By Cynthia Marcotte Stamer
The Department of Health and Human Services Office of Civil Rights (OCR) has begun disclosing on its website the employer and other health plans, health care providers, health care clearinghouses and their business associates (Covered Entities) that report breaches of unsecured protected health information (UPIC) affecting more than 500 individuals as required by new rules enacted as part of the Health Information Technology for Economic and Clinical Health Act (HITECH Act). This posting of Covered Entities reporting breaches comes just days after these and other Covered Entities became subject on February 17, 2010 to a host of other tighter federal requirements for the use, access, protection and disclosure of protected health information under Privacy & Security Standards of the Health Insurance Portability & Accountability Act (HIPAA) also enacted as part of the HITECH Act. As failing to comply with the amended rules effective February 17, 2010 can trigger obligations under the Breach Regulations and other exposures, prompt action to manage risk under both the Breach Regulations and the revised HIPAA rules is critical to minimize Covered Entity and business associate exposures under both these rules. With criminal, administrative and civil prosecutions of such violations increasing and likely to expand, timely action to manage compliance and other risks is warranted. Health plans and their business associates also should prepare for increased awareness and oversight of the adequacy of their medical information safeguards as these disclosures and other enforcement actions heighten interest and awareness of employees and others in these rules.
Covered Entity Breach Notification Requirements
OCR posted the initial list of Covered Entities disclosing these breaches on its website for the first time yesterday (February 22, 2010) to comply with breach notification requirements imposed by Section 164.408 of the interim “Breach Notification For Unsecured Protected Health Information” regulation (Breach Regulation) published here.
The Breach Regulation requires Covered Entities subject to the Health Insurance Portability & Accountability Act (HIPAA) to notify affected individuals, OCR and certain other parties following a “breach” of “unsecured” protected health information occurring on or after September 23, 2009. The Breach Regulation implements new breach notification requirements added to HIPAA by Section 13402(e)(3) of the Health Information Technology for Economic and Clinical Health Act (HITECH Act). It and the posting of Covered Entities reporting breaches of protected health information are part of the ongoing implementation and enforcement of new and stricter personal health information privacy and data security requirements for Covered Entities added to HIPAA under provisions of the HITECH Act and expanded remedies for violations signed into law on February 17, 2009 as part of American Recovery and Reinvestment Act of 2009 (ARRA).
You can review the list of Covered Entities that have reported breaches on the OCR website here. Learn more about the Breach Regulation requirements here.
Broader & Stricter Medical Privacy Mandates Effective 2/17/210
Just last Wednesday (February 17, 2010) Covered Entities and their business associates also became subject to tighter federal requirements for the use, access, protection and disclosure of protected health information under amendments to HIPAA’s Privacy & Security Standards enacted by the HITECH Act. The changes that became effective on February 17, 2010 generally require that Covered Entities and their business associates make specific changes to update their written policies, operational procedures, privacy notices, business associate agreements, training, and other management procedures in several respects. For more details, see here.
While the HITECH Act gave Covered Entities and business associates a year to complete the necessary arrangements to comply with these HITECH Act changes, many Covered Entities and business associates have remain unnecessarily exposed under these new requirements by not completing or otherwise failing to adequately implement the necessary arrangements despite expanding liability exposures that can result from noncompliance. To mitigate these exposures, Covered Entities and their business associates should act quickly to review and update their policies, procedures, training, business associate and other services agreements, and other practices and procedures, as well as to implement the training, oversight, and other management necessary to comply with the HITECH Act changes and to mitigate other HIPAA risks.
Exposures Significant & Growing
Covered Entities and business associates failing to devote adequate attention and resources to managing HIPAA compliance and associated risks risk increasing peril. Aside from the potential implications that disclosures of violations may have on patients and others impacting their business, the legal risks of noncompliance for Covered Entities, business associates and others mishandling protected health information are real and growing.
Timely action to comply with the amended HIPAA requirements and Breach Regulations is important both to preserve critical trust in the business, to avoid triggering breach notifications that can undermine this trust and fuel legal complaints, and to avoid exposure to an expanding range of sanctions that can result when a violation occurs.
Amendments made under the HITECH Act have expanded the size and availability of remedies that can be imposed for HIPAA violations as well as the parties empowered to pursue these remedies. Wrongful use, access or disclosure of protected health information in violation of HIPAA subjects participating health plans, health care providers, health care clearinghouses, their business associates and other workforce members and others to civil penalties, criminal prosecution and, since February 17, 2009, civil lawsuits brought by state attorneys general on behalf of citizens of their states whose HIPAA rights were violated. Since September 23, 2009, health plans and other HIPAA Covered Entities as well as their business associates also became obligated to provide breach notification under new mandates imposed by the HITECH Act. Coupled with increased enforcement emphasis by regulators, these expansions to HIPAA’s remedy provisions increase the risk that Covered Entities or business associates violating HIPAA face investigation and sanction. Furthermore, the wrongful use, access or disclosure of protected health information or other confidential information also increasingly is the basis of civil or criminal actions brought under a variety of other federal and state laws.
