Agency's Withdrawal of HIPAA Security Breach Notification Regulations Creates Uncertainty for Employers and Health Care Providers

In a two-paragraph press release recently posted on its website, the U.S. Department of Health and Human Services (HHS) announced the withdrawal of its interim final regulations addressing security breach notification for breaches that involve protected health information (PHI) subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The interim final regulations construed the security breach notification provisions contained in the Health Information Technology for Economic and Clinical Health (HITECH) Act, which amended HIPAA effective February 17, 2010. The agency’s action could have significant implications for employers and health care providers and, until new regulations are published, leaves them in limbo when responding to a security incident involving PHI.

In its press release, HHS cryptically explains that the agency withdrew the regulations “to allow for further consideration, given the Department’s experience to date in administering the regulations.” The agency established no deadline for issuing new regulations, stating only that it “intend[s] to publish a final rule in the Federal Register in the coming months.” The agency also provided no guidance concerning its enforcement of the HITECH Act’s security breach notification requirements — which remain in effect despite the absence of regulations — while covered entities await the final rule’s publication.

The impetus behind the HHS’s withdrawal may have been opposition from Congress and from privacy and patient advocacy groups to the “harm standard” contained in the now-withdrawn regulations. Under that standard, a covered entity that discovered unauthorized access to, or acquisition, use or disclosure of, PHI was not required to provide notice of security breach unless the unauthorized conduct “pose[d] a significant risk of financial, reputational or other harm” to the subject of the information. Opponents of the “harm standard” contended that it added an unwarranted gloss to the HITECH Act’s plain language and was not sufficiently protective of patients’ and plan participants’ rights.

If HHS were to eliminate the “harm standard” in its to-be-issued final regulations, the upshot for employers and health care providers would be significant as just one example demonstrates. It is not uncommon for an employee in the health care sector who is involved in a dispute with her employer over performance to take patient records for possible future use in a lawsuit alleging that the employer’s discipline or termination was unfounded and resulted from discrimination. The employee’s acquisition of patient records potentially to advance her own claims of discrimination is an unauthorized acquisition of PHI. Were HHS to issue final regulations that omit a harm standard, health care employers in this situation likely would be required to provide notice of security breach even if the employer never used or disclosed the copied documents and ultimately returned or properly destroyed them. In short, elimination of the “harm standard” could dramatically increase not only the number of notices that employers and health care providers will be required to provide but also the attendant out-of-pocket expense and potential damage to business reputation.

The problem now for employers and health care providers during “the coming months” before HHS publishes a final rule is whether to analyze a security incident with or without a harm standard, a decision which often will be dispositive of the question whether notice will be necessary. On the one hand, HHS itself found — at least at one time — that the HITECH Act’s security breach notification requirement properly could be construed to include a harm standard, and the agency’s cryptic press release does not expressly or implicitly point to the “harm standard” as the reason for withdrawing the interim final regulations. On the other hand, the HITECH Act does not expressly include a harm standard, and given the opposition to the “harm standard,” one fairly can surmise that the final rule to be issued by HHS will not include a harm standard. At least until HHS issues additional clarification of its withdrawal or publishes the final rule, each employer and health care provider confronted by a security incident involving PHI will need to make its own judgment call on whether to ignore the harm standard and potentially “over-notify,” or to apply the standard to justify a decision not to provide notice but run the risk of an enforcement action.

This entry was written by Philip L. Gordon.

Jail Time for Physician's HIPAA Violation Highlights Need to Redouble Compliance Efforts

A visiting cardiothoracic surgeon from China, working as a researcher at UCLA School of Medicine, became the first person sentenced to prison for unauthorized access to medical records in violation of HIPAA. The few criminal convictions for HIPAA violations to date have involved monetary gain, such as a hospice worker’s use of patient records to commit identity theft or the sale of a celebrity’s medical records to a tabloid. This most recent conviction is remarkable because money was not a factor and the viewing of celebrity records was only part of the illegal conduct. According to court records, the criminal prosecution also was based on the researcher’s review of his immediate supervisor’s and former co-workers’ medical records.

