Published by Al Saikali

August 2012

For years, health care providers have worked hard to comply with the HIPAA Security Rule, which requires implementation of administrative, technical, and physical safeguards to secure protected health information (PHI).  This recent study by Jorge Rey and Tyler Quinn at Kaufman, Rossin & Co. analyzes data breaches reported to the U.S. Department of Health and Human Services between January 1, 2010, and December 31, 2011, in an effort to help health care providers and their vendors (business associates) develop more effective risk assessments.

What Caused PHI Data Breaches?

The study showed that theft comprised approximately 53% of data breaches, other “unauthorized access” caused approximately 20% of data breaches, loss of data caused approximately 15% of data breaches, while hacking and improper disposal of information comprised a very small number of data breaches (6% each).

Where Was The PHI Compromised?

The study further found that laptops, paper, and “other” media (portable electronic devices, backup tapes, CDs, and X-ray films) were evenly split as locations of data breaches, with approximately 25% each.  Desktop computers and servers were the next most likely locations for PHI breaches (approximately 10% to 15%), while email (approximately 2%) and electronic medical records (1%) were the least frequently breached locations of PHI.  The “other” category grew dramatically from 2010 to 2011, signifying the increased use of portable electronic devices among health care providers.

Conclusion

The study found that, overall, reported data breaches of PHI declined from 2010 to 2011, indicating that “[c]overed entities and business associates seem to have a better understanding of where e-PHI resides, and many have implemented safeguards to protect it.”  The bad news, however, is that the number of individuals whose PHI was compromised nearly doubled from 2010 to 2011.  Importantly, one of every five breaches occurred at or due to a business associate, indicating that health care providers need to do more to assess and monitor their vendors’ security weaknesses.

The study ends with a very helpful “Risk Score Tool” or checklist to help health care providers measure whether they are implementing effective safeguards for the PHI they collect and maintain.  I highly recommend this study to anyone in the health care industry who is interested in security and privacy issues that arise from the collection, storage, and use of PHI.


DISCLAIMER:  The opinions expressed here represent those of Al Saikali and not those of Shook, Hardy & Bacon, LLP or its clients.  Similarly, the opinions expressed by those providing comments are theirs alone, and do not reflect the opinions of Al Saikali, Shook, Hardy & Bacon, or its clients.  All of the data and information provided on this site is for informational purposes only.  It is not legal advice nor should it be relied on as legal advice.

On September 1, 2012, a new law will go into effect in Texas that imposes new requirements on organizations that maintain protected health information (PHI).  The new legislation, HB 300, imposes even tighter standards than those required by the federal Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH).

Who Does HB 300 Apply To?

Like HIPAA and HITECH, HB 300 applies to “covered entities.”  But the definition of a covered entity under HB 300 is broader than the definition of a covered entity under HIPAA (expanded by HITECH).  A “covered entity” under HB 300 is any individual, business or organization that:

  • Engages in the practice of assembling, collecting, analyzing, using, evaluating, storing, or transmitting PHI;
  • Comes into possession of PHI;
  • Obtains or stores PHI; or
  • Is an employee, agent, or contractor of a person described in the above three categories, if they create, receive, obtain, maintain, use, or transmit PHI.

In short, HB 300 would theoretically apply to entities such as law firms that maintain medical records in prosecuting/defending lawsuits, schools that maintain or use PHI, and information management entities that transfer and sell PHI.

What Does HB 300 Require?

HB 300 imposes a number of requirements on covered entities, including but not limited to:

Employee Training – Covered entities must train their employees regarding federal and state law related to the protection of PHI.  The training must be specifically tailored for the employee’s responsibilities and the ways in which the covered entity uses PHI.  New employees must be trained within 60 days of their hire dates, training should take place at least once every two years, and upon the completion of a training program, the employee must sign a statement verifying the employee’s attendance at the training program.  The covered entities must maintain these signed employee statements.  In contrast, HIPAA requires training only within a reasonable period of time after an employee is hired or whenever there are material changes to privacy policies.

Patient Record Requests – HB 300 requires covered entities to provide patients with electronic copies of their electronic health records within 15 business days of the patient’s written request.  This requirement differs from HIPAA, which allows covered entities 30 days to respond to such requests.

Disclosure of PHI – HB 300 prohibits the sale of PHI.  Additionally, a covered entity may only disclose PHI to another covered entity for the purpose of treatment, payment, health care operation, performing an insurance or health maintenance organization function, or as otherwise authorized or required by state or federal law.  If disclosure is made, then the covered entity must give notice to patients about the disclosure.

