Texas Expands and Redefines HIPAA

The fact that HIPAA traces its origins back to 1996, seems almost insignificant. In fact, in the various presentations I have seen or participated in that begin with the history of HIPAA, my general reaction is – why bother, who cares about its origins.

However, I can identify one particular point about HIPAA’s origins that is of current interest.

The origins of HIPAA and the privacy of patient records began at a time when the digital world was relatively in its infancy, and the general focus of the law was on paper records.  The HITECH component was later added in an attempt to catch up with the then emerging digital technology.

However, HIPAA legislation starts with and focuses on information that is in the possession of a covered entity.

The HIPAA definition of a Covered entity is:

  1. A health plan.
  2. A health care clearinghouse.
  3. A health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter of the Omnibus rule.

Typically, this straightforward definition is meant to mean a doctor or healthcare provider, or the entities referenced in (1) and (2) that by their nature receive or transmit health information. However, there are many other individuals and/or entities that are provided with an individual’s medical records. Obviously, the privacy and HIPAA coverage is extended to Business Associates and subcontractors with the caveat that they are downstream from Covered Entities. Medical information that does not flow from a Covered Entity may be covered by laws regarding the privacy of information, but they would not necessarily be covered by HIPAA, HITECH or the Omnibus Rule.

This gap seems to be mostly attributable to the genesis and development of HIPAA.

Based on the general understanding of HIPAA and its definition of a “Covered Entity” a plaintiff’s personal injury law firm that came into possession of its client’s medical records would not be subject to HIPAA. While the attorney might be subject to other restrictions on the privacy of legal records, as a general proposition those rules are not as restrictive as HIPAA, do not require a risk analysis, do not require privacy security and breach protocols and do not necessarily have the fines associated with HIPAA violations.

Texas recently passed revisions to the Texas Medical Records Privacy Act which in section 181 incorporates HIPAA but broadens the definition of a covered entity as follows:

“Covered entity” means any person who:

(A) for commercial, financial, or professional gain, monetary fees, or dues, or on a cooperative, nonprofit, or pro bono basis, engages, in whole or in part, and with real or constructive knowledge, in the practice of assembling, collecting, analyzing, using, evaluating, storing, or transmitting protected health information. The term includes a business associate, health care payer, governmental unit, information or computer management entity, school, health researcher, health care facility, clinic, health care provider, or person who maintains an Internet site;

(B) comes into possession of protected health information;

(C) obtains or stores protected health information under this chapter; or

(D) is an employee, agent, or contractor of a person described by Paragraph (A), (B), or (C) insofar as the employee, agent, or contractor creates, receives, obtains, maintains, uses, or transmits protected health information.

It seems that based on the expanded definition, Texas plaintiff’s personal injury attorneys would be subject to the additional requirements and/or restrictions and increased fines. Obviously, this expanded definition goes well beyond plaintiff’s personal injury attorneys. Examples might be cloud-based storage companies that become subject to the Texas law, software applications that store and/or utilize an individual’s medical records supplied directly by the individual, and the list goes on.

There may be other state laws which further expand the requirements of individuals or entities that possess ePHI, however these additional states are beyond the scope of this post.

Obviously, it is important to carefully read the Texas statute in its entirety, and understand its applicability on a case specific basis. However there is very little doubt that it dramatically expands the people and/or entities that are subject to HIPAA equivalent analysis, safeguards, and protection of ePHI and ePHI.

In addition, the importance of reviewing individual state laws is becoming more important and raises the question if the federal government will broaden the applicability of the current Omnibus Rule.

What do you think?


DISCLAIMER – This post and the analysis submitted are not a legal conclusion and should not be construed as such but are presented for discussion and informational purposes.

I am not admitted to practice in the state of Texas, I am not certain that my analysis is correct under Texas law, and invite any practitioners who disagree with my analysis to comment and explain why this analysis is incorrect. As always, legal advice and training should be obtained from licensed professionals within the jurisdiction. This post and the analysis submitted are not legal conclusions and should not be construed as such but are presented for discussion and informational purposes.