Random curiosity — a/k/a snooping — poses a risk of criminal HIPAA violations not only at hospitals and health care providers. Virtually every employer has some form of medical information subject to HIPAA in its paper files or on its information systems because HIPAA applies to self-insured group health, dental, vision, pharmacy benefit, and long-term care plans; health care reimbursement flexible spending accounts; and employee assistance programs. Consequently, an employee who reviews a co-worker’s explanation of benefits while waiting for a benefits administrator to finish a call, or a human resources manager who accesses a third-party administrator’s portal to review claims information unrelated to any job duties, arguably is now at risk of criminal prosecution.

While the employee may bear the brunt of the criminal prosecution, the employee’s unauthorized conduct exposes the employer on at least three different levels. First, the U.S. Department of Health & Human Services (HHS) could pursue civil penalties against the employer. Since the Health Information Technology for Economic and Clinical Health (HITECH) Act supplemented HIPAA, effective February 17, 2010, civil penalties for HIPAA violations have been substantially enhanced. While HHS has yet to promulgate regulations construing the statutory penalty provisions, the minimum penalty for an employee’s unauthorized access to patient or plan participant records apparently would be $1,000 per record reviewed if the employer had implemented measures to prevent the unauthorized access and $10,000 per record reviewed where the employer had failed to implement adequate protections. Second, although the federal courts unanimously agree that HIPAA provides no private right of action, the patient or plan participant whose records were viewed without authorization could assert common law, privacy-based claims, alleging vicarious liability on the employer’s part for the employee’s unauthorized access. Finally, the unauthorized access likely would constitute a security breach under HIPAA’s new security breach notification requirements. Were the snooping employee to access the records of 500 or more patients or plan participants, the employer would be required to notify not only the voyeur’s victims but also HHS and prominent media outlets in the state where the victims are located.

The jailing of the Chinese researcher highlights the fact that providers and employers no longer can be complacent about HIPAA compliance. Both health care providers and employers offering HIPAA-covered health benefits should revisit and, if necessary, update the policies they adopted when HIPAA first went into effect more than six years ago. Compliance efforts should focus, in particular, on preventing the types of conduct most likely to trigger security breach notification obligations, such as unauthorized access to and disclosures of health information and the loss or theft of equipment containing health information in unencrypted form. While technologies such as encryption and data loss prevention software can go a long way towards reducing risk, providers should consider robust and frequent training programs that convey the message that there is no such thing as “a little harmless snooping” when it comes to patients’ and plan participants’ medical records.

This entry was written by Philip L. Gordon.

New Hampshire Security Incident Demonstrates Importance of Documenting Any Decision to Forego Security Breach Notification

The New Hampshire Attorney General and the federal Centers for Medicare and Medicaid Services are investigating Wentworth-Douglass Hospital’s decision not to notify patients or the Attorney General of a security incident that occurred more than two years ago. The security incident, which lasted from May 2006 until July 2007, involved a former hospital employee who became disgruntled after being transferred from the pathology lab. The former employee gained unauthorized access to pathology reports on nearly 2,000 occasions and changed reports involving more than 1,100 patients. The hospital investigated the incident and determined that neither New Hampshire’s notice law nor HIPAA required notification.

The matter might have ended there but for the hospital’s termination of its contract with the pathology group that worked in the lab. The pathologists allege that the contract termination constituted retaliation for their pushing the hospital to disclose the incident. It appears that after the contract termination, the pathologists reported the incident to government officials.

While we do not question the motives of the New Hampshire pathologists, this incident demonstrates the importance for employers of documenting any decision not to provide security breach notification when a security incident occurs. Under many state security breach notification laws as well as HIPAA’s new security breach notification requirements, notice is required only if a security incident poses a material risk of harm to the individuals whose information has been compromised. Whether a material risk of harm exists often is a judgment call.

An employee who is aware of a security incident and a related decision not to provide notice could easily second guess that decision after being disciplined or terminated. As in the New Hampshire incident, a complaint about a decision not to notify could trigger an investigation by federal or state authorities months or years after the incident occurred. Without contemporaneous and thorough documentation of the decision-making process, an employer could have difficulty responding to an investigator’s demands for an explanation of the decision not to notify affected individuals or, where required, state or federal agencies.

This entry was written by Philip L. Gordon.

