Legal News

New Bill Proposes to Amend Iowa Breach Notification Act

Posted by HIPAA Journal

A new bill introduced by Iowa Attorney General Tom Miller will, if implemented, extend the definition of a data breach to include medical information, health insurance information and personal information that previously had to be combined with other individual identifiers before a breach was classified as a breach.

Since 2014, data breaches affecting more than five hundred Iowa residents have had to be reported to the director of the consumer protection division of the office of the Iowa Attorney General. More than 120 breaches have been notified in the past four years including those at Anthem Blue Cross, Banner Health and Medical Informatics Engineering.

The relatively low number of reported breaches implies that either the personal data of Iowa residents is remarkably secure, or that hacked entities are failing to notify the Attorney General´s office as required. AG Tom Miller intends to find out which by introducing an amendment to the state´s current Breach Notification Act that extends the definition of a data breach.

Medical and Health Insurance Information to be Included

Currently, entities experiencing a data breach only have to notify the Attorney General´s office if the data breached includes a social security number, a driver license number, or unique biometric data – or if the breach includes financial data that “in combination with any required expiration date, security code or password would permit access to an individual´s financial account”.

AG Miller´s amendment proposes to remove the “in combination with” requirement, so any breach of financial data is notifiable. It will also add medical information, health insurance information and personal information such as tax identification numbers to the list of notifiable breaches. There is also a proposal to change the current notification period of “without reasonable delay” to forty-five days.

Loopholes Closed over Encryption and Personal Harm Exclusions

Other proposed changes to the Iowa Breach Notification Act include closing some of the loopholes entities can use to avoid notifying the Attorney General´s office of a breach. Currently an entity does not have to report a breach if the accessed data is encrypted. If AG Miller´s proposals are enacted, this exclusion will only apply if data is encrypted to 128-bit standard or higher.

Entities can also avoid reporting a breach if it can be shown there is a reasonable likelihood the breach will not result in “financial harm” to individuals. The amendment proposes the removal of the word “financial” (so a breach with the potential for “any harm” now has to be notified) and stipulates that, if it is determined no harm is reasonably likely, a written justification of the determination should be sent to the Attorney General´s office within five days.

Will the Amendment Result in Better Protection for Iowa Residents?

Announcing the introduction of the amendment, assistant Iowa Attorney General Nathan Blake said; “We wanted to make sure the laws on the books are protecting consumers sufficiently.” However, rather than enhance consumer protection, the proposed amendment to the Iowa Breach Notification Act does little more than close loopholes that should not have been present in the original legislation.

The likely outcome is that Iowa residents will be no better protected against data theft than they are now, and that the number of data breaches reported in Iowa will increase. Quite possibly – in the long term – an increase in reported breaches may result in tougher data protection laws being introduced. However, in the short term, the only issue the amendment will resolve is whether there has been significant under-reporting of data breaches in Iowa since 2014.

The post New Bill Proposes to Amend Iowa Breach Notification Act appeared first on HIPAA Journal.

Aetna Agrees to Pay $115 Million Settlement to Resolve NY Attorney General Data Breach Case

Posted by HIPAA Journal

Last July, Aetna sent a mailing to members in which details of HIV medications were clearly visible through the plastic windows of envelopes, inadvertently disclosing highly sensitive HIV information to individuals’ house mates, friends, families, and loved ones.

Two months later, a similar privacy breach occurred. This time the mailing related to a research study regarding atrial fibrillation (AFib) in which the term IMACT-AFIB was visible through the window of the envelope. Anyone who saw the envelope could have deduced the intended recipient had an AFib diagnosis.

The July breach triggered a class action lawsuit which was recently settled by Aetna for $17.2 million. Aetna must now also cover a $115 million settlement with the New York Attorney General to resolve violations of federal and state laws.

Attorney General Schneiderman launched an investigation following the breach of HIV information in July, which violated the privacy of 2,460 Aetna members in New York. The September privacy breach was discovered during the course of that investigation. 163 New York Aetna members had their privacy violated by the September mailing.

The settlement agreement explains that more than 90% of patients diagnosed with HIV face discrimination and prejudice, and approximately one in eight individuals with HIV are denied health services as a result of the stigma associated with HIV and AIDS. A breach of HIV information can therefore have severe repercussions for the victims.

