<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Veterans Press</title>
	<atom:link href="http://www.veteranspress.com/feed" rel="self" type="application/rss+xml" />
	<link>http://www.veteranspress.com</link>
	<description>HIPAA &#38; HITECH COMPLIANCE TOOLS</description>
	<lastBuildDate>Mon, 20 Feb 2012 22:09:51 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.2.1</generator>
		<item>
		<title>What If Your Google Search Reveals Your Medical Record? HIPAA &amp; HITECH Act Blog by Jonathan P. Tomes</title>
		<link>http://www.veteranspress.com/hipaa-hitech-blog/what-if-your-google-search-reveals-your-medical-record-hipaa-hitech-act-blog-by-jonathan-p-tomes</link>
		<comments>http://www.veteranspress.com/hipaa-hitech-blog/what-if-your-google-search-reveals-your-medical-record-hipaa-hitech-act-blog-by-jonathan-p-tomes#comments</comments>
		<pubDate>Mon, 20 Feb 2012 22:09:51 +0000</pubDate>
		<dc:creator>Jonathan Tomes</dc:creator>
				<category><![CDATA[HIPAA & HITECH BLOG]]></category>
		<category><![CDATA[audit]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[identity theft]]></category>
		<category><![CDATA[Jonathan P. Tomes]]></category>
		<category><![CDATA[PHI]]></category>

		<guid isPermaLink="false">http://www.veteranspress.com/?p=925</guid>
		<description><![CDATA[A patient at St. Joseph Health System of Orange County, California, discovered that his medical record was available through search engines. This discovery resulted in the system notifying approximately 30,000 individuals that their protected health information (“PHI”) had been accessible by search engines for almost a year. St. Joseph stated that the records were stored [...]]]></description>
			<content:encoded><![CDATA[<p>A patient at St. Joseph Health System of Orange County, California, discovered that his medical record was available through search engines. This discovery resulted in the system notifying approximately 30,000 individuals that their protected health information (“PHI”) had been accessible by search engines for almost a year.</p>
<p>St. Joseph stated that the records were stored on its internal computer network with incorrect security settings. Among other data, the patients’ name, diagnoses, medications, allergies, birth date, and race and gender were subject to unauthorized access. St. Joseph contended that the data was not readily available but rather required a complex or extensive search.</p>
<p>St. Joseph is apparently trying to mitigate the breach by securing the files and working to eliminate residual or archived information on the internet. The system also provided the patients free identity theft protection.</p>
<p>This case is another clear example of the need to continually audit your system’s security. Hiring a so-called “ethical hacker” to determine any security vulnerabilities would certainly be much less expensive than this notification and mitigation, even assuming that St. Joseph doesn’t also face a class action lawsuit, such as the one that Anthem Blue Cross faces from a similar breach. For more information, read the article by Howard Anderson, “<a href="http://www.healthcareinfosecurity.com/articles.php?art_id=4515&amp;rf=2012-02-17-eh" target="_blank">Glitch Exposes Medical Records Online</a>,” in <em>Health Info Security</em>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.veteranspress.com/hipaa-hitech-blog/what-if-your-google-search-reveals-your-medical-record-hipaa-hitech-act-blog-by-jonathan-p-tomes/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Proposed Budget Cuts for HIPAA Enforcement—Hardly a Help! HIPAA &amp; HITECH Act Blog by Jonathan P. Tomes</title>
		<link>http://www.veteranspress.com/hipaa-hitech-blog/proposed-budget-cuts-for-hipaa-enforcement%e2%80%94hardly-a-help-hipaa-hitech-act-blog-by-jonathan-p-tomes</link>
		<comments>http://www.veteranspress.com/hipaa-hitech-blog/proposed-budget-cuts-for-hipaa-enforcement%e2%80%94hardly-a-help-hipaa-hitech-act-blog-by-jonathan-p-tomes#comments</comments>
		<pubDate>Tue, 14 Feb 2012 22:06:26 +0000</pubDate>
		<dc:creator>Jonathan Tomes</dc:creator>
				<category><![CDATA[HIPAA & HITECH BLOG]]></category>
		<category><![CDATA[business associate]]></category>
		<category><![CDATA[HHS]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[HITECH Act]]></category>