Expanded HIPAA & Other Federal Prosecutions & Remedies
The expanded requirements imposed under the Breach Regulation and the other HITECH Act changes that took effect on February 17, 2010 follow the implementation changes to HIPAA’s civil and criminal sanctions that took effect on February 17, 2009, when President Obama signed the HITECH Act into law. The HITECH Act amendments to HIPAA’s remedies significantly increase the risk that health plans and other Covered Entities and their business associates will face civil lawsuits, civil or criminal penalties or other consequences for violating HIPAA. Noncompliance with these and other HIPAA requirements subjects Covered Entities and business associates to civil penalties, criminal prosecution, civil damage awards under lawsuits brought by state attorneys general, and other legal remedies. In addition, timely update written policies, procedures, business associate agreements, training and documentation is imperative in order for Covered Entities and their business associates to fulfill their breach notification obligations under new rules enacted as part of the HITECH Act.
HITECH Amendments Expand Liability Exposures
The expanded risks stem in part from the HITECH Act’s amendments to HIPAA’s remedy provisions. Among other things, the HITECH Act amended HIPAA to:
- Allow a State Attorney General to sue health plans or other Covered Entities, business associates or both that harm state citizens by committing HIPAA violations after February 16, 2009;
- Expand the mandate by OCR to investigate violations and audit compliance with HIPAA;
- Require Office of Civil Rights to impose civil sanctions against Covered Entities and business associates involved in violations of HIPAA in accordance with tightened standards added to HIPAA by the HITECH Act;
- Revise the criminal sanctions that the Department of Justice can seek against Covered Entities, their business associates and others for violations of HIPAA; and
- Amend HIPAA to make clear that HIPAA’s criminal sanctions also can imposed on business associates, workforce members and other persons that improperly use, access and disclose protected health information in violation of HIPAA.
State Attorney General Lawsuit Exposures
Covered Entities and their business associates now also need to be concerned about the potential that a state Attorney General may bring civil suit to remedy damages caused to state citizens by a breach of HIPAA.
The HITECH Act empowers a state attorney general to sue Covered Entities or business associates engaging in HIPAA violations that harms citizens of the state for statutory damages equal to the sum of the number of violations multiplied by 100 up to a maximum of $25,000 per calendar year plus attorneys fees and costs
A HIPAA civil lawsuit filed on January 13, 2010 demonstrates the willingness of at least some states to exercise the new authority created by the HITECH Act on February 17, 2009 to sue Covered Entities and business associates that violate HIPAA for civil damages.
On January 13, 2010 Connecticut Attorney General Richard Blumenthal sued Health Net of Connecticut, Inc. (Health Net) for failing to secure private patient medical records and financial information involving 446,000 Connecticut enrollees and promptly notify consumers endangered by the security breach. The suit also names UnitedHealth Group Inc. and Oxford Health Plans LLC, who have acquired Health Net. The first attorney general enforcement action brought based on amendments made to HIPAA under the HITECH Act, Connecticut charges that Health Net violated HIPAA by failing to safeguard protected medical records and financial information on almost a half million Health Net enrollees in Connecticut then allowing this information to remain exposed for at least six months before notifying authorities and consumers.
Stepped Up Federal Enforcement
Even before the HITECH Act amendments, however, OCR and Department of Justice already were stepping up HIPAA investigation and enforcement. The Department of Justice has obtained a variety of criminal convictions against violators of HIPAA. See, e.g., 2 New HIPAA Criminal Actions Highlight Risks From Wrongful Use/Access of Health Information. Meanwhile, OCR also is emphasizing HIPAA enforcement. In February, 2009, for instance, OCR announced that CVS Pharmacies, Inc. would pay $2.25 million to resolve HIPAA charges. This announcement followed OCR’s announcement in July, 2008 that Providence Health Care would pay $100,000 to resolve HIPAA violation charges. OCR also has taken HIPAA enforcement actions against a broad range of other Covered Entities to redress HIPAA violations or other compliance concerns. To review examples of these other actions, see here. While not resulting in the significant payments involved in CVS or Providence, all Covered Entities involved in these and other enforcement actions or investigations have incurred significant legal and other defense costs, loss of community trust, or both.