New York has implemented strict laws that require HIV information to be kept secure and confidential to ensure its residents are not discouraged from coming forward to be tested and treated for HIV. It is therefore important that action is taken against organizations and individuals who violate state laws by disclosing HIV information.

As a HIPAA-covered entity, Aetna is bound by the regulations and is required to implement safeguards to ensure the confidentiality of health and HIV information. Several laws in New York also require safeguards to be implemented to protect personal health information and personally identifiable information.

Not only were state and federal laws violated by the mailing, Aetna provided the personal health information of its members to outside counsel who in turn gave that information to a settlement administrator. While the outside counsel was a business associate of Aetna and had signed a business associate agreement, its subcontractor, the settlement administrator, was also a business associate yet no business associate agreement was entered into prior to the disclosure of PHI. A further violation of HIPAA Rules.

The office of the attorney general determined Aetna’s two mailings violated 45 C.F.R § 164.502; 42 U.S.C. § 1320d-5 of HIPAA, N.Y General Business Law § 349, N.Y Public Health Law § 18(6), and N.Y Executive Law § 63(12).

The settlement agreement also draws attention to the fact that Aetna had reported a further three HIPAA breaches to the Office for Civil Rights in the past 24 months, which in total impacted more than 25,000 individuals.

In addition to the financial penalty, Aetna has agreed to update its policies, procedures and controls to enhance the privacy protections for its members and protect them from negligent disclosures of personal health information and personally identifiable information through its mailings.

“Through its own carelessness, Aetna blatantly violated its promise to safeguard members’ private health information,” said Attorney General Eric T. Schneiderman. “Health insurance companies handle personal health information on a daily basis and have a fundamental responsibility to be vigilant in protecting their members. We won’t hesitate to act to ensure that insurance companies live up to their responsibilities to the New Yorkers they serve.”

This may not be the last financial penalty Aetna has to cover in relation to the mailings. This $115 million settlement only resolves the privacy violations of 2,460 Aetna members in New York state. The mailing was sent to around 13,000 Aetna members across the United States. It is possible that other states will similarly take action over the privacy violations. The Department of Health and Human Services’ Office for Civil Rights is also investigating the data breach and may choose to penalize the insurer for violating HIPAA Rules.

The post Aetna Agrees to Pay $115 Million Settlement to Resolve NY Attorney General Data Breach Case appeared first on HIPAA Journal.

Kansas Attorney General Fines Healthcare Provider for Failing to Protect Patient Records

Posted by HIPAA Journal

The Topeka, KS-based healthcare company Pearlie Mae’s Compassion and Care LLC and its owners have been fined by the Kansas Attorney General for failing to protect patient and employee records. The healthcare provider has agreed to pay a civil monetary of $8,750.

The HITECH Act gave attorneys general the authority to enforce HIPAA rules and take action against HIPAA-covered entities and business associates that are discovered not to be in compliance with HIPAA regulations. Only a handful of state attorneys general have exercised those rights, with many opting to pursue privacy violations under state laws.

In this case, Attorney General Derek Schmidt issued the civil monetary penalty for violations of the Wayne Owen Act, which is part of the Kansas Consumer Protection Act.

Special agents of the Kansas attorney general’s office were assisting the Topeka Police Department execute a search warrant in June 2017 at the home of Ann Marie Kaiser, one of the owners of Pearlie Mae’s Compassion and Care. Kaiser’s home was used as an office location for the company. While at the property, the agents noticed unsecured medical records in open view.

The paperwork included personal information, which includes, social security numbers, driver’s license numbers, financial account numbers, which could be used to harm the persons whose information is compromised. Such information could have been viewed by anyone in the property, including individuals unauthorized to access the information.

The civil penalty was issued for the failure to maintain reasonable procedures and practices appropriate to the nature of information held, the failure to exercise reasonable care to protect personal information, and the failure to take reasonable steps to destroy records when they were no longer required – violations of K.S.A. 50-6,139b(b)(l) and K.S.A. 50-6,139b(b)(2).