HIPAA – Critical Hypocrisy or Critical to the Operation of Government


In reviewing the various reports of HIPAA breaches as a subset of the almost every day occurrence of significant data breaches, and the recent reports of significant data breaches of information that is either entrusted to the government (e.g. medical and/or credit information) or information that the government is both logically and legally responsible for safekeeping, there seems to be a significant disconnect. With respect to HIPAA, the current regulatory environment seeks a very high level of compliance with significant fines and governmental interventions in the case of a breach, but when the government drops the ball, the most we can expect is OOPS, and maybe not even that.

Without going through the litany of recent governmental breaches, I will highlight the White House’s recent confirmation that the Office of Personnel Management suffered a SECOND cyber attack in which the data of 4.2 million Federal employees was stolen. In addition, the April 2015 report of the Office of Inspector General (OIG) reported the results of its audit of the security controls of the Department of Health and Human Services (HHS) which identified numerous deficiencies.

Imagine a father heartily puffing on a cigar, and a mother vigorously inhaling the smoke from her cigarette lecturing their teen about the dangers of smoking, while at the same time (in the name of proper parenting skills) advising their child of the consequences they would administer if their child began smoking. I imagine that at least to some, this scene would seem somewhat hypocritical.

I fully understand that there must be limitations on the ability for private citizens to sue the government and/or its employees carrying out governmental functions (sovereign immunity), but the real question is the propriety of placing standards on private industry before one cleans up one’s own house.

You may find this to be HIPAA-Critical (hypocritical)or you may feel that there is a critical need for the protections that HIPAA mandates and therefore, immunity and consequence free breaches are appropriate.

Irrespective of the answer, to the extent we can trust the government with private medical information (PHI) for its healthcare exchange, and to the extent that, at some level, the government may be competing with medical providers (e.g. various forms of Medicaid) is it appropriate to have two standards?

What do you think?

HIPAA and the Law of Unintended Consequences


Identity theft is so prevalent that we are almost desensitized to its effects – unless of course we’re speaking about its victims who are left with the unenviable task of sifting through the rubble and trying to re-create their medical and/or credit identities. What is surprising is that the very laws that were enacted ( HIPAA etc. ) to protect patient privacy hinder the victims of medical/identity theft from accessing THEIR OWN medical records. The Wall Street Journal had an illuminating article regarding the rise of medical/identity theft ( How Identity Theft Sticks You With Hospital Bills ). There is no way to offer absolute protection under all circumstances. I am reminded of the tragedy that occurred when the captain and flight attendants could not gain access to the cabin of a German Wings flight, because the cabin was virtually impregnable as a safety measure against terrorists. The very measures that were put into effect to protect the passengers were the ones that ultimately cost them their lives. We cannot totally escape the Law of Unintended Consequences, but in making rules or drafting laws it is helpful to be aware of the potential for looming risks.

How Much Does a Data Breach Cost in Dollars and Cents?

Online Security

In my last few posts, I wrote about causes of HIPAA breaches and the possible course of a compliance agreement. ( “The Most Detailed and Costly Compliance Agreement You Are Ever Likely to See” , “Seven Noteworthy HIPAA Breaches & the Recent Enforcement Actions” , “The Seven Most Likely Causes of Major HIPAA Breaches” , “The Five Most Likely Types of Major HIPAA Breaches” ) A basic question though is how much does a data breach cost in dollars and cents?

I am reasonably certain that as with all statistical matters, depending on how you skew the numbers, there can be vastly different results. I recently came across a report by the Ponemon Institute/IBM dated May 2015, which deals with global data breaches (not restricted to healthcare and/or HIPAA breaches) which I believe is both timely and highly informative.

Some of the key findings of this report indicate that there has been a 23% increase in the total cost of data breaches since 2013 (understanding that this 2015 report represents 2014).

The simple study of 350 companies dealt with data breaches. The average cost of a breach increased from $3.52 to $3.79 million during a one year period.

An interesting finding was that 79% of C-level US and UK executives surveyed said that executive level involvement is necessary to achieve an effective incident response to a data breach and 70% believe that board level oversight is critical. The reason I point out this factoid is that too many small to medium companies approach HIPAA compliance (which to me is really a subset of the need for data security) with the belief that outsourcing compliance is enough.

