Finding the Messages to Employers in $1.5M HIPAA Settlement

By Philip L. Gordon

Yesterday’s $1.5M “Resolution Agreement” between Blue Cross Blue Shield of Tennessee (“BCBST”) and the U.S. Department of Health and Human Services (“HHS”), the agency responsible for enforcing HIPAA, is the fourth major settlement announced by HHS in the past 15 months and the third to exceed seven figures. This settlement has several important messages for employers.

Before turning to those messages, here are the key facts as set forth in the Resolution Agreement. BCBST stored, in a network data closet, computer equipment which included servers and 57 hard drives. The hard drives were part of a system that recorded customer service calls and contained the protected health information (PHI) of more than one million participants, including member names, member ID numbers, diagnosis codes, dates of birth, and Social Security numbers. The network data closet “was secured by biometric and keycard scan security with a magnetic lock and an additional door with a keyed lock.” The property management company for the leased space where the network data closet was located provided security services.

After BCBST vacated most of its office space, but while it still leased the space containing the network data closet, thieves stole the 57 hard drives from the closet. The hard drives were not encrypted. BCBST notified HHS of a security breach in accordance with the HITECH Act’s requirements.


California Amends its Security Breach Notification Law

By Ellen M. Giblin

On August 31, 2011, Governor Jerry Brown signed Senate Bill 24, amending California’s security breach notification law. That law was the nation’s first to require data owners to disclose a data breach to any California resident whose unencrypted personal information is reasonably believed to have been acquired by an unauthorized person. Senate Bill 24 applies to breaches occurring on or after January 1, 2012, and makes several important changes to the landmark law.

First, SB 24 enhances the security breach notifications sent to affected individuals. Whereas before the notice law did not impose any requirements for the content of the notice, the amended law requires that the notice contain specific information regarding the breach, including the following: (a) the name and contact information of the reporting person or business; (b) the types of personal information subject to the breach; (c) the date or date range of the breach; (d) whether notification was delayed due to law enforcement investigation; (e) a general description of the breach; and (f) the toll-free telephone numbers and addresses of the three major credit bureaus, if the breach exposed a social security number, driver’s license or California identification card number.


Two Recent Decisions Illuminate for Employers the Broad Contours of ADA Confidentiality vs. the Narrow Boundaries of HIPAA Privacy

By Philip Gordon

Ever since the HIPAA Privacy Rule first went into effect for larger health plans in April 2003, HR professionals and in-house employment counsel have often warned of the proverbial “HIPAA violation” when discussing employee medical information. However, one recent federal decision demonstrates that the greater risk for many employers is a violation of the ADA’s confidentiality requirement, which can protect even false information disclosed by an employee to an in-house physician. The second recent decision highlights a critical limitation on the ADA’s broad confidentiality requirement.

The first case arose out of General Dynamics’ decision to terminate the employment of Guillermo Blanco (Blanco) for failing to disclose his Attention Deficit Hyperactivity Disorder (ADHD) when he responded to the company’s post-offer, pre-hire Medical Surveillance History Questionnaire. According to Blanco’s complaint, the in-house physician with whom Blanco discussed his post-employment request for a reasonable accommodation accused Blanco of failing to disclose his ADHD on the medical questionnaire. Blanco further alleged that the in-house physician discussed Blanco’s allegedly false responses to the questionnaire with management in General Dynamics’ Labor Relations Department. Blanco claimed that General Dynamics terminated his employment as a result of the disclosure. 


Massachusetts Extends Reach of Data Protection Regulations

By Ellen Giblin

The first anniversary of the effective date of 201 CMR 17.00 went by with little fanfare. Then came the Final Judgment by Consent (“Judgment by Consent”) stating that a Boston-based restaurant chain engaged in “unfair or deceptive practices, in violation of Massachusetts General Laws c. 93A, §2” by accepting credit and debit cards from customers at its bars and restaurants after a known breach, yet failing to take reasonable steps to protect the personal information obtained from its patrons as required under 201 CMR 17.00.

In support of its decree, the Judgment by Consent lists basic data security measures that the company failed to implement: (a) failing to change default usernames and passwords on its point-of-sale computer system, (b) allowing multiple employees to share common usernames and passwords, (c) failing to properly secure its remote access utilities and wireless network, (d) continuing to accept credit and debit cards from customers after the company knew that its systems were compromised but had not yet been secured, (e) storing payment card personal information in clear (i.e., unencrypted) text on its servers, and (f) failing to comply with the Payment Card Industry Data Security Standards (“PCI DSS”).