In addition to covering the financial penalty, Pearlie Mae’s has agreed to update its policies and procedures to ensure compliance with the Wayne Owen Act and will also cover the costs – $1,250 – incurred by the Attorney general office during its investigation.

The post Kansas Attorney General Fines Healthcare Provider for Failing to Protect Patient Records appeared first on HIPAA Journal.

Senate Attorney Judiciary Committee Advances South Dakota Data Breach Notification Bill

Posted by HIPAA Journal

The Senate Attorney Judiciary Committee in South Dakota has overwhelmingly voted in favor of introducing data breach notification legislation. The bill, introduced by the Committee on Judiciary at the request of the Attorney General Marty Jackley, advanced after a 7-0 vote.

Currently there are only two states in the US that have yet to introduce data breach legislation to protect state residents. With South Dakota now looking likely to introduce new protections for state residents, Alabama looks like it will be the only state lacking a data breach notification law.

The Bill – South Dakota Senate Bill No. 62 – requires notifications to be issued to state residents and the Attorney General following a breach that impacts 250 or more state residents. The breach notifications would need to be issued without unnecessary delay and no later than 45 days following the discovery of a breach, unless a delay is requested by law enforcement.

Breach notifications would not be required if the breached entity, along with the attorney general, determines that consumers would be unlikely to be harmed as a result of the breach.

A breach is defined as “The acquisition of unencrypted computerized data or encrypted computerized data and the encryption key by an unauthorized person that materially compromises the security, confidentiality, or integrity of personal or protected information maintained by the information holder.”

The law would apply to personal information, which is limited to the full name or initial and last name in conjunction with the following data elements:

Social Security number, driver’s license number, unique government ID number, medical information, health insurance information, employment ID number with associated security code, account or credit/debit card numbers in conjunction with security codes, passwords, PINs or access codes that would permit access to those accounts, biometric data used for authentication purposes, and email addresses, in combination with passwords/security question answers, or other information that permits access to an online account.

The breach notifications would need to be made in writing or electronically if the breach victim is usually contacted in that manner. If the cost of notification exceeds $250,000 or more than 500,000 individuals have been impacted, or if insufficient contact information is held on the breach victims, a substitute breach notice would be acceptable. Substitute notices would need to include an email notice – if a valid email address is held, a conspicuous posting on the entity’s website, and a notice to statewide media. Breaches impacting more than 250,000 individuals would also require notification to be provided to credit reporting agencies.

If passed, the South Dakota Attorney General would be authorized to bring an action against the breached entity over the failure to comply with the law. The maximum civil penalty would be $10,000 per day, per violation. Attorney’s fees and other costs associated with the action would also be recoverable.

The South Dakota breach notification law would apply to all entities doing business in the state of South Dakota, although entities in compliance with federal laws that have breach reporting requirements would be deemed to be in compliance with the requirements of the proposed law.

The post Senate Attorney Judiciary Committee Advances South Dakota Data Breach Notification Bill appeared first on HIPAA Journal.

Colorado Considers New Privacy and Data Breach Legislation

Posted by HIPAA Journal

Colorado is the latest state to consider changing its privacy and data breach notification laws to improve protections for state residents. The legislation has been proposed by a bipartisan group of legislators, and if passed, would make considerable changes to existing state laws.

The proposed legislation applies to personally identifying information. The changes would see the following information included in the definition of PII:

Full name or last name and initial in combination with any of the following data elements: Personal ID numbers, Social Security numbers, state ID numbers, state or government driver’s license numbers, passport numbers, biometric data, passwords and pass codes, employment, student and military IDs, financial transaction devices, health information, and health insurance information.

Usernames/email addresses, financial account numbers, and credit/debit card numbers are also included, if they are compromised along with other information that allows account access or use. A breach would not be deemed to have occurred if the PII is encrypted, unless the key to unlock the encryption is also compromised.

Organizations that store the PII of state residents would be required to implement controls to ensure the privacy and confidentiality of PII. The proposed legislation does not include details of the types of security protections, procedures, and practices that must be implemented to keep personally identifiable information secure, only that the security measures be “appropriate to the nature of the personally identifying information and the nature and size of the business and its operations.”

