HIPAA Compliance News

Is Citrix ShareFile HIPAA Compliant?

ShareFile was bought by Citrix Systems in 2011 and the platform is marketed as a suitable data sync, file sharing, and collaboration tool for the healthcare industry, but is Citrix ShareFile HIPAA compliant?

What is Citrix ShareFile?

Citrix ShareFile is a secure file sharing, data storage and collaboration tool that allows large files to be easily shared within a company, with remote workers, and with external partners. The solution allows any authorized individual to instantly access stored documents via desktops and mobile devices.

For healthcare organizations this means the solution can be used to share large files such as DICOM images with researchers, remote healthcare workers, and business associates. The ShareFile patient portal can also be used to share PHI with patients.

Is Citrix ShareFile HIPAA Compliant?

Citrix will sign a business associate agreement with HIPAA covered entities and their business associates that covers the use of ShareFile, although it remains the responsibility of the covered entity to ensure that the solution is configured correctly and is used in a manner that does not violate HIPAA Rules.

The solution includes the technical safeguards the HIPAA Security Rule calls for, with appropriate access and authentication controls. Users connect to the solution over an encrypted TLS connection and data is protected at rest with AES 256-bit encryption. The solution also supports encryption on mobile devices. An audit trail is maintained, with access logs recording who accessed files, when, and for how long; application errors and events are also logged.

So is Citrix ShareFile HIPAA compliant? The safeguards incorporated into the solution mean it does support HIPAA compliance.

Where HIPAA Covered Entities Must Exercise Caution

Many firms advertise their platforms and software as HIPAA compliant, but that does not mean use does not carry risks. Software solution providers can only build in security and administrative controls that allow their solution to be used in a HIPAA compliant manner. It is the responsibility of users to make sure the solution is configured correctly and HIPAA Rules are not violated.

To avoid HIPAA violations:

  • Ensure a business associate agreement has been obtained prior to the solution being used for storing, syncing, or sharing ePHI
  • Covered entities must perform a risk analysis to determine any potential risks to the confidentiality, integrity, and availability of PHI
  • Ensure encryption is used when sending files to third parties
  • Policies and procedures (administrative safeguards) must be developed covering the use of the solution and staff must be trained
  • Access and authentication controls must be set to restrict access to PHI to only those individuals who are authorized to access information
  • Any PHI shared with third parties must be limited to the minimum necessary data for tasks to be performed
  • Appropriate security controls should be implemented on devices to ensure that in case of theft or loss, the devices cannot be used to gain access to PHI

Citrix publishes guidance for covered entities on how HIPAA Rules apply to ShareFile and on configuring the platform to support HIPAA compliance.

The post Is Citrix ShareFile HIPAA Compliant? appeared first on HIPAA Journal.

Is eFileCabinet HIPAA Compliant?

eFileCabinet is a document management and storage solution for businesses that offers on-site and cloud storage, but is the service suitable for the healthcare industry? Is eFileCabinet HIPAA compliant or will using the platform be considered a violation of HIPAA Rules?

What are Document Management Systems?

Document management systems allow organizations to carefully manage electronic documents and store them securely in one location. With huge volumes of documents being created, such systems take the stress out of document management and can help HIPAA covered entities share documents containing ePHI securely and avoid HIPAA violations.

There are many document management systems on the market, but not all support HIPAA compliance, so what about eFileCabinet? Is eFileCabinet HIPAA compliant?

eFileCabinet Security and Privacy Controls

Security controls include the encryption of data in transit and at rest with 256-bit encryption. Sensitive data can be securely shared with third parties and remote employees via the company’s SecureDrawer feature. SecureDrawer allows files to be shared without having to send documents beyond the protection of the firewall: the files remain in the eFileCabinet system and are accessed through a secure, encrypted portal.

eFileCabinet allows user and role-based permissions to be set to limit access to sensitive information as well as restrict what users and user groups can do with documents containing ePHI. Controls can be set with varying levels of user authentication, from simple passwords to voice prints and facial recognition. Users are also automatically logged off after a period of inactivity.

Automated file retention helps address HIPAA’s integrity controls, data backups are performed, and an audit trail is maintained with records kept of user access, what users have done with documents, and whether documents have been copied or downloaded.

Will eFileCabinet Sign a BAA with HIPAA Covered Entities and their Business Associates?

Privacy and security controls are only one part of HIPAA compliance. Even with all appropriate controls in place, a document management system is not a ‘HIPAA compliant’ service unless a business associate agreement (BAA) has been entered into with the service provider. By providing a BAA, the service provider is confirming it has implemented all appropriate controls to ensure data security and is aware of its responsibilities with respect to HIPAA. eFileCabinet is prepared to sign a BAA with HIPAA covered entities and their business associates.

However, it is up to the covered entity to ensure that all controls made available through eFileCabinet to support HIPAA compliance are configured correctly. If access controls are not set appropriately, for example, HIPAA Rules will be violated.

Is eFileCabinet HIPAA Compliant?

In our opinion, eFileCabinet has all the necessary security, access, and audit controls to ensure it can be used by healthcare organizations in a manner compliant with HIPAA Rules. eFileCabinet will also sign a business associate agreement with HIPAA covered entities and their business associates.

So, is eFileCabinet HIPAA compliant? Provided a business associate agreement has been entered into prior to the platform being used for storing or sharing ePHI, eFileCabinet can be considered a HIPAA compliant document management system.


$100,000 Settlement Shows HIPAA Obligations Don’t End When a Business Closes

HIPAA covered entities and their business associates must abide by HIPAA Rules, and those obligations do not end when a business closes. The HHS’ Office for Civil Rights (OCR) has made this clear with a $100,000 penalty for FileFax Inc. for violations that occurred after the business had ceased trading.

FileFax was a Northbrook, IL-based firm that offered medical record storage, maintenance, and delivery services for HIPAA covered entities. The firm ceased trading during the course of OCR’s investigation into potential HIPAA violations.

An investigation was launched following an anonymous tip – received on February 10, 2015 – about an individual who had taken documents containing protected health information to a recycling facility and sold the paperwork.

That individual was a “dumpster diver”, not an employee of FileFax. OCR determined that the woman had taken files to the recycling facility on February 6 and 9 and sold the paperwork to the recycling firm for cash. The paperwork, which included patients’ medical records, was left unsecured at the recycling facility. In total, the records of 2,150 patients were included in the paperwork.

OCR determined that between January 28, 2015 and February 14, 2015, FileFax had impermissibly disclosed the PHI of 2,150 patients, either by leaving the records in an unlocked truck where they could be accessed by individuals unauthorized to view the information, or by granting the individual permission to remove the PHI and leaving the unsecured paperwork outside its facility for her to collect.

Since FileFax is no longer in business – the firm was involuntarily dissolved by the Illinois Secretary of State on August 11, 2017 – the HIPAA penalty will be covered by the court appointed receiver, who liquidated the assets of FileFax and is holding the proceeds of that liquidation.

A corrective action plan has also been issued that requires the receiver to catalogue all remaining medical records and ensure the records are stored securely for the remainder of the retention period. Once that time period has elapsed, the receiver must ensure the records are securely and permanently destroyed in accordance with HIPAA Rules.

The settlement has been agreed with no admission of liability.

HIPAA Retention Requirements and Disposal of PHI

HIPAA itself sets no retention period for medical records (its six-year documentation requirement at 45 CFR §164.316 applies to policies, procedures and other compliance records, not to patient charts), and covered entities and their business associates are not required by HIPAA to keep medical records after their business has ceased trading. However, that does not mean medical records and PHI can be disposed of immediately. Businesses are bound by state laws, which do require records to be retained for a set period of time. For instance, in Florida, physicians must maintain medical records for 5 years after the last patient contact, and in North Carolina hospitals must maintain records for 11 years following the last date of discharge.

During that time, HIPAA requires appropriate administrative, technical, and physical safeguards to be implemented to ensure those records are secure and remain confidential. After the retention period is over, all PHI must be disposed of in a compliant manner.

In the case of paper records, disposal typically means shredding, burning, pulping, or pulverization. Whatever method is chosen must render the documents indecipherable and incapable of reconstruction.

This HIPAA breach is similar to several others that have occurred over the past few years. Businesses have ceased trading and paper records containing the protected health information of patients have been dumped, abandoned, or left unsecured. There have also been cases where businesses have moved location and left paperwork behind, only for contractors performing a cleanup or refurb of the property to find the paperwork and dispose of it with regular trash.

The failure to secure PHI during the retention period and the incorrect disposal of records after that retention period is over are violations of HIPAA Rules that can attract a significant financial penalty.

“The careless handling of PHI is never acceptable,” said OCR Director Roger Severino in a press release about the latest HIPAA settlement. “Covered entities and business associates need to be aware that OCR is committed to enforcing HIPAA regardless of whether a covered entity is opening its doors or closing them. HIPAA still applies.”


Is Box HIPAA Compliant?

Is Box HIPAA compliant? Can Box be used by healthcare organizations for the storage of documents containing protected health information, or would doing so be a violation of HIPAA Rules? This article assesses the security controls of the Box cloud storage and content management service and its suitability for use in healthcare.

What is Box?

Box is a cloud storage and content management service that supports collaboration and file-sharing. Users can share files, invite others to view, edit or upload content. Box can be used for personal use; however, businesses need to sign up for either a business, enterprise, or elite account.

Is Box Covered by the Conduit Exception Rule?

The HIPAA conduit exception rule was introduced to allow HIPAA covered entities to use certain communications channels without having to obtain a business associate agreement. The conduit exception rule applies to telecoms companies and Internet service providers that act as conduits through which data flows. Cloud storage services are not covered under the HIPAA conduit exception rule, even if those entities claim they never access any data uploaded to their cloud service. Therefore, cloud storage services can only be used if a business associate agreement is entered into with the service provider.

Box and the HIPAA Business Associate Agreement

Box is confident it has put appropriate security controls in place to ensure all customers’ data is secured, both in transit to Box and while stored in the cloud. The company was formed in 2004, although it took nine years for the company to make its move into the healthcare sphere. In April 2013, Box started signing business associate agreements with HIPAA covered entities and their business associates. Box only offers a BAA to HIPAA covered entities if they have an enterprise or elite account.

Box for Healthcare Launched

In addition to agreeing to sign a BAA and having its service verified as supporting HIPAA compliance by an independent auditor, the company has now launched its Box for Healthcare service. The Box for Healthcare service has been developed to integrate seamlessly with top healthcare vendors such as IBM, Microsoft, Apple, TigerText, eHealth Technologies, and EDCO Health apps. The service helps healthcare organizations coordinate care, collaborate with research organizations, and share information securely with third parties outside the protection of the firewall.

The service includes all the necessary security controls to comply with the HIPAA Security Rule including data encryption at rest and in transit, audit controls, and configurable administrative controls that allow customers to monitor access, usage and document edits by employees and third parties, and set appropriate access and authentication controls.

Is Box HIPAA Compliant?

Any cloud service can be used in a manner that violates HIPAA Rules, as HIPAA compliance is more about the people that use a product or service rather than the product or service itself. That said, Box has implemented a wide range of safeguards and controls to ensure data privacy and security. So, is Box HIPAA compliant?

Provided a BAA has been obtained before the platform is used to store documents containing PHI, Box can be considered a HIPAA compliant cloud storage provider. However, it is the responsibility of the covered entity to ensure that the service is configured correctly and HIPAA Rules are followed.


Timothy Noonan Becomes OCR’s Top HIPAA Enforcer, Replacing Deputy Director Iliana Peters

After just 4 months in the position of deputy director for health information privacy at the Department of Health and Human Services’ Office for Civil Rights, Iliana Peters has departed for the private sector.

Peters took over as deputy director following the departure of acting deputy director Deven McGraw in November, only to leave the post on February 2 to join the healthcare team at law firm Polsinelli.

This is the third major change of staff at the Department of Health and Human Services in a little over four months. First, there was the departure of HHS Secretary Tom Price in late September, McGraw left in October to join health tech startup Citizen, and now Iliana Peters has similarly quit for the private sector.

Peters has been working at the Office for Civil Rights for the past 12 years, including 5 years as a senior advisor. During her time at OCR Peters has worked closely with regional offices helping them enforce HIPAA Rules and has been instrumental in building up OCR’s HIPAA enforcement program.

Peters has trained regional OCR staff on HIPAA enforcement and the handling of cases and played a key role in OCR’s latest enforcement actions – the $3.5 million settlement with Fresenius Medical Care North America over five data breaches reported to OCR in 2012 and the $2.3 million settlement with 21st Century Oncology over its 2015 cyberattack.

Peters has also trained state attorneys general on HIPAA policies and played a key role in the development of OCR’s second phase of HIPAA compliance audits, as well helping with the development of guidance for HIPAA covered entities on HIPAA Privacy and Security Rules.

Now, instead of helping OCR punish organizations for HIPAA violations, Peters will be working on the other side and will be helping healthcare organizations avoid HIPAA violations and OCR penalties.

Peters has become a shareholder at Polsinelli and will be based at its Health Care Operations practice in Washington D.C. According to a February 7 Polsinelli press release, Peters will be helping to develop the law firm’s healthcare presence in DC.

“Iliana brings key insights into the government’s investigation, enforcement, and settlement processes and will enhance our ability to guide our clients in responding to ever-changing threats and risks,” said Polsinelli Health Care Department Chair Matt Murer. “We know that our clients look forward to having Iliana as a strategic member of their privacy and security teams.”

OCR’s southeast regional manager Timothy Noonan was appointed as acting deputy director for health information privacy at OCR on January 29, 2018. Noonan has spent the past four years working as the Southeast regional manager and has served as acting associate deputy director for regional operations and OCR’s acting director for centralized case management operations.

While the loss of Peters will certainly be felt at OCR, there is unlikely to be any easing of OCR’s HIPAA enforcement efforts. OCR’s regional offices have been well trained and will continue to ensure that HIPAA Rules are being followed and action is taken over serious violations of HIPAA Rules.


What is HIPAA Authorization?

We are often asked to clarify certain elements of HIPAA Rules. One recent question relates to disclosures of protected health information (PHI) and medical records – ‘What is HIPAA authorization?’

What is HIPAA Authorization?

The HIPAA Privacy Rule (effective since April 14, 2003) introduced standards covering allowable uses and disclosures of health information, including to whom information can be disclosed and under what circumstances protected health information can be shared.

The HIPAA Privacy Rule permits the sharing of health information by healthcare providers, health plans, healthcare clearinghouses, business associates of HIPAA-covered entities, and other entities covered by HIPAA Rules under certain circumstances. In general terms, permitted uses and disclosures are for treatment, payment, or health care operations.

A HIPAA authorization is written permission obtained from a patient or health plan member that allows a covered entity or business associate to use or disclose PHI to an individual/entity for a purpose that would otherwise not be permitted by the HIPAA Privacy Rule. Without a HIPAA authorization, such a use or disclosure of PHI would violate HIPAA Rules, could attract a severe financial penalty, and may even be determined to be a criminal act.

When is HIPAA Authorization Required?

45 CFR §164.508 details the uses and disclosures of PHI that require an authorization to be obtained from a patient/plan member before information can be shared or used. HIPAA authorization is required for:

  • Use or disclosure of PHI otherwise not permitted by the HIPAA Privacy Rule
  • Use or disclosure of PHI for marketing purposes, except when the communication occurs face to face between the covered entity and the individual or involves a promotional gift of nominal value
  • Use or disclosure of psychotherapy notes other than for the specific treatment, payment, or health care operations purposes listed in 45 CFR §164.508(a)(2)(i) and (a)(2)(ii)
  • Use or disclosure of substance abuse treatment records (which are additionally governed by the consent requirements of 42 CFR Part 2)
  • Use or disclosure of PHI for research purposes
  • Any sale of protected health information

What Must Be Included on a HIPAA Authorization Form?

A HIPAA authorization is a detailed document in which specific uses and disclosures of protected health information are explained in full.

By signing the authorization, an individual is giving consent to have their health information used or disclosed for the reasons stated on the authorization. Any use or disclosure by the covered entity or business associate must be consistent with what is stated on the form.

The authorization form must be written in plain language to ensure it can be easily understood and as a minimum, must contain the following elements:

  • Specific and meaningful information, including a description, of the information that will be used or disclosed
  • The name (or other specific identification) of the person or class of persons authorized to make the requested use or disclosure
  • The name(s) or other specific identification of the person or class of persons to whom information will be disclosed
  • A description of the purpose of the requested use or disclosure. In cases where a statement of the purpose is not provided, “at the request of the individual” is sufficient
  • A specific time frame for the authorization including an expiration date. In the case of uses and disclosures related to research, “at the end of the study” can be used, or “none” in the case of the creation of a research database or research repository
  • A date and signature from the individual giving the authorization. If the authorization is being given by an individual’s authorized representative, a description of the person’s authority to act on behalf of the individual must be detailed.

Statements must also be included on the HIPAA authorization to notify the individual of:

The right to revoke the authorization in writing, together with either:

  1. The exceptions to the right to revoke and a description of how the right to revoke can be exercised; or
  2. A reference to the extent to which the information in item 1 is included in the organization’s notice of privacy practices

The ability or inability to condition treatment, payment, enrollment, or eligibility for benefits on the authorization by stating either:

  1. That the covered entity may not condition treatment, payment, enrollment or eligibility for benefits on whether the individual signs the authorization; or
  2. The consequences of a refusal to sign the authorization when the covered entity is permitted to condition treatment, enrollment in the health plan, or eligibility for benefits on a failure to obtain authorization.

The individual providing consent must be provided with a copy of the authorization form for their own records.


Is HelloFax HIPAA Compliant?

Is HelloFax HIPAA compliant? Can HelloFax be used by healthcare organizations to send files containing protected health information, or would doing so be considered a violation of HIPAA Rules? In this post we explore the protections in place and attempt to determine whether HelloFax can be considered a HIPAA compliant fax service.

The HIPAA Conduit Exception and Fax Transmissions

It is important to make a distinction between standard faxes and digital faxing services. Standard fax machines, those which are used to transmit a physical document from one fax machine to another, have long been used by healthcare organizations, and in many cases, to transmit documents containing protected health information.

Transmissions are sent without first entering into a business associate agreement – or BAA – with telecommunications companies. That is because telecoms firms, such as AT&T, are covered by the HIPAA conduit exception rule.

The HIPAA conduit exception is covered in more detail here, although in short, it describes the types of communications services that do not require a business associate agreement: services that are merely conduits through which information flows. Information sent by standard fax or spoken over the telephone is still PHI and must still be safeguarded by the covered entity, but the telephone carrier is only a conduit and no BAA is needed, whereas providers of other channels, such as SMS and VoIP platforms that store messages, generally are business associates.

However, digital fax services such as HelloFax are not included under the HIPAA conduit exception rule, therefore, the use of the service for sending any documents containing PHI would be subject to HIPAA Rules. So, is HelloFax HIPAA compliant, and can it be used by healthcare organizations and other entities bound by HIPAA Rules?

Is HelloFax HIPAA Compliant?

It is important to note that no software, product, or service can be considered truly HIPAA compliant, as HIPAA compliance depends on users of the software, product, or service. It is more a case of whether a product or service can be used in a HIPAA compliant manner without violating the HIPAA Privacy or Security Rules.

In order for any communications channel to be considered by a HIPAA-covered entity or business associate of a covered entity, it is necessary to ensure that appropriate safeguards are in place to ensure the confidentiality, integrity, and availability of PHI.

In this regard, HelloFax ticks the right boxes. Fax transmissions are protected with end-to-end encryption from sender to receiver. The method of encryption used for data in transit and at rest is AES-256. HIPAA does not mandate a particular algorithm, but AES-256 is consistent with the NIST-validated encryption that HHS guidance points to.

In addition, each item’s unique key is itself encrypted with a regularly rotated master key, so even if the disk of the machine on which the fax was sent or received were accessed, it would not be possible to view the data. HelloFax also has strict controls in place to ensure its data center is physically secured. The company claims it has “bank-grade” physical and digital security.
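The key hierarchy described above (a per-item key that is itself wrapped under a regularly rotated master key) is the same shape as the AES-256 at-rest encryption ShareFile advertises earlier on this page, and is usually called envelope encryption. The Go program below is an added example written for this page, not HelloFax’s or Citrix’s code; its KeyStore and StoredFile types, method names and the sample text are assumptions. It shows why rotating the master key does not require re-encrypting stored files, why an old master key must not be destroyed until every wrapped data key has been moved off it, and how AES-GCM rejects a blob that has been tampered with on disk.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// randomBytes draws from the OS CSPRNG; an entropy failure is not recoverable.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// newGCM builds an AES-256-GCM AEAD; keys here are always 32 bytes, so failure is a bug.
func newGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}

// seal prepends a fresh random nonce so one blob is stored; open reverses it and
// GCM's authentication tag turns any tampering into an error, not garbage plaintext.
func seal(key, plaintext []byte) []byte {
	gcm := newGCM(key)
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

func open(key, blob []byte) ([]byte, error) {
	gcm := newGCM(key)
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// StoredFile is what lands on disk: the body encrypted under its own data key,
// plus that data key wrapped (encrypted) under the master key named by MasterKeyID.
type StoredFile struct {
	Ciphertext  []byte
	WrappedKey  []byte
	MasterKeyID int
}

// KeyStore stands in for a KMS or HSM; master keys never reach the storage tier.
type KeyStore struct {
	masters map[int][]byte
	current int
}

// Rotate makes a fresh master key current; older keys are kept only for unwrapping.
func (ks *KeyStore) Rotate() {
	if ks.masters == nil {
		ks.masters = map[int][]byte{}
	}
	ks.current++
	ks.masters[ks.current] = randomBytes(32)
}

// Encrypt generates a per-file data key and keeps it only in wrapped form.
func (ks *KeyStore) Encrypt(plaintext []byte) *StoredFile {
	dataKey := randomBytes(32)
	return &StoredFile{
		Ciphertext:  seal(dataKey, plaintext),
		WrappedKey:  seal(ks.masters[ks.current], dataKey),
		MasterKeyID: ks.current,
	}
}

func (ks *KeyStore) unwrap(f *StoredFile) ([]byte, error) {
	mk, ok := ks.masters[f.MasterKeyID]
	if !ok {
		return nil, fmt.Errorf("master key %d retired: file unrecoverable", f.MasterKeyID)
	}
	return open(mk, f.WrappedKey)
}

func (ks *KeyStore) Decrypt(f *StoredFile) ([]byte, error) {
	dataKey, err := ks.unwrap(f)
	if err != nil {
		return nil, err
	}
	return open(dataKey, f.Ciphertext)
}

// Rewrap moves a file onto the current master key without touching the bulk
// ciphertext: only the small wrapped data key is rewritten.
func (ks *KeyStore) Rewrap(f *StoredFile) error {
	dataKey, err := ks.unwrap(f)
	if err != nil {
		return err
	}
	f.WrappedKey, f.MasterKeyID = seal(ks.masters[ks.current], dataKey), ks.current
	return nil
}

// Retire destroys an old master key; safe only once every file has been rewrapped.
func (ks *KeyStore) Retire(id int) { delete(ks.masters, id) }

func main() {
	ks := &KeyStore{}
	ks.Rotate()
	f := ks.Encrypt([]byte("constructed sample: DICOM study 0001"))
	ks.Rotate()
	ks.Retire(1) // retired before Rewrap: the file below is now unrecoverable
	_, err := ks.Decrypt(f)
	fmt.Println(err)
}
```

The order of operations in the rotation procedure is the whole point: rotate, rewrap every stored item, and only then retire the old master key. The main function above deliberately skips the rewrap step to show the failure mode. In a real deployment the master keys would sit in a KMS or HSM and the wrapped key would be stored next to each file (or in a separate metadata store), so a stolen disk yields only ciphertext and wrapped keys that are useless without the master key.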

While security appears not to be an issue, there is the issue of the business associate agreement, which is a requirement. There is no mention of a BAA on the main website at the time of writing, although there is a post on the company blog – dated May 17, 2017 – confirming that the service is now SOC 2 and HIPAA compliant. HelloFax has been independently verified as meeting HIPAA security standards by an (unnamed) independent third party, and HelloSign, the company behind HelloFax, will sign a BAA with HIPAA-covered entities who wish to use the HelloFax service.

HelloSign states, “For customers who are subject to the requirements of the Health Insurance Portability and Accountability Act (HIPAA), HelloSign can also support HIPAA compliance. HelloSign now has the ability to sign a Business Associate Agreement (BAA) with any of our customers in the healthcare, pharmaceutical, and insurance industries. Under a BAA we are bound to operate specific controls to protect your electronic protected health information (ePHI).”

So, is HelloFax HIPAA compliant? In our opinion, HelloFax is not covered by the HIPAA conduit exception rule, so provided a business associate agreement has been obtained, and users ensure access controls are implemented, HelloFax can be considered a HIPAA compliant fax service.


Is iCloud HIPAA Compliant?

Is iCloud HIPAA compliant? Can healthcare organizations use iCloud for storing files containing electronic protected health information (ePHI) or sharing ePHI with third-parties? This article assesses whether iCloud is a HIPAA compliant cloud service.

Cloud storage services are a convenient way of sharing and storing data. Since files uploaded to the cloud can be accessed from multiple devices in any location with an Internet connection, information is always at hand when it is needed.

There are many cloud storage services to choose from, many of which are suitable for use by healthcare providers for storing and sharing ePHI. They include robust access and authentication controls and data uploaded to and stored in the cloud is encrypted. Logs are also maintained so it is possible to tell who accessed data, when access occurred, and what users did with the data once access was granted.

iCloud is a cloud storage service that owners of Apple devices can easily access through their iPhones, iPads, and Macs. iCloud has robust authentication and access controls, and data is encrypted in storage and during transfer. HIPAA does not prescribe a particular encryption standard, and the encryption Apple uses is in line with what HHS guidance expects. iCloud certainly appears to tick all the right boxes in terms of security, but is iCloud HIPAA compliant?

Will Apple Sign a Business Associate Agreement with HIPAA Covered Entities?

Cloud storage services are not covered by the HIPAA Conduit Exception Rule and are therefore classed as business associates. As a business associate, the service provider is required to enter into a contract with a HIPAA covered entity – in the form of a business associate agreement – before its service can be used in connection with any ePHI.

It is the responsibility of the covered entity to ensure a BAA is obtained prior to the use of any cloud service for sharing, storing, or transmitting ePHI.

That business associate agreement must explain the responsibilities the service provider has with respect to any ePHI uploaded to its cloud storage platform. The BAA should also explain the uses and disclosures of PHI, and the need to alert the covered entity of any breaches that expose data.

If a BAA is not obtained from Apple, its iCloud service cannot be used with any ePHI. So, will Apple sign a BAA with HIPAA covered entities?

Apple could not have made it any clearer in its iCloud terms and conditions that the use of iCloud by HIPAA-covered entities or their business associates for storing or sharing ePHI is not permitted, and that doing so would be a violation of HIPAA Rules.

“If you are a covered entity, business associate or representative of a covered entity or business associate (as those terms are defined at 45 C.F.R § 160.103), You agree that you will not use any component, function or other facility of iCloud to create, receive, maintain or transmit any “protected health information” (as such term is defined at 45 C.F.R § 160.103) or use iCloud in any manner that would make Apple (or any Apple Subsidiary) Your or any third party’s business associate.”

Is iCloud HIPAA Compliant?

It doesn’t matter what security controls are in place to ensure ePHI cannot be accessed by unauthorized individuals. If a communications channel is not covered by the conduit exception rule and the service provider will not enter into a contract with a HIPAA covered entity in the form of a business associate agreement, the service cannot be used with any ePHI. So, is iCloud HIPAA compliant? Until such point that Apple decides to sign a BAA, iCloud is not a HIPAA compliant cloud service and should not be used by healthcare organizations for sharing, storing, or transmitting ePHI.


Lawsuit Over HIPAA Breach by Mail Service Survives Motion to Dismiss

A mail service – Press America, Inc – used by a pharmacy benefit manager – CVS Pharmacy – is being sued over an accidental disclosure of 41 individuals’ protected health information.

CVS Pharmacy is a business associate of a health plan and is contracted to provide a mail-order pharmacy service for the health plan. The mail service is a subcontractor of CVS Pharmacy, and both entities are bound by HIPAA Rules.

CVS Pharmacy signed a business associate agreement with the health plan, and Press America did likewise with CVS Pharmacy as PHI was required in order to perform the mailings.

CVS Pharmacy alleges the HIPAA Privacy Rule was violated by Press America when it inadvertently disclosed PHI to unauthorized individuals due to a mismailing incident.

The disclosure of some plan members’ PHI was accidental, but the privacy breach violated a performance standard in CVS Pharmacy’s contract with the health plan. By violating the performance standard, CVS Pharmacy was required to pay the health plan $1.8 million.

A lawsuit was filed by CVS Pharmacy seeking indemnification from the mail service under the terms of its BAA and common law principles. CVS Pharmacy alleges the mismailing was due to negligence by its subcontractor, and that the $1.8 million payment was made as a direct result of that negligence. CVS Pharmacy maintains the breach was fully under the control of its subcontractor.

CVS Pharmacy alleged the mail service owed it a duty of reasonable care and that this duty was breached. Since PHI was improperly disclosed and the HIPAA Privacy Rule was violated, CVS Pharmacy was required to send notifications to the 41 plan members, which the complainant claims caused damage to its reputation.

The mail service sought to dismiss the claim of negligence, and in its motion to dismiss the lawsuit, challenged the validity of the contractual obligation CVS Pharmacy had to the health plan that required the $1.8 million payment. The mail service also contended that its indemnification provisions were not intended to cover this type of payment.

However, the federal court declined to dismiss CVS Pharmacy’s lawsuit. The court ruled that the indemnification provisions of the subcontractor agreement were broad enough to encompass CVS Pharmacy’s payment to the health plan, and that the subcontractor had no right to challenge the contractual obligation since it was neither a party nor a third-party beneficiary to the contract. The court also ruled that CVS Pharmacy sufficiently alleged negligence based on the breach of duty.

Losses were also suffered as a result of that negligence, as CVS Pharmacy had to make a sizeable payment to the health plan in addition to covering the cost of issuing notifications to the plan members whose PHI was disclosed. Consequently, the motion to dismiss the case was denied.