		<category><![CDATA[Jonathan P. Tomes]]></category>
		<category><![CDATA[OCR]]></category>
		<category><![CDATA[Office for Civil Rights]]></category>
		<category><![CDATA[PHI]]></category>
		<category><![CDATA[Privacy Rule]]></category>

		<guid isPermaLink="false">http://www.veteranspress.com/?p=922</guid>
		<description><![CDATA[The president’s proposed fiscal 2013 budget may appear helpful to covered entities and business associates that are concerned with HIPAA compliance. The budget calls for an overall 8 percent increase in spending for the Department of Health and Human Services (“DHHS”), but more importantly for those that have to comply with HIPAA, the proposed budget [...]]]></description>
			<content:encoded><![CDATA[<p>The president’s <a href="http://www.hhs.gov/budget/budget-brief-fy2013.pdf" target="_blank">proposed fiscal 2013 budget</a> may appear helpful to covered entities and business associates that are concerned with HIPAA compliance. The budget calls for an overall 8 percent increase in spending for the Department of Health and Human Services (“DHHS”), but more importantly for those that have to comply with HIPAA, the proposed budget contains a 5 percent cut in spending for the unit that enforces the Privacy Rule, the Office for Civil Rights (“OCR”).</p>
<p>The budget notes that this cut reflects improved efficiency at the OCR: “OCR instituted a number of process improvements and administrative efficiencies from FY 2002 through FY 2010, including improved staff skill sets and case management techniques.” The DHHS budget proposal also notes, “Those improvements have made OCR more efficient,” enabling the $2 million budget cut. If the proposed budget is approved, OCR will spend $39 million in FY 2013, down from $41 million in FY 2012, and will cut its staff by 4 percent to a total of 256.</p>
<p>Why isn’t this proposed budget good news? Even assuming that the improved efficiencies do not mean that OCR will be more effective in enforcing HIPAA with less money, this budget cut just gives OCR more reason to impose civil money penalties now that the HITECH Act means that the penalties go to OCR for its enforcement actions rather than to the U.S. Treasury in general. If anything, one might expect that the budget cut simply gives OCR more incentive to aggressively pursue complaints and impose large money penalties, such as the $4.3 million that Cignet Health was fined for failing to afford patients access to their PHI and for obstructing the OCR investigation into the matter. <a href="http://www.veteranspress.com/hipaa-hitech-blog/dhhs-is-getting-serious-about-enforcing-hipaa" target="_blank">See my June 17, 2011, post</a>.</p>
<p>No, a 5 percent budget cut for OCR doesn’t mean that you can let up on HIPAA compliance!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.veteranspress.com/hipaa-hitech-blog/proposed-budget-cuts-for-hipaa-enforcement%e2%80%94hardly-a-help-hipaa-hitech-act-blog-by-jonathan-p-tomes/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Another Federal HIPAA Lawsuit—This One against a Business Associate! HIPAA &amp; HITECH Act Blog by Jonathan P. Tomes</title>
		<link>http://www.veteranspress.com/hipaa-hitech-blog/another-federal-hipaa-lawsuit%e2%80%94this-one-against-a-business-associate-hipaa-hitech-act-blog-by-jonathan-p-tomes</link>
		<comments>http://www.veteranspress.com/hipaa-hitech-blog/another-federal-hipaa-lawsuit%e2%80%94this-one-against-a-business-associate-hipaa-hitech-act-blog-by-jonathan-p-tomes#comments</comments>
		<pubDate>Mon, 30 Jan 2012 22:41:47 +0000</pubDate>
		<dc:creator>Jonathan Tomes</dc:creator>
				<category><![CDATA[HIPAA & HITECH BLOG]]></category>
		<category><![CDATA[business associate]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[HIPAA violation]]></category>
		<category><![CDATA[HITECH]]></category>
		<category><![CDATA[identity theft]]></category>
		<category><![CDATA[Jonathan P. Tomes]]></category>

		<guid isPermaLink="false">http://www.veteranspress.com/?p=851</guid>
		<description><![CDATA[The Minnesota Attorney General Lori Swanson has sued a debt collection company in federal court for HIPAA violations involving an employee’s laptop stolen in Minneapolis. The defendant, Accretive Health, Inc., is a business associate for Fairview Health and North Memorial Hospital in Minnesota. Accretive’s stolen laptop contained unencrypted patient data for 23,500 patients, including names, [...]]]></description>
			<content:encoded><![CDATA[<p>The Minnesota Attorney General Lori Swanson has sued a debt collection company in federal court for HIPAA violations involving an employee’s laptop stolen in Minneapolis. The defendant, Accretive Health, Inc., is a business associate for Fairview Health and North Memorial Hospital in Minnesota.</p>
<p>Accretive’s stolen laptop contained unencrypted patient data for 23,500 patients, including names, birth dates, SSNs, amounts owed, procedures performed, chronic conditions, and how the patient responded to treatment. The attorney general’s suit is based on the theory that the hospital’s sharing of the medical information with Accretive was itself a violation of the minimum necessary rule. In other words, why was all the clinical data necessary for debt collection?</p>
<p>At issue is whether Accretive should have encrypted or otherwise protected the data on the laptop because encryption remains an “addressable” security measure specification that needs to be implemented only when doing so is reasonable and appropriate. Of course, with the need to report unsecured—that is, unencrypted—data and with the much heavier penalties under the HITECH Act, encryption will be reasonable and appropriate almost all the time when the data could result in identity theft or other serious harm.</p>
<p>For background information and more details, especially for those of you interested in equity funds, see the <a href="http://minnesota.publicradio.org/display/web/2012/01/19/swanson-accretive-health-lawsuit/" target="_blank">Minnesota Public Radio news article</a> and the <a href="http://www.ag.state.mn.us/Consumer/PressRelease/120119AccretiveHealth.asp" target="_blank">press release on the official website of the Minnesota Attorney General</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.veteranspress.com/hipaa-hitech-blog/another-federal-hipaa-lawsuit%e2%80%94this-one-against-a-business-associate-hipaa-hitech-act-blog-by-jonathan-p-tomes/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>More on the HHS Audit Pilot Program: HIPAA &amp; HITECH Act Blog by Jonathan P. Tomes with Guest Commentator Richard D. Dvorak</title>
		<link>http://www.veteranspress.com/hipaa-hitech-blog/more-on-the-hhs-audit-pilot-program-hipaa-hitech-act-blog-by-jonathan-p-tomes-with-guest-commentator-richard-d-dvorak</link>
		<comments>http://www.veteranspress.com/hipaa-hitech-blog/more-on-the-hhs-audit-pilot-program-hipaa-hitech-act-blog-by-jonathan-p-tomes-with-guest-commentator-richard-d-dvorak#comments</comments>
		<pubDate>Sun, 22 Jan 2012 21:44:24 +0000</pubDate>
		<dc:creator>Jonathan Tomes</dc:creator>
				<category><![CDATA[HIPAA & HITECH BLOG]]></category>
		<category><![CDATA[HHS audit]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[HITECH]]></category>
		<category><![CDATA[Jonathan P. Tomes]]></category>
		<category><![CDATA[risk analysis]]></category>

		<guid isPermaLink="false">http://www.veteranspress.com/?p=809</guid>
		<description><![CDATA[To follow up on the blog item that Jonathan P. Tomes posted November 9, 2011, regarding the new Health and Human Services (“HHS”) audit program for HIPAA compliance, the consulting firm KPMG was awarded a $9.2 million contract to assist the Office of Civil Rights (“OCR”) at HHS in developing HIPAA privacy and security audit [...]]]></description>
			<content:encoded><![CDATA[<p>To follow up on the <a href="http://www.veteranspress.com/hipaa-hitech-blog/oig-announces-new-audits-hipaa-hitech-act-blog-by-jonathan-p-tomes" target="_blank">blog item that Jonathan P. Tomes posted November 9, 2011,</a> regarding the new Health and Human Services (“HHS”) audit program for HIPAA compliance, the consulting firm KPMG was awarded a $9.2 million contract to assist the Office of Civil Rights (“OCR”) at HHS in developing HIPAA privacy and security audit protocols and to conduct up to 150 audits by December 31, 2012.</p>
<p>OCR will inform entities selected for an audit (see <a href="http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