All of the participating companies experienced a data breach ranging from a low of approximately 2,000 to slightly more than 100,000 compromised records. For the purposes of this study, a compromised record was one that identified the individual whose information was lost or stolen in a data breach. A breach was defined as an event in which an individual’s name plus a medical record and/or financial record or debit card is potentially put at risk. (Obviously, the report did not deal with the 19 identifiers relating to HIPAA.)

Malicious or criminal attacks were 47% of the root causes as opposed to 42% a year earlier, and similarly the report shows an increased cost from $159 to $170 per record. The cost is highest in the United States, with an average of $230 per record.

The smaller the breach the greater the likelihood, and apparently, the higher the cost per record.

Costs relating to detection increased as well from $0.76 million to $0.99 million. The costs included forensic and investigative activities, assessment and audit services, crisis team management and communications to executive management and board of directors.

The cost of the data breach ranges by industry, and while the average is $154, the average cost for a healthcare organization is $363.

The cost can vary based on the initial safeguards put in place.

While notification costs are relatively low, the cost associated with lost business is increasing.

The general attitude of NIMBY (Not in my backyard) seems to be a common mindset with small to medium Covered Entities (CEs) and/or Business Associates (BAs) – this only happens to the other guy. The threat of a data breach is real.

In communication I had with the FBI Cyber Crime and US Attorney prosecutors, the question they pose is not IF you will have a breach, but rather WHEN you will have a breach. The key is preparation and implementing safeguards.

When virtually every company surveyed had a breach of some size, it is fair to assume that this mindset (even absent the significant regulatory issues) is misguided.

Seven Noteworthy HIPAA Breaches & the Recent Enforcement Actions


The following unlucky seven were subject to substantial fines. The costs associated with defending the audit, negotiating the settlement and the cost of implementing the invariable forward-going consent agreements/corporate action plans (CAP), however, are separate and above (and often higher) than the reported fine.

These cases range from relatively small to admittedly large breaches, from the unlikely event to situations that could happen to any entity without implementation of well thought out and vigorously monitored policies and procedures.

In my next post, I will detail one of the most burdensome consent agreements I have ever seen, namely, the Corporate Integrity Agreement between the Office of Inspector General of the Department of Health and Human Services and Nason Medical Center.

It is evident that the ever increasing enforcement of HIPAA and the Omnibus Rule, as well as both the increased use of electronic data and the commonplace reports of mass data breaches are forcing Covered Entities (CE) and their business associates (BA) to increase the resources dedicated to compliance with the Omnibus Rule.

1. Cornell Prescription Pharmacy ($125,000)

The Denver compounding pharmacy will pay this fine after HHS learned of the potential HIPAA violations from a television news report that PHI was improperly disposed of after a garbage dumpster with un-shredded PHI was discovered. Cornell also agreed to develop and implement a comprehensive set of policies and procedures to comply with HIPAA rules, and to provide staff training. OCR Director Jocelyn Samuels stated that “Regardless of size, organizations cannot abandon protected health information or dispose of it in dumpsters or other containers that are accessible by the public or other unauthorized persons.”

2. Anchorage Community Mental Health Services, Inc. ($150,000)

Malware compromised the security of ePHI due to a failure to update software patches as well as unsupported software.

HHS Office for Civil Rights (OCR) received notification from ACMHS, a non-profit, regarding a breach of unsecured electronic protected health information (ePHI) affecting 2,743 individuals due to malware compromising the security of its information technology resources. It was later determined that ACMHS had not timely installed patches to its software as mandated by its very own policies and procedures. The takeaway is that entities are not only required to follow the regulations, but they are also being held accountable for compliance with their own policies and procedures.