Meeting the Compliance Challenges of a Reinvigorated HIPAA and the Genetic Information Non-Discrimination Act of 2009

On July 23, 2009, Littler Mendelson hosted a webinar, entitled “Meeting the Compliance Challenges of a Reinvigorated HIPAA and the Genetic Information Non-Discrimination Act of 2009.” Participants asked several questions to which we could not respond because of time. Below are the questions and the answers:

Q: Could you give a real life example of how an employer might experience an internal HIPAA violation?

A: We explained during the webinar that not all employee health information is protected by HIPAA. In fact, the universe of employee health information which HIPAA protects is relatively small. Protected health information (PHI) is limited to individually identifiable health information created or received by, or on behalf of, a group health, dental, or vision plan; health care reimbursement flexible spending account; employee assistance program; long-term care plan; or pharmacy benefits plan. HIPAA would be violated when, for example, a benefits administrator notices that an employee has submitted claims to an employer’s health plan for services related to an abortion, AIDS, or cancer and gossips with the employee’s manager about the employee’s condition.

Q: Do the HIPAA security breach requirements that you discussed during the webinar apply to employers who have fully insured plans or only to employers who have self-insured plans?

A: Most employers with fully insured plans receive only summary health information and enrollment and disenrollment information from the health insurer. This information is considered protected health information (PHI); however, given the very small amount of PHI that an employer with a fully insured plan receives, the likelihood of a breach involving that information is low. Also, because the insurance company that provides the health insurance is not acting as the employer’s agent, the insurance company, not the employer, would be required to provide the notice for a breach of PHI maintained by the insurer. Fully insured employers should keep in mind that if they do offer a health care reimbursement flexible spending account, they are likely to have a significant amount of PHI on-site, and if a third-party administrator suffers a breach, the employer would be ultimately responsible for ensuring that the plan participants are notified.

Q: How do the HIPAA regulations define the term “business associate,” and what are the requirements for the employer or health care provider if a business associate experiences a security breach?

A: A business associate is a vendor who provides services for a health plan or health care provider using PHI. Some examples of business associates include billing services, debt collection agencies, third-party administrators, insurance brokers, pharmacy benefits managers, accountants, attorneys, and auditors. An employer or health care provider can disclose PHI to a business associate without the subject’s prior authorization but only if there is a written agreement (known as a “business associate agreement”) in place with the business associate. The business associate agreement is required to include at a minimum certain provisions listed in the HIPAA regulations that are intended to protect the confidentiality of PHI and ensure that individuals can exercise their HIPAA-mandated rights with respect to their PHI.

If a business associate experiences a breach, the business associate is required to notify the employer/health plan or the health care provider and identify the plan participants or patients whose PHI has been compromised. Employers and health care providers should consider supplementing this statutory notice requirement through contractual provisions in the business associate agreement that require the business associate to provide additional information about the breach, such as the date it occurred, the date it was discovered, what happened, what steps the business associate took to end the breach, and what steps the business associate will take to prevent a recurrence.

Q: Should we have a business associate agreement with the company that we use to shred protected health information (PHI)? Also, our payroll provider houses information on contributions for our healthcare reimbursement flexible spending account. Should we have a business associate agreement with them?

A: Your organization should have a business associate agreement with that shredding company. Information on contributions to a health care reimbursement flexible spending account is PHI, so your organization also should have a business associate agreement with the payroll provider.

Q: Is de-identified protected health information (PHI) subject to the breach notification requirements?

A: No. Once PHI has been de-identified, the information no longer is protected by HIPAA. As a result, a security breach involving de-identified PHI does not trigger a breach notification obligation. You should note, however, that HIPAA establishes a very high standard for de-identification. The regulations require the removal of all identifiers — including, for example, residential address, telephone number, e-mail address, Social Security number, driver’s license number, health insurance number, and medical records number — not only of the employee or patient but also of the employer and family members.

Q: Does the Genetic Information Non-Discrimination Act of 2009 (GINA) permit the collection of family medical history for a health risk assessment that is part of an employee wellness program?