Any entity that wishes to disclose PII to a third party must communicate to that entity that the PII must be protected and secured at all times, including the use of technology, procedures and practices. They must be appropriate to the sensitivity of the data and be reasonably designed to help protect the PII from unauthorized access, use, modification, disclosure, or destruction.

If PII is no longer required, the information must be securely and permanently destroyed, whether the information is in paper form or stored on electronic devices. Policies covering the destruction of data are required in writing.

For paper records, this would likely mean burning, pulping, pulverizing, or shredding. For electric devices, data would need to be securely erased to prevent reconstruction. Typical methods include degaussing – the exposure of the device to strong magnetic fields, the use of software to overwrite media to prevent reconstruction of data, or destroying the media by pulverization, disintegration, melting, shredding, or incineration.

In the event of a breach of PII, the maximum time limit for issuing notifications would be 45 days from the discovery of a breach. Currently there is no stipulated maximum time frame for issuing notifications. Notifications must currently be issued “in the most expedient time and without unreasonable delay.”

A notification would also need to be sent to the state attorney general no later than 7 days following the discovery of a breach that impacts 500 or more individuals.

As is the case in California and several other states, the legislation stipulates the content that must be included in the breach notification letters.  The date of the breach must be communicated, or a reasonable estimate if it is not known, a description of the PII that has been compromised, contact information, a toll-free number to call for further information, contact details of consumer reporting agencies and the FTC, and information on how credit freezes and security alerts can be set.

The legislation would also authorize the Colorado Attorney General to initiate criminal investigations and legal proceedings against organizations that fail to comply with the legislation

The post Colorado Considers New Privacy and Data Breach Legislation appeared first on HIPAA Journal.

Aetna Settles Class Action Lawsuit Filed by Victims of HIV Status Data Breach

Posted by HIPAA Journal

Aetna has agreed to settle a class action lawsuit filed by victims of a mailing error that resulted in details of HIV medications prescribed to patients being visible through the clear plastic windows of the envelopes. Aetna was not directly responsible for the mailing, instead an error was made by a third-party vendor.

For some of the patients, the letters had slipped inside the envelope revealing the patient had been prescribed HIV drugs. In many cases, those envelopes were viewed by flat mates, family members, neighbors, friends, and other individuals, thus disclosing each patient’s HIV information. Is not known how many patients had their HIV information disclosed, although the mailing was sent to 13,487 individuals. Some of the patients were being prescribed medications to treat HIV, others were taking the medication as Pre-exposure Prophylaxis (PrEP) to prevent contracting the disease.

Many of the patients who were outed as a result of the breach have faced considerable hardship and discrimination. Several patients have had to seek alternative accommodation after been forced to leave their homes by flat mates and relatives. Others have had personal and family relationships severely damaged as a result of the disclosure.

The Legal Action Center, AIDS Law Project of Pennsylvania, and Berger & Montague, P.C., filed a lawsuit in August seeking damages for the victims of the breach. That lawsuit has been settled for $17,161,200 by Aetna, pending Court approval, with no admission of liability. The settlement also requires Aetna to update its policies and procedures to ensure similar privacy breaches are prevented in the future.

There were two alleged breaches of privacy. There was an improper disclosure of protected health information to Aetna’s legal counsel in July, in addition to the mailing of the Benefit Notices that revealed patients were taking HIV medications. Those privacy breaches violated the Health Insurance Portability and Accountability Act (HIPAA) and several state laws according to the lawsuit.

Individuals who had their PHI improperly disclosed will receive a base payment of $75, while class members who were sent the envelopes with the clear plastic windows will receive a base payment of $500. There are almost 1,600 individuals who will receive the $75 payment and almost 12,000 who will receive a payment of $500.

A fund has also been set up for individuals who have suffered additional harm or losses as a result of the disclosure. Those individuals can apply for additional funds by completing a claim form documenting the financial and non-financial harm they have suffered as a result of the privacy breach.

“Through our outreach efforts, immediate relief program, and this settlement we have worked to address the potential impact to members following this unfortunate incident,” said a spokesperson for Aetna. “In addition, we are implementing measures designed to ensure something like this does not happen again as part of our commitment to best practices in protecting sensitive health information.”

The post Aetna Settles Class Action Lawsuit Filed by Victims of HIV Status Data Breach appeared first on HIPAA Journal.

