What Employers Really Need to Know About the New HIPAA/HITECH Omnibus Final Rule

The Health Insurance Portability and Accountability Act/Health Information Technology for Economic and Clinical Health Act Omnibus Rule, published in the Federal Register Jan. 25, makes many changes to the HIPAA Privacy Rule, Security Rule, Breach Notification Rule, and Enforcement Rule, with substantial impact on employers. While these changes do not alter the fundamental structure of HIPAA compliance, employers still face a relatively lengthy "to do" list to comply with all of the new requirements. Perhaps even more importantly, once the revised regulations go into effect, employers will confront much higher enforcement risk and significantly increased exposure to six- and seven-figure civil monetary penalties.

To learn more about the Omnibus Rule, please see Littler's ASAP, What Do Employers Really Need to Know About the New HIPAA/HITECH Omnibus Final Rule?, by Philip Gordon.

Five Key Takeaways For Employers Confronting The Massive, Omnibus HIPAA/HITECH Final Rule

By Philip Gordon

At approximately one-half the length of War and Peace, the recently published Omnibus Final Rule, which modifies the HIPAA Privacy, Security and Enforcement Rules and implements the HIPAA Breach Notification Rule, can overwhelm in-house employment, benefits, and privacy counsel as well as human resources and benefits professionals trying to discern the Rule’s practical implications for employers who sponsor HIPAA-covered plans, which are “covered entities” under HIPAA. Like most HIPAA-related guidance, the Omnibus Final Rule tends to focus on health care providers, with only a small portion of the ample regulatory commentary aimed at the employer community. Moreover, a detailed reading of the Omnibus Final Rule reveals dozens of technical changes with little or no practical impact on employers and numerous granular modifications that may be relevant to employers, if at all, only with limited frequency.

Stepping back from this superabundance of detail, we have identified the following five “big picture” takeaways for employers who sponsor HIPAA-covered plans:

HHS Releases Long-Awaited Health Privacy Rule

The Department of Health and Human Services (HHS) on Thursday issued its much-anticipated final omnibus rule governing privacy for health information. This extensive rule spanning more than 500 pages comprises four final privacy-related regulations. Among other significant changes, the rule modifies the privacy, security, and enforcement regulations implementing the Health Insurance Portability and Accountability Act (HIPAA) to incorporate amendments made by the Health Information Technology for Economic and Clinical Health (HITECH) Act that provided increased protections for an individual’s health information. The new rule also amends HIPAA to address new privacy protections granted under Title I of the Genetic Information Nondiscrimination Act of 2008 (GINA), which prohibits most health plans from using or disclosing genetic information for underwriting purposes. In addition, the rule modifies the HIPAA Enforcement Rule to include the increased and tiered civil money penalty structure provided by the HITECH Act, and establishes final regulations for the HITECH Act’s Breach Notification for Unsecured Protected Health Information rule.

Littler will be providing an in-depth analysis of the new rule and how it will impact both employer sponsors of group health plans and health care providers.

EEOC Loss on ADA Confidentiality Provides Useful Win for Employers

By Philip Gordon

In the decade since the HIPAA Privacy Rule went into effect, human resources professionals and employment counsel have increasingly grappled with medical confidentiality issues. While HIPAA certainly has heightened awareness of the need to handle employees’ health information with care, HIPAA (perhaps ironically) protects only a very narrow subset of such information, i.e., individually identifiable health information created or received by, or on behalf of, a HIPAA-covered health plan. By contrast, the EEOC has taken the position for years that the Americans with Disabilities Act’s (“ADA”) medical confidentiality provision protects all employee health information received by an employer other than the narrow subset of health benefits information subject to HIPAA. In a ruling handed down just two days before Thanksgiving, the Seventh Circuit rejected the EEOC’s interpretation of the ADA as overbroad, giving employers something to be thankful for.

