US Pharm. 2009;34(10):56-59.
A new self-reporting rule has gone into effect that requires health care providers to give notice to specified persons and entities when a breach of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy rules occurs.1 The Department of Health and Human Services (HHS) issued rules on August 24, 2009, that took effect on September 23, 2009. However, enforcement of the rules, with applicable sanctions, will not occur until February 10, 2010. In the meantime, entities subject to the privacy rules are expected to develop voluntary compliance policies and work with HHS to ensure that those procedures meet the intent of the law.2 As an aid to helping organizations understand the intricacies of the rules, on August 29, 2009, HHS issued the HITECH Breach Notification Guidance.3 Provisions of this Guidance are discussed below. The breach notification regulations were mandated by the Health Information Technology for Economic and Clinical Health Act (HITECH), which was part of the American Recovery and Reinvestment Act of 2009 (ARRA) signed on February 17, 2009—the so-called federal stimulus bill.4 Title XIII of HITECH includes $22 billion to advance the use of health information technology.5
Security of Medical Records
Unauthorized access to medical records and subsequent disclosure to media outlets have been the subject of much publicity, especially when celebrities are involved. When the now deceased actress Farah Fawcett was treated at the University of California Los Angeles (UCLA) Medical Center for cancer, her records showed up in the National Enquirer and Globe tabloids even before she told family and friends about her condition.6 After an investigation, the UCLA Healthcare and Medical Sciences Service discovered that a worker not associated with Fawcett’s care had surreptitiously reviewed her records multiple times. That employee was terminated by the hospital system and has been criminally indicted for selling private medical information to commercial companies in exchange for a payment of $4,600.7,8 If convicted, the former records assistant could face up to 10 years in prison.9 Earlier, in 2008, the UCLA Medical Center fired 12 people and suspended six others after finding that approximately 20 staff members obtained confidential information about the medical treatment of pop singer Britney Spears.10 Six physicians also face disciplinary action for peeking at her records.11
In another case, California health regulators fined Kaiser Permanente’s Bellflower Hospital $250,000 for failing to keep employees from snooping in the medical records of Nadya Suleman, the mother who set off a media frenzy after giving birth to octuplets in January 2009.12 Within the past several months, HHS has obtained a settlement of $100,000 from a hospital system that suffered five reported security incidents in approximately 18 months.13 Many other examples of HIPAA violations that result in fines or penalties are readily available.14
In perhaps one of the largest recent HIPAA enforcement actions, on January 16, 2009, HHS reached agreement with CVS/pharmacy, the largest chain store pharmacy in the country, to settle claims that CVS violated the privacy of millions of its health care customers by dumping old labels, vials, and prescription drug records into garbage dumpsters without first de-identifying the information. CVS will pay $2.25 million and implement a detailed corrective action plan to ensure the security of patients’ private information.15 The agreement will apply to over 6,300 CVS retail pharmacies. In a coordinated action, CVS Caremark Corporation, the parent company of the pharmacy chain, also signed a consent order with the Federal Trade Commission (FTC) to settle potential violations of the FTC Act. The Office of Civil Rights (OCR) of HHS is responsible for investigating and enforcing the HIPAA privacy rules. Among other charges, the OCR claimed CVS failed to implement adequate policies and procedures to reasonably and appropriately safeguard protected health information during the disposal process; it failed to adequately train employees on how to dispose of such information properly; and it did not maintain and implement a sanctions policy for members of its workforce who failed to comply with its disposal policies and procedures.
In an HHS press release dated August 19, 2009, Principal Deputy Director of the OCR Robinsue Frohboese said, “This new federal law ensures that covered entities and business associates are accountable to the Department and to individuals for proper safeguarding of the private information entrusted to their care. These protections will be a cornerstone of maintaining consumer trust as we move forward with meaningful use of electronic health records and electronic exchange of health information.”16,17 Some research shows that e-mail and Internet communications are the primary sources of HIPAA breaches.18
HIPAA’s New Rules
HIPAA was enacted on August 21, 1996.19 Sections 261 through 264 of HIPAA require HHS to publicize standards for the electronic exchange, privacy, and security of health information.20 Collectively these are known as the Administrative Simplification provisions. These requirements were implemented by HHS with the passage of the privacy rules, formally known as The Standards for Privacy of Individually Identifiable Health Information.21 The standards address the use and disclosure of individuals’ health information—called protected health information (PHI)—by “covered entities” subject to the privacy rule. The standards also educate individuals to understand their privacy rights and control how their health information is used.22 PHI is properly used for treatment, payment, and other related transactions (TPO); for example, insurance processing and discussion or use of records by other attending practitioners. Within HHS, the OCR has responsibility for implementing and enforcing the privacy rules.23 These laws have been with us for some time now, and it is expected that all personnel associated with the practice of pharmacy would have a full working knowledge of the requirements.