3. Parkview Health System ($800,000)

OCR opened an investigation after receiving a complaint from a retiring physician alleging that Parkview had violated the HIPAA Privacy Rule. In September 2008, Parkview took custody of medical records pertaining to approximately 5,000 to 8,000 patients while assisting the retiring physician to transition her patients to new providers, and while considering the possibility of purchasing some of the physician’s practice. On June 4, 2009, Parkview employees, with notice that the physician was not at home, left 71 cardboard boxes of these medical records unattended and accessible to unauthorized persons on the driveway of the physician’s home, within 20 feet of the public road and a short distance away from a heavily trafficked public shopping venue. Parkview entered into a one year corrective action plan without admission of any wrongdoing.

4. NY Presbyterian Hospital and Columbia University Medical Center ($4.8 million)

An investigation revealed that a breach was caused when a physician employed by Columbia University Medical Center who developed applications for both New York Presbyterian Hospital and CU attempted to deactivate a personally-owned computer server on the network containing NYP patient ePHI. The noteworthy point is that it seems that the person who caused the breach had all the right intentions but the result was catastrophic.

Because of a lack of technical safeguards, deactivation of the server resulted in ePHI being accessible on Internet search engines. The entities learned of the breach after receiving a complaint by an individual who found the ePHI of the individual’s deceased partner, a former patient of NYP, on the Internet. Another noteworthy point is that knowledge of a breach is often only discovered by the breaching entity after receiving reports from third parties. This general situation was confirmed to me by an FBI cybercrime agent.

In addition to the impermissible disclosure of ePHI on the Internet, OCR’s investigation found that neither NYP nor CU made efforts prior to the breach to assure that the server was secure and that it contained appropriate software protections. Moreover, OCR determined that neither entity had conducted an accurate and thorough risk analysis that identified all systems that access NYP ePHI. As a result, neither entity had developed an adequate risk management plan that addressed the potential threats and hazards to the security of ePHI. Lastly, NYP failed to implement appropriate policies and procedures for authorizing access to its databases and failed to comply with its own policies on information access management.

NYP has paid OCR a monetary settlement of $3,300,000 and CU paid $1,500,000, with both entities agreeing to a substantive corrective action plan which includes undertaking a risk analysis, developing a risk management plan, revising policies and procedures, training staff and providing progress reports.

5. Concentra Health Services ($1,725,220)

OCR opened an investigation following a reported breach that an unencrypted laptop containing the ePHI of 870 individuals was stolen from one of its facilities, the Springfield Missouri Physical Therapy Center.

The investigation found that Concentra had previously recognized, in multiple risk analyses, that a lack of encryption on its laptops, desktop computers, medical equipment, tablets and other devices containing electronic protected health information was a critical risk. While steps were taken to begin encryption, Concentra’s efforts were “incomplete and inconsistent over time,” according to an HHS press release, leaving patient PHI vulnerable throughout the organization.

Essentially, Concentra did not sufficiently implement policies and procedures to prevent, detect, contain, and correct security violations under the security management process standard when it failed to adequately execute risk management measures to reduce its identified lack of encryption to a reasonable and appropriate level from October 27, 2008, (date of Concentra’s last project report indicating that 434 out of 597 laptops were encrypted) until June 22, 2012 (date on which a complete inventory assessment was completed and Concentra immediately took action to begin encrypting all unencrypted devices).

Concentra did not make any admissions of liability but entered into a CAP – corrective action plan.

6. Adult & Pediatric Dermatology, P.C. ($150,000)

An investigation of Adult & Pediatric Dermatology was initiated upon receiving a report that an unencrypted thumb drive containing the electronic protected health information (ePHI) of approximately 2,200 individuals was stolen from a vehicle of one its staff members. The thumb drive was never recovered. The investigation revealed that A&P Derm had not conducted an accurate and thorough risk analysis as part of its security management process. Further, it did not fully comply with requirements of the Breach Notification Rule to have in place written policies and procedures and train workforce members. It did not admit liability and entered into a CAP. The takeaway is that the use of thumb drives to store ePHI is inherently problematic and the use of unencrypted storage devices is courting disaster.

7. Affinity Health Plan, Inc. ($1,215,780)

OCR’s investigation indicated that Affinity impermissibly disclosed the protected health information of up to 344,579 individuals when it returned multiple photocopiers to a leasing agent without erasing the data contained on the copier hard drives. In addition, the investigation revealed that Affinity failed to incorporate the electronic protected health information stored in copier’s hard drives in its risk analysis as required by the Security Rule, and accordingly failed to implement policies and procedures when returning the hard drives to the companies from whom it leased its copiers. Affinity did not admit liability and entered into a short term CAP. The takeaway is the required scope, detail and individual nature of the required risk analysis.


