Office of Civil Rights Discusses Two HIPAA Enforcement Tools - Will These "Red Light Cameras" Deter New HIPAA Violations?

Elizabeth Litten writes:

The federal Office of Civil Rights (“OCR”) has publicized two tools, available to OCR and to individual State Attorneys General (“SAGs”), for deterring and catching HIPAA privacy and security breaches; they work much like the red light cameras designed to deter and catch traffic violations.

 

If a Covered Entity (“CE”) or Business Associate (“BA”) has already experienced a breach of Protected Health Information (“PHI”), it has probably already taken (or has been required by regulators to take) steps to prevent future breaches. However, all CEs and BAs should be aware of the tools available to the federal and state governments to check HIPAA compliance, investigate potential breaches, and bring enforcement actions for a variety of HIPAA violations, including, but not limited to, PHI breaches. 

 

Linda Sanches, OCR Senior Advisor and the lead on HIPAA Compliance Audits, recently presented on the progress of the 2012 HIPAA Privacy and Security Audit Program (the “Audit Program”) being conducted for OCR by KPMG, Inc. One stated objective of the Audit Program is to “[e]ncourage renewed attention to compliance activities.” The Audit Program is being conducted using Generally Accepted Government Auditing Standards (aka “Yellow Book Standards”).

 

While OCR states that the Audit Program is not meant to be “punitive,” it also notes that the Audit Program currently being conducted will “feed into decisions” related to future audits. OCR lists “Non-Compliance Risks” as including loss of contracts, criminal and civil investigation, federal penalties and state fines, public harm and reputational risk, legal costs, and costs of notification.  

 

In particular, three of the tips to avoid the painful and expensive consequences of HIPAA violations, which were listed on the last slide of Ms. Sanches’ presentation, struck me as particularly noteworthy for their obviousness and simplicity:

 

1) Determine your various lines of business that are affected by HIPAA.

2) Map/Flow PHI movement within your organization, as well as flows to/from third parties.

3) Find all of your PHI.

 

Yes, if you are a CE or BA and don’t know where your PHI resides or travels, you may already be on the road to HIPAA violations without even realizing it. 

 

As another enforcement tool, OCR has published guidance for SAGs looking to investigate HIPAA violations and drum up revenue for the state and individuals affected by the violations. CEs and BAs can view this guidance and see how states can investigate and prosecute potential HIPAA violations, as well as how OCR and SAGs can estimate potential penalties that may be imposed:

 

SAG Penalty Estimate

• Amount of penalty = [number of violations] X [up to $100] per violation; and

• A SAG may obtain damages as high as $100 per violation and up to $25,000 for violations of the same requirement in a calendar year.

OCR Penalty Estimate

• OCR may collect civil money penalties of up to $50,000 per violation, depending on the level of culpability; and

• The calendar year OCR maximum is $1.5 million, for a single CE, for violation of identical provisions.

 

One example of HIPAA violations, which did not involve a PHI security breach, worthy of SAG prosecution involves a pharmacy’s disclosure of the PHI of 1,500 customers to a business associate, which the pharmacy paid to make a treatment communication on its behalf. The pharmacy did not limit the PHI it disclosed to the minimum necessary, and did not include the required information about this practice in its notice of privacy practices that the pharmacy distributed to all 1,500 customers.

 

The unfortunate pharmacy in this example is described as having otherwise compliant HIPAA policies and procedures, but is subject to a state penalty of $50,000 and an OCR penalty of up to $3 million.
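To make the arithmetic behind the pharmacy figures visible, here is an added example (my code, not part of the OCR guidance or this post) that applies the SAG and OCR penalty formulas quoted above and reproduces the $50,000 state figure and the $3 million OCR maximum. The per-violation amounts and calendar-year caps are the ones the post states; the assumption, made to match the post's result, is that each of the 1,500 customers counts as one violation of each of two distinct requirements (minimum necessary, and the notice of privacy practices content), so each annual cap applies twice. The `per_violation` parameter is a hypothetical knob for modelling a lower culpability tier; it never exceeds the stated maximum.

```python
# Added example (not from the blog post or OCR): a small estimator that applies
# the SAG and OCR penalty formulas quoted in the post and reproduces the
# pharmacy figures. Amounts and caps are those the post states; treating the
# pharmacy case as two distinct requirements, each violated once per customer,
# is an assumption made to match the post's worked result.

SAG_MAX_PER_VIOLATION = 100               # "up to $100 per violation"
SAG_ANNUAL_CAP_PER_REQUIREMENT = 25_000   # "$25,000 ... same requirement in a calendar year"
OCR_MAX_PER_VIOLATION = 50_000            # "up to $50,000 per violation"
OCR_ANNUAL_CAP_PER_PROVISION = 1_500_000  # "$1.5 million ... identical provisions"


def _capped_total(counts, per_violation, annual_cap):
    """Sum penalties per requirement, capping each requirement at the annual maximum.

    counts: mapping of requirement/provision name -> number of violations in one
    calendar year. per_violation: amount assessed for each violation.
    Returns (total, {requirement: capped_amount}).
    """
    breakdown = {}
    for requirement, count in counts.items():
        if count < 0:
            raise ValueError(f"negative violation count for {requirement!r}")
        breakdown[requirement] = min(count * per_violation, annual_cap)
    return sum(breakdown.values()), breakdown


def estimate_sag_penalty(counts, per_violation=SAG_MAX_PER_VIOLATION):
    """SAG estimate: up to $100 per violation, $25,000 per requirement per calendar year."""
    per_violation = min(per_violation, SAG_MAX_PER_VIOLATION)
    return _capped_total(counts, per_violation, SAG_ANNUAL_CAP_PER_REQUIREMENT)


def estimate_ocr_penalty(counts, per_violation=OCR_MAX_PER_VIOLATION):
    """OCR estimate: up to $50,000 per violation (culpability-dependent), $1.5M per provision per year."""
    per_violation = min(per_violation, OCR_MAX_PER_VIOLATION)
    return _capped_total(counts, per_violation, OCR_ANNUAL_CAP_PER_PROVISION)


# Constructed scenario mirroring the post's pharmacy example: 1,500 customers,
# two requirements violated once per customer (assumption, see above).
PHARMACY_VIOLATIONS = {
    "minimum necessary": 1_500,
    "notice of privacy practices content": 1_500,
}


def pharmacy_exposure():
    """Return (state_total, ocr_maximum) for the pharmacy scenario."""
    state_total, _ = estimate_sag_penalty(PHARMACY_VIOLATIONS)
    ocr_max, _ = estimate_ocr_penalty(PHARMACY_VIOLATIONS)
    return state_total, ocr_max


if __name__ == "__main__":
    state, federal = pharmacy_exposure()
    print(f"State AG penalty: ${state:,}")        # $50,000
    print(f"OCR penalty (maximum): ${federal:,}")  # $3,000,000
```

The caps are what drive the result: 1,500 violations at $100 would be $150,000 per requirement, but the $25,000 calendar-year cap per requirement brings the state total to $50,000, while the OCR $1.5 million cap per provision, applied twice, yields the $3 million maximum. Mapping where PHI flows (tip 2 above) is what lets an organization count the requirements and records actually in play rather than guessing.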

 

The astronomical penalties that are potentially assessable by OCR and SAGs for HIPAA violations should act as a red light or at least a bright amber light of caution to those who may already be approaching or on the road to HIPAA violations. All CEs and BAs should heed the OCR warnings and guidelines.

 

(Elizabeth G. Litten, Esq., author of this entry, is a partner with Fox Rothschild LLP, based in our Princeton, NJ office. She has concentrated her practice in health law for more than 20 years, with a focus on representing New Jersey-licensed providers and payers and counseling clients on federal health care issues. She is a regular contributor to the firm’s HIPAA, HITECH and Health Information Technology blog.)

The Parade of PHI Security Breaches: WellPoint Finally Settles with the Attorney General of Indiana

As reported previously on this blog series, the requirements under HIPAA/HITECH statutes and regulations for public disclosure of security breaches of Protected Health Information (“PHI”) have been bringing to light new breaches of PHI security and direct intervention by attorneys general with respect to such breaches.

An earlier posting on December 13, 2010 (the “2010 Posting”) reported that, on October 29, 2010, the Indiana Attorney General's office announced in a press release (the “2010 Press Release”) that it had filed a lawsuit against Indianapolis-based WellPoint, Inc. (“WellPoint”), claiming that “the health insurance provider did not notify their customers or the Attorney General's office in a timely manner following a data breach earlier this year affecting more than 32,000 Hoosiers.”

As reported by Ben Keller from London, Indiana Attorney General Greg Zoeller announced on July 5, 2011 in a press release (the “2011 Press Release”) that WellPoint agreed to pay $100,000 after the company failed to notify customers and the state Attorney General “without unreasonable delay” of a data breach that occurred between October 2009 and March 2010. In response to a request by Mr. Keller to comment for the article, I was quoted as follows:

By settling with WellPoint Inc., the Attorney General of Indiana joins the Attorneys General of Connecticut and Vermont in recovering a substantial sum for the state. . . . [U]nlike Connecticut and Vermont, the Attorney General of Indiana however proceeded solely under a state law enacted by Indiana in 2009. With this variety of successes, it is likely that more Attorneys General will become aggressive in this area in the future.

This posting will endeavor to make some additional observations about the Indiana case. As reported in the 2010 Posting, the Connecticut case proceeded under the federal HIPAA/HITECH statute, while Mr. Zoeller proceeded only under an Indiana state law. Subsequent to the 2010 Posting, this blog series reported on a settlement in Vermont in January 2011 that was brought under both federal and state law in one lawsuit that invoked HIPAA/HITECH, as well as the Vermont Security Breach Notice and Consumer Fraud Acts.

In summary, there have now been three reported settlements by Attorneys General for PHI security breaches:

(i) one that proceeded solely under the federal HIPAA/HITECH statute (Connecticut);

(ii) another that proceeded under both the federal HIPAA/HITECH statute and state law (Vermont); and

(iii) a third one that proceeded solely under state law (Indiana).

The 2010 Posting also raised the question as to why Mr. Zoeller had proceeded only under the Indiana state law and not under HIPAA/HITECH as well. The 2011 Press Release sheds some light on the matter:

In 2009, Zoeller advocated for passing a new state law the Legislature enacted that session that now requires companies, in the event of a security breach, to notify consumers and the Attorney General's Office without unreasonable delay. Companies who detect an internal breach should make a written disclosure to the Attorney General's Identity Theft Unit.

It is clear that Mr. Zoeller wanted to achieve a successful result under the state statute for which he had personally urged passage. However, while the 2010 Posting reported that Mr. Zoeller was seeking $300,000 in civil penalties from WellPoint, he settled for $100,000 in penalties, plus, among other sanctions, the requirements that WellPoint provide up to two years of credit monitoring and identity-theft protection services to Indiana consumers affected by the breach and that WellPoint reimburse any WellPoint consumer up to $50,000 for any losses that result from identity theft due to the breach.

As stated earlier, it can be expected that other attorneys general around the country will follow suit in vigorously investigating PHI security breaches and seeking civil monetary payments and other sanctions under HIPAA/HITECH and/or state law. Such actions can generate revenues for the state, act as a deterrent to others and generate positive media coverage for successful attorneys general.

Prompt, decisive and compliant action will be required of insurers and providers to maximize damage control, rehabilitate relations with clients and the public and reduce the likelihood of litigation and penalties for PHI security breaches.
 

(Michael J. Kline, the author of this entry and a co-author of this blog, is a partner with Fox Rothschild LLP, based in our Princeton, NJ office, and is a past Chair of the firm's Corporate Department. He concentrates his practice in the areas of corporate, securities, and health law, and frequently writes and speaks on topics such as corporate compliance, governance and business and nonprofit law and ethics.)

New Turn in the Parade of PHI Breaches: Office of Civil Rights Exacts Heavy Payments From Cignet Health and Massachusetts General Hospital

As reported previously (see here), the requirements under the HIPAA/HITECH statutes and regulations for public disclosure of security breaches of Protected Health Information (“PHI”) have been bringing direct intervention by attorneys general with respect to enforcement actions regarding such breaches. Last week for the first time, the Office for Civil Rights (“OCR”) of the U.S. Department of Health and Human Services (“HHS”) exacted heavy financial obligations from (i) Cignet Health and its affiliates (“Cignet”) on February 22, 2011, with a $4.3 million civil monetary penalty assessment (“CMP”) for violations of the HIPAA Privacy Rule and (ii) the General Hospital Corporation and Massachusetts General Physicians Organization Inc. (collectively, “Mass General”) on February 24, 2011, for a settlement that includes a payment to the U.S. government of $1,000,000 by Mass General for potential violations of HIPAA.

This is the first time that the OCR has publicized its activities in enforcement actions involving heavy monetary payments. Until now, as discussed above, the publicized enforcement activity for monetary recoveries from covered entities under HIPAA/HITECH has been by attorneys general in Connecticut, Indiana and Vermont.

The cases of Cignet and Mass General are efforts by the OCR to demonstrate its seriousness in taking action against violations or alleged violations of HIPAA/HITECH. In the OCR press release relating to Cignet (the “Cignet Press Release”), Kathleen Sebelius, Secretary of HHS, stated the following:

Ensuring that Americans’ health information privacy is protected is vital to our health care system and a priority of this Administration. The U.S. Department of Health and Human Services is serious about enforcing individual rights guaranteed by the HIPAA Privacy Rule.

In the OCR press release relating to Mass General (the “Mass General Press Release”), OCR Director Georgina Verdugo was quoted as follows: “We hope the health care industry will take a close look at this agreement and recognize that OCR is serious about HIPAA enforcement. It is a covered entity’s responsibility to protect its patients’ health information.”

The close proximity of the two OCR actions and press releases is noteworthy. According to the Cignet Press Release, the Cignet case involved 41 patients, while, according to the Mass General Press Release, the Mass General case involved 192 patients. Each of these numbers is far fewer than the threshold of 500 affected individuals for listing on the HHS website (the “HHS List”). Some of the 241 incidents reported on the current HHS List involve hundreds of thousands, or even more than one million, affected individuals. It is clear that OCR felt it necessary to make examples of Cignet and Mass General.

The two cases are very different in that the Cignet Health payment involves a CMP imposed by OCR for violations that the OCR found Cignet to have committed, including, according to the Cignet Press Release, the fact that “. . . Cignet failed to cooperate with OCR’s investigations on a continuing daily basis from March 17, 2009, to April 7, 2010, and that the failure to cooperate was due to Cignet’s willful neglect to comply with the Privacy Rule.” Therefore, the heavy CMP on Cignet would appear to be based in major part on OCR’s view that Cignet flouted the authority of OCR to investigate alleged HIPAA Privacy violations.

On the other hand, according to the Mass General Press Release, Mass General settled for a $1,000,000 payment and other compliance actions for “potential violations of the HIPAA Privacy Rule.” It is clear that Mass General, while having an incident that affected almost five times as many individuals as that of Cignet, exhibited a spirit of cooperation with OCR and, therefore, settled for less than one-fourth of the CMP imposed on Cignet and was not found by OCR to have committed a violation.

The juxtaposition of the two cases by OCR shows that cooperation may achieve significant benefits for alleged HIPAA violators, while those who fail to cooperate can be severely punished. The importance of these two cases warrants further discussion in future blog entries.
 

(Michael J. Kline, Esq., the author of this entry and author of an on-going analysis of the concerns of Madoff stakeholders, is a partner with Fox Rothschild LLP, based in our Princeton, NJ office, and is a past Chair of the firm's Corporate Department. He concentrates his practice in the areas of corporate, securities, and health law, and frequently writes and speaks on topics such as corporate compliance, governance and business and nonprofit law and ethics.)

The Parade of PHI Security Breaches: Escalating Enforcement Activity by State Attorneys General - Most Recently in Vermont

As reported previously on this blog (here and here) relative to cases brought by former Connecticut Attorney General Richard Blumenthal (the “Connecticut Action”) and Indiana Attorney General Greg Zoeller (the “Indiana Action”), the HIPAA/HITECH statutes and regulations regarding public disclosure of security breaches of Protected Health Information (“PHI”) have encouraged direct intervention by state attorneys general with respect to such breaches. The enactment of HITECH gave state attorneys general the ability to enforce PHI security breaches under HIPAA for the first time in federal district court as parens patriae (on behalf of state residents) if they believe their residents are threatened or adversely affected by HIPAA violations. It was also pointed out in the earlier blog postings that nothing in HIPAA/HITECH prevents a state attorney general from exercising powers under state law respecting alleged PHI security breaches.

On January 18, 2011, Attorney General William Sorrell of Vermont and his office (collectively, the “Vermont Attorney General”) announced in a press release (the “Press Release”) that it had settled a lawsuit (the “Vermont Action”), by means of a consent decree which requires court approval, against Health Net, Inc., and Health Net of the Northeast, Inc. (collectively, “Health Net”). The Vermont Action involves a number of the same issues to which the Connecticut Action against Health Net related, including an alleged failure to promptly notify consumers endangered by the breach.

The settlement in the Vermont Action (the “Vermont Settlement”) would require Health Net to pay $55,000 to Vermont, submit to a data-security audit, and file reports with Vermont regarding information security programs for the next two years. Presumably the lower settlement amount in Vermont is attributable to the fact that, as the Press Release stated, 525 Vermonters were affected by the alleged PHI security breach, which may be contrasted to nearly 500,000 Connecticut enrollees that were the subject of the Connecticut Action.

Significantly, the Vermont Action, which was filed in the U.S. District Court for the District of Vermont, unlike the Connecticut Action and the Indiana Action, was brought under both federal and state law in one lawsuit that invoked HIPAA/HITECH, as well as the Vermont Security Breach Notice and Consumer Fraud Acts. The Press Release stated that the Vermont Settlement is “Vermont’s first enforcement action under the Security Breach Notice Act and the second HIPAA enforcement action of its kind since state attorneys general were given HIPAA enforcement authority in 2009.”

So far, state attorneys general have limited their enforcement activity under HIPAA/HITECH to cases where alleged unreasonable and lengthy delays in notifying affected individuals by insurers were present. Insurers may be attractive targets because they are perceived by the public as large, highly profitable and relatively faceless entities. It will be interesting to see when the first lawsuit is filed by an attorney general against a provider, such as a physician practice group or community hospital, and what the basis for such a lawsuit will be.

In any event, it can be expected that other attorneys general around the country will heighten their investigations of PHI security breaches and seek civil monetary payments under HIPAA/HITECH and/or state law. Perhaps more will even be heard from attorneys general who believe that citizens of their respective states have been affected by the alleged Health Net and/or WellPoint PHI security breaches.

Prompt, decisive and positive action is required of providers, as well as insurers, to limit potential damages, rehabilitate relations with clients and the public, and reduce the likelihood of litigation and penalties.
 

(With appreciation to Michael J. Kline, Esq., the author of this entry and a co-author of this blog.  Mr. Kline is a partner with Fox Rothschild LLP, based in our Princeton, NJ office, and is a past Chair of the firm's Corporate Department. He concentrates his practice in the areas of corporate, securities, and health law, and frequently writes and speaks on topics such as corporate compliance, governance and business and nonprofit law and ethics.)

The Parade of PHI Security Breaches: Escalating Enforcement Activity by Attorneys General - Most Recently in Indiana

As reported previously on this blog, the requirements under the HIPAA/HITECH statutes and regulations for public disclosure of security breaches of Protected Health Information (“PHI”) have been bringing to light new breaches of PHI security and direct intervention by attorneys general with respect to such breaches.

The earlier posting reported that Richard Blumenthal, Attorney General, and now United States Senator-elect, in Connecticut, has been especially prominent in investigating PHI security breaches affecting individuals in his state. He also distinguished himself by successfully recovering for Connecticut the first state settlement for PHI security breaches under HIPAA/HITECH in an amount of $250,000.

The enactment of HITECH gave state attorneys general the ability to enforce PHI security breaches under HIPAA for the first time in federal district court as parens patriae (on behalf of state residents) if they believe their residents are threatened or adversely affected by HIPAA violations.

It was pointed out in the earlier blog posting that nothing in HIPAA/HITECH prevents a state attorney general from exercising powers under state law respecting alleged PHI security breaches. In this regard, on October 29, 2010, the Indiana Attorney General's office announced in a press release (the “Press Release”) that it had filed a lawsuit against Indianapolis-based WellPoint, Inc. (“WellPoint”), claiming that “the health insurance provider did not notify their customers or the Attorney General's office in a timely manner following a data breach earlier this year affecting more than 32,000 Hoosiers.”

Significantly, the lawsuit, which seeks $300,000 in civil penalties, is not being brought under HIPAA/HITECH but, according to the Press Release, under Indiana state law, which “requires businesses to notify both the individuals potentially affected by a data breach, as well as the Attorney General's office without unreasonable delay.”

According to the Press Release, WellPoint was notified as early as February 22, 2010 and again on March 8, 2010 that health insurance application records containing personal information, such as social security numbers, financial information and health records, were accessible through its public website. However, Greg Zoeller, the Indiana Attorney General, alleges that WellPoint did not begin notifying customers of the security breach until June 18, 2010 (over 100 days after WellPoint reportedly learned of the breach). The Press Release continues that, following news reports of the breach, the Attorney General's office submitted an inquiry to WellPoint and received a response on July 30, 2010 (at least 144 days after WellPoint reportedly learned of the breach). The Press Release states that the WellPoint “delays in notice both to customers and to the Attorney General's office are considered unreasonable.”

Significantly, HIPAA/HITECH has a more objective and rigid standard than the “unreasonable delay” of the Indiana statute. Under HIPAA/HITECH, the time frame for insurers and providers to give notice to affected individuals and the U.S. Department of Health and Human Services of a PHI security breach involving 500 or more individuals is “without unreasonable delay and in no case later than 60 days from discovery of a breach.” [Emphasis supplied] WellPoint would clearly not be within the 60-day limit for notification under the HIPAA/HITECH requirements.

It is not clear what led Mr. Zoeller to determine to proceed under state law rather than HIPAA/HITECH, especially given the objective outside limit of 60 days under HIPAA/HITECH and the abovementioned success of Mr. Blumenthal in Connecticut. Perhaps the decision was made in order to bring the action in the Indiana state courts rather than the federal courts, or there are facts and circumstances that may favor use of the state law. It is also possible that the Indiana Attorney General may want to reserve the possibility of proceeding in the federal courts under HIPAA/HITECH later in the event that the current state action does not proceed favorably.

In any event, it can be expected that other attorneys general around the country will follow suit in vigorously investigating PHI security breaches and seeking civil monetary payments under HIPAA/HITECH and/or state law. In this regard, it will be interesting to see how the attorneys general will exercise their discretion in selecting entities from whom they will seek penalties. The two reported cases in Connecticut and Indiana deal with Health Net and WellPoint, respectively, which are insurers, not providers. As a political and media matter, insurers would appear to be much safer targets than highly respected non-profit teaching or community hospitals or small physician practices.

Nonetheless, both insurers and providers must be on constant alert to minimize fallout if a PHI security breach occurs. Prompt, decisive and positive action will be required of insurers and providers to maximize damage control, rehabilitate relations with clients and the public and reduce the likelihood of litigation and penalties for undue delay in notification of PHI security breaches.

(With appreciation to Michael J. Kline, Esq., the author of this entry and the author of an on-going analysis on this blog site of the concerns of Madoff stakeholders. Mr. Kline is a partner with Fox Rothschild LLP, based in our Princeton, NJ office, and is a past Chair of the firm's Corporate Department. He concentrates his practice in the areas of corporate, securities, and health law, and frequently writes and speaks on topics such as corporate compliance, governance and business and nonprofit law and ethics.)

 

The Parade of PHI Security Breaches - Providers and Insurers Beware of Attorney General Richard Blumenthal and Other Attorneys General

The requirements under the federal Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), as amended by the Health Information Technology for Economic and Clinical Health Act of 2009 ("HITECH" and collectively with HIPAA, "HIPAA/HITECH") statutes and regulations for public disclosure of security breaches of Protected Health Information (“PHI”) have continuously been bringing to light new breaches of PHI involving highly respected and sophisticated providers. With the authorization by HITECH of enforcement of HIPAA/HITECH violations by state attorneys general, direct intervention by attorneys general has been taking place.

Richard Blumenthal, the Attorney General of Connecticut and a candidate for U.S. Senate, has been especially prominent in his prompt launching of investigations of PHI security breaches affecting individuals in his state.

For example, on August 18, 2010, Yale School of Medicine reported that it had begun notifying approximately 1,000 individuals whose clinical health information was contained on a laptop computer that was stolen. On the heels of that disclosure, Attorney General Blumenthal announced “My office has begun an investigation to identify the cause of the breach and assure ongoing protections for patients.”

One day later on August 19, 2010, ctwatchdog.com reported that Mr. Blumenthal had announced an investigation into another security breach, this time at the University of Connecticut where a laptop containing private financial information on 10,174 applicants was stolen.

These new disclosures by Mr. Blumenthal are only the latest in his parade of investigations of PHI security breaches. The enactment of HITECH gave state attorneys general the ability to enforce PHI security breaches under HIPAA for the first time.

Under HITECH, state attorneys general are authorized to bring civil suits in federal district court as parens patriae (on behalf of state residents) if they believe their residents are threatened or adversely affected by HIPAA violations. The attorneys general can sue for injunctive relief and/or damages and attorney fees. Moreover, nothing in HIPAA/HITECH prevents a state attorney general from exercising powers under state law respecting PHI security breaches.

In July 2010 Mr. Blumenthal distinguished himself in an earlier case by successfully recovering for Connecticut the first state settlement under HIPAA/HITECH in an amount of $250,000 with healthcare insurer Health Net and its affiliates over health data security breaches. Mr. Blumenthal had charged Health Net with failing in May 2009 (i) to protect properly private patient medical records and financial information on nearly 500,000 Connecticut enrollees and (ii) to promptly notify consumers endangered by the breach.

The actions, visibility and financial success from Mr. Blumenthal’s numerous PHI security breach investigations in Connecticut are likely to stir other attorneys general around the country to follow suit. These actions can be very disruptive for providers and insurers who suffer a PHI security breach. HIPAA/HITECH gives such providers and insurers up to 60 days for internal investigation before requiring a report to the U.S. Department of Health and Human Services and public disclosure respecting a PHI breach involving 500 or more individuals. However, early publicity by an attorney general prior to the passing of the 60-day period may force a public response by a provider or insurer before it has completed its own internal investigation and preparation of an orderly public disclosure and response. Prompt, decisive and proactive action will be required of such a provider or insurer to maximize damage control and rehabilitate relations with clients and the public in advance of the expiration of the 60-day HIPAA/HITECH period.

(With appreciation to Michael J. Kline, Esq., the author of this entry and the author of an on-going analysis on this blog site of the concerns of Madoff stakeholders. Mr. Kline is a partner with Fox Rothschild LLP, based in our Princeton, NJ office, and is a past Chair of the firm's Corporate Department. He concentrates his practice in the areas of corporate, securities, and health law, and frequently writes and speaks on topics such as corporate compliance, governance and business and nonprofit law and ethics.)