HHS Sued by CIOX Health Over Unlawful HIPAA Regulations

Posted by HIPAA Journal

The Department of Health and Human Services is being sued by CIOX Health, a medical record retrieval company, over updates to HIPAA laws that place restrictions on the amount that can be charged to patients for providing them with copies of their medical records.

CIOX Health claims the HIPAA Omnibus Rule updates in 2013, “unlawfully, unreasonably, arbitrarily and capriciously,” restrict the fees that can be charged by providers and their business associates for providing copies of the health information stored on patients.

Changes to HIPAA Rules not only placed a limit on the fees, but also expanded the types of information that must be provided to patients, on request. Accessing some of that information, in particular health information that is not stored in electronic medical records, is costly. Yet, even though the costs of processing some requests are high, HIPAA limits charges to $6.50 according to the lawsuit.

CIOX Health argues that this flat rate fee is an arbitrary figure that bears no relation to the actual cost of honoring patient requests for copies of their health information, and such a low fee is hurting its business. CIOX Health wants the HHS to reverse the changes made to HIPAA in 2013 and 2016 with respect to how much can be charged and the provision of copies of any type of medical information.

While the flat fee of $6.50 is the maximum that can be charged, it should be noted that the maximum fee only applies if the healthcare provider or company chooses that option. HIPAA does not prevent healthcare organizations from charging more. If they choose not to charge a flat fee, they are permitted to charge patients “actual or average allowable costs for requests for electronic copies of PHI maintained electronically.” The HHS confirmed this in May 2016 in response to questions asked via its web portal.

Tremendous Financial Burdens on Healthcare Providers

In the lawsuit, CIOX Health says, “HHS’s continued application and enforcement of these rules impose tremendous financial and regulatory burdens on healthcare providers and threatens to upend the medical records industry that services them.”

These changes to HIPAA Rules “threaten to bankrupt the dedicated medical-records providers who service the healthcare industry by effectively and quite deliberately mandating that they fulfill a rapidly growing percentage of requests for protected health information at a net loss.”

The changes to the types of health information that must be provided on request now includes medical information in any form whatsoever, including electronic medical records in EHR systems, but also paper records and films that have been transferred to third parties.

In the case of electronic records, they can be located in several different virtual locations, while paper records and films may be stored in several different physical locations. Providing copies of complete record sets requires staff to be sent to each of those locations to retrieve the records, and even accessing multiple virtual locations is a time consuming and costly process. Records must also be verified and compiled, which all takes time.

CIOX Health serves more than 16,000 physician practices and processes tens of millions of requests for copies of medical records every year. The restrictions on charges has potentially hurt its business, according to the lawsuit.

This is not the only legal action that CIOX Health is involved in which is related to providing patients with copies of their medical records. CIOX is the co-defendant in a November 2017 lawsuit that claims more than 60 Indiana hospitals have been failing to provide copies of medical records to patients within 3 days, as required by the HITECH Act, even though they accepted payments and claimed that they were meeting HITECT Act requirements. The defendants are also alleged to have overcharged patients for copies of medical records.

The post HHS Sued by CIOX Health Over Unlawful HIPAA Regulations appeared first on HIPAA Journal.

Patients in Connecticut Can Now Sue Healthcare Providers for Privacy Violations

Posted by HIPAA Journal

There is no private cause of action in the Health Insurance Portability and Accountability Act, so patients are not permitted to sue healthcare providers for privacy violations.

However, there have been rulings in several states, including New York, Missouri, and Massachusetts, allowing patients to file lawsuits against healthcare providers over unauthorized and negligent disclosures of medical records.

Following a ruling by the Connecticut Supreme Court last week, Connecticut residents will be permitted to file lawsuits for damages following negligent disclosures of medical records that have resulted in harm.

The legal precedent was set by the Supreme Court in the case Byrne v. Avery Center for Obstetrics & Gynecology.

Emily Byrne filed a lawsuit against Avery Center for Obstetrics and Gynecology (ACOG) after her medical records were disclosed to a man seeking custody of her child in a paternity suit.