HHS' One-Two HIPAA Penalty Punch Sends a Message to Employers and Providers

By Philip Gordon

Two days after announcing its first-ever HIPAA penalty, a whopping $4.3 million imposed against Cignet Health of Prince George’s County, Maryland, HHS announced that a large Massachusetts hospital had agreed to pay $1 million to avoid a penalty proceeding. Although the hospital did not admit liability and did not pay a penalty, the settlement demonstrates how the significant increase in available HIPAA penalties as a result of the HITECH Act’s enactment has provided HHS with substantial leverage when negotiating a resolution of alleged HIPAA violations. HHS’ settlement with the hospital also is important because it suggests that HHS may not be very forgiving in one area of particularly high risk: the physical removal of protected health information (PHI) from a covered entity’s premises.

The incident that ultimately led to the hospital’s $1 million settlement payment was innocent enough. According to the settlement agreement, which is public, and HHS’ press release announcing the settlement, an employee of the hospital’s outpatient practice took home, for work purposes, paper records containing the PHI of 192 patients, including patients with HIV/AIDS. The settlement agreement states that the “documents consisted of billing encounter forms containing the name, date of birth, medical record number, health insurer and policy number, diagnosis and name of provider of 66 patients and the practice's daily office schedules for three days containing the names and medical record numbers of 192 patients.” On her way into work on the subway, the employee placed the documents, bound by a rubber band, on the seat next to her and forgot them there when she exited the train. The records never were recovered.


Lessons Galore from Eye-Popping $4.3 Million HIPAA Penalty

By Philip L. Gordon

For the nearly eight years since the HIPAA Privacy Rule went into effect in April 2003, the U.S. Department of Health and Human Services (HHS) did not impose a single civil monetary penalty for HIPAA violations. The story behind HHS’ first penalty — a whopping $4.3 million imposed on February 22, 2011, against Cignet Health of Prince George’s County, Maryland (“Cignet”) — is a playbook on how employers and health care providers should not address HIPAA compliance and should not respond to HIPAA complaints. The tale also provides significant insight into how HHS interprets its power under the HITECH Act to determine the amount of a penalty.

According to HHS’ Notice of Proposed Determination (the “NPD”), to which Cignet did not respond, Cignet’s first mistake was its failure to respond to patients’ requests for access to their medical records. The HIPAA Privacy Rule establishes detailed procedures for handling access requests. The NPD does not identify the total number of patients whose requests went unanswered nor does it reveal why Cignet did not respond. The NPD does disclose that 41 patients filed complaints with HHS. The large number of complaints almost surely was a red flag for HHS.

Furthermore, the large number of complaints resulted in a substantial multiplier effect when HHS calculated the penalty of $1.3 million attributable to this aspect of Cignet’s non-compliance. More specifically, HHS found that each day of failing to respond to a request for access after the required time period had expired was a separate violation for each of the 41 complainants.


Agency States Interim Final Rule for Breach Notification Effective Until Further Notice

On August 4, we posted about uncertainty created by the U.S. Department of Health and Human Services' (HHS) decision to withdraw its interim final regulations addressing security breach notification for breaches that involve protected health information (PHI) subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Since that time, HHS has updated its website to state that, "[u]ntil such time as a new final rule is issued, the Interim Final Rule that became effective on September 23, 2009, remains in effect." This means that the harm standard embodied in the Interim Final Rule is still in effect and that, until further notice, employers and providers must conduct the risk assessment discussed in our July 30 blog post.

This entry was written by Philip L. Gordon.


Agency's Withdrawal of HIPAA Security Breach Notification Regulations Creates Uncertainty for Employers and Health Care Providers

In a two-paragraph press release recently posted on its website, the U.S. Department of Health and Human Services (HHS) announced the withdrawal of its interim final regulations addressing security breach notification for breaches that involve protected health information (PHI) subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The interim final regulations construed the security breach notification provisions contained in the Health Information Technology for Economic and Clinical Health (HITECH) Act, which amended HIPAA effective February 17, 2010. The agency’s action could have significant implications for employers and health care providers and puts them in limbo, until new regulations are published, when responding to a security incident involving PHI.


Enhanced HIPAA Penalties Raise Stakes for Employers and Health Care Providers Responding to a Security Breach

While HIPAA’s recently enhanced penalty provisions and newly enacted security breach notification requirements have each received a significant amount of attention, the connection between them and its significant implications for employers and health care providers subject to HIPAA have not. Most significantly, because of the enhanced penalties, it is critical that covered entities conduct a careful and documented risk assessment before deciding not to provide notice of a security incident.

