are allowed to do regarding notification of patients when leaving the practice. It is recommended that you discuss/negotiate the process by which you will exit the practice. Request the right to notify your patients of your departure, your new address, and information on how to contact you at your new location.
Patients are not prohibited from requesting that their medical record be forwarded to another physician, but a physician should be careful to avoid a breach of an employment agreement or a breach of privacy or patient confidentiality in accessing, copying, or taking patient records. AMA E-7.03; see also https://www.privatepracticepreparedness.com/content/american-medical-association-ama
Can a physician release a patient’s medical records and health information to an insurance company or third party payer without the patient’s consent and/or knowledge?
Yes. The amended HIPAA Privacy Rule gives health plans and self-insured employers broad authority (“regulatory permission”) to get information without a patient’s consent. Health plans and employers are also authorized to obtain, use and disclose an individual’s health information without their consent for the purpose of:
1. Conducting due diligence that’s related to the sale or transfer of assets;
2. Certain types of marketing;
3. Business planning and development;
4. Business management and general administrative activities; and
5. Underwriting, premium rating and other activities relating to the creation, renewal or replacement of a contract of health insurance (45 CFR 164.501)
Medical practices are also required to provide every patient with a notice that lets them know how their personal health information will be used and disclosed. (45 CFR 164.520) See https://www.mag.org/georgia/Public/Resources/Medical_Records.aspx.
Texting Between Providers & Patients
For obvious reasons, the health technology industry wants to make it easier for patients to text with their providers regarding healthcare issues and services. Texting and other electronic communications between healthcare providers and patients can save time and money and improve patient health.
Patients demand that their healthcare providers keep up with the latest technology. But HIPAA and other privacy and security concerns have stood in the way of significant progress. Healthcare providers and companies are hesitant because penalties for HIPAA violations can be severe.
Advocates pitch texting as convenient for patients and providers and a way to boost the quality of care provided at little cost. But making that happen in a secure manner is harder than simply hitting send on a mobile device or PC.
Health privacy laws generally require the sender (and, by extension, telephone and internet service providers) to take steps to ensure that any patient data sent via text message is protected. Text messages are usually not encrypted or protected, so using them to send sensitive patient data violates HIPAA.
Another risk is that patients may change their phone numbers without updating their physicians or other healthcare providers. Telephone numbers can also be reassigned in ways that email addresses typically are not. Thus, the risk of sending personal information to the wrong recipient is greater via text than email.
“Access controls are very important because you never know who is looking at the phones. So providers would need a protocol to ensure they are texting the right person and complying with rules regarding the ‘minimum necessary,’ which means that only the bare minimum amount of protected health information should be included in texts,” notes the general counsel of a telehealth startup that provides healthcare services to patients and their families.
HIPAA only covers data collected by healthcare providers, health plans and clearinghouse billing systems in the industry. But those requirements extend to business associates, which can include telephone companies and internet service providers if they handle or transmit PHI. So another hurdle is getting phone carriers to sign multiple different business associate agreements with countless covered entities under HIPAA.
“Patients can’t always text physicians because AT&T and other phone companies don’t have HIPAA in place, so our model brings you into this secure chat room,” said a CEO of a company which bills itself as offering HIPAA-compliant communications outside of doctors’ offices. But that company executive quickly added that more “common sense on this HIPAA conversation is going to need to be a part of the solution going forward.”
Telemedicine companies and physician groups have urged HHS to provide guidance on how providers and patients can legally text one another under HIPAA. The American Medical Association, for example, believes that creating guidance around texting would both ease anxiety in the medical industry and help patients.
HHS has said that it plans to offer guidance on text messaging and HIPAA. But few details are currently available, and there is no firm timeline for progress.
HHS issued a request for information in 2018 for the healthcare industry to describe how HIPAA slows progress to value-based healthcare. In response, the agency received nearly 1,500 comments. And the agency continues to weigh options for regulatory guidance.
In the meantime, texting in healthcare requires taking all steps necessary to protect patient data, while also trying to satisfy the needs of patients demanding access to their providers and health information in the most convenient and efficient manner possible. This means trying to securely use and transmit sensitive information via technologies that are constantly evolving.
Texting patient information among members of a healthcare team is allowed if it is sent through a secure platform, according to CMS. But sending information electronically through a computer is the preferred method for now, while texting with patients remains risky.