Consumer Information Website – The Texas Attorney General must maintain a website explaining consumer privacy rights regarding PHI under Texas and federal law, a list of the state agencies that regulate covered entities, detailed information about each agency’s complaint enforcement process, and contact information for each agency for reporting a violation of HB 300.

Audits of Covered Entities – Texas’s Health and Human Services Commission may request that the U.S. Secretary of Health and Human Services conduct an audit of a covered entity to determine compliance with HIPAA and the commission must periodically monitor and review the results of those audits.

What Are The Consequences For Violating The Law?

HB 300 imposes significant civil penalties, ranging from $5,000 to $1.5 million, on covered entities that fail to comply with its requirements.  The Texas Attorney General is responsible for pursuing these penalties.  In determining the amount of a penalty imposed, the court will consider the seriousness of the violation, the entity’s compliance history, the risk of harm to the patient, the amount necessary to deter future violations, and efforts made to correct the violation.

To the extent the violation arises from a failure to comply with the disclosure requirements of HB 300, factors that may limit a covered entity’s liability include whether the disclosed information was encrypted, whether the recipient did not use or release the PHI, and whether the covered entity had developed, implemented, and maintained security policies, including training of its employees responsible for the security of PHI.

What’s The Point?

The point is that your business needs to evaluate whether HB 300 applies to you.  Are you a covered entity under this new, broader definition?  Do you have training policies and procedures in place that meet the requirements of HB 300?  Are you ready to respond quickly to requests for PHI?  Even if the law doesn’t apply to you, best practices in your industry might make it wise to become compliant, as concerns about the privacy and security of PHI continue to grow.


Criminals are increasingly stealing tax refunds by obtaining personally identifiable information about individuals and using that information to file fraudulent tax returns.  The IRS identified $6.5 billion in identity-related tax refund fraud last year.  CNN Presents recently investigated the crime and, as Randi Kaye explained in this news report, it is “one of the biggest, most brazen crimes in the U.S.”  I highly recommend that you watch Kaye’s report and this report that details the great work that North Miami Beach Detective Craig Catlin and his team are doing here in Miami to fight this increasingly threatening crime.

Why should companies care about criminals who steal identities and then use that information to file fraudulent tax returns?  The short answer is that the criminals are getting the personally identifiable information from somewhere, and it may be from your company.  As the CNN report explains, criminals often obtain information (like social security numbers) from sources inside medical providers that maintain such sensitive information.  If one of these medical providers learns that information it maintains about its patients was compromised (i.e., accessed or used by an unauthorized individual) then it may have a duty to notify the individuals whose information was compromised.  It may also be obligated to report the compromise to state and federal government officials, which could in turn result in investigations, fines, and lawsuits against the provider.  Doesn’t seem fair to the medical provider, does it?  Particularly since the “bad actor” was a rogue employee.  But it is the law.

More importantly, these concerns are not exclusive to medical providers.  Any business that maintains personally identifiable information about its customers or employees (credit card numbers, dates of birth, social security numbers, etc.) is susceptible to these data breach risks.

In light of these risks, it is important that businesses implement strong safeguards to limit the risks associated with these data breaches.  Safeguards can include protecting the information through encryption and passwords, limiting access to sensitive information, performing thorough background checks of employees, monitoring access to and use of personally identifiable information, and auditing security measures on a periodic basis to ensure that the highest security standards are maintained.  All of these safeguards should be clearly explained in a company policy on which employees are trained periodically.  Many of these obligations are already required by law, depending on the information your organization maintains.

What is your company doing to evaluate, address, and minimize these risks?


A recent survey of corporate general counsel and directors by Corporate Board Member and FTI Consulting, Inc., provides some eye-opening findings about the importance of data security to U.S. companies and the ability of those companies to respond to a data breach.

On the one hand, the survey of approximately 13,400 corporate directors and general counsel found that data security was the top legal risk concern for both groups.  48% of corporate directors and 55% of general counsel identified data security as their top concern.  This level of concern about data security has doubled in the last four years.  In 2008, only 25% of directors and 23% of general counsel noted data security as an area of high concern.  The survey explains, “there is arguably no more insidious threat to a public company than that of cyber risk; it’s invisible, ever-changing, and pervasive—making it very difficult for boards to manage.  On top of that, it’s costly.”