In addition to these HIPAA-specific exposures, wrongful use, access or disclosure of medical information also can give rise to liability for health plans and other Covered Entities, business associates, employees and other members of their workforce and others improperly using, accessing or disclosing protected health information. Federal and state prosecutions may and increasingly do criminally prosecute individuals for improperly accessing or using medical or other personal information under a variety of other federal or state laws . See e.g., Cybercrime & Identity Theft: Health Information Security Beyond HIPAA; NY AG Cuomo Announcement of 1st Settlement For Violation of NY Security Breach Notification Law; Woman Who Revealed AIDs Info Gets A Year. Additionally, State courts also increasingly are permitting individuals harmed by HIPAA violations to use HIPAA as the foundation of state law duties used to maintain state negligence, invasion of privacy, retaliation or other claims for damages. Read more here.
State Civil Lawsuits
Along side these governmental actions, state courts also increasingly are willing to allow individual plaintiffs to rely on violations of HIPAA as the basis for bringing state privacy, retaliation or other actions. While prior to the recent HITECH Act amendments, federal courts had ruled that private plaintiffs could not sue under HIPAA for damages they incurred from a Covered Entity’s violation of HIPAA, state courts have allowed private plaintiffs to use the obligations imposed by HIPAA as the basis of a Covered Entity’s duty for purposes of certain state law lawsuits. In Sorensen v. Barbuto, 143 P.3d 295 (Utah Ct. App. 2006), for example, a Utah appeals court ruled a private plaintiff could use HIPAA standards to establish that a physician owed a duty of confidentiality to his patients for purposes of maintaining a state law damages claim. Similarly, the Court in Acosta v. Byrum, 638 S.E. 2d 246 (N.C. Ct. App. 2006) ruled that a plaintiff could use HIPAA to establish the “standard of care” in a negligence lawsuit.
Meanwhile, disgruntled employees or other business partners also increasingly raise alleged HIPAA misconduct as a basis of their legal complaints. For instance, private plaintiffs employed by Covered Entities also are increasingly pointing to HIPAA as the basis for their retaliation or wrongful discharge claims. See, e.g., Retaliation For Filing HIPAA Complaint Recognized As Basis For State Retaliatory Discharge Claim. Coupled with the HITECH Act changes, these and other enforcement actions signal growing potential hazards for Covered Entities and their business associates that fail to properly manage their HIPAA compliance obligations and risks.
Given these and other developments, Covered Entities and their business associates generally should resist the temptation to underestimate their potential HIPAA exposure for a variety of reasons. In fact, a number of factors demonstrate that the risks are significant and growing for Covered Entities, business associates and others that breach HIPAA’s mandates or otherwise inappropriately access protected health information.
Covered Entities & Business Associates Urged To Act Promptly To Manage Expanded HIPAA Risks & Obligations
As a consequence of these collective HITECH Act changes and growing HIPAA-related and other exposures, Covered Entities, their business associates and business associates generally will find it necessary or advisable among other things to:
- Conduct well-documented due diligence within the scope of attorney-client privilege on their own practices and procedures;
- Review the adequacy of the practices, policies and procedures of the Covered Entities, business associates, and others that may come into contact with protected health information;;
- Renegotiate their service provider agreements to detail the specific compliance obligations of each party relating to for auditing compliance, investigating potential breaches; providing required breach notifications; specify leadership and required cooperation in the event of a breach, charge, or other concern; indemnification and other liability allocations; and other related matters;
- Update policies, privacy and other notices, practices, procedures, training and other practices as needed to promote compliance and defensibility;
- Conduct well-documented training as necessary to ensure that business associates and other members of the Covered Entity’s workforce understand and are prepared to comply with the expanded requirements of HIPAA, can detect potential breaches or other compliance concerns, and understand and are prepared to follow appropriate procedures for reported suspected violations; and
- Pursue appropriate liability and other protection as appropriate to improve their ability to demonstrate both their commitment to compliance and their realistic efforts to ensure that these commitments are both appropriately documented on paper and operationalized in performance.
As part of these compliance and risk management efforts, most Covered Entities and their business associates will find it advisable to devote significant attention to the business associate relationship and its associated business associate agreements. Proper management of the expanded compliance obligations and liability exposures created by the HITECH Act generally will necessitate that Covered Entities and their business associates focus significant attention on the reworking of their operating and contractual relationships including the definition of detailed procedures for monitoring, reporting, investigating, and resolving potential breaches or other compliance concerns.
Even before the impending HIPAA changes scheduled to take effect on February 17, 2010, a strong need for more detailed contracting and planning of these relationships already existed. Since the enactment of HIPAA, the practice of many Covered Entities and their business associates of appending generic “business associate” representations onto existing services contracts without specific tailoring and planning has created undesirable ambiguities in these agreements. Further updating and tailoring of these and other provisions of services agreements has become even more important over the past year in light of the new breach notification mandates that took effect under the HITECH Act in September, 2009, changes to HIPAA’s civil and criminal sanctions that took effect on February 17, 2009, and the impending extension by the HITECH Act to business associates of direct liability for compliance with HIPAA scheduled to occur on February 17, 2010.