While HIPAA does not specifically prohibit sending PHI by text, in order for texting to be HIPAA-compliant, texting safeguards have to be in place to ensure the confidentiality of PHI when it is at rest and in transit. There also have to be controls in place for who can access PHI, and what authorized personnel do with PHI when they access it.
There are numerous reasons why it is far safer for covered entities to simply prohibit texting PHI rather than allow it. These include, but are not limited to, lack of access controls, lack of audit controls, and lack of encryption.
Although encryption is an “addressable” requirement of the HIPAA Security Rule, it is the only feasible way to ensure the security of PHI in transit. With regard to access controls, anyone can pick up an unattended mobile device and read messages on it. Moreover, mobile devices can be lost or stolen, which not only potentially exposes PHI to unauthorized access, the information in the messages can be used to commit insurance fraud or identity theft.
In addition, the HIPAA rules for text messaging (or any other form of electronic communication) state that audit controls are necessary to record when PHI is created, modified, accessed, shared or deleted. Unfortunately, it currently is impossible to implement audit trails for HIPAA-compliant text messaging because the technology does not exist that can audit every possible operating system.
Even if there were a way to overcome the HIPAA texting rules for access controls and audit controls, that would not make text messaging HIPAA-compliant. There also has to be a way to prevent the interception of plain text messages, or extraction of plain text messages, from carriers’ servers – which is why encryption of PHI in transit is strongly recommended.
Nevertheless, texting patient information to patients may be allowed by HIPAA, provided the covered entity has warned the patient that the risk of unauthorized disclosure exists and has obtained the patient’s consent to communicate by text. But both the warning and the consent must be documented.
Another way in which text messaging may be HIPAA-compliant is when the covered entity has implemented a solution such as a HIPAA-compliant messaging app that has the necessary controls and encryption to support HIPAA-compliant texting. But even when these apps are used, it is still necessary to comply with the minimum necessary standard and the physical, technical and administrative safeguards of the HIPAA Security Rule.
Pushing against the desire to ease regulatory burdens is the alarming fact that more than 41 million people were impacted by health records breaches in 2019 — the highest number in the last four years, according to HHS’s OCR. And hackers keep finding new ways to circumvent security measures that are put in place.
So the security threats are real and rapidly growing. Despite the risks, companies continue to innovate, and healthcare is moving in the direction of increased text communications. But as the industry awaits further regulatory guidance, healthcare providers need to be cautious, and when in doubt seek counsel before hitting send.
HIPAA Compliance Programs
According to HHS’s OIG, the seven fundamental elements of an effective compliance program are:
- Implementing written policies, procedures and standards of conduct.
- Designating a compliance officer and compliance committee.
- Conducting effective training and education.
- Developing effective lines of communication.
- Conducting internal monitoring and auditing.
- Enforcing standards through well-publicized disciplinary guidelines.
- Responding promptly to detected offenses and undertaking corrective action.
Each of the seven elements requires robust, organization-wide enforcement and documentation. And many HIPAA standards require annual review as well. See, e.g., https://oig.hhs.gov/compliance/provider-compliance-training/files/Compliance101tips508.pdf.
How We Can Help & Services We Provide
We advise and assist healthcare providers, mobile app developers and other health-related businesses with their implementation of the measures necessary to comply with the complex requirements imposed on healthcare providers and their vendors by the HIPAA Privacy and Security Rules, the HITECH Act, and state privacy laws and regulations. Our services include:
- Advice and legal assistance in connection with protecting the confidentiality of patients’ medical records and PHI.
- Drafting and negotiating Business Associate Agreements and Subcontractor BAAs from Covered Entities’, Business Associates’ and Subcontractors’ perspectives.
- Assisting both healthcare providers and healthcare vendors in integrating requirements of the security and privacy rules in their operational documents.
- Providing advice, guidance and assistance to clients as they conduct privacy and security assessments and audits, develop compliance plans, and implement policies, procedures and forms for compliance.
- Advising and assisting clients as they choose appropriate consultants to help them prepare, improve and implement necessary policies and procedures, and respond to audits.
- Assisting on incident response and breach reporting, including counseling on OCR compliance reviews, HIPAA audits or other government investigations.
- Representing healthcare clients in legal actions alleging violations of federal or state privacy laws or regulations.
Our law firm is experienced in counseling and assisting healthcare clients regarding medical privacy and security matters in a cost-effective manner. We have broad experience counseling clients regarding how they can meet the requirements of the various federal and state privacy and security rules in their day-to-day business activities. And we can assist if a legal action is brought alleging a violation. Please call or email us if you wish to schedule a consultation.