The Seventh Circuit’s decision addressed the question whether Thrivent Financial for Lutherans (Thrivent) violated the ADA’s confidentiality provision by allegedly disclosing medical information about a former employee, Garry Messier, to Messier’s prospective employers. The case had its genesis on November 1, 2006, when Messier failed to report to work. Thrivent’s agent sent an e-mail to Messier asking him to “give John [his supervisor at Thrivent] a call” because John “need[ed] to know what [was] going on.” Rather than calling John, Messier sent him a lengthy e-mail which revealed that Messier had a “severe migraine,” had taken “Innitrex” to ameliorate the symptoms, is “bedridden” when he suffers migraines of this severity, and that the “migraines are an end result of the head trauma” suffered in a “major car accident in 1984.” Apparently recognizing that he might have crossed the line into TMI (“too much information”), Messier concluded, “Probably a lot more than either of you wanted to know, but I want to be totally honest with both of you.”

Recently Enacted New Jersey Law Shines Spotlight on Critical Social Media Issue for Healthcare Employers

By Philip Gordon and Inna Shelley

When the photographs and videos flooding social media include images of patients or the victims of an accident or crime, it gives human resources professionals, compliance officers and in-house employment counsel at health care facilities heartburn and forces them to spring into action. In the past several years, dozens of snap-happy health care workers have been fired for using smartphones to photograph patients and then upload the images to their social media page. One startling illustration of this phenomenon occurred when emergency room workers and staff at a medical center in California photographed an urgent care patient’s gruesome stab wounds and posted the photos on the web. In another example, an Oregon nursing assistant received an eight-day prison sentence after posting graphic photographs of nursing home residents on her social media site. Given these types of stories, it is not surprising that, according to a PricewaterhouseCoopers study published in April 2012, 63% of health care consumers expressed concern about personal health information being shared in public.

Many health care workers mistakenly believe that posting a patient’s image on a social media site does not violate HIPAA’s privacy requirements if the post excludes the patient’s name and other identifying information. To the contrary, an image that includes a patient’s face is not de-identified under HIPAA. Even when the face is obscured, the image still could be entitled to protection under HIPAA if the patient reasonably could be identified, for example, where the image reveals a distinguishing tattoo or scar.

Potential HIPAA Violation Leads to $750,000 Settlement

The Attorney General for the Commonwealth of Massachusetts reached an agreement with South Shore Hospital over claims the hospital failed to protect confidential health information for hundreds of thousands of consumers. The Attorney General filed the lawsuit under both state information security laws and the federal Health Insurance Portability and Accountability Act (HIPAA).

The problem arose when the hospital shipped three boxes containing more than 400 unencrypted back-up tapes to an off-site vendor. The hospital had contracted with the vendor to erase the tapes and resell them. The tapes contained significant amounts of confidential information such as patients’ names, Social Security numbers, bank account numbers and medical diagnoses. Only one of the three boxes arrived at its intended destination.

To learn more about the settlement, please continue reading at Littler's Healthcare Employment Counsel.

Finding the Messages to Employers in $1.5M HIPAA Settlement

By Philip L. Gordon

Yesterday’s $1.5M “Resolution Agreement” between Blue Cross Blue Shield of Tennessee (“BCBST”) and the U.S. Department of Health and Human Services (“HHS”), the agency responsible for enforcing HIPAA, is the fourth major settlement announced by HHS in the past 15 months and the third to exceed seven figures. This settlement has several important messages for employers.

Before turning to those messages, here are the key facts as set forth in the Resolution Agreement. BCBST stored, in a network data closet, computer equipment which included servers and 57 hard drives. The hard drives were part of a system that recorded customer service calls and contained the protected health information (PHI) of more than one million participants, including member names, member ID numbers, diagnosis codes, dates of birth, and Social Security numbers. The network data closet “was secured by biometric and keycard scan security with a magnetic lock and an additional door with a keyed lock.” The property management company for the leased space where the network data closet was located provided security services.

After BCBST vacated most of its office space, but while it still leased the space containing the network data closet, thieves stole the 57 hard drives from the closet. The hard drives were not encrypted. BCBST notified HHS of a security breach in accordance with the HITECH Act’s requirements.

California Amends its Security Breach Notification Law

By Ellen M. Giblin

On August 31, 2011, Governor Jerry Brown signed Senate Bill 24, amending California’s security breach notification law. That law was the nation’s first to require data owners to disclose a data breach to any California resident whose unencrypted personal information is reasonably believed to have been acquired by an unauthorized person. Senate Bill 24 applies to breaches occurring on or after January 1, 2012, and makes several important changes to the landmark law.