These and other stepped up oversight and enforcement activities make it critical that all Covered Entities and their business associates update their policies and practices, conduct training, tighten their compliance and data breach monitoring processes, strengthen their internal controls and documentation, and take other steps to prepare to defend their actions under the newly strengthened Privacy Rules. Covered Entities and their business associates more than ever must ensure their ability to demonstrate to federal regulators the effectiveness of their HIPAA compliance efforts by both adopting the written policies and procedures required by HIPAA and continuously monitoring and administering these safeguards. Covered Entities should consider reviewing the adequacy of their current HIPAA Privacy and Security compliance practices taking into consideration the Corrective Action Plan, published OCR noncompliance and enforcement statistics, their own and reports of other security and privacy breaches and near misses, and other developments to determine if additional steps are necessary or advisable.
For Assistance With Compliance Or Other Concerns
If your organization need advice or assistance in reviewing, updating, administering or defending its HIPAA or other privacy policies, practices, business associate or other agreements, notices or other related activities, consider contacting the author of this article, Curran Tomko Tarski LLP Partner Cynthia Marcotte Stamer at (214) 270-2402 or via e-mail here.
Ms. Stamer is nationally known for her work, training and presentations, and publications on privacy and security of health and other sensitive information in health and managed care, employment, employee benefits, financial services, education and other contexts.
Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 22 years experience advising clients about health and other privacy and security matters. A popular lecturer and widely published author on privacy and data security and other related health care and health plan matters, Ms. Stamer is the Editor in Chief of the forthcoming 2010 edition of the Information Security Guide to be published by the American Bar Association Information Security Committee in 2010, as well as the author of “Protecting & Using Patient Data In Disease Management: Opportunities, Liabilities And Prescriptions,” “Privacy Invasions of Medical Care-An Emerging Perspective,” “Cybercrime and Identity Theft: Health Information Security Beyond HIPAA,” and a host of other highly regarded publications. She has continuously advises employers, health care providers, health insurers and administrators, health plan sponsors, employee benefit plan fiduciaries, schools, financial services providers, governments and others about privacy and data security, health care, insurance, human resources, technology, and other legal and operational concerns. Ms. Stamer also publishes and speaks extensively on health and managed care industry privacy, data security and other technology, regulatory and operational risk management matters. Her insights on health care, health insurance, human resources and related matters appear in the Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Managed Healthcare, Health Leaders, and a many other national and local publications. For additional information about Ms. Stamer, her experience, involvements, programs or publications, see here.
Other Recent Developments
If you found this information of interest, you also may be interested in information about upcoming programs to be presented by Ms. Stamer, acquiring a copy of a recording or materials from previous programs she has presented, or arranging training for your organization. For more information about these opportunities, contact Ms. Stamer directly.
If you found this information of interest, you also may be interested in reviewing some of the following recent Updates available online by clicking on the article title:
Curran Tomko Tarski LLP Can Help
If your organization need advice or assistance in reviewing, updating, administering or defending its HIPAA or other privacy policies, practices, business associate or other agreements, notices or other related activities, consider contacting Curran Tomko Tarski LLP Partner Cynthia Marcotte Stamer.
A widely published author and speaker on HIPAA and other employee benefit and human resources related matters, Ms. Stamer has extensive experience advising health plans, their employer and other sponsors, health insurers, TPAs and other business associates and others about HIPAA and other health plan and privacy matters. Currently serving as both Chair of the American Bar Association (ABA) RPTE Employee Benefits & Other Compensation Group and as an ABA Joint Committee on Employee Benefits Council representative and Former Chair of the ABA Health Law Section Managed Care & Insurance Interest Group, Ms. Stamer has more than 23 years experience assisting employers, insurers, plan administrators and fiduciaries and others to design, implement, draft and administer health and other employee benefit plans and to defend audits, litigation or other disputes by private parties, the IRS, Department of Labor, Office of Civil Rights, Medicare, state insurance regulators and other federal and state regulators. A nationally recognized author and lecturer, Ms. Stamer also speaks and writes extensively on these and other related matters. For additional information about Ms. Stamer and her experience or to access other publications by Ms. Stamer see here or contact Ms. Stamer directly. For additional information about the experience and services of Ms. Stamer and other members of the Curran Tomko Tarksi LLP team, see here.
Other Information & Resources
We hope that this information is useful to you. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here or e-mailing this information here or registering to participate in the distribution of our Solutions Law Press HR & Benefits Update distributions here. Examples of other recent updates that may be of interest include:
For important information concerning this communication click here. If you do not wish to receive these updates in the future, send an e-mail with the word “Remove” in the Subject here.
©2010 Cynthia Marcotte Stamer. All rights reserved.