About Mendel Zilberberg:

An attorney, visionary and entrepreneur admitted to practice in New York, New Jersey and Florida who has represented and counseled clients with nationwide interests in many areas of the healthcare arena.

The use of ePHI is growing exponentially, the likelihood of a breach is ever increasing, and the regulating authorities are ramping up their audit/enforcement programs. Covered Entities (CE) and Business Entities (BA) must understand the importance of maintaining the integrity of ePHI, compliance with the relevant regulations as well as thoroughly understand the potential consequences for non-compliance.

The Seven Most Likely Causes of Major HIPAA Breaches

Computer Security

While it is important to comply with all of the mandates of the Omnibus Rule, I think it is instructive to know from where the most vulnerable areas of breach of PHI arise.

In a recent presentation to a limited number of attorneys in which I participated, an investigator for the Office for Civil Rights (OCR) advised that with respect to breach notification of major HIPAA breaches (those in which the PHI of 500+ individuals had been disclosed), as of February 27, 2015, OCR’s records indicate that the following were the percentages attributable to the causes/circumstances for those breaches:

  1. Paper records 22%
  2. Laptop 21%
  3. Desktop computer 12%
  4. Network server 12%
  5. Portable Electronic device 11%
  6. Email 7%
  7. EMR 4%
  8. Other 11%

The Five Most Likely Types of Major HIPAA Breaches


While it is important to comply with all of the mandates of the Omnibus Rule, I think it is instructive to know from where the most vulnerable areas of breach of PHI arise.

In a recent presentation to a limited number of attorneys in which I participated, an investigator for the Office for Civil Rights (OCR) advised that with respect to breach notification of major HIPAA breaches (those in which the PHI of 500+ individuals had been disclosed), as of February 27, 2015, OCR’s records indicate that the following were the percentages attributable to the types of breaches:

  1. Theft 51%
  2. Unauthorized Access/Disclosure 19%
  3. Loss 9%
  4. Hacking /IT Incident 7%
  5. Improper Disposal 4%
  6. Other 9%
  7. Unknown 1%

HIPAA Audits – Imagine Tax Payments without IRS Audits


We can probably all agree that no one (except possibly accountants) looks forward to an IRS audit. At its most elemental level, there is virtually no upside, a possible downside and a deep feeling that, at best, it will disrupt our lives.

HIPAA audits are essentially no different.

One major difference is that for almost all taxpayers, the idea and the real possibility of an audit existed when they filled out their tax returns. With respect to HIPAA, initially enacted approximately 20 years ago, there was (and, in some cases, still is) some mental block or disconnect regarding audits, penalties, and fines for noncompliance — choose one.

For a little historical background, HIPAA was enacted as a broad Congressional attempt at healthcare reform; it was initially introduced in Congress as the Kennedy-Kassebaum Bill.  The landmark Act was passed in 1996 with two objectives.

  1. One was to ensure that individuals would be able to maintain their health insurance between jobs. This is the Health Insurance Portability part of the Act. Because of its successful implementation, it has become “part of the system” and does not get much coverage.
  2. The second part of the Act is the “Accountability” portion. This section is designed to ensure the security and confidentiality of patient information/data.

Over the years, there have been many additions, clarifications and new portions added to this legislation. All of the changes and details are far beyond the scope of this post; that said, I will list a few.

HIPAA Requirements – Security
Compliance Date – April 20, 2005

The HIPAA Security Rule became effective on April 20, 2005. The Security Rule standards define how we are to ensure the integrity, confidentiality, and availability of our patients’ electronic protected health information (ePHI). The Security Rule requires that we have administrative, physical and technical safeguards for protecting ePHI.  Some (but clearly not all of the ) examples are:

Administrative Safeguards:

  1. Assigning or delegating security responsibility to an individual – Chief Security Officer.
  2. Training workforce members on security principles and organizational policies/procedures.
  3. Terminating workforce members’ access to information systems.
  4. Reporting and responding to security incidents.