The newer notification rules require covered entities to “tattle” on themselves if the organization, its employees, or its business associates intentionally or accidentally breach a HIPAA rule governing PHI. All providers subject to these rules must have a compliance policy in effect now, and the designated compliance officer is responsible for implementing and enforcing the policy.
Recognize that the penalties for failure to comply with the new laws could be very significant. Under the older HIPAA enforcement rule, originally published in 2006, providers who violated HIPAA could be assessed a maximum civil monetary penalty of $100 per violation, up to $25,000 during a calendar year for identical violations.24 Under the new ARRA, there will be a three-tier system for determining the penalty. The previous rate of $100 per violation/$25,000 per year will apply for innocent mistakes (if the provider did not know, and would not have known if exercising reasonable diligence, that the violation occurred). If it was not an innocent mistake, but the provider was not guilty of willful neglect, the penalty goes up to $1,000 per violation, not to exceed $100,000 per year. For violations due to “willful neglect,” the penalty can be as much as $50,000 per violation, not to exceed $1.5 million per year.25 To illustrate the difference between the old and new rules, assume that a computer with the unencrypted PHI of 10 patients is lost or stolen. Under the old rule, the maximum penalty would have been $1,000. With the new rules in effect, the maximum penalty could be between $10,000 and $500,000 depending on whether or not loss of the computer is determined to be willful neglect.
So what has to be reported? Covered entities must notify patients, the government (HHS), and sometimes the media when they discover breaches of PHI that were not properly secured through encryption or destruction.26 Similarly, business associates must notify covered entities of breaches involving the covered entities’ PHI. A breach is defined as “the unauthorized acquisition, access, use, or disclosure of PHI.”27 Unsecured PHI means information that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of technology and methodology specified in the HHS Guidance. If PHI has been properly “de-identified,” inadvertent or unauthorized disclosure will not be considered a breach and thus does not trigger the breach notification mandates. Health information is considered de-identified if it does not identify an individual, if there is no reasonable basis to believe the information can be used to identify an individual, and if the covered entity or business associate complies with the privacy rule specifications for de-identifying information.
Disclosure of properly secured data through use of accepted encryption techniques is exempted from the notification mandates. Encryption means the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning to the data without use of a confidential process or encryption key. It is important to understand that if the confidential process or encryption key is discovered or improperly disclosed, this would constitute a breach if any PHI were improperly accessed. The Guidance suggests that encryption breaches are best avoided if the confidential process or encryption key is kept on devices or at locations separate from where the PHI is stored. Destruction of hard-copy PHI is accomplished by shredding or destroying the data in such a manner that it cannot be read or otherwise reconstructed.
The real trick will be determining whether a reportable breach has occurred or if there has only been a minor infraction that does not rise to the level of a reportable duty. For example, a pharmacist counsels a patient on the proper use of a medication in a separate room or area designed to enhance privacy. If someone else walks by and overhears a small or insignificant amount of PHI, this would be considered an “incidental disclosure” that would not have to be reported. On the other hand, a breach that “compromises the security or privacy” of PHI must be reported under HITECH. The regulations clarify that PHI is compromised if it “poses a significant risk of financial, reputational, or other harm to the individual.” HHS also directs covered entities and business associates “to perform a risk assessment to determine if there is a significant risk of harm to the individual as a result of the impermissible use or disclosure.”28,29 In other words, the regulations do not impose “strict liability” for insignificant infringements. Rather, the standard of care is more likened to “negligence” factors: Would a reasonable patient in the same or similar circumstances be likely to sustain a foreseeable risk of significant harm?
Handling Breaches
Here is a three-step procedure, hopefully not too oversimplified, to help in deciding whether or not to disclose a HIPAA breach:
1) Was there an impermissible use or disclosure of PHI under the privacy rule?
2) Does the impermissible use or disclosure pose a significant risk of financial, reputational, or other harm to the individual?
3) Are the exceptions to the definition of “breach” or the notification requirement inapplicable to the impermissible use or disclosure?
If the answer is no to any of the questions, you should not have to report perceived problems. But make no mistake here, the burden is on the covered entity to make the decision whether or not a reasonable person acting in the same or similar circumstances would objectively believe that reporting is necessary. This means that a compliance program must include detailed record-keeping procedures that are followed to justify why you did or did not think reporting would be required.