First, SB 24 enhances the security breach notifications sent to affected individuals. Whereas before the notice law did not impose any requirements for the content of the notice, the amended law requires that the notice contain specific information regarding the breach, including the following: (a) the name and contact information of the reporting person or business; (b) the types of personal information subject to the breach; (c) the date or date range of the breach; (d) whether notification was delayed due to law enforcement investigation; (e) a general description of the breach; and (f) the toll-free telephone numbers and addresses of the three major credit bureaus, if the breach exposed a social security number, driver’s license or California identification card number.

Two Recent Decisions Illuminate for Employers the Broad Contours of ADA Confidentiality vs. the Narrow Boundaries of HIPAA Privacy

By Philip Gordon

Ever since the HIPAA Privacy Rule first went into effect for larger health plans in April 2003, HR professionals and in-house employment counsel often warn of the proverbial “HIPAA violation” when discussing employee medical information. However, one recent federal decision demonstrates that the greater risk for many employers is a violation of the ADA’s confidentiality requirement, which can protect even false information disclosed by an employee to an in-house physician. The second recent decision highlights a critical limitation on the ADA’s broad confidentiality requirement.

The first case arose out of General Dynamics’ decision to terminate the employment of Guillermo Blanco (Blanco) for failing to disclose his Attention Deficit Hyperactivity Disorder (ADHD) when he responded to the company’s post-offer, pre-hire Medical Surveillance History Questionnaire. According to Blanco’s complaint, the in-house physician with whom Blanco discussed his post-employment request for a reasonable accommodation accused Blanco of failing to disclose his ADHD on the medical questionnaire. Blanco further alleged that the in-house physician discussed Blanco’s allegedly false responses to the questionnaire with management in General Dynamics’ Labor Relations Department. Blanco claimed that General Dynamics terminated his employment as a result of the disclosure. 

Massachusetts Extends Reach of Data Protection Regulations

By Ellen Giblin

The first anniversary of the effective date of 201 CMR 17.00 went by with little fanfare, then came the Final Judgment by Consent (“Judgment by Consent”) stating that a Boston-based restaurant chain engaged in “unfair or deceptive practices, in violation of Massachusetts General Laws c. 93A, §2” by accepting credit and debit cards from customers at its bars and restaurants after a known breach, yet failing to take reasonable steps to protect the personal information obtained from its patrons as required under 201 CMR 17.00.

In support of its decree, the Judgment by Consent lists basic data security measures that the company failed to implement: (a) failing to change default usernames and passwords on its point-of-sale computer system, (b) allowing multiple employees to share common usernames and passwords, (c) failing to properly secure its remote access utilities and wireless network, (d) continuing to accept credit and debit cards from customers after the company knew that its systems were compromised but had not yet been secured, (e) storing payment card personal information in clear (i.e., unencrypted) text on its servers, and (f) failing to comply with the Payment Card Industry Data Security Standards (“PCI DSS”).

HHS' One-Two HIPAA Penalty Punch Sends a Message to Employers and Providers

By Philip Gordon

Two days after announcing its first-ever HIPAA penalty, a whopping $4.3 million imposed against Cignet Health of Prince George’s County, Maryland, HHS announced that a large Massachusetts hospital had agreed to pay $1 million to avoid a penalty proceeding. Although the hospital did not admit liability and did not pay a penalty, the settlement demonstrates how the significant increase in available HIPAA penalties as a result of the HITECH Act’s enactment has provided HHS with substantial leverage when negotiating a resolution of alleged HIPAA violations. HHS’ settlement with the hospital also is important because it suggests that HHS may not be very forgiving in one area of particularly high risk: the physical removal of protected health information (PHI) from a covered entity’s premises.

The incident that ultimately led to the hospital’s $1 million settlement payment was innocent enough. According to the settlement agreement, which is public, and HHS’ press release announcing the settlement, an employee of the hospital’s outpatient practice took home, for work purposes, paper records containing the PHI of 192 patients, including patients with HIV/AIDS. The settlement agreement states that the “documents consisted of billing encounter forms containing the name, date of birth, medical record number, health insurer and policy number, diagnosis and name of provider of 66 patients and the practice's daily office schedules for three days containing the names and medical record numbers of 192 patients.” On her way into work on the subway, the employee placed the documents, bound by a rubber band, on the seat next to her and forgot them there when she exited the train. The records never were recovered.