HIPAA’s recently promulgated security breach notification regulations require notice only if (a) there has been access to, or acquisition, use or disclosure of, protected health information (PHI) in violation of the HIPAA Privacy Rule; and (b) that violation “poses a significant risk of financial, reputational or other harm” to the subjects of the PHI. In the preamble to the security breach regulations, the U.S. Department of Health and Human Services (HHS) takes the position that a covered entity “will need to perform a risk assessment” to determine whether the second element of the notification standard has been satisfied. Besides identifying four factors that covered entities might consider in conducting this risk assessment, HHS provides no other guidance on how to assess risk. HHS does emphasize, however, that “[c]overed entities and business associates must document their risk assessments, so that they can demonstrate, if necessary, that no breach notification was required.” In other words, covered entities should expect that if HHS ever challenges a decision not to provide notice of a security breach, HHS’ first request will be for production of the covered entity’s risk assessment supporting that decision.

The decision whether to provide notice of a security breach could be momentous for a covered entity. Under HIPAA’s security breach notification regulations, if the incident involves more than five hundred individuals in the same state, the covered entity would be required to report the breach to HHS, which will post the report on its Web site and notify “prominent media outlets,” which may choose to publicize the breach. As a result, notification of even a relatively small breach could expose the covered entity to class action litigation, damaging media coverage, and collateral damage to patient or employee relationships, in addition to the cost of providing notice and incident response services to affected individuals. Given these potential adverse consequences, a covered entity often will have an overriding interest in finding that a HIPAA violation did not create a material risk of harm and, therefore, does not require notification.


Proposed Revisions to HIPAA Regulations

The U.S. Department of Health and Human Services (HHS) published on July 14, 2010, a voluminous Notice of Proposed Rulemaking (NPRM), containing dozens of proposed amendments to three sets of Health Insurance Portability and Accountability Act of 1996 (HIPAA) regulations: the Privacy Rule; the Security Rule; and the Enforcement Rule. The proposed amendments are directed principally at implementing the Health Information Technology for Economic and Clinical Health Act (HITECH Act), which amended HIPAA and went into effect on February 17, 2010. A careful review of the NPRM for its impact on employers who sponsor HIPAA-covered plans reveals that, if the proposed changes were adopted, employers would be required to revise their business associate agreements, their HIPAA notice of privacy practices, and their policies for responding to access requests. The NPRM also provides employers with a roadmap for avoiding civil monetary penalties. To learn more about the NPRM and its implications for employers, please continue reading Littler's ASAP, What Do Employers with HIPAA-Covered Health Plans Really Need to Know About Recently Proposed Revisions to HIPAA Regulations?, by Philip L. Gordon.

Jail Time for Physician's HIPAA Violation Highlights Need to Redouble Compliance Efforts

A visiting cardiothoracic surgeon from China, working as a researcher at UCLA School of Medicine, became the first person sentenced to prison for unauthorized access to medical records in violation of HIPAA. The few criminal convictions for HIPAA violations to date have involved monetary gain, such as a hospice worker’s use of patient records to commit identity theft or the sale of a celebrity’s medical records to a tabloid. This most recent conviction is remarkable because money was not a factor and the viewing of celebrity records was only part of the illegal conduct. According to court records, the criminal prosecution also was based on the researcher’s review of his immediate supervisor’s and former co-workers’ medical records.

Random curiosity — a/k/a snooping — poses a risk of criminal HIPAA violations not only at hospitals and health care providers. Virtually every employer has some form of medical information subject to HIPAA in its paper files or on its information systems, because HIPAA applies to self-insured group health, dental, vision, pharmacy benefit, and long-term care plans; health care reimbursement flexible spending accounts; and employee assistance programs. Consequently, an employee who reviews a co-worker’s explanation of benefits while waiting for a benefits administrator to finish a call, or a human resources manager who accesses a third-party administrator’s portal to review claims information unrelated to any job duties, arguably is now at risk of criminal prosecution.


Don't Forget to Provide Your Employees with the HIPAA-Mandated, Triennial Reminder

Focused on weathering the blizzard of amendments to business associate agreements required by the HITECH Act, employers understandably could lose sight of the April 14, 2010 deadline for providing the “triennial reminder” required by the HIPAA Privacy Rule. Under that regulation, employers who sponsor one or more HIPAA-covered plans must, no less frequently than once every three years, “notify individuals then covered by the plan of the availability of the [plan’s] notice [of privacy practices] and how to obtain the notice.” For small health plans, i.e., those with annual receipts of $5 million or less, the original HIPAA compliance date was April 14, 2004, meaning that 2010 is a triennial reminder year. HIPAA-covered plans for which an employer would be required to provide the triennial reminder include self-insured group health, dental or vision plans; a health care reimbursement flexible spending account; a pharmacy benefits plan; a long-term care (not long-term disability) plan; and an employee assistance program.