Physical Safeguards:  mechanisms to protect electronic systems, equipment and the data they hold from threats, environmental hazards and unauthorized intrusion.

  1. Limiting physical access to information systems containing ePHI (i.e. server rooms).
  2. Preventing inappropriate viewing of ePHI on computers.
  3. Properly removing ePHI from computers before disposing or reusing them.
  4. Backing up and storing ePHI.

Technical Safeguards:  automated processes used to protect data and control access to data.

  1. Providing users with unique identifiers for accessing ePHI.
  2. Accessing ePHI during an emergency.
  3. Encrypting ePHI during transmission.
  4. Automatically logging off users after a determined time period.

Patient Privacy/Security and Technology
As we use technology to improve patient care, we are faced with additional challenges to protect patient information from unauthorized use and disclosure.

In February 2009, the Health Information Technology for Economic and Clinical Health Act (“HITECH”) was enacted as part of the American Recovery and Reinvestment Act of 2009 (“ARRA”). HITECH makes significant changes to HIPAA’s administrative simplification provisions pertaining to privacy and security, including notifying individuals (and in some instances, media outlets) when there has been a privacy/security breach.

Previously, covered entities (healthcare providers, health plans and healthcare clearinghouses) were obligated to mitigate harm caused by unauthorized disclosures of protected health information (“PHI”), but not required to give notice to the individuals whose information was inappropriately disclosed. With HITECH, covered entities and business associates are required to notify individuals when security breaches occur with respect to “unsecured” information. Unsecured information means information not protected through technology or methods designated by the Federal government. In addition, if the breach involves 500 or more individuals, notice to the U.S. Department of Health and Human Services and the media is also required. Depending on the number of people affected by the breach, the time to report the breach changes as well.

While very large healthcare providers have been forthcoming with respect to breach notification, and other providers have been caught when information was breached, we have not yet really had an audit process that would significantly motivate medical providers (especially smaller organizations) to deal with these laws/regulations with the same attention they might give their tax returns. It is only natural that people act based on the consequences of their actions. That is not to say that we should not take the laws seriously, but human nature is still human nature. If I am wrong, the IRS would have no need to audit taxpayers.

To that end, a pilot program was initiated to develop protocols and evaluate HIPAA COMPLIANCE of 115 covered entities. In addition, the methodologies employed in ascertaining compliance were also audited for their effectiveness. In the fourth quarter of 2011, 20 covered entities were selected and received a letter requesting documents, and thereafter on-site reviews began in the first quarter of 2012.

The audit protocol is available at


Subsequently, more entities were audited, and the result of the phase one findings (in this case, findings are not good) showed that approximately 11% of the 115 entities had no findings.  The 11% were comprised of two providers, two clearinghouses and nine health plans.

Additionally, 60% of the findings related to security, which were more than privacy and breach notification findings. This is actually reasonable considering that every entity has security obligations but not every entity has a breach or a breach notification issue. The same rationale applies to privacy issues.

Providers had 65% of the findings and observations although they were only 53% of the entities reviewed.

The frightening part is that the smaller entities had issues with everything.

With respect to security, two-thirds of the entities did not have complete or accurate risk assessments. The other problem areas for providers ran the gamut of issues.

In cases where there were breaches, notification to individuals was the biggest issue.

What we can expect in 2015?

OCR will contact approximately 550 to 800 covered entities for pre-audit surveys; it will use the survey results to select 350 covered entities for an audit. Those entities will have to identify their business associates and provide contact information, at which point OCR will select business associates for audit.

OCR plans to conduct on-site audits as well as desk audits which will be presumably staffed by OCR.

Entities will have two weeks to respond to data requests. All information submitted must be current as of the date of the request. Therefore, after an entity receives a request, it should not then begin to review and update its HIPAA policies and practices. Failure to respond to the request may lead to referral for a compliance review.

It is difficult to know how quickly this will be rolled out in 2015.