Lessons Galore from Eye-Popping $4.3 Million HIPAA Penalty

By Philip L. Gordon

For the nearly eight years since the HIPAA Privacy Rule went into effect in April 2003, the U.S. Department of Health and Human Services (HHS) did not impose a single civil monetary penalty for HIPAA violations. The story behind HHS’s first penalty — a whopping $4.3 million imposed on February 22, 2011, against Cignet Health of Prince George’s County, Maryland (“Cignet”) — is a playbook on how employers and health care providers should not address HIPAA compliance and should not respond to HIPAA complaints. The tale also provides significant insight into how HHS interprets its power under the HITECH Act to determine the amount of a penalty.

According to HHS’ Notice of Proposed Determination (the “NPD”), to which Cignet did not respond, Cignet’s first mistake was its failure to respond to patients’ requests for access to their medical records. The HIPAA Privacy Rule establishes detailed procedures for handling access requests. The NPD does not identify the total number of patients whose requests went unanswered nor does it reveal why Cignet did not respond. The NPD does disclose that 41 patients filed complaints with HHS. The large number of complaints almost surely was a red flag for HHS.

Furthermore, the large number of complaints resulted in a substantial multiplier effect when HHS calculated the penalty of $1.3 million attributable to this aspect of Cignet’s non-compliance. More specifically, HHS found that each day of failing to respond to a request for access after the required time period had expired was a separate violation for each of the 41 complainants.

Agency States Interim Final Rule for Breach Notification Effective Until Further Notice

On August 4, we posted about uncertainty created by the U.S. Department of Health and Human Services' (HHS) decision to withdraw its interim final regulations addressing security breach notification for breaches that involve protected health information (PHI) subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Since that time, HHS updated its website to state that, "[u]ntil such time as a new final rule is issued, the Interim Final Rule that became effective on September 23, 2009, remains in effect." This means that the harm standard embodied in the Interim Final Rule is still in effect and that, until further notice, employers and providers must conduct the risk assessment discussed in our July 30 blog post.

This entry was written by Philip L. Gordon.

Agency's Withdrawal of HIPAA Security Breach Notification Regulations Creates Uncertainty for Employers and Health Care Providers

In a two-paragraph press release recently posted on its website, the U.S. Department of Health and Human Services (HHS) announced the withdrawal of its interim final regulations addressing security breach notification for breaches that involve protected health information (PHI) subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The interim final regulations construed the security breach notification provisions contained in the Health Information Technology for Economic and Clinical Health (HITECH) Act, which amended HIPAA effective February 17, 2010. The agency’s action could have significant implications for employers and health care providers and puts them in limbo until new regulations are published when responding to a security incident involving PHI.

Enhanced HIPAA Penalties Raise Stakes for Employers and Health Care Providers Responding to a Security Breach

While HIPAA’s recently enhanced penalty provisions and newly enacted security breach notification requirements have each received a significant amount of attention, the connection between them and its significant implications for employers and health care providers subject to HIPAA have not. Most significantly, because of the enhanced penalties, it is critical that covered entities conduct a careful and documented risk assessment before deciding not to provide notice of a security incident.

HIPAA’s recently promulgated security breach notification regulations require notice only if (a) there has been access to, or acquisition, use or disclosure of, protected health information (PHI) in violation of the HIPAA Privacy Rule; and (b) that violation “poses a significant risk of financial, reputational or other harm” to the subjects of the PHI. In the preamble to the security breach regulations, the U.S. Department of Health and Human Services (HHS) takes the position that a covered entity “will need to perform a risk assessment” to determine whether the second element of the notification standard has been satisfied. Besides identifying four factors that covered entities might consider in conducting this risk assessment, HHS provides no other guidance on how to assess risk. HHS does emphasize, however, that “[c]overed entities and business associates must document their risk assessments, so that they can demonstrate, if necessary, that no breach notification was required.” In other words, covered entities should expect that if HHS ever challenges a decision not to provide notice of a security breach, HHS’ first request will be for production of the covered entity’s risk assessment supporting that decision.

The decision whether to provide notice of a security breach could be momentous for a covered entity. Under HIPAA’s security breach notification regulations, if the incident involves more than five hundred individuals in the same state, the covered entity would be required to report the breach to HHS, which will post the report on its Web site and notify “prominent media outlets,” which may choose to publicize the breach. As a result, notification of even a relatively small breach could expose the covered entity to class action litigation, damaging media coverage, and collateral damage to patient or employee relationships, in addition to the cost of providing notice and incident response services to affected individuals. Given these potential adverse consequences, a covered entity often will have an overriding interest in finding that a HIPAA violation did not create a material risk of harm and, therefore, does not require notification.

Proposed Revisions to HIPAA Regulations

The U.S. Department of Health and Human Services (HHS) published on July 14, 2010, a voluminous Notice of Proposed Rulemaking (NPRM), containing dozens of proposed amendments to three sets of Health Insurance Portability and Accountability Act of 1996 (HIPAA) regulations: the Privacy Rule; the Security Rule; and the Enforcement Rule. The proposed amendments are directed principally at implementing the Health Information Technology for Economic and Clinical Health Act (HITECH Act), which amended HIPAA and went into effect on February 17, 2010. A careful review of the NPRM for its impact on employers who sponsor HIPAA-covered plans reveals that, if the proposed changes were adopted, employers would be required to revise their business associate agreements, their HIPAA notice of privacy practices, and their policies for responding to access requests. The NPRM also provides employers with a roadmap for avoiding civil monetary penalties. To learn more about the NPRM and its implications for employers, please continue reading Littler's ASAP, What Do Employers with HIPAA-Covered Health Plans Really Need to Know About Recently Proposed Revisions to HIPAA Regulations?, by Philip L. Gordon.

Jail Time for Physician's HIPAA Violation Highlights Need to Redouble Compliance Efforts

A visiting cardiothoracic surgeon from China, working as a researcher at UCLA School of Medicine, became the first person sentenced to prison for unauthorized access to medical records in violation of HIPAA. The few criminal convictions for HIPAA violations to date have involved monetary gain, such as a hospice worker’s use of patient records to commit identity theft or the sale of a celebrity’s medical records to a tabloid. This most recent conviction is remarkable because money was not a factor and the viewing of celebrity records was only part of the illegal conduct. According to court records, the criminal prosecution also was based on the researcher’s review of his immediate supervisor’s and former co-workers’ medical records.

Random curiosity — a/k/a snooping — poses a risk of criminal HIPAA violations not only at hospitals and health care providers. Virtually every employer has some form of medical information subject to HIPAA in their paper files or on their information systems because HIPAA applies to self-insured group health, dental, vision, pharmacy benefit, and long-term care plans; health care reimbursement flexible spending accounts; and employee assistance programs. Consequently, an employee who reviews a co-worker’s explanation of benefits while waiting for a benefits administrator to finish a call or a human resources manager who accesses a third-party administrator’s portal to review claims information unrelated to any job duties arguably is now at risk of criminal prosecution.

Don't Forget to Provide Your Employees with the HIPAA-Mandated, Triennial Reminder

Focused on weathering the blizzard of amendments to business associate agreements required by the HITECH Act, employers understandably could lose sight of the April 14, 2010 deadline for providing the “triennial reminder” required by the HIPAA Privacy Rule. Under that regulation, employers who sponsor one or more HIPAA-covered plans must, no less frequently than once every three years, “notify individuals then covered by the plan of the availability of the [plan’s] notice [of privacy practices] and how to obtain the notice.” For small health plans, i.e., those with annual receipts of $5 million or less, the original HIPAA compliance date was April 14, 2004, meaning that 2010 is a triennial reminder year. HIPAA-covered plans for which an employer would be required to provide the triennial reminder include self-insured group health, dental or vision plans; a health care reimbursement flexible spending account; a pharmacy benefits plan; a long-term care (not long-term disability) plan; and an employee assistance program.