Despite the increasingly high level of concern about data security, however, there is significant reason to believe that companies are not prepared to respond to a data breach.  For example, one-third of general counsel respondents stated that their boards are not effective at managing cyber risk.  Similarly, only 42% of directors said their company has a formal, written crisis management plan to manage a cyber breach or attack should one occur (27% said their company had no plan and 31% did not know whether their company even had a plan).  Yet 77% of directors and general counsel believe their company is prepared to detect a cyber attack.

In other words, a disconnect exists between the significance corporate entities are placing on data security and their lack of preparedness to respond to the risks associated with data security.  T.K. Kerstetter, President of Corporate Board Member, believes that the disconnect between the lack of written plans and the perception of preparedness is cause for concern, and certainly an area to monitor in the years ahead.  Mr. Kerstetter stated (and I could not agree more) that “it is going to take several well-publicized security breaches before a supermajority of corporate boards finally embrace the fact that doing business today without a prudent crisis plan in place is a formula for disaster.”


Today, the Federal Trade Commission levied a $22.5 million penalty against Google, the largest civil penalty ever imposed by the FTC against a single defendant.  Here is a copy of the Stipulated Order entered into between the FTC and Google.  The penalty stems from an FTC Complaint alleging that Google violated “privacy promises” it agreed to as part of a 2011 consent order it entered into with the FTC.

In 2011, the FTC sued Google after Google initially assured Gmail users it would not use their information for any purpose other than to provide email service.  The FTC claimed that Google did not honor that promise, so an order was entered requiring Google to adopt comprehensive privacy protections for consumers and providing for civil penalties if Google did not abide by the agreement.

Today’s settlement stems from an FTC allegation that Google subsequently misled consumers about the use of tracking cookies in Apple’s Safari Internet browser.  “Cookies” are small files stored on a computer that hold data specific to a particular user and website, so that when the user visits a certain website, that site delivers a page tailored to the user.  By placing a cookie on a person’s computer, an ad network can collect information about the person’s browsing habits and then use that information to display advertisements targeted to the person’s interests.  In this case, Google used the “DoubleClick Advertising Cookie” to collect information about users’ browsing activity.

Some people prefer to prevent cookies from monitoring the websites they visit.  Increasingly, companies are giving consumers ways to control such monitoring.  Apple’s Safari browser generally blocks third-party cookies in almost all situations.  One situation in which cookies are not blocked is when the user submits information in an online form on a website (for example, a Safari user who submits a mailing address via a form embedded in a page when buying something online).  In such a situation, Safari accepts the cookie and allows additional cookies from that same site.

What Happened Here?

In this case, the FTC alleged that Google violated the 2011 consent order by representing to consumers that it would not place tracking cookies or serve targeted ads based on those cookies, but then it delivered tracking cookies and targeted ads to some users.  Specifically, users would allow one cookie from Google’s advertising cookie service, which opened the door for all cookies from that advertising cookie service to be accepted.

Google informed users that if they wanted to opt out of its system, under which Google’s advertising cookies were automatically accepted, they need not take any action because of Safari’s default cookie-blocking settings.  According to the FTC, however, Google sidestepped Safari’s default cookie-blocking settings by taking advantage of Safari’s narrow exception for forms.  Google “tricked” the user’s browser into believing that the user was submitting information through a form, allowing Google to place a temporary cookie on the user’s computer.  Once the temporary cookie was installed, the user’s computer would then accept all of the cookies that Google had originally said would be blocked, which the FTC alleged was a violation of the consumer privacy protections imposed by the 2011 consent order.

What Are The Takeaways For The Business Community?

There are a few takeaways from today’s settlement announcement.  First, if your company enters into an agreement with the FTC regarding future conduct, you should be careful to ensure you remain in compliance.  The FTC takes the violation of a consent order very seriously.  Second, be up front, open, and honest with consumers who use your product about the measures you are taking to protect their privacy and the procedures they should follow to change their privacy settings.  Finally, if you make promises to consumers about how their information will be accessed, maintained, or used, be sure to keep those promises.

As FTC Chairman Jon Leibowitz stated today, “No matter how big or small, all companies must abide by FTC orders against them and keep their privacy promises to consumers, or they will end up paying many times what it would have cost to comply in the first place.”  I would add that the negative publicity that can follow from an FTC action such as this can be as harmful to a company as the monetary penalty itself.
