Posts Tagged ‘id experts’


Avoiding Increased Risks and Liabilities under the Just Released HITECH/HIPAA Rules

Posted by: admin | August 11th, 2010

By Stephanie Cason

The Health Information Technology for Economic and Clinical Health (“HITECH”) Act, enacted on February 17, 2009, was designed to promote the widespread adoption and standardization of health information technology. It supports this goal through amendments designed to strengthen the privacy and security protections for health information established by HIPAA, and it contains provisions that substantially expand the HIPAA Privacy, Security, and Enforcement Rules. The U.S. Department of Health and Human Services (“HHS”) published proposed regulations (the “Proposed Rule”) that will implement modifications to the HIPAA Privacy, Security, and Enforcement Rules under the HITECH Act. The Proposed Rule was issued on July 8, 2010, and published in the Federal Register on July 14, 2010 with a 60-day comment period.

The HITECH Act and the Proposed Rule create a variety of new obligations for covered entities (“CEs”) and business associates (“BAs”), with some of the most significant changes being the expanded duties and penalties to which BAs are now subject. The HITECH Act required that HIPAA’s Security and Privacy Rules, as well as other aspects of HIPAA, be extended to BAs in much the same way as they apply to CEs, and a variety of changes in the Proposed Rule make it clear that the standards, requirements, and implementation specifications of HIPAA are applicable to BAs. Prior to the HITECH Act, HIPAA applied to BAs only indirectly, by way of the BA’s contractual obligations to the CE. Additionally, the penalties for violations of the BA’s obligations were limited to damages that resulted from any contractual breach (unless the BA also happened to be a CE). The HITECH Act and the Proposed Rule expand both the application of certain HIPAA requirements and the penalties that apply to BAs.

Additionally, the Proposed Rule expands the definition of “business associate” to include, most significantly, subcontractors of BAs or “downstream business associates” who create, receive, or transmit protected health information (“PHI”). Subcontractors who meet this criterion are now themselves considered BAs, and are therefore required to enter into business associate agreements and are subject to direct liability under the HIPAA rules. The Proposed Rule additionally clarifies that CEs are required to enter into business associate agreements with their BAs, but not directly with subcontractors. Instead, it is now the responsibility of the BA who engages the subcontractor to enter into a BA agreement with that subcontractor. The subcontractor business associate agreement must comply with the same requirements as agreements between CEs and BAs.

The HITECH Act has also put more teeth in HIPAA enforcement efforts by increasing civil penalties for HIPAA violations and, in certain cases, requiring formal investigations and mandatory penalties. HHS issued the Interim Final Rule (“IFR”), which revised HIPAA to incorporate provisions required by the HITECH Act and took effect immediately; the Proposed Rule makes a variety of changes to facilitate this new penalty scheme. The new penalty scheme establishes four categories of violations that reflect increasing levels of culpability, with corresponding tiers of civil money penalty amounts. The Proposed Rule clarifies that HHS will investigate complaints when a review of the facts indicates that a potential violation is due to willful neglect. If a violation is found to have occurred due to willful neglect, a penalty will be imposed.

If a HIPAA violation occurs, procedures must be in place to respond adequately. Legal counsel should also be used to ensure appropriate compliance with the requirements of HIPAA. The best way to limit liability under the new requirements is a showing of past compliance. To achieve this, entities should take steps before a violation occurs to prevent violations and to ensure that compliance is adequately documented.

In sum, the new HIPAA obligations imposed under the HITECH Act and the Proposed Rule seek to strengthen the privacy and security of PHI and the effectiveness of HIPAA, and in doing so they expand obligations and liabilities to a wider range of entities. The Proposed Rule provides CEs and BAs with 180 days after the effective date of the final regulations to come into compliance with most of the new requirements. However, the final regulations will not likely differ significantly from the Proposed Rule, and entities should familiarize themselves with the new rules and begin to prepare now for the changes.

About the Author

Stephanie A. Cason is an associate at Powers Pyle Sutter and Verville.  Her practice focuses on healthcare and education law and public policy.  She received her Juris Doctor, cum laude, from the University of Michigan Law School.  During law school, she served as selection committee member, publication committee member and administrative manager for the Michigan Journal of Gender and Law.  She was also the technology manager of the Organization of Public Interest Students.  Ms. Cason also holds an undergraduate degree in Political Science from Reed College where her senior thesis analyzed the USA Patriot Act.
Ms. Cason’s prior experience includes serving as a law clerk in the Federal Public Defender Office, a law clerk for Judge Katherine Tennyson in Portland, Oregon, and internships with the American Civil Liberties Union and the Oregon Law Center.