One of the exceptions mentioned in the three-step analysis discussed above is a “good faith” defense to charges of an unlawful disclosure of PHI. This works only if the disclosure is, in fact, made in good faith: that it was done unintentionally; that it was committed by someone under the authority of the covered entity (e.g., an employee, a student intern, or a business associate); that it was done while the individual was acting under the normal scope of authority associated with the job; and that no additional prohibited disclosure of PHI occurred as a result of the accidental disclosure. Good faith also applies if a disclosure is made to someone who could not reasonably be expected to retain the information.
Another exemption is permitted for normal business practices. PHI is used for TPO without violation of the privacy rules. The inadvertent disclosure of PHI by an individual authorized to access PHI at a facility operated by a covered entity or business associate to another person at the same covered entity or business associate is allowed so long as the disclosed information is not further used or disclosed in a prohibited manner under the privacy rules.
The breach notification provisions are triggered by the discovery of a breach of unsecured PHI. The breach is considered discovered on the day it is recognized or reasonably should be known by the covered entity. Knowledge can be imputed or implied when the facts of a breach situation should reasonably be known by someone acting in similar circumstances. The “ostrich defense” (i.e., sticking your head in the sand to avoid knowing what you should know) does not work here. The covered entity is required, as part of the compliance policy, to have methods in place that will disclose breaches as they occur.
A covered entity must give actual written notice using “plain language” by first-class mail (or through e-mail if so desired by an individual) to the affected individual or individuals whose unsecured PHI has been accessed, acquired, used, or disclosed as the result of a breach without reasonable delay, and no later than 60 days after the breach was or should have been discovered. With respect to content, the notification must include a brief description of the events surrounding the breach, the date of the breach, types of information involved, steps individuals should take to protect themselves from harm, steps the covered entity is taking to investigate and mitigate the harm, and contact procedures for those seeking more information.30 If a patient is deceased, the covered entity must give notice to the next of kin or personal representatives if their addresses are known or reasonably available. In the event a covered entity does not have enough information to contact individuals, substitute notification is permitted. Substitute notification requires posting relevant information on the organization’s home Web site or by conspicuous notice published in major print or broadcast media in the geographic area where the affected individuals are likely to reside. If fewer than 10 patients are involved in a breach, substitute notice may include telephone calls or other electronic methods including e-mail, even though a patient might not have given advance permission to use electronic communications. If more than 10 patients are involved in a breach, substitute notification requires the covered entity to post a notice of PHI breaches “conspicuously” on the organization’s home Web page for a minimum of 90 days or to advertise in major print or broadcast media. A toll-free telephone number must be made available for at least 90 days so that individuals can call and determine if their PHI has been breached and what options they may have.
If breach of PHI involves more than 500 individuals, the covered entity must give notice to all of the individuals and HHS at the same time. Publication of the breach in news media will also be required in such cases. If a breach involves fewer than 500 people, the covered entity must keep an internal log of each breach and what was done to report the breach. Documentation of breaches and the actions taken must be reported to HHS on an annual basis within 60 days after the end of the calendar year. Breach notification to individuals may be delayed if a law enforcement agency determines that such notification could interfere with a criminal investigation or pose a threat to national security.
Be aware that state confidentiality laws may also govern medical privacy considerations. In a
Michigan case, Doe v. American Medical Pharmacies,31 a pharmacy employee loudly blurted a patient’s HIV status in a crowded waiting room. The court of appeals upheld a jury award of $100,000 for slander, invasion of privacy, intentional infliction of emotional distress, and violation of a Michigan statute that protects the confidentiality of HIV results.32 Like HIPAA, the confidentiality statute allows for fines and/or criminal sanctions. Similarly, a 1991 case from Michigan recognized that the psychiatrist–patient privilege statute and the confidentiality portions of the medical licensing statute create a legal duty. The failure of a psychiatrist to comply with these statutes was considered by the court to be a breach of the legal duty, and, therefore, actionable as medical malpractice.33
A mental health confidentiality statute was also used in a West Virginia case against West Virginia University Medical Corporation, resulting in a $2.3 million jury verdict. The statute was successfully used to establish a provider’s legal duty. The plaintiffs in this case were three mental health patients whose information was disclosed in a bar by a records clerk.34 In California, a man sued Longs Pharmacy for invasion of privacy and violations of state regulations regarding the confidentiality of medical information after a pharmacist revealed to the man’s ex-wife and sons that the medicine the man was taking was for AIDS. The case settled before trial and the settlement remains confidential.35
Hundreds of cases such as these exist. More should be expected now that ARRA gives state attorneys general the right to bring enforcement actions for breach of the HIPAA notification rules.
Conclusion
There are, of course, a myriad of additional regulations and laws governing these issues. The important part is to recognize that these new rules are going into effect and that your HIPAA compliance program needs to incorporate all of the necessary procedures to follow when PHI is disclosed in an un authorized manner. Your compliance officer or person responsible for compliance must be informed of these new standards and take the steps needed to educate all persons within your operation about what to do when something goes wrong.