ACOG was issued with a subpoena to appear before an attorney and supply Byrne’s medical records. ACOG did not challenge the subpoena, made no attempt to limit disclosure, and simply mailed a copy of Byrne’s medical file to the New Haven Regional Children’s Probate Court, where the records were made available to the man seeking custody of her child.

Byrne and her attorney, Bruce L. Elstein of Trumbull, claimed this amounted to negligence and breach of contract. ACOG claimed that under HIPAA Rules, patient consent was not required before medical records were disclosed in response to a subpoena.

Byrne argued that HIPAA creates a standard of care for patient medical records, and Avery violated that standard by releasing her records. Byrne lost the case in the Superior Court, which ruled that HIPAA does not permit private suits to be filed against healthcare providers for HIPAA violations. Byrne appealed, and the case was heard by the Supreme Court, which ruled in 2014 that HIPAA could be used as a standard of care for common law claims.

The case went before the Supreme Court for a second time after the trial court deferred the case as no courts had addressed the issue of negligence.  The Supreme Court disagreed with ACOG’s argument that patient consent is not required before medical records are disclosed in response to a subpoena, saying federal laws require the provider to have “satisfactory assurances” that a patient has been given notice about the request.

In this case, satisfactory assurances had not been obtained. Justice Dennis G. Eveleigh wrote, “the defendant did not even comply with the face of the subpoena.”

In the ruling, Justice Eveleigh wrote, “The dispositive issue in this appeal is whether a patient has a civil remedy against a physician if that physician, without the patient’s consent, discloses confidential information obtained in the course of the physician-patient relationship.’’

“We agree with the majority of jurisdictions that have considered the issue, and conclude that the nature of the physician-patient relationship warrants recognition of a common-law cause of action for breach of the duty of confidentiality in the context of that relationship.”

“Finally, we have a remedy in Connecticut that recognizes that there is a duty of confidentiality, the breach of which can lead to compensation for damages,” said Elstein.

The post Patients in Connecticut Can Now Sue Healthcare Providers for Privacy Violations appeared first on HIPAA Journal.

Medicaid Billing Company Settles Data Breach Case with Mass. Attorney General for $100,000

Posted by HIPAA Journal

A data breach experienced by New Hampshire-based Multi-State Billing Services (MBS) has resulted in a $100,000 settlement with the Massachusetts attorney general’s office.

MBS is a Medicaid billing company that provides processing services for 13 public school districts in Massachusetts –  Ashburnham-Westminster Regional, Bourne, Foxboro Regional Charter, Milford, Nauset Public Schools, Norfolk, Northborough-Southborough Regional, Plainville, Sutton, Truro, Uxbridge, Wareham, and Whitman-Hanson Regional.

In 2014, MBS learned that a password-protected, unencrypted laptop computer containing the sensitive personal information of Medicaid recipients had been stolen from a company employee. Data stored on the device included names, Social Security numbers, Medicaid numbers, and birth dates. As a result of the laptop theft, more than 2,600 Massachusetts children had their sensitive information exposed.

Following the data breach, MBS notified all affected individuals and offered to reimburse costs related to security freezes for three years following the breach. Security was also enhanced, including the use of encryption on all portable computers used to store the sensitive information of Medicaid recipients.

The Massachusetts attorney general’s office investigated the breach and determined that insufficient protections had been employed to ensure this type of breach did not occur. Under state law, companies doing business in Massachusetts must take “reasonable steps to safeguard the personal information from unauthorized access or use.” Had those measures been implemented prior to the laptop theft, a breach of sensitive information could have been avoided.

Specifically, MBS had failed to develop, implement, and maintain a written security information program, and did not ensure sensitive personal information stored on portable electronic devices was encrypted. MBS had also failed to train staff how to reasonably safeguard personal information.

A consent judgement against MBS was obtained by Massachusetts attorney General Maura Healey. That judgement requires MBS to pay a financial penalty and develop, implement, and maintain a comprehensive information security program and train staff how to handle and safeguard personal information.

Attorney general Healey said, “This settlement ensures that this company implements the necessary protections so this type of breach never happens again and sends a clear message about the importance of safeguarding the sensitive information of children and others.”

The post Medicaid Billing Company Settles Data Breach Case with Mass. Attorney General for $100,000 appeared first on HIPAA Journal.