HITECH Data Breach Risk Assessment Webinar

Posted by: Doug Pollack | May 17th, 2010

Healthcare organizations that fall under the definition of HIPAA covered entities should be very aware of their obligations under the data breach provisions of the HITECH Act. The reason being that there are now very substantial penalties for disregarding the security and privacy regulations, for lax detection of data breach incidents and for failing to notify affected individuals of an incident within a specified period of time.

One of the keys to meeting the notification requirement is completing and documenting a data breach incident “risk assessment” for each and every incident that is detected. The “rules” for carrying out this mandated assessment are specified by the Department of Health and Human Services (HHS) in its rulemaking. This webinar will assist information security, compliance and privacy officers and professionals at hospitals, health insurers, and other covered entities in understanding what they need to do, and how to go about doing it, when faced with a potential data breach incident.

A description of the webinar follows.

The HITECH Act requires HIPAA-covered entities to carry out a careful risk assessment, including an evaluation of potential harm, for every potential data breach incident. This risk assessment will assist organizations in deciding whether they are obligated to then notify affected individuals, the Department of Health and Human Services (HHS) and the media about data breach incidents.

Kirk Nahra, CIPP, a partner at the premier healthcare law firm Wiley Rein LLP, and Rick Kam, president and founder of ID Experts, will review and discuss the HHS rules for completing these mandated data breach incident risk assessments in order to ensure compliance and utilize evolving best practices.

Learn about considerations for HIPAA-covered entities in carrying out mandated HITECH data security breach incident risk assessments. To enroll to attend the webinar, click here.

High Unemployment Increases Cybercrime

Posted by: Doug Pollack | April 8th, 2010

In the past, a significant percentage of data breach incidents have been attributed to carelessness. The lost laptop is one of the most common data breach causes, especially given how few organizations use encryption technology and how common it is for employees to have access to private data.

With the economic meltdown of 2009, and the subsequently high unemployment rates, there is now a growing trend of data breaches caused by disaffected or displaced employees.

Recently noted by San Francisco Chronicle writer Alejandro Martínez-Cabrera in his article titled “How some ex-employees turn to cybercrime”:

“Corporations across all industries have been dealing with a steadily growing number of internal data breaches since the financial meltdown. A Verizon data loss report noted that individuals with insider knowledge of organizations accounted for 20 percent of all breaches last year, and that number has been increasing as economic malaises drag on, said Chris Novak, managing principal of Verizon Business’ Global Investigative Response Team.”

“Stolen data can range from employees’ health care records or clients’ credit card numbers to merger and acquisition plans, confidential agreements or valuable source code, said Rick Kam, president and co-founder of data breach prevention firm ID Experts.

Thieves can easily sell the information to cyber-criminal rings or use it as a bargaining chip to get a job with their former employer’s competitors. According to the Ponemon Institute study, 67 percent of respondents said they would use “their former company’s confidential, sensitive or proprietary information to leverage a new job.”

‘The issue of identity theft is all about opportunity,’ Kam said. ‘And our first instinct is to protect ourselves.’

In one case handled by Kam’s company six months ago, a disgruntled man went as far as trying to extort his former employer, a large health care provider, by threatening to release thousands of sensitive patient records that would have triggered an avalanche of lawsuits.”

Healthcare Ready for HITECH?

Posted by: Doug Pollack | November 20th, 2009

HIMSS Analytics this past week released a study titled “Evaluating HITECH’s Impact on Healthcare Privacy and Security” that looks at healthcare providers and their business associates, relative to their awareness of the HITECH Act’s data breach provisions, as well as their experience with data breach incidents and concerns about preparedness and compliance with HITECH Act provisions.

This study, co-sponsored by ID Experts, the leader in identity breach protection, exposes some significant concerns. It concludes that healthcare business associates, those organizations that provide services such as billing, credit bureaus, benefits management, legal services, claims processing, insurance brokers, data processing firms, pharmacy chains, accounting firms, temporary office personnel, and offshore transcription, are “unprepared for data breach”.

Further, it notes that “68 Percent of Provider Respondents Indicated that the HITECH Act’s Expanded Breach Notification Requirements will Result in More Discovery and Reporting of Incidents”.

This implies that healthcare organizations are experiencing data breach incidents that in the past have either gone unrecognized or unreported, and that the new law is likely to “expose” more incidents because of the compliance requirements and the potentially large penalties for non-compliance. It also notes that a lack of preparedness and concern on the part of healthcare providers’ business associates creates a very significant risk to the privacy of their patients.

Santa Fe Group Announces ID Crime Victims’ Bill of Rights

Posted by: admin | February 24th, 2009

by Doug Pollack

The Santa Fe Group, an industry consortium, announced today an identity crime victims’ bill of rights that proposes the rights that should be provided to all individuals and recommends an approach to legislation for adopting this bill of rights.

