HIPAA, Health Information Privacy & Security Compliance
At the Law Office of Kevin O’Mahony, we advise clients on the numerous privacy and security laws that physicians, healthcare providers and businesses working with healthcare providers must follow on a daily basis in their medical practices, healthcare entities or businesses. Implementing and following proper business and security practices that comply with state privacy laws on patient information, as well as the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) privacy, security and transactions rules, is essential for physicians and healthcare entities to avoid lawsuits, fines, penalties and damage awards.
The HIPAA Privacy Rule protects most “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or medium — whether electronic, on paper or oral. The Privacy Rule calls this information protected health information (“PHI”). The HIPAA Privacy Rule requires that covered entities, their business associates and any subcontractors handling PHI apply appropriate administrative, technical and physical safeguards to protect the privacy of PHI in any form.
Covered entities are defined in the HIPAA Rules as (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which the U.S. Department of Health & Human Services (“HHS”) has adopted standards. Generally, these transactions concern billing and payment for services or insurance coverage. For example, hospitals, academic medical centers, physicians, and other health care providers who electronically transmit claims transaction information directly or through an intermediary to a health plan are covered entities. Covered entities can be institutions, organizations or persons.
The Health Information Technology for Economic and Clinical Health Act (“HITECH”), enacted in 2009, was intended to promote the adoption of electronic health records (“EHR”) and supporting technology in the United States. Because the legislation anticipated a massive expansion in the exchange of electronic protected health information (“ePHI”), the HITECH Act widened the scope of the privacy and security protections available under HIPAA, increased the potential legal liability for non-compliance, and provided for more enforcement.
Business Associate Agreements
A HIPAA Business Associate Agreement (“BAA”) is a contract between a HIPAA covered entity and a vendor used by that covered entity. A vendor of a HIPAA covered entity that needs to be provided with PHI to perform duties on behalf of the covered entity is called a business associate (“BA”) under HIPAA.
HHS defines a business associate as “a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.” A vendor is also classified as a BA if, as part of the services provided, ePHI is stored on or passes through its systems (a cloud hosting provider, for example), even if the vendor never actually views the data. Exclusions exist, notably the “conduit” exception for services such as the postal service or an internet service provider that merely transport PHI and have only transient, incidental access to it. And a covered entity’s relationship with a vendor may change over time, so the classification should be revisited whenever the services provided change.
A signed HIPAA Business Associate Agreement must be obtained by the covered entity before allowing a business associate to come into contact with PHI or ePHI. And since the 2013 Omnibus Final Rule implemented the HITECH Act’s changes to HIPAA, subcontractors used by business associates are also required to comply with HIPAA directly. A business associate must likewise obtain a signed HIPAA business associate agreement from its subcontractors before access is given to PHI or ePHI. If subcontractors use vendors that require access to PHI or ePHI, they too need to enter into business associate agreements with their subcontractors.
The Business Associate Agreement is a contract that specifies the types of PHI that will be provided to the business associate (or subcontractor), the allowable uses and disclosures of PHI, the measures that must be implemented to protect that information, both at rest and in transit (e.g., encryption), and the actions that the BA must take in the event of a security breach that exposes PHI. The contract should state that the BA (or subcontractor) must implement appropriate administrative, technical and physical safeguards to ensure the confidentiality, integrity and availability of ePHI and meet the requirements of the HIPAA Security Rule. Some of those measures may be stated in the BAA or they may be left to the discretion of the BA.
The BAA should also include the allowable uses and disclosures of PHI to meet the requirements of the HIPAA Privacy Rule. In the event that PHI is accessed by individuals unauthorized to view the information, such as an internal breach or cyberattack, the business associate is required to notify the covered entity of the breach and may be required to send notifications to individuals whose PHI has been compromised. The time frames and responsibilities for notifications should be detailed in the BAA.
A business associate should also be made aware of the consequences of failing to comply with the requirements of HIPAA. Business associates can be fined directly by regulators for HIPAA violations. Both HHS’s Office for Civil Rights (“OCR”) and state attorneys general have the authority to issue financial penalties for violations of HIPAA Rules.
Unlike most contracts, a HIPAA business associate agreement does not necessarily indemnify a covered entity against financial penalties for a breach of PHI. If a covered entity fails to obtain “satisfactory assurances” that a BA is HIPAA-compliant prior to entering into a contract, and a breach of PHI subsequently occurs, the covered entity may be considered liable for the breach.
Covered entities can be fined for not having a HIPAA business associate agreement in place, or for having an incomplete agreement in place. This is true even though HITECH regulations state that BAs are obligated to comply with the HIPAA Security Rule, even if no HIPAA business associate agreement is executed.
In May 2019, the OCR issued a new fact sheet to highlight the provisions of HIPAA that apply to business associates and for which they can be held directly liable for non-compliance. The fact sheet spells out the specific requirements that could trigger OCR’s enforcement authority against business associates, including failing to comply with the HIPAA security rule, failing to provide breach notifications to a covered entity or another business associate, and impermissible uses and disclosures of protected health information. See https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html.
HIPAA & HITECH Penalties
HIPAA penalties vary depending on the type of conduct involved. When enacted in 2009, HITECH established four categories for HIPAA violations, with penalty tiers commensurate with the level of culpability for each violation.
- Tier 1 violations are those where the person did not know (and, by exercising reasonable diligence, would not have known) that he or she violated the provision. Tier 1 violations were capped at $25,000 per calendar year.
- Tier 2 violations are those where “the violation was due to reasonable cause, and not willful neglect.” Tier 2 violations were capped at $100,000 per calendar year.
- Tier 3 violations are those due to willful neglect that is timely corrected. Tier 3 violations were capped at $250,000 per year.
- Tier 4 violations are those that occurred due to willful neglect that is not timely corrected. Tier 4 violations were capped at $1.5 million per year.
In 2013, the OCR implemented a final rule allowing for enhancements of HITECH’s penalty provisions. Under the enhanced penalty scheme, while the range of penalties for each violation continued to differ by tier, the total yearly cap for all violations under all tiers became $1.5 million (an amount which formerly was only applicable to the most serious violations). But in April 2019, HHS exercised its discretion to lower the annual cap for certain types of penalties (reducing the financial impact of HIPAA violations that fall into the lower tiers) as follows:
| Level of culpability | Minimum penalty per violation | Maximum penalty per violation | Annual limit for identical violations |
| --- | --- | --- | --- |
| Tier 1: Person did not know, and by exercising reasonable diligence would not have known, that the person violated HIPAA | $114 | $57,051 | $28,525 |
| Tier 2: The violation was due to reasonable cause, not willful neglect | $1,141 | $57,051 | $114,102 |
| Tier 3: Person acted with willful neglect, but corrected the violation within 30 days | $11,182 | $57,051 | $285,255 |
| Tier 4: Person acted with willful neglect and failed to correct the violation within 30 days | $57,051 | $57,051 | $1,711,533 |

(Dollar amounts reflect the inflation adjustment in effect in April 2019.)
While reduced annual caps are certainly good news, covered entities and business associates should keep in mind:
- The penalty amounts are subject to annual cost-of-living adjustments. In accordance with the Federal Civil Penalties Inflation Adjustment Act, HHS updated its regulations in November 2019 to reflect the required annual inflation increases to civil monetary penalties, including those for violations of HIPAA’s “administrative simplification” provisions. Under the updated figures, penalties for pre-February 18, 2009 violations rose to $159 per violation, with a $39,936 cap per calendar year. For violations occurring on or after February 18, 2009, the per-violation range is now: $117 to $58,490 where the covered entity or business associate did not know and could not reasonably have known of the violation; $1,170 to $58,490 where the violation was due to reasonable cause and not willful neglect; $11,698 to $58,490 where the violation was due to willful neglect but was corrected within the 30-day period running from the date the entity knew or should have known of it; and $58,490 to $1,754,698 where the violation was due to willful neglect and was not corrected within that 30-day period. The calendar-year cap written into the regulation (45 CFR § 102.3) is now $1,754,698 for every tier. The lower per-tier caps in the table above come from OCR’s April 2019 notice of enforcement discretion, which is a statement of enforcement policy that HHS has said it will follow pending further rulemaking, not an amendment to the regulation itself.
- The new annual caps only apply to identical violations. A single act or omission may result in different violations that are not identical. For example, an impermissible disclosure may violate separate HIPAA requirements, each of which may trigger a different penalty and separate annual cap. Moreover, OCR may impose a separate penalty for each individual whose information was improperly accessed or disclosed. In the case of a continuing violation (e.g., the failure to implement a required safeguard or obtain a required business associate agreement), a separate violation occurs each day the covered entity or business associate is in violation of the provision.
- If an entity does not act with willful neglect and corrects the violation within 30 days after the covered entity or business associate knew, or by exercising reasonable diligence, would have known of the violation, the OCR may not impose a penalty; such correction is an affirmative defense to penalties. However, if the entity acts with willful neglect, the relevant penalty is mandatory.
- A covered entity or business associate is vicariously liable for the violations of their respective agents, including workforce members or business associates acting within the scope of their agency under the federal common law of agency.
In other words, HIPAA penalties may add up quickly despite the reduced annual cap on identical types of violations. And covered entities and business associates must ensure that they continue to comply with HIPAA, avoid acting with “willful neglect” at all costs, and correct any violations within 30 days to invoke the affirmative defense to penalties.
Health & Mobile Apps
Health apps are application programs that offer health-related services for mobile devices such as smartphones, smartwatches, personal digital tablets, patient monitoring devices, wearable technology and other wireless devices. Because they are accessible to patients both at home and elsewhere, health apps are part of a burgeoning movement towards mobile health (“mHealth”) programs in healthcare. There are many varieties of health apps available for purchase from app stores. Some (such as fitness, weight loss, wellness and exercise trackers) are designed to help consumers make healthier choices in their everyday life by offering advice about fitness or nutrition. Others are aimed at physicians and other healthcare providers themselves, combining mHealth with electronic medical records (“EMR”), and allowing providers to keep accurate records that are easily accessible. And others help doctors and patients communicate remotely, such as apps for diabetics that automatically send glucose readings to their primary care physicians.
HIPAA does not provide full, comprehensive coverage over, or protection to, all medical/health/wellness information, regardless of the manner in which it is transmitted or by whom. HIPAA is limited to “covered entities” and their “business associates,” who share or transmit “protected health information” (“PHI” or “ePHI” for electronic information) concerning “covered transactions.” All of these terms are specifically defined by HIPAA, and most third-party healthcare apps do not qualify as a “covered entity” or a “business associate” having “PHI,” or engaging in a “covered transaction,” for purposes of triggering HIPAA’s requirements. But many do. And because HIPAA does apply to many healthcare apps, healthcare providers, mobile app developers, and other health-related businesses need to keep HIPAA Rules in mind whenever PHI is transmitted or disclosed to third parties.
Given the growing number of apps that patients may choose to receive and use their PHI, and the limited control covered entities and EHR system developer business associates have following patient-directed disclosure, HHS issued new guidance in the form of Frequently Asked Questions (“FAQs”) in April 2019. These FAQs clarified (at least to some extent) potential HIPAA liability for transmitting PHI among covered entities, their EHR system developers, and patient-designated apps. Here are the five FAQs and HHS’s answers:
- Q: Does a HIPAA covered entity that fulfills an individual’s request to transmit electronic protected health information (ePHI) to an application or other software (collectively “app”) bear liability under the HIPAA Privacy, Security, or Breach Notification Rules (HIPAA Rules) for the app’s use or disclosure of the health information it received?
A: The answer depends on the relationship between the covered entity and the app. Once health information is received from a covered entity, at the individual’s direction, by an app that is neither a covered entity nor a business associate under HIPAA, the information is no longer subject to the protections of the HIPAA Rules. If the individual’s app – chosen by an individual to receive the individual’s requested ePHI – was not provided by or on behalf of the covered entity (and, thus, does not create, receive, transmit, or maintain ePHI on its behalf), the covered entity would not be liable under the HIPAA Rules for any subsequent use or disclosure of the requested ePHI received by the app. For example, the covered entity would have no HIPAA responsibilities or liability if such an app that the individual designated to receive their ePHI later experiences a breach.
If, on the other hand, the app was developed for, or provided by or on behalf of the covered entity – and, thus, creates, receives, maintains, or transmits ePHI on behalf of the covered entity – the covered entity could be liable under the HIPAA Rules for a subsequent impermissible disclosure because of the business associate relationship between the covered entity and the app developer. For example, if the individual selects an app that the covered health care provider uses to provide services to individuals involving ePHI, the health care provider may be subject to liability under the HIPAA Rules if the app impermissibly discloses the ePHI received.
- Q: What liability does a covered entity face if it fulfills an individual’s request to send their ePHI using an unsecure method to an app?
A: Under the individual right of access, an individual may request a covered entity to direct their ePHI to a third-party app in an unsecure manner or through an unsecure channel. See 45 CFR 164.524(a)(1), (c)(2)(ii), (c)(3)(ii). For instance, an individual may request that their unencrypted ePHI be transmitted to an app as a matter of convenience. In such a circumstance, the covered entity would not be responsible for unauthorized access to the individual’s ePHI while in transmission to the app. With respect to such apps, the covered entity may want to consider informing the individual of the potential risks involved the first time that the individual makes the request.
- Q: Where an individual directs a covered entity to send ePHI to a designated app, does a covered entity’s electronic health record (EHR) system developer bear HIPAA liability after completing the transmission of ePHI to the app on behalf of the covered entity?
A: The answer depends on the relationship, if any, between the covered entity, the EHR system developer, and the app chosen by the individual to receive the individual’s ePHI. A business associate relationship exists if an entity creates, receives, maintains, or transmits ePHI on behalf of a covered entity (directly or through another business associate) to carry out the covered functions of the covered entity. A business associate relationship exists between an EHR system developer and a covered entity. If the EHR system developer does not own the app, or if it owns the app but does not provide the app to, through, or on behalf of, the covered entity – e.g., if it creates the app and makes it available in an app store as part of a different line of business (and not as part of its business associate relationship with any covered entity) – the EHR system developer would not be liable under the HIPAA Rules for any subsequent use or disclosure of the requested ePHI received by the app.
If the EHR system developer owns the app or has a business associate relationship with the app developer, and provides the app to, through, or on behalf of, the covered entity (directly or through another business associate), then the EHR system developer could potentially face HIPAA liability (as a business associate of a HIPAA covered entity) for any impermissible uses and disclosures of the health information received by the app. For example, if an EHR system developer contracts with the app developer to create the app on behalf of a covered entity and the individual later identifies that app to receive ePHI, then the EHR system developer could be subject to HIPAA liability if the app impermissibly uses or discloses the ePHI received.
- Q: Can a covered entity refuse to disclose ePHI to an app chosen by an individual because of concerns about how the app will use or disclose the ePHI it receives?
A: No. The HIPAA Privacy Rule generally prohibits a covered entity from refusing to disclose ePHI to a third-party app designated by the individual if the ePHI is readily producible in the form and format used by the app. See 45 CFR 164.524(a)(1), (c)(2)(ii), (c)(3)(ii). The HIPAA Rules do not impose any restrictions on how an individual or the individual’s designee, such as an app, may use the health information that has been disclosed pursuant to the individual’s right of access. For instance, a covered entity is not permitted to deny an individual’s right of access to their ePHI where the individual directs the information to a third-party app because the app will share the individual’s ePHI for research or because the app does not encrypt the individual’s data when at rest. In addition, as discussed in Question 1 above, the HIPAA Rules do not apply to entities that do not meet the definition of a HIPAA covered entity or business associate.
- Q: Does HIPAA require a covered entity or its EHR system developer to enter into a business associate agreement with an app designated by the individual in order to transmit ePHI to the app?
A: HIPAA does not require a covered entity or its business associate (e.g., EHR system developer) to enter into a business associate agreement with an app developer that does not create, receive, maintain, or transmit ePHI on behalf of or for the benefit of the covered entity (whether directly or through another business associate).
However if the app was developed to create, receive, maintain, or transmit ePHI on behalf of the covered entity, or was provided by or on behalf of the covered entity (directly or through its EHR system developer, acting as the covered entity’s business associate), then a business associate agreement would be required.
More information about apps, business associates, and HIPAA is available at: https://hipaaqsportal.hhs.gov
See also OCR FAQ 2039, “What is the liability of a covered entity in responding to an individual’s access request to send the individual’s PHI to a third party,” available at https://www.hhs.gov/hipaa/for-professionals/faq/2039/what-is-the-liability-of-a-covered-entity-in-responding/index.html.
Additionally, in 2019, the Consumer Technology Association, a trade association for the consumer technology industry, released new health data privacy guidelines. The guidelines are voluntary and intended to provide baseline recommendations for technology companies that handle personal health data. These guidelines, first developed in 2015, have been expanded and are based on privacy concepts currently present and developing in U.S. law, while recognizing the potential impact that international privacy laws have on U.S. companies. The guidelines can be accessed at: CTA-Privacy-Guidelines-Personal-Health-Wellness-Info
Recent HIPAA Settlement Shows Importance of Encrypting Mobile Devices That Contain Patient Data
In November 2019, OCR settled with the University of Rochester Medical Center (“URMC”) after URMC filed two separate breach reports, revealing that PHI had been impermissibly disclosed through the loss of an unencrypted flash drive and the theft of an unencrypted laptop. OCR had previously investigated a similar breach at URMC involving a lost unencrypted flash drive. OCR’s investigation found that URMC failed to: conduct an enterprise-wide risk analysis; implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level; utilize device and media controls; and employ a mechanism to encrypt and decrypt ePHI when it was reasonable and appropriate to do so.
Despite this investigation and URMC’s identification of the risks that lack of encryption would bring to URMC, the medical center did not change its practices, and continued to use unencrypted mobile devices. Under the settlement, URMC agreed to pay OCR $3 million and undertake a corrective action plan which includes two years of monitoring its compliance with the HIPAA rules.
This is just one of many HIPAA settlements based on the failure to encrypt mobile devices. Similar settlements have arisen from lost or stolen smartphones, computers, hard drives, and other electronic media that were not properly encrypted.
Encryption is an “addressable” standard under the HIPAA Security Rule, which generally requires covered entities and business associates to “[i]mplement a mechanism to encrypt and decrypt electronic protected health information” and, for such data transmitted over a network, to “[i]mplement a mechanism to encrypt electronic protected health information whenever deemed appropriate.” (45 CFR § 164.312(a)(2)(iv) and (e)(2)(ii)).
Because the encryption implementation specification is addressable, it must be implemented if, after a risk assessment, the entity determines that the specification is a reasonable and appropriate safeguard in its risk management of the confidentiality, integrity and availability of ePHI. If the entity decides that the addressable implementation specification is not reasonable and appropriate, it must document that determination and implement an equivalent alternative measure, presuming that the alternative is reasonable and appropriate. If the standard can otherwise be met, the covered entity may choose to not implement the implementation specification or any equivalent alternative measure and document the rationale for this decision. (https://www.hhs.gov/hipaa/for-professionals/faq/2001/is-the-use-of-encryption-mandatory-in-the-security-rule/index.html).
Although encryption is not mandatory, it would be difficult to identify an “equivalent alternative measure” of protection so as to satisfy the addressable standard. Proper encryption allows covered entities and business associates to avoid HIPAA breach reports if the data or device is lost or stolen. The Breach Notification Rule only applies to the breach of “unsecured protected health information.” (45 CFR § 164.404(a)).
“Unsecured protected health information” means protected health information that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary in the guidance issued under [the HITECH Act]. (45 CFR § 164.402). Encryption which satisfies HIPAA standards is not “unsecured”; accordingly, its loss does not require a breach report. (78 FR 5639 and 5644; 74 FR 42741-42, 42765). According to OCR, ePHI has been encrypted as specified in the HIPAA Security Rule by “the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key” (45 CFR 164.304 definition of encryption) and such confidential process or key that might enable decryption has not been breached. To avoid a breach of the confidential process or key, these decryption tools should be stored on a device or at a location separate from the data they are used to encrypt or decrypt. (https://www.hhs.gov/hipaa/for-professionals/breach-notification/guidance/index.html; see also 74 FR 42742-43).
On the other hand, HHS commentary makes it clear that the loss or theft of an unencrypted device containing protected health information presumptively requires a breach report. (See, e.g., 78 FR 5671). For example, in its Breach Notification Rule commentary, HHS noted that “the most frequent form of data loss is the result of lost or stolen laptops and data bearing media such as hard drives. If the data on these devices is encrypted, then under the [Breach Notification Rule] definition of a breach, the event would not require the covered entity or the business associate to notify affected individuals.” (74 FR 42765). But “if laptops containing the unsecured protected health information of more than 500 residents of a particular city were stolen from a covered entity, notification under this section should be provided to prominent media outlets serving that city [in addition to individuals and HHS].” (Id. at 42752).
Significantly, “if a computer is lost or stolen, [HHS does] not consider it reasonable to delay breach notification based on the hope that the computer will be recovered.” (Id. at 42745). Moreover, the failure to timely report the theft or loss of the unencrypted device would likely constitute “willful neglect”, resulting in mandatory HIPAA penalties ranging from $11,182 to $57,051 per individual whose information was on the laptop (under the amounts in effect at the time of the April 2019 notice). (45 CFR §§ 102.3 and 160.404).
In its commentary to the Enforcement Rule, HHS gave the following example of “willful neglect” for which an entity “will be held fully responsible”: “A covered entity’s employee lost an unencrypted laptop that contained unsecured protected health information. HHS’s investigation reveals the covered entity feared its reputation would be harmed if information about the incident became public and, therefore, decided not to provide notification as required by § 164.400 et seq.” (75 FR 40879).
Consequently, key steps to be taken include the following:
- Implement HIPAA Safeguards. HIPAA covered entities and business associates should implement appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of ePHI, as required by the Security Rule.
- Don’t delay. If you are a HIPAA covered entity or business associate, your legal and IT personnel should ensure that the safeguards are implemented entity-wide and without any undue delays. Your employees presumably travel for business and probably take work home. You therefore could be one lost device away from a disastrous data breach and a multi-million dollar fine.
- Encrypt your ePHI. An important technical safeguard is encryption of ePHI, which is not expressly, but effectively required under HIPAA, since only breaches of unsecured ePHI must be reported to the HHS. (See above and 45 C.F.R. § 164.408.)
- Don’t lose (or expose) your encryption key. The encryption key should be stored separately from the ePHI. Under the Security Rule definition, ePHI is encrypted by “the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key” (45 CFR 164.304), and the safe harbor from breach notification holds only if that confidential process or key has not itself been breached. In practice this means escrowing recovery keys in a separate system (such as a directory service or key management service) rather than on the device, never storing a passphrase or recovery key with the device it unlocks, and remembering that full-disk encryption protects data only while the device is powered off or locked, so screen-lock and idle-timeout settings are part of the same control.
- Hire expert help. For most covered entities and business associates, implementation of the Security Rule is outside the scope of their expertise, and security is usually not a do-it-yourself project. Hiring a reputable, skilled technology vendor to implement the technical and physical safeguards, and engaging knowledgeable outside legal counsel to oversee Security Rule compliance (which can also bring a degree of attorney-client privilege protection to the risk analysis), can go a long way toward avoiding a reportable data breach. HHS and the OCR also provide numerous resources to assist covered entities and business associates in properly encrypting data.
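As an added practitioner check (this script is not part of the original page, of OCR’s guidance, or of any vendor product), the following PowerShell snippet inventories the BitLocker state of every volume on a Windows endpoint and flags any volume that is not fully encrypted, has protection switched off, or lacks a recovery-password protector that can be escrowed off the device. It assumes the built-in BitLocker module (Windows 8 / Server 2012 or later) and an elevated session; the call that escrows recovery passwords to Active Directory is left commented out because it writes to the directory and depends on domain policy.

```powershell
# Added example: audit BitLocker state on a Windows endpoint.
# Requires the BitLocker module (Windows 8 / Server 2012 or later) and an elevated session.
#Requires -RunAsAdministrator
Import-Module BitLocker -ErrorAction Stop

$findings = foreach ($vol in Get-BitLockerVolume) {
    # Recovery-password protectors are the ones that can be escrowed off the device.
    $recovery = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    [pscustomobject]@{
        MountPoint        = $vol.MountPoint
        VolumeType        = $vol.VolumeType        # OperatingSystem or Data
        VolumeStatus      = $vol.VolumeStatus      # FullyEncrypted, FullyDecrypted, EncryptionInProgress, ...
        ProtectionStatus  = $vol.ProtectionStatus  # On / Off (Off means the volume key is exposed or suspended)
        EncryptionMethod  = $vol.EncryptionMethod  # e.g. XtsAes256; 'None' on an unencrypted volume
        RecoveryProtector = ($recovery.Count -gt 0)
        # Any of these conditions means the data on a lost device would not be "secured" PHI.
        NeedsAttention    = ($vol.ProtectionStatus -ne 'On') -or
                            ($vol.VolumeStatus -ne 'FullyEncrypted') -or
                            ($recovery.Count -eq 0)
    }
}

$findings | Format-Table -AutoSize

# Escrow recovery passwords to Active Directory so the key is never stored with the
# data it protects. Uncomment to run; requires domain policy that permits the backup.
# foreach ($vol in Get-BitLockerVolume | Where-Object { $_.ProtectionStatus -eq 'On' }) {
#     foreach ($kp in $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }) {
#         Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $kp.KeyProtectorId
#     }
# }

# Removable media (flash drives) only appear while inserted, so enforce encryption of
# removable drives through Group Policy (BitLocker To Go) rather than a point-in-time audit.
if ($findings | Where-Object { $_.NeedsAttention }) { exit 1 } else { exit 0 }
```

Run it from an endpoint-management tool or a scheduled task and collect the non-zero exit codes; a volume reported with ProtectionStatus Off or VolumeStatus other than FullyEncrypted is exactly the “unencrypted laptop” scenario the URMC settlement turned on, and a volume with no escrowed recovery protector is one whose key exists only on the device it is meant to protect.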
Unfortunately, because medical information is lucrative and easy to exploit, patient records are likely to remain primary targets of hackers and cybercriminals for the foreseeable future. Compared to a stolen credit card number, for example, a stolen medical record offers much more personal information. And because theft and loss are constant threats, failing to encrypt mobile devices needlessly puts patient health information at risk. Healthcare organizations therefore must ensure they have proper, up-to-date security measures in place, including data-breach response plans, ePHI encryption, and adequate employee training about the importance of security. Otherwise, they may face severe legal and financial consequences.
Business Associates’ Direct Liability Under HIPAA
In May 2019, the OCR released a fact sheet outlining and clarifying violations of HIPAA for which a business associate can be held directly liable. Published shortly after the release of the new guidance from OCR in the form of FAQs discussed above, the fact sheet was another example of OCR’s recent efforts to clarify its position and answer outstanding questions from the ever-changing healthcare industry.
In the May 2019 fact sheet, OCR first noted the history by which the application of certain aspects of HIPAA extended to business associates – the HITECH Act of 2009 and OCR’s 2013 Final Rule modifying the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules, which further extended to business associates the need to comply directly with the HIPAA Security Rule and significant aspects of the HIPAA Privacy Rule. Since then, business associates have tried to comply with these HIPAA requirements, but with little guidance or certainty as to whether OCR will take action against them (as opposed to only covered entities) for HIPAA violations, and if so, the types of violations OCR will enforce against business associates.
OCR’s fact sheet finally provided some clarity regarding business associates’ own liability under HIPAA. Citing the HITECH Act and the 2013 Final Rule, the fact sheet clearly states that “OCR has authority to take enforcement action against business associates only for those requirements and prohibitions of the HIPAA Rules as set forth below” (emphasis in original). Specifically, business associates can be held directly liable under HIPAA for:
- Failure to provide the Secretary of HHS with records and compliance reports; cooperate with complaint investigations and compliance reviews; and permit access by the Secretary to information, including PHI, pertinent to determining compliance.
- Taking any retaliatory action against any individual or other person for filing a HIPAA complaint, participating in an investigation or other enforcement process, or opposing an act or practice that is unlawful under the HIPAA Rules.
- Failure to comply with the requirements of the HIPAA Security Rule.
- Failure to provide breach notification to a covered entity or another business associate.
- Impermissible uses and disclosures of PHI.
- Failure to disclose a copy of ePHI to either the covered entity, the individual, or the individual’s designee (whichever is specified in the BAA) to satisfy a covered entity’s obligations regarding the form and format, and the time and manner of access under 45 C.F.R. §§ 164.524(c)(2)(ii) and (c)(3)(ii), respectively.
- Failure to make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.
- Failure, in certain circumstances, to provide an accounting of disclosures.
- Failure to enter into BAAs with subcontractors that create or receive PHI on their behalf, and failure to comply with the implementation specifications for such BAAs.
- Failure to take reasonable steps to address a material breach or violation of the subcontractor’s BAA.
In one telling example, OCR indicated it has enforcement authority directly over a business associate that has agreed in a BAA to satisfy individual rights (e.g., requests from individuals for access to copies of their medical records). Although OCR did not explicitly say it would enforce a business associate’s failure to sign a BAA with a covered entity, it said it would with respect to BAAs with business associate subcontractors. And OCR’s example confirms that the agency will hold business associates accountable for certain contractual obligations made with covered entities, even if such obligations otherwise exceed the scope of business associate requirements under HIPAA.
OCR’s clarification regarding the direct liability of business associates came as the agency’s enforcement against business associates has been rising. Just a few days before releasing the new fact sheet, OCR settled allegations of HIPAA Privacy Rule and Security Rule violations for $100,000 with a business associate that provides software and electronic medical record services to healthcare providers. In that case, the business associate self-disclosed to OCR a HIPAA breach following discovery that hackers used a compromised user ID and password to access the ePHI of approximately 3.5 million people. OCR’s investigation revealed that the business associate had not conducted a comprehensive risk analysis prior to the breach, as required by the Security Rule.
Recent HIPAA Enforcement Actions Show Exposure on Multiple Fronts
In June 2019, an unprecedented settlement was announced, arising from a federal lawsuit brought by 16 state attorneys general (“AGs”) in the U.S. District Court for the Northern District of Indiana. In that case, a medical software provider agreed to pay the states $900,000 for alleged violations of a combination of federal and state privacy laws. The settlement represented the resolution of the first-ever multistate data breach suit based on alleged violations of HIPAA, as well as state deceptive trade practices acts, state personal information protection acts, and state breach notifications acts. The case arose out of a 2015 data breach, in which an Indiana-based electronic health record software provider and its subsidiary (the “EHR Provider”) discovered that hackers used a compromised user ID and password to access the ePHI of approximately 3.5 million individuals whose healthcare providers used the EHR Provider’s software. The information exposed by the breach included names, dates of birth, Social Security numbers, and clinical information.
In the lawsuit, the state AGs asserted that the EHR Provider ran a web application with a security framework that allowed the breach to occur. The EHR Provider allegedly failed to take appropriate measures to protect its computer systems and failed to take reasonable steps to prevent breaches. The state AGs claimed that the EHR Provider, as a business associate under the provisions of HIPAA, was required to comply with the HIPAA Security Rule, and had failed in numerous instances to meet the Security Rule’s enumerated requirements.
Although the sheer number of individuals impacted by the breach was significant, the major takeaway from the case was the nationwide collective effort by the state AGs. In addition to using their statutory authority to enforce HIPAA, the state AGs also brought claims under their respective data breach and personal information protection statutes. The combined effect was a powerful case in which the EHR Provider was accused of 38 separate counts of state law violations, all emanating from the same breach. The settlement with the state AGs was finalized about one month after the EHR Provider agreed to pay $100,000 to the OCR, the federal agency tasked with enforcing HIPAA, for alleged HIPAA violations associated with the same breach. In addition to the monetary consequences, the EHR Provider also agreed to numerous injunctive provisions and a corrective action plan, requiring the company to implement and adhere to specific data security policies and procedures.
These settlements represent cautionary tales for the healthcare industry for several reasons. First, the affected entity in this instance was a business associate governed by HIPAA. The settlements show that to the extent a HIPAA-covered entity must take specific measures to protect the ePHI of its patients, the business associate that handles the information on the covered entity’s behalf also must do so. Business associates should assess their data security programs and ensure that they have procedures in place to monitor, detect and address data vulnerabilities and breaches, consistent with HIPAA Security Rule requirements. As demonstrated by the federal suit, business associates are not only on OCR’s radar, they also are on state radars. HIPAA-covered entities should also pay close attention to their business associates’ HIPAA compliance to ensure that they are adequately protecting the covered entity’s information.
Second, the increasing use of web-based applications for electronic health information management represents not only an opportunity for innovation and progress, but also a threat of increased exposure and liability. Transmission of ePHI via the Internet enables healthcare organizations to better treat and engage patients, and helps facilitate the beneficial exchange of medical information among providers. Utilized properly, this electronic network improves healthcare and makes its delivery more efficient. However, as the electronic network of patients and providers continues to grow, it becomes a more valuable and data-rich target for hackers. This means that covered entities and business associates participating in any given electronic network are exposed to potential hazards that may impact individuals in multiple states, and are subject to multiple state and federal laws and threats of enforcement action. Consequently, attention to data privacy and security must grow in scale with the size of the network managing the highly-regulated information.
Finally, the federal suit and settlements show that states are willing to utilize and combine their resources and efforts nationwide to hold health industry participants accountable for compliance with both federal and state laws when it comes to data protection and health information privacy. As already noted, electronic networks transmitting health information are growing. This growth means the activities of healthcare entities will reach more and more patients, which means handling highly-regulated information in more and more states. With the no-longer-theoretical prospect of multistate enforcement actions, it is essential that covered entities and business associates take measures to comply with HIPAA and applicable state laws wherever their businesses are conducted.
State Law Liability for Failure to Protect Confidentiality of Medical Records
As noted above, HIPAA is a federal statute providing for confidentiality of health and medical records under certain circumstances. HIPAA is administered by the federal Department of Health and Human Services (“HHS”), which can impose substantial fines for non-compliance. However, HIPAA provides no private, federal cause of action for a patient to sue a healthcare provider or business directly for damages.
If an HHS-OCR investigation concludes there was a possible criminal violation, OCR will forward the matter to the U.S. Department of Justice. If there’s a determination that a non-criminal violation occurred, the OCR will seek voluntary corrective action or will issue a formal finding of violation. OCR may impose civil monetary penalties as part of a negotiated resolution or file suit for damages. And, as noted above, penalties or damages for violating HIPAA can run into the millions of dollars. However, monetary penalties for such violations are paid to HHS, not to any injured individual or patient.
Nevertheless, alleged HIPAA violations may be remedied in state court under state tort or contract law as well. Although HIPAA does not provide a private right to sue for HIPAA violations, healthcare providers, businesses and business associates should bear in mind that remedies for non-compliance are not necessarily limited to federal agency fines or damages.
Recent state court decisions demonstrate this dual-liability-exposure reality. For example, in one state court case, a plaintiff-patient alleged that a healthcare provider mistakenly gave his records to another individual. The plaintiff-patient sued the provider to recover damages under a variety of state law theories, including negligence based on a state law duty of care informed by HIPAA.
The appellate court explained that although the negligence claim did not arise under HIPAA, the provider owed the plaintiff a state law duty of care to act as a reasonably prudent healthcare provider would under the circumstances. The court then found that the allegations in the complaint for wrongful disclosure of protected information were sufficient to survive a motion to dismiss, and allowed the case to proceed into discovery and perhaps trial phases.
Notably, the provider tried to argue that HIPAA preempted all such state law claims. But the court rejected that preemption argument, reasoning that allowing state law claims in this context does not interfere with government enforcement actions authorized by HIPAA. The court stated that “additional state law remedies encourage compliance with HIPAA by providing further means for patients to recover for harm suffered due to non-compliance.” The court concluded: “[W]e hold HIPAA’s requirements may inform the standard of care in state-law negligence actions, just as common industry practice may establish an alleged tortfeasor’s duty of care.” The court also kept alive a related punitive damages claim.
In another state case, the appellate court held that a patient may pursue her negligence claim against a hospital for improperly disclosing her medical information. In that case, the plaintiff-patient argued that the hospital violated its duty to protect the privacy, security and confidentiality of her health records, when it allowed the plaintiff’s employer to receive digital images of her X-rays without her consent. While acknowledging that HIPAA does not provide a private right of action, the patient argued that the statute could be used to establish the standard of care in a common law negligence action, and the court agreed.
To ensure that litigants don’t make an end-run around the lack of a private right of action under HIPAA, the court said there must first be an underlying common law duty. But the court noted that medical providers owe a duty of confidentiality to their patients. And, having found a common law duty, the court had “little trouble” holding that HIPAA and its implementing regulations could inform the standard of care in tort claims related to alleged breaches of the duty of confidentiality owed by medical providers to their patients.
The takeaway from these and other state cases is that alleged HIPAA violations may be remedied by state lawsuits in addition to HHS fines. While the case law to date makes it clear that individuals cannot bring a case based solely on violations of HIPAA, claims related to privacy of health information may still be viable under state law.
Certain states (including Georgia) have privacy laws creating private causes of action in tort or negligence. So, while an individual plaintiff bringing claims solely for violations of HIPAA almost certainly will fail in federal court, healthcare providers and businesses are not necessarily off the hook for liability to individuals for health information privacy violations under state law theories.
A patient may be able to bring a civil lawsuit for violation of Georgia’s state medical records disclosure law, or under Georgia’s invasion of privacy or negligence law, for example. And personal medical records are protected by Georgia’s constitutional right to privacy also. Other state law theories of recovery for unauthorized disclosures include breach of contract (or an implied contract) for confidentiality, and intentional infliction of emotional distress.
The challenge to successfully waging these types of claims is that a patient must show documented and provable damages — that is, specifically and quantifiably how he or she was harmed by the disclosure or release of information. Examples of documented losses include medical or counseling bills, credit protection or identity theft insurance, costs related to stolen identity, lost pay for time off, and other expenses that resulted directly from the breach of the patient’s privacy. But if the required elements can be established, a healthcare provider or business may be liable for damages under state law, regardless of whether HHS-OCR found a HIPAA violation.
Frequently Asked Questions About Medical Records
Common questions physicians and medical groups have about medical records, and answers provided by the Medical Association of Georgia, include the following:
Can a physician withhold a patient’s medical record for a past due balance for services rendered?
No, medical records should not be withheld for any reason. AMA E-3.3.1 (See also: https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html; and https://www.hhs.gov/about/news/2019/09/09/ocr-settles-first-case-hipaa-right-access-initiative.html.)
Physicians (or other providers) must furnish a complete and current copy of a patient’s medical record to the patient or to a person authorized (by the patient) to have access to the medical record under an advance directive or durable power of attorney. O.C.G.A. § 31-33-2
Can a physician withhold a patient’s record until the patient pays for copies of the records?
Yes, a physician may require payment for the costs of medical records prior to providing them to the patient. O.C.G.A. § 31-33-3 (See also the HHS webpages cited above.)
How quickly must a physician release requested medical records?
A physician must provide medical records to a patient within 30 days of the receipt of a records request. O.C.G.A. § 31-33-2
A covered entity must act on a request for access to medical records within 30 days. A physician must either grant access to medical records or give a justified denial of access within 30 days of receipt of the request for release. HIPAA – 45 CFR § 164.524(b)(2) (See also the HHS webpages cited above.)
How long must a physician retain medical records?
A physician must retain medical records for at least 10 years. This does not apply to an individual provider who has retired or sold his or her practice if the provider has notified the patient of retirement/sale and offered to provide the patient’s record to another provider of the patient’s choice and, if requested, to the patient. O.C.G.A. § 31-33-2
What must a physician do with medical records upon retiring or selling a practice?
In Georgia, a physician is required to maintain a patient’s complete treatment records for at least 10 years from the date of the patient’s last office visit. O.C.G.A. § 31-33-2
These requirements do not apply to a physician who has retired or sold his or her medical practice if…
- The physician has notified his or her patients of retirement or sale of practice by mail – offering to provide the patient’s records to another provider of the patient’s choice and, if requested, to the patient.
- The physician has published a notice – containing the date of retirement or sale – that offers to provide the patient’s records to another provider of the patient’s choice and, if requested, to the patient.
- The physician has posted a sign announcing retirement or sale of the practice. The sign must be placed 30 days prior to retirement or sale of the practice and must remain posted until the date of retirement or sale.
- The physician has placed both the notice and sign required by Ga. Medical Board Rule 360-3-.02(16)(c) and has advised patients of their opportunity to transfer or receive their records.
A physician should always seek advice from their private counsel or their malpractice insurance carrier. Ga. Medical Board Rule 360-3-.02
“A patient’s records may be necessary to the patient in the future not only for medical care but also for employment, insurance, litigation, or other reasons. When a physician retires or dies, patients should be notified and urged to find a new physician and should be informed that upon authorization, records will be sent to the new physician. Records which may be of value to a patient and which are not forwarded to a new physician should be retained, either by the treating physician, another physician, or such other person lawfully permitted to act as a custodian of the records. The patients of a physician who leaves a group practice should be notified that the physician is leaving the group. Patients of the physician should also be informed of the physician’s new address and offered the opportunity to have their medical records forwarded to the departing physician at his or her new practice location. It is unethical to withhold such information upon request of a patient. If the responsibility for notifying patients falls to the departing physician rather than to the group, the group should not interfere with the discharge of these duties by withholding patient lists or other necessary information.” AMA E-7.03; see also https://www.privatepracticepreparedness.com/content/american-medical-association-ama
Does a physician have to give medical records to a third party without a subpoena or court order?
No, a physician should not release a patient’s medical records to a third party without a proper release by the patient or legally authorized individual in accordance with Georgia law, a court order, a subpoena signed by a judge, or certification that the party has placed the opposing party on notice with opportunity to object. A physician may release medical records if there is no objection from the patient after 20 days.
What should a physician do if a patient steals their own medical records?
HIPAA specifies that the data contained within a medical record belongs to the patient, but the physical form containing the data belongs to the entity responsible for maintaining the record (i.e., the physician). If a patient takes medical records without permission and will not return them upon request, the act should be treated as a normal theft and the physician should contact the police.
Does a physician have to keep a paper copy of electronically stored medical records?
No, a provider is not required to maintain separate paper copies of electronically stored records. O.C.G.A. §31-33-8(b)
Do the same laws that apply to paper copies apply to electronic medical records?
Yes, all provisions of Chapter 33 of Title 31 of the Georgia Code, including fees, apply to electronic medical records. O.C.G.A. § 31-33-8(c)
What happens to my patients’ medical records when I leave a group?
Medical records belong to the practice. Unless your employment agreement provides otherwise, you may be able to notify patients that you are leaving the practice and notify them of your new address. However, you should be very clear about what you are allowed to do regarding notification of patients when leaving the practice. It is recommended that you discuss and negotiate the process by which you will exit the practice. Request the right to notify your patients of your departure, of your new address, and of how to contact you at your new location.
Patients are not prohibited from requesting that their medical record be forwarded to another physician, but a physician should be careful to avoid a breach of an employment agreement or a breach of privacy or patient confidentiality in accessing, copying, or taking patient records. AMA E-7.03; see also https://www.privatepracticepreparedness.com/content/american-medical-association-ama
Can a physician release a patient’s medical records and health information to an insurance company or third-party payer without the patient’s consent and/or knowledge?
Yes. The amended HIPAA Privacy Rule gives health plans and self-insured employers broad authority (“regulatory permission”) to get information without a patient’s consent. Health plans and employers are also authorized to obtain, use and disclose an individual’s health information without their consent for the purpose of:
1. Conducting due diligence that’s related to the sale or transfer of assets;
2. Certain types of marketing;
3. Business planning and development;
4. Business management and general administrative activities; and
5. Underwriting, premium rating and other activities relating to the creation, renewal or replacement of a contract of health insurance (45 CFR 164.501)
Medical practices are also required to provide every patient with a notice that lets them know how their personal health information will be used and disclosed. (45 CFR 164.520) See https://www.mag.org/georgia/Public/Resources/Medical_Records.aspx.
How We Can Help & Services We Provide
We advise and assist healthcare providers, mobile app developers and other health-related businesses in implementing the measures necessary to comply with the complex requirements imposed on healthcare providers and their vendors by the HIPAA Privacy and Security Rules and the HITECH Act, as well as by state privacy laws and regulations. Our services include:
- Advice and legal assistance in connection with protecting the confidentiality of patients’ medical records and PHI.
- Drafting and negotiating Business Associate Agreements and Subcontractor BAAs from Covered Entities’, Business Associates’ and Subcontractors’ perspectives.
- Assisting both healthcare providers and healthcare vendors in integrating requirements of the security and privacy rules in their operational documents.
- Providing advice, guidance and assistance to clients as they conduct privacy and security assessments and audits, develop compliance plans, and implement policies, procedures and forms for compliance.
- Advising and assisting clients as they choose appropriate consultants to help them prepare, improve and implement necessary policies and procedures, and respond to audits.
- Assisting on incident response and breach reporting, including counseling on OCR compliance reviews, HIPAA audits or other government investigations.
- Representing healthcare clients in legal actions alleging violations of federal or state privacy laws or regulations.
Our law firm is experienced in counseling and assisting healthcare clients regarding medical privacy and security matters in a cost-effective manner. We have broad experience counseling clients regarding how they can meet the requirements of the various federal and state privacy and security rules in their day-to-day business activities. And we can assist if a legal action is brought alleging a violation. Please call or email us if you wish to schedule a consultation.