There are many entities that should be preparing themselves, as there are many law firms, consultancies and other entities that are gearing up to provide assistance to (virtually) the full vertical of medical coverage that could be subject to this ever-increasing audit regimen.

From a practical perspective, the more audits, the more fines, the more money, the greater expansion of audits.

A word of caution — this article is not meant to offer any legal advice, does not represent the totality of legal/regulatory requirements, the scope of the audits, compliance or remedial measures that entities should take.  In addition there may be state laws and regulations that come into play.

The real concern is that the smaller practices or covered entities may be caught totally off guard. These laws are an important component of the operations of these entities. In sum, it is the new reality.


There are a number of events that recently occurred which, taken together, should make any individual or any company that is subject to an “associate agreement” or any “covered entity” possessing PHI, (as well as their respective attorneys) take pause.

1. Anchorage Community Mental Health Services (ACMHS) notified OCR regarding the breach of unsecured PHI relating to malware that compromised the security of its IT systems. The breach affected 2,743 individuals. Apparently, there was a finding that ACMHS had adopted security rules, policies and procedures in 2005, but based on its Resolution Agreement with the government, it was found that ACMHS failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities as to the confidentiality, integrity and availability of its E-PHI. Aside from the various undertakings in the Resolution Agreement, ACMHS is subject to a $150K fine.

2. Sony Pictures Entertainment (SPE), the victim of a cyber-attack, has realized that based on the more than 200 GB of data that has already been released by the hackers, there have been more than 30,000 HR records compromised. Accordingly, Sony has released a notification letter that is extremely broad. The following language was included: “Although [SPE] is in the process of investigating the scope of the cyber-attack, SPE believes that the following types of personal identifiable information that you provided to SPE may have been obtained by unauthorized individuals: (i) name, (ii) address, (iii) Social Security number, driver’s license number, passport number and/or other government identifier, (iv) bank account information, (v) credit card information for corporate travel and expense, (vi) username and passwords, (vii) compensation and (viii) other employment related information. In addition, unauthorized individuals may have obtained (ix) HIPAA protected health information, such as name, Social Security number, claims, appeals information you submitted to SPE (including diagnosis and disability code), date of birth, home address, and member ID number to the extent that you and/or your dependents participated in SPE health plans, and (x) health/medical information that you provided to us outside of SPE health plans.”

HIPAA- HITECH breaches have now moved from allowing employees to improperly access and disseminate PHI, or the loss or theft of a laptop left in a car, to the vulnerabilities that “rich targets” for hackers such as major corporations present. I think it is fair to assume that the hackers’ primary target was not health records.

3. To further supplement the problem, on November 11, 2013, the Connecticut Supreme Court ruled in Byrne v. Avery Center for Obstetrics and Gynecology, P.C. that HIPAA does not necessarily preclude a private action (brought by the victim or victims) for negligence on the part of the covered entity, and that the HIPAA regulations may (at least theoretically) be used in determining the applicable standard of care. Simply stated, the idea of a class action for a single violation of HIPPA, e.g. the loss or theft of a hard drive or thumb drive, or the mass dissemination of one person’s personal information over the internet after that person’s PHI was the subject of a single breach of HIPAA could subject the health provider or their associates to damages that are well beyond anything ever contemplated by HIPAA. In the case of the former, a class action by many thousands of individuals is a real possibility. In the latter case, imagine if the medical records of a single high profile person, e.g. famous executive or actor/actress, was obtained in violation of HIPAA, and then was disseminated on the internet. In either case, the legal fees and damages (as well as the settlement value) could be staggering.

What these three seemingly unassociated issues seem to point towards is that taken together, covered entities and their associates may become responsible for failure to adequately protect their PHI in the event that malware enters their system, or their systems are hacked, at a time when even major corporations that have and use significant resources to protect their data, can be hacked. In addition, the release of HR data which could easily implicate HIPAA could render these entities not only prime targets for hackers, but major marks for class-action or high value negligence lawsuits.

It seems clear to me that the level of vulnerability, responsibility and accountability has recently risen to a higher degree of significance.

© 2019

Theme by Anders NorenUp ↑

Enjoy this blog? Please spread the word :)