“The five basic rights address the need for legislation that enables individual victims of identity theft to access and correct personally identifiable information (PII) records. The Bill of Rights white paper, titled Victims’ Rights: Fighting Identity Crime on the Front Lines, is now available at http://santa-fe-group.com/whitepapers/register.php.”

The Identity Crime Victims Bill of Rights advocates improved protection and support for victims and includes:

  • Assessment of the nature and extent of the crime that removes the procedural ‘Catch-22s’ when validating identity
  • Full restoration of victims’ identities to pre-theft status, including the ability to expunge records
  • Freedom from harassment from collection agencies, law enforcement and others
  • Prosecution of offenders and accountability for businesses that fail to reasonably secure personal information
  • Restitution that includes repayment for financial losses and expenses

“The white paper effort was led by the Identity Management Working Group of The Santa Fe Group Vendor Council chaired by Rick Kam, President of ID Experts (www.idexpertscorp.com).

‘Despite new additions to the Fair and Accurate Credit Transaction Act of 2003 (FACT), such as free credit reports and the ability to place fraud alerts after identity theft, victims are still subject to inconsistent and unfair treatment from state and federal agencies, law enforcement and businesses,’ said Rick Kam, President of Portland-based ID Experts, a leader in data breach prevention and remediation. ‘We created the Bill of Rights to empower victims by granting them the same rights as victims of other crimes.’”

The Santa Fe Group, ID Experts and other members of the Vendor Council will be holding meetings in Washington, DC later this spring in order to drum up support for this concept and related legislation.

Millions Affected by Small Fraudulent Charges Nationwide

Posted by: admin | January 13th, 2009

Internet complaint boards have been busy and credit card fraud departments are scratching their heads. Thousands of customers across the country are reporting small (about 25 cents to 1 dollar) charges mysteriously appearing on their monthly statements. The Boston Globe carried the story here.

The charge shows up on statements as coming from “Adele Services” in Melville, N.Y. Of course, there is no business by that name in Melville, or anywhere in New York. According to The Boston Globe, “Two theories of what is going on have advanced on message boards and among consumer advocates: Someone is trying to find out whether an illegally obtained credit card number will work before making a bigger charge, or they’re trying to rip off tiny amounts from tons of people.”

So far, most reports indicate that no larger charges have appeared yet. However, the Better Business Bureau estimates the number of victims to be in the millions. It has not yet been determined how the card numbers became compromised. The scheme has been mostly successful because most people are likely to overlook or ignore a small charge. As former Massachusetts assistant attorney general Edgar Dworsky told The Boston Globe, “It’s easier to steal $1 from a million people than $1 million from one person.”

This is a great reminder of why it is important to examine your monthly statements closely, and to always question charges you do not recognize no matter how small. If you let it slide, that is exactly what they are hoping for. If you have one of these charges, call your financial institution and notify them of the disputed charge. Then file a complaint with the FTC (www.ftc.gov) and the FBI’s Internet Crime Complaint Center (www.ic3.gov). It is important to lodge a complaint, even if the charge is small, as a large number of similar complaints can launch a federal investigation.

New Ponemon Study — data breaches from the consumer’s perspective

Posted by: admin | April 15th, 2008

by Doug Pollack

The Ponemon Institute today released a new study, sponsored by ID Experts, titled “Consumers Report Card on Data Breach Notification”. They describe the rationale and importance of this study as follows:

“It is well established that identity theft has become a very serious issue for Americans. But how well are organizations responding to consumers’ worries when their personal information is lost as the result of a data breach? We decided to conduct this study to find out if consumers who received notification about a data breach involving their personal information were satisfied with the organizations’ response and transparency. In other words, if the consumers had the ability to issue a report card on the current status of data breach notification would it be A for excellent or F for failing?”

The report provides a wealth of useful information to companies seeking to plan effectively for a data breach response effort. Given an earlier Ponemon study estimate that around two-thirds of the $197 per person average cost of a data breach is in lost business and reputation, this report can assist companies in evaluating how elements of their data breach response effort influence their customer retention rates, and thereby in reducing this very critical component of the cost equation.

Dr. Larry Ponemon states that:

“Data breach notifications are a failure if individuals do not have a clear understanding of their level of risk, available support, and the steps they need to take to respond to the loss or theft of their personal information. Our research strongly suggests that legal compliance is the primary goal of many companies’ notification efforts. This approach does not serve the best interests of consumers and contributes to a breakdown of trust that can impact a company monetarily as a result of an increase in customer defection.”

To download a copy of this study, visit the ID Experts website and click on the New Ponemon Study link.