What's the Cost of Losing a Laptop? $1.5 Million.

HHS announced today that it resolved a HIPAA security breach matter with two Massachusetts providers for $1.5 million.  In compliance with the Breach Notification Rule, the Massachusetts providers reported the theft of an unencrypted laptop containing ePHI.  Lest there be any lingering doubt as to the importance of compliance with the Security Rule, OCR Director Leon Rodriguez stated "In an age when health information is stored and transported on portable devices such as laptops, tablets, and mobile phones, special attention must be paid to safeguarding the information held on these devices . . . This enforcement action emphasizes that compliance with the HIPAA Privacy and Security Rules must be prioritized by management and implemented throughout an organization, from top to bottom.”  In addition to the settlement payment, the Massachusetts providers agreed to a corrective action plan that will be overseen by an independent monitor for the next three years.


Be Smart About Using Your Smart Phone in Practice: Understand and Manage the Risks Involved in Using Smart Phones and Tablets in Medical Practice

Thousands of people lose or have their smart phones and other portable devices stolen every day. While most people worry only about the irritation of replacing their phone in such a situation, when a health care professional loses a portable device containing patient information, the irritation of replacing the phone is the least of their worries. With the government handing out million dollar plus penalties for the mistreatment of patient information, now is the time to ensure your practice is best positioned to deal with the inevitable loss of a smart phone.

To view the presentation slides from speakers Erin McAlpin Eiselein, Partner at Davis Graham & Stubbs LLP, and Dr. Marion Jenkins, CEO of QSE Technologies, which were presented last Thursday, July 14th, at a seminar and cover best practices for health care providers who use smart phones and tablets in their medical practice, please click here. Learn how to minimize risk and avoid potential liability under the federal and state privacy and security laws so that the loss of a phone does not turn into the loss of your practice.

First Lawsuit By State AG Under HITECH

Let the age of HIPAA lawsuits begin.  Yesterday, the Connecticut Attorney General sued Health Net of Connecticut, Inc. for a security breach involving patient medical and financial records.  This is the first state enforcement action against a covered entity for a HIPAA violation since HITECH extended enforcement ability to the state attorneys general.  It serves as a good reminder that covered entities and business associates need to have breach notification policies in place and comply with those policies in the event of a security breach. 

FTC and HHS Issue Breach Notification Rules for Electronic Health Information

As part of the American Recovery and Reinvestment Act of 2009 (the “Recovery Act”), Congress directed the Federal Trade Commission (“FTC”) and the Department of Health and Human Services (“HHS”) to issue rules requiring certain entities to notify consumers if there has been a breach in the security of their personal health information. 

The FTC rule applies to vendors of personal health records, which provide online repositories for storage and tracking of health information, and entities that offer third-party applications for personal health records. These applications could include, for example, a blood pressure cuff whose readings consumers can upload to their personal health record. 

The HHS rule, developed by the Office for Civil Rights (OCR), applies to healthcare providers and other HIPAA covered entities.

Under the rules, those entities subject to either rule must notify consumers if there is a “breach” involving their “unsecured” health information. Additionally, if a service provider or business associate of one of the entities has a breach of its own, it must notify the entity, which in turn must notify consumers.

A “breach” is defined as the unauthorized acquisition, access, use, or disclosure of protected health information, which results in the compromise of the security or privacy of such information.

Entities that secure their electronic health records through encryption or destruction are not required to provide notification in the event of a breach, as long as they follow HHS guidance on the proper methods of securing information. As an accompaniment to its rule, HHS issued an update to its current guidance (PDF) on acceptable encryption and destruction methodologies, which would render sensitive information unusable to unauthorized individuals. The policy on encryption is technical in nature and entities would be well-advised to have their IT consultants carefully review, and as deemed necessary, implement the HHS guidance.

Notification Requirements:  

In the event that a breach is discovered, an entity subject to either the FTC or HHS rule must comply with certain notification requirements, including the timing, method, and content of notification.

    • Timing: A consumer must be notified of a breach to the security of their information “without unreasonable delay” and in no case later than 60 days after the discovery of a breach.
    • Method: Written notification must be provided to the individual via first-class mail at the individual’s last known address, or if the individual agrees, by electronic mail. Where the entity lacks sufficient contact information, a substitute form of  notice “reasonably calculated” to reach the individual must be issued. If the insufficient information involves less than 10 individuals, notice may be made by an alternative form of written information or by telephone. If the entity lacks adequate information for more than 10 individuals, the substitute notice must be placed in a conspicuous posting for a 90-day period, either on the home page of the website of the entity involved, or in major print or broadcast media in areas where the affected individuals are likely to reside.
    • Content: Notice must include, to the extent possible:

1. A description of the types of information that were involved in the breach (e.g., social security number, date of birth, diagnosis);

2. Any steps individuals should take to protect themselves from potential harm that could result from the breach;

3. A brief description of the steps that the entity is taking to investigate the breach, mitigate harm caused by the breach, and to protect against any additional breaches; and

4. Contact information for individuals to ask questions or obtain additional information. This contact information must contain a toll-free telephone number, email address, website, or postal address.

In addition to the above requirements, breaches involving 500 or more people must provide notice to prominent media outlets serving the state or jurisdiction where the breach occurred. 

Finally, entities subject to either rule must provide notification to the FTC (for non-HIPAA covered entities) or HHS (entities covered by HIPAA). The FTC has provided a standard form(PDF) which can be used to report an incident. This form requests information on the type of breach, the manner in which the breach occurred, the information involved, and what steps the entity is taking to investigate the breach.

The FTC final rule(PDF) will be published in the Federal Register shortly, and will be effective 30 days after publication. The FTC will begin enforcement 180 days after publication.

The HHS interim final rule (PDF) is effective 30 days after publication in the Federal Register (which should be sometime in mid-late September) and includes a 60-day comment period.