REFERENCES
2. HITECH breach notification interim final rule. Health Information Privacy. U.S. Department of Health and Human Services (HHS). www.hhs.gov/ocr/privacy/hipaa/
3. HITECH act breach notification guidance and request for public comment. HHS. April 17, 2009. www.hhs.gov/ocr/privacy/hipaa/
4. Hall, Render, Killian, Heath, and Lyman. New HIPAA breach notification rule. Impact Series. April 13, 2009. www.hallrender.com/library/
5. Bentley L. Recovery act extends HIPAA reach, adds data breach notification rules. ITBusinessEdge. March 18, 2009. www.itbusinessedge.com/cm/
6. Ornstein C. UCLA staffer looked through Farrah Fawcett’s medical records. LA Times. April 3, 2008. http://articles.latimes.com/
7. Farrah Fawcett’s medical records improperly accessed. April 3, 2008. www.contactmusic.com/news.nsf/
8. UCLA employee indicted for celebrity privacy violations: hospital employee sells celebrity medical info to tabloids. May 8, 2008. www.medlaw.com/healthlaw/
9. Commins J. Fawcett’s cancer battle highlights need for privacy. HealthLeaders Media. May 11, 2009. www.healthleadersmedia.com/
10. See note 7, supra.
11. Ornstein C. UCLA workers snooped in Spears’ medical records. LA Times. March 15, 2008. http://articles.latimes.com/
12. Ornstein C. Kaiser Hospital fined $250,000 for privacy breach in octuplet case. LA Times. May 15, 2009. www.latimes.com/news/local/la-
13. Gordon PL. Recent enforcement actions and significant amendments to the HIPAA privacy rule compel employers to revisit their HIPAA compliance efforts. ASAP. March 2009. www.littler.com/
14. All case examples. Health Information Privacy. HHS. www.hhs.gov/ocr/privacy/hipaa/
15. Resolution agreement: CVS pays $2.25 million & toughens disposal practices to settle HIPAA privacy case. Health Information Privacy. HHS. www.hhs.gov/ocr/privacy/hipaa/
16. HHS issues rule requiring individuals be notified of breaches of their health information. HHS. August 19, 2009. http://www.hhs.gov/news/press/
17. See also note 2, supra.
18. Proofpoint report on outbound email security and data loss prevention: outbound email and data loss prevention in today’s enterprise, 2009. www.proofpoint.com/id/
19. PL 104-191, amending Title XI of the Social Security Act, 42 USC § 1301 et seq.
20. HIPAA made simple: pharmacist’s survival guide. Pharmacist’s Letter. 2002. http://bop.accessidaho.org/
21. 45 CFR § 164.502(a).
22. OCR Privacy Brief. Summary of the HIPAA privacy rule: HIPAA compliance assistance. http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/privacysummary.pdf. Accessed September 8, 2009.
23. The final regulations were published on August 4, 2002. 45 CFR Part 160 and 164, Subparts A and E. 74 FR 19006.
24. HIPAA administrative simplification: enforcement. Final rule. Fed Regist. 2006;71:8389-8433.
25. King P. HIPAA EMR security and the stimulus plan. www.netdoc.com/Physician-
26. 45 CFR § 164.514(b). www.federalregister.gov/
27. Publications: HIPAA breach notification interim final rule. Syfarth Shaw LLP. August 26, 2009. http://seyfarth.com/index.cfm/
28. See note 27, supra.
29. Bianchi AJ. No time to waste: HHS issues HIPAA breach notification rules. Information Management Online. August 31, 2009. www.information-management.
30. Froggatt JT. New HIPAA breach notification rule for group health plans creates another compliance obligation for employers. Martindale-Hubbell. August 26, 2009. www.martindale.com/
31. 2002 WL 857766 (Mich App) (unpublished).
32. MCLA § 333.5131.
33. Saur v. Probes, MD, 190 Mich App 636.
34. Judge’s Charge to Jury in CLA, MC and JP v. WVa Univ Med Corp, Circuit Court of Monongalia County, West Virginia, Division No. 2, Civil Action No. 99-C-509 and West Virginia Code §27-3-1. As cited in: Wachler A. HIPAA privacy and security enforcement: assessing and reducing risks. April 14, 2003. www.sooperarticles.com/law-
35. Goodyear C. HIV-positive Bakersfield man sues Longs Drugs pharmacy: told family of infection, suit says. SF Chronicle. February 5, 1998. www.aegis.com/news/sc/1998/
To comment on this article, contact rdavidson@jobson.com.