A: As we discussed during the webinar, family medical history is “genetic information” subject to GINA. Under GINA, an employer generally is prohibited from deliberately acquiring genetic information, including family medical history. However, GINA does have an exception that permits the collection of genetic information for an employer-provided wellness program. The following requirements must be met for this exception to apply: (a) the employee provides prior, knowing, voluntary, written authorization; (b) only the employee and the licensed health care professional or certified genetic counselor receive the results of the health risk assessment; (c) the results of the health risk assessment are used only for purposes of the wellness program; and (d) the results are not provided to the employer.

This entry was written by Philip L. Gordon.

IAPP Practical Privacy Series: Human Resources 2008

Workplace privacy obligations continue to grow more burdensome for employers. As more information about workers becomes readily available, employers are often caught between a sense that failing to use that information may lead to negligent hiring and retention claims, and a fear that using or disseminating information that is private or protected will lead to litigation in its own right.

Littler Mendelson is a member of the International Association of Privacy Professionals, and a Gold Sponsor of the IAPP's "Practical Privacy Series Human Resources 2008" conference. The conference, which will take place in New York City on June 17, will cover a range of topics, including:

  • "What to Do When a Human Resources Security Breach Inevitably Occurs":  A security breach involving human resources data is high-stakes for organizations. This presentation focuses on the most common causes of HR security breaches and explains from the trenches how to respond in compliance with applicable notice laws, and without a disgruntled workforce when the dust clears;
  • "It's 10:00 A.M. -- Do You Know Where Your Employees Are and What They Are Doing?": New technology offers employers ever more sophisticated tools to keep tabs on their employees, but to what extent does this monitoring expose them to liability? This session examines the evolving U.S. law on these issues and discusses the challenges for global employers confronting data protection regimes modeled on the EU Data Protection Directive;
  • "H.R. Risk Assessments": Safeguarding HR information often plays second fiddle to seemingly more imperative privacy data, such as patient or customer information. Yet it can be among the most sensitive at an organization. This presentation highlights key lessons learned from HR privacy risk assessments across industries, and from helping organizations remediate weaknesses in their control environments. This session looks into the logistics of operationalizing a response program and handling specific recurring incidents;
  • Littler's own Phil Gordon will speak on "Sex Offenders, Terrorists, And Video Resumes: How Far Can You Go To Get Information About Prospective, Current, And Former Employees?": With ready access to sensitive personal information, employers are under increasing scrutiny to maintain a workforce that is beyond reproach. Social networking sites, blogs and other resources offer a wealth of information on candidates and employees. How deeply should employers tap these new information sources? This presentation will help frame the debate for your own organization; and
  • I'll be talking about how--and when--an employer can use sensitive medical information in the employment context in a presentation called "How To Handle Employee Health Information And Drug And Alcohol Testing In Compliance With The Alphabet Soup Of State And Federal Confidentiality Requirements": Managing employees’ health is a critical business imperative. Employers confront a maze of laws and regulations governing the confidentiality of employee health information, and dire consequences for mishandling such information. This session addresses questions on collecting, using, storing, documenting and disclosing employee health information, among other concerns.

If you are interested in these topics, or know someone who is, go to International Association of Privacy Professionals and click on the box titled "Practical Privacy Series." We'd love to see you there!

Our HR Manager's Laptop Was Stolen; Should We Offer Credit Monitoring Service?

As of 2006, 1 in 9 Americans had received a notice of security breach. That ratio is bound to rise with the continued onslaught of hacking and the theft of laptop computers now the crime du jour. The decision whether to provide notice of security breach, now governed by law in 36 states and the District of Columbia, is relatively easy when compared to the decision whether to provide free credit monitoring service.

No law requires a business to offer credit monitoring after a security breach, so why do so many businesses seem to opt for it? Preventing loss of good will seems to be the answer. According to a 2006 study by the Ponemon Institute, businesses suffer damages in lost customer opportunity cost equaling almost $100/lost record. That loss far exceeds the cost of one year’s worth of credit monitoring which, depending upon the size of the breach and the type of service, can range from $15 to $50 per individual.

While employees are not customers, employee disgruntlement can result in loss of productivity and increased turnover with an associated increase in recruiting costs. Employers confronting the question whether to offer free credit monitoring should try to quantify these costs as compared to the cost of providing credit monitoring service. In making this calculation, employers should keep in mind that the percentage of notice recipients who actually exercise the right to credit monitoring can be low, ranging, according to one report, from as little as 5% or less to as high as 30%.