Legal News

Lawsuit Filed Against Aetna for Disclosure of HIV Status of Patients

Posted by HIPAA Journal

A class action lawsuit has been filed against Aetna following a privacy breach that saw the HIV positive status of up to 12,000 individuals impermissibly disclosed. The incident occurred during a recent mailing, when details of prescribed HIV medications were visible through the clear plastic windows of envelopes, along with individuals’ names and addresses.

The letters related to pharmacy benefits and information on how HIV medications could be received. As a result of an error, which has been attributed to letters slipping inside the envelopes, many individuals had had their HIV status disclosed to neighbors, family members and roommates. While breach notification letters have been sent to 12,000 individuals who received the mailing, it is unclear exactly how many individuals had details of their HIV medications disclosed.

Last week, Aetna announced that “this type of mistake is unacceptable,” and confirmed action was being taken to ensure proper safeguards are put in place to prevent similar incidents from happening. However, for individuals affected by the error, serious and irreparable harm has been caused.

The Legal Action Center and AIDS Law Project of Pennsylvania sent a letter to Aetna last week demanding the insurer stop sending mail that “illegally discloses” plan members are taking HIV medication.” Now, a class-action lawsuit has been filed in the U.S. District Court for the Eastern District of Pennsylvania by both organizations and their legal team from Berger & Montague, P.C. The lawsuit demands that Aetna cease the practice of sending information relating to HIV medications in the mail and that it reforms procedures and pays damages.

In a recent press release, the AIDS Law Project explained that the disclosure has caused turmoil for some Aetna members whose HIV positive status was disclosed. The press release cited one example of a couple in Florida who have been forced to move home as a result of the disclosure out of fear and embarrassment.

In another example, the sister of a 52-year old man from Bucks County, PA found out he was taking HIV medication after viewing the information through the envelope. That man is the lead plaintiff in the class action lawsuit. In his case, he does not have HIV, but takes the medication as part of a regimen of pre-exposure prophylaxis to prevent him from contracting the virus.

The purpose of the Aetna correspondence was to address alleged privacy violations raised in two lawsuits in 2014 and 2015, which were filed after the company required customers to receive their HIV medications in the mail. The plaintiffs claimed such actions could breach their privacy. The cases were settled, and the letter was sent on July 28, 2017 in relation to the change in its HIV medication procedures.

When the press release was issued, six AIDS service organizations across the United States had received “dozens” of complaints from customers about the mailing.

Sally Friedman, legal director of the Legal Action Center said, “Some have lost housing, and others have been shunned by loved ones because of the enormous stigma that HIV still carries. This case seeks justice for these individuals. Insurers like Aetna must be held accountable when they fail to vigorously protect people’s most private health information.”

The post Lawsuit Filed Against Aetna for Disclosure of HIV Status of Patients appeared first on HIPAA Journal.

Lawsuit Filed Against Aetna for Disclosure of HIV Status of Patients

Posted by HIPAA Journal

A class action lawsuit has been filed against Aetna following a privacy breach that saw the HIV positive status of up to 12,000 individuals impermissibly disclosed. The incident occurred during a recent mailing, when details of prescribed HIV medications were visible through the clear plastic windows of envelopes, along with individuals’ names and addresses.

The letters related to pharmacy benefits and information on how HIV medications could be received. As a result of an error, which has been attributed to letters slipping inside the envelopes, many individuals had had their HIV status disclosed to neighbors, family members and roommates. While breach notification letters have been sent to 12,000 individuals who received the mailing, it is unclear exactly how many individuals had details of their HIV medications disclosed.

Last week, Aetna announced that “this type of mistake is unacceptable,” and confirmed action was being taken to ensure proper safeguards are put in place to prevent similar incidents from happening. However, for individuals affected by the error, serious and irreparable harm has been caused.

The Legal Action Center and AIDS Law Project of Pennsylvania sent a letter to Aetna last week demanding the insurer stop sending mail that “illegally discloses” plan members are taking HIV medication.” Now, a class-action lawsuit has been filed in the U.S. District Court for the Eastern District of Pennsylvania by both organizations and their legal team from Berger & Montague, P.C. The lawsuit demands that Aetna cease the practice of sending information relating to HIV medications in the mail and that it reforms procedures and pays damages.

In a recent press release, the AIDS Law Project explained that the disclosure has caused turmoil for some Aetna members whose HIV positive status was disclosed. The press release cited one example of a couple in Florida who have been forced to move home as a result of the disclosure out of fear and embarrassment.

In another example, the sister of a 52-year old man from Bucks County, PA found out he was taking HIV medication after viewing the information through the envelope. That man is the lead plaintiff in the class action lawsuit. In his case, he does not have HIV, but takes the medication as part of a regimen of pre-exposure prophylaxis to prevent him from contracting the virus.

The purpose of the Aetna correspondence was to address alleged privacy violations raised in two lawsuits in 2014 and 2015, which were filed after the company required customers to receive their HIV medications in the mail. The plaintiffs claimed such actions could breach their privacy. The cases were settled, and the letter was sent on July 28, 2017 in relation to the change in its HIV medication procedures.

When the press release was issued, six AIDS service organizations across the United States had received “dozens” of complaints from customers about the mailing.

Sally Friedman, legal director of the Legal Action Center said, “Some have lost housing, and others have been shunned by loved ones because of the enormous stigma that HIV still carries. This case seeks justice for these individuals. Insurers like Aetna must be held accountable when they fail to vigorously protect people’s most private health information.”

The post Lawsuit Filed Against Aetna for Disclosure of HIV Status of Patients appeared first on HIPAA Journal.

Credit Monitoring Services Must Now Be Offered to Breach Victims in Delaware

Posted by HIPAA Journal

For the first time in the past 10 years, Delaware has amended its data breach notification law and has now introduced some of the strictest requirements of any state. Any ‘person’ operating in the state of Delaware must now notify individuals of the exposure or theft of their sensitive information and must offer breach victims complimentary credit monitoring services for 12 months. Connecticut was the first state to introduce similar laws, with California also requiring the provision of credit monitoring services to breach victims.

Breach victims must also be advised of security incidents involving their sensitive information ‘as soon as possible’ and no later than 60 days following the discovery of a breach. The new law also requires companies operating in the state to implement “reasonable” security measures to safeguard personal information – Delaware is the 14th state to require companies to adopt security measures to ensure sensitive information is protected.

The definition of ‘personal information’ has also been expanded and now includes usernames/email addresses in combination with a password/answers to security questions, password numbers, driver’s license numbers, mental health and physical condition, medical histories, health insurance policy numbers, subscriber identification numbers, medical treatment information, medical diagnoses, DNA profiles, unique biometric data (including fingerprints/retina scans), and tax payer identification numbers.

Companies can avoid sending notifications and providing credit monitoring services if data is encrypted prior to a cyberattack or other security incident, unless it is reasonably believed the breach also resulted in the encryption key being compromised.

Rep. Paul Baumbach, D-Newark, who sponsored the bill, said the new legislation is ” A meaningful step forward in addressing these breaches so that we guarantee better protections for our residents and help them rebuild their lives after a cyberattack.”

House Bill 180 was passed earlier this month. The new law has an effective date of April 14, 2018.

The post Credit Monitoring Services Must Now Be Offered to Breach Victims in Delaware appeared first on HIPAA Journal.

$5.5 Million Data Breach Settlement Highlights the Importance of Prompt Patching

Posted by HIPAA Journal

The importance of applying patches promptly to address critical security vulnerabilities has been highlighted by a recent $5.5 million data breach settlement.

Yesterday, New York Attorney General Eric T. Schneiderman announced a settlement has been reached with Nationwide Mutual Insurance Company and its subsidiary, Allied Property & Casualty Insurance Company, to resolve a multi-state data breach investigation involving New York and 32 other states.

Nationwide will pay a total of $5.5 million, $103,736.78 of which will go to New York State. The settlement will cover the costs of the investigation and litigation, with the remaining funds used for consumer protection law enforcement and other purposes.

The investigation was launched following a 2012 breach of the sensitive data of 1.27 million individuals, some of whom were customers, although many had only obtained quotes from Nationwide and its subsidiary and did not go on to take out insurance policies.

In 2012, hackers infiltrated Nationwide’s systems and stole the personal information of consumers along with highly sensitive data such as Social Security numbers, driver’s license numbers, and credit scoring information.

The hackers gained access to its systems via a vulnerability in a third-party web application. While not all data breaches are the fault of the breached entity, in this case the breach could easily have been prevented. A patch to address the critical vulnerability had been released by the third-party software company three years earlier. Nationwide had failed to apply the patch. The patch was only applied after the breach occurred.

The data breach investigation was led by Attorneys General for Connecticut, the District of Columbia, Florida and Maryland. Connecticut Attorney General George Jepsen said, “It is critically important that companies take seriously the maintenance of their computer software systems and their data security protocols.”

Attorney General Schneiderman said, “Nationwide demonstrated true carelessness while collecting and retaining information from prospective customers, needlessly exposing their personal data in the process.” Schneiderman went on to say, “This settlement should serve as a reminder that companies have a responsibility to protect consumers’ personal information regardless of whether or not those consumers become customers. We will hold companies to account if they don’t.”

The settlement was agreed under a no-fault agreement. In addition to the financial penalty, Nationwide is required to ensure its software is kept up to date, including third-party software applications, and data security must be improved. Nationwide is also required to hire a technology officer to monitor and manage patches and software updates and update its policies and procedures for storing and maintaining consumers’ personal information.

Nationwide must also make clear to consumers that their personal information is retained, even if they do not sign up for insurance policies with the company or its subsidiaries.

Nationwide is not a HIPAA-covered entity, but the settlement does serve as a warning for healthcare organizations that fail to adopt security best practices. OCR is not the only regulator that can issue large fines for the failure to protect sensitive information.

This is just one of several actions taken by attorneys general for data breaches and the response to them. Earlier this year, CoPilot Provider Support Services Inc., was fined $130,000 by the New York Attorney General.

In that case, the fine was not for the breach but the lack of action afterwards. The breach occurred in October 2015, CoPilot contacted the FBI about the incident in February 2016, then delayed the issuing of breach notification letters until January 2017. The fine was not for a HIPAA violation, but a breach of General Business Law § 899-aa for unnecessarily delaying breach notifications to consumers.

The post $5.5 Million Data Breach Settlement Highlights the Importance of Prompt Patching appeared first on HIPAA Journal.

U.S. Senate Passes Jessie’s Law to Help Prevent Drug Overdoes

Posted by HIPAA Journal

West Virginia senators Joe Manchin and Shelley Moore Capito have announced that Jessie’s Law has been passed by the Senate. The legislation is intended to ensure doctors are provided with details of a patient’s previous substance abuse history if consent to share the information is provided by the patient.

Jesse’s law takes its name from Michigan resident Jessica Grubb who was in recovery from opioid abuse when she underwent surgery. She had been struggling with addition for seven years, but prior to surgery had been clean for 6 months.

Her parents, who were at the hospital while their daughter underwent surgery, had repeatedly told doctors not to prescribe opioids unless their daughter was under the strictest supervision. However, her discharging physician gave her a prescription for 50 oxycodone tablets. Grubb overdosed and died the same night she was discharged from hospital. Her discharging doctor did not receive the information about her history of opioid use.

The bill, which was introduced by Sen. Manchin and co-sponsored by Capito, will ensure physicians are better informed about the medical histories of recovering addicts, while preserving the privacy of patients. The new bill states a “history of opioid use disorder should, only at the patient’s request, be prominently displayed in the medical records (including electronic health records).”

The Department of Health and Human Services will be required to publish guidelines on when healthcare providers are permitted to prominently display details of a patient’s history of opioid use on their medical record.

Jessie’s mother Kate Grubb said, “I am ever so grateful for the passage of Jessie’s Law; it eases a mother’s aching heart that this law will save other lives and give meaning to Jessie’s death.”

The bill will now proceed to the U.S. House of Representatives’ Committee on Energy and Commerce for consideration.

Legislation Proposed to Align Part 2 Regulations with HIPAA to Improve Patient Care

Congressmen Tim Murphy and Earl Blumenauer introduced a similar bill – The Overdose Prevention and Patient Safety (OPPS) Act (HR 3545) – late last month. The bill is intended to align 42 Code of Federal Regulations Part 2 (Part 2) with HIPAA rules and will ensure doctors have access to their patients’ complete medical histories, including details of addiction treatment. Details of addiction treatment are prohibited from being shared with doctors. However, without access to full medical records, tragic incidents such as what happened to Grubb could occur time and again.

Rep. Murphy said, “The Overdose Prevention and Patient Safety Act will allow doctors to deliver optimal, lifesaving medical care, while maintaining the highest level of privacy for the patient.” Murphy also explained that while sharing sensitive information on substance use will help patients get the care they need; patient privacy must be protected. “We do not want patients with substance use disorders to be made vulnerable as a result of seeking treatment for addiction, this legislation strengthens protections of their records.”

The Overdose Prevention and Patient Safety Act reads, “Any record…that has been used or disclosed to initiate or substantiate any criminal charges against a patient or to conduct any investigation of a patient in violation of paragraphs (1) or (2), shall be excluded from evidence in any proposed or actual proceedings relating to such criminal charges or investigation and absent good cause shown shall result in the automatic dismissal of any proceedings for which the content of the record was offered.”

A coalition of more than 30 healthcare stakeholders wrote to Reps Murphy and Blumenauer to express support for the bill. In the letter, the coalition points out that while the Substance Abuse and Mental Health Services Administration (SAMHSA) recently released a final rule that will modernize Part 2, the final rule does not go far enough.

The post U.S. Senate Passes Jessie’s Law to Help Prevent Drug Overdoes appeared first on HIPAA Journal.

Maryland Data Breach Notification Law Updated

Posted by HIPAA Journal

Maryland data breach notification law has been updated, with the definition of personal information expanded. The current data breach notification statute in Maryland does not include health insurance information or data covered under the definition of the Health Insurance Portability and Accountability Act (HIPAA), although from January 1, 2018 that will change.

Maryland data breach notification law – specifically the Maryland Personal Information Protection Act – requires breach notification letters to be sent to all Maryland residents affected by a breach of personal information. Those notifications must be issued as soon as it is practicable to do so, but no later than 45 days after the discovery of a data breach that has resulted in personal information being misused or if it is likely that data could be misused.

The current definition of personal information includes a Maryland resident’s first and last name or initial and last name along with either a driver’s license number, Social Security number, financial account number, credit or debit card number (with a security code, expiry date or password that would allow the card to be used) or taxpayer identification number.

The new definition of personal information also includes, passport numbers, other federal government-issued ID numbers, state identification card numbers, any information covered by HIPAA laws, biometric data, an email address in combination with a password or security question that permits access to the account, and health insurance policy information, certificate numbers, or subscriber ID numbers in combination with an identifier that allows the information to be used.

Businesses must implement and maintain reasonable security procedures and practices to protect the confidentiality of personal information. If personal information is disclosed to a third party, the business must state in its contracts with those third parties that reasonable security procedures and practices must be implemented and maintained.

However, “reasonable security procedures and practices” have not been defined in the new statue.

The post Maryland Data Breach Notification Law Updated appeared first on HIPAA Journal.

CareFirst Can Be Sued for Breach, Rules Court of Appeals

Posted by HIPAA Journal

The D.C. Circuit Court of Appeals has ruled that CareFirst can be sued for a 2014 data breach that saw the PHI of more than 1 million members exposed and potentially stolen.

Following the announcement of the data breach, a lawsuit was filed by seven plaintiffs to recover damages, although in August last year the case was dismissed by a district court judge for lack of standing.

The plaintiffs alleged that the breach had occurred as a result of the carelessness of CareFirst, and as a direct result of that carelessness, they faced an increased risk of suffering identity theft and fraud.

The district court judge dismissed the case as the plaintiffs failed to establish harm, or a significant threat of future harm. The judge explained that “merely having one’s personal information stolen in a data breach is insufficient to establish standing to sue the entity from whom the information was taken.”

However, the three-judge panel overturned the previous ruling claiming the interpretation of the law was ‘unduly narrow’, explaining that all the plaintiffs were required to establish at that point was their allegations were plausible and there was potential for future harm as a result of the breach.

The district court ruling was based on the fact that the plaintiffs had failed to establish how it would be possible for their identities to be stolen by the hackers if their Social Security numbers and/or credit card numbers were not stolen in the attack. CareFirst maintained that Social Security numbers and financial information were not compromised and were stored in a part of the network that was not compromised.

Court of Appeals Judge Thomas Griffith explained that the conclusion drawn by the district court “rested on an incorrect premise: that the complaint did not allege the theft of Social Security or credit card numbers in the data breach.” However, while that was the opinion of CareFirst, it was not the opinion of the plaintiffs, who did include Social Security numbers and financial information in their description of the information that was stolen in the CareFirst cyberattack. That does not mean that those data elements were stolen, only that the plaintiffs alleged that Social Security numbers and financial data had been compromised.

The plaintiffs also alleged separately that the types of information which CareFirst said were compromised – email addresses, names, birth dates and CareFirst account numbers – may not be of use to an identity thief on their own, but did create “a material risk of identity theft.” The appeals court believed the claim was plausible and that the theft of such information could open the door to medical identity theft.

While medical identity theft would result in financial harm for the insurer, fraudulent claims against insurance policies could potentially cause harm to the plaintiffs. The fraudulent claims would go on their accounts and this could be held against the plaintiffs, disqualifying them from certain types of employment or preventing them from taking out life insurance. Social Security numbers would not be required for harm to be caused were that to be the case.

That is not the only lawsuit to be filed against CareFirst for the 2014 breach. In July last year, a case filed by two plaintiffs was similarly dismissed for lack of standing by a Maryland Court. The case was dismissed as the plaintiffs failed to demonstrate harm had been suffered. While it is possible to allege an injury based on future harm, the threatened injury must be impending to constitute an injury in fact. However, the judge ruled that “the injury is too speculative to be certainly impending.” While the decision was appealed, the case was voluntarily dropped by the plaintiffs.

The post CareFirst Can Be Sued for Breach, Rules Court of Appeals appeared first on HIPAA Journal.

Massive Healthcare Fraud Takedown Sees 412 Charged for $1.3 Billion in Fraudulent Billings

Posted by HIPAA Journal

Last week, the United States Department of Justice announced the largest healthcare fraud action to date. 412 individuals were charged, including 115 doctors, nurses and other medical professionals for their roles in healthcare fraud schemes. 120 doctors and other medical professionals were charged for prescribing opioids and other dangerous narcotics. The HHS has also initiated suspension actions against 295 doctors, nurses and pharmacists.

The charges aggressively targeted individuals responsible for fraudulent Medicaid, Medicaid and TRICARE billings, although this year also saw a focus on doctors and other medical professionals that have been fueling the opioid epidemic by illegally distributing opioids and pother powerful narcotics. Approximately 91 Americans lose their lives each day due to opioid overdoses.

The bust was a joint operation by the Department of Justice, FBI, Medicaid Fraud Strike Force, DEA, U.S Attorney’s Office and the Department of Health and Human Services. A joint announcement about the bust was made by Attorney General Jeff Sessions and HHS Secretary Tom Price.

Healthcare fraud costs the taxpayer billions of dollars each year. The individuals involved in fraudulent billings are alleged to have obtained $1.3 billion. Price said, “The United States is home to the world’s best medical professionals, but their ability to provide affordable, high-quality care to their patients is jeopardized every time a criminal commits healthcare fraud.”

The takedown beats last year’s bust when 301 individuals were charged with fraudulently obtaining $900 million through Medicare and Medicaid billings. In 2015, federal authorities charged 243 individuals for fraudulently billing $712 million.

In the most part, the charges related to billings for treatments that were medically unnecessary and treatments that were billed but never provided. In many cases, kickbacks were paid to obtain beneficiary information to enable fraudulent claims to be submitted.

This year saw a large number of doctors charged for their roles in the schemes. According to the Department of Justice announcement, “Aggressively pursuing corrupt medical professionals not only has a deterrent effect on other medical professionals, but also ensures that their licenses can no longer be used to bilk the system.”

The takedown saw arrests across 41 districts although the state with the highest number of arrests was Florida. 77 individuals in South Florida were charged with offenses relating to various fraud schemes. Those schemes involved $141 million in fraudulent claims to Medicaid, Medicare and TRICARE. Two individuals were charged with fraudulently billing $58 million in fraudulent insurance claims for drug treatment services. Ten individuals in the Middle District of Florida were charged with fraud offenses that netted $14 million, with one individual defrauding the TRICARE program out of $4 million.

32 individuals from the Eastern District of Michigan were charged for offenses related to healthcare fraud, providing kickbacks, drug diversion and money laundering and for billing $218 million for unnecessary medical procedures and procedures that were never provided. One of the cases involved nine defendants, including six doctors, that were prescribing controlled substances that were subsequently sold on the street and $164 million was billed to Medicare for unnecessary procedures and procedures that were never provided.

26 individuals in the Southern District of Texas were charged, with their cases involving more than $66 million in fraudulent billing. One physician and clinic owner were charged for issuing medically unnecessary prescriptions of hydrocodone to patients. The clinic was seeing between 60-70 individuals each day and paying $300 in cash per visit.

17 individuals from the Central District of California were charged for defrauding Medicare out of $147 million, two of which were involved in a scheme that fraudulently charged $41.5 million to Medicare and a private insurer.

In Southern Louisiana, 7 individuals were charged in connection with $207 million in fraudulent billings and a pharmacist was charged with submitting and causing the submission of fraudulent and false claims to TRICARE for $192 million.

Price said, “The historic results of this year’s national takedown represent significant progress toward protecting the integrity and sustainability of Medicare and Medicaid, which we will continue to build upon in the years to come.”

The post Massive Healthcare Fraud Takedown Sees 412 Charged for $1.3 Billion in Fraudulent Billings appeared first on HIPAA Journal.

Indiana Senate Passes New Law on Abandoned Medical Records

Posted by HIPAA Journal

The Health Insurance Portability and Accountability Act (HIPAA) requires healthcare providers (and other covered entities) to implement reasonable administrative, technical, and physical safeguards to protect the privacy of patients’ protected health information.

HIPAA applies to electronic protected health information (ePHI) and physical records. Safeguards must be implemented to protect all forms of PHI at rest and in transit and when PHI is no longer required, covered entities must ensure it is disposed of securely.

For electronic protected health information that means data must be permanently deleted so it cannot be reconstructed and recovered. To satisfy HIPAA requirements, the Department of Health and Human Services’ Office for Civil Rights (OCR) recommends clearing, purging or destroying electronic media used to store ePHI. Clearing involves the use of software to overwrite data, purging involves degaussing or exposing media to strong magnetic fields to destroy data. Destruction of electronic media could involve pulverization, melting, disintegration, shredding or incineration.

For physical PHI, OCR recommends shredding, burning, pulping, or pulverization to render PHI unreadable and indecipherable and to ensure the data cannot be reconstructed.

If PHI is not disposed of in accordance with HIPAA Rules, covered entities can face heavy financial penalties. Those penalties are decided by OCR, although state attorneys general can also fine covered entities since the introduction of the Health Information Technology for Clinical and Economic Health (HITECH) Act.

While state attorneys general can take action against covered entities for HIPAA violations that impact state residents, few have exercised that right – Only Connecticut, Vermont, Massachusetts, New York and Indiana all done so since the passing of the HITECH Act.

Even though few states are taking action against covered entities for HIPAA violations as allowed by the HITECH Act, many states have introduced laws to protect state residents in the event of a data breach.

In Indiana, a new state law has been recently passed that allows action to be taken against organizations that fail to dispose of medical records securely.

Indiana Updates Legislation Covering Abandoned Medical Records

In Indiana, legislation has previously been introduced covering ‘abandoned records’. If medical records are abandoned, such as being dumped or disposed of without first rendering them unreadable, action can be taken against the organization concerned.

Abandoned records are those which have been “voluntarily surrendered, relinquished, or disclaimed by the health care provider or regulated professional, with no intention of reclaiming or regaining possession.” The state law previously only covered physical records, although a new Senate Bill (SB 549) has recently been unanimously passed that has expanded the definition to also include ePHI stored in databases. The definition of ‘abandoned records’ has also been expanded to include those that have been “recklessly or negligently treated such that an unauthorized person could obtain access or possession” to those records.”

While there are exceptions under SB 549 for organizations that maintain their own data security procedures under HIPAA and other federal legislation, the new law closes a loophole for organizations that are no longer HIPAA covered entities. In recent years, there have been numerous cases of healthcare organizations going out of business and subsequently abandoning patients’ files. SB 549 allows the state attorney general to take action against HIPAA covered entities that have gone out of business if they are discovered to have abandoned PHI or disposed of ePHI incorrectly.

The new legislation came into effect on July 1, 2017. The new law allows the Indiana attorney general to file actions against the organization concerned and recover the cost of securing and disposing of the abandoned records. That should serve as a deterrent and will help to keep state residents’ PHI private.

The post Indiana Senate Passes New Law on Abandoned Medical Records appeared first on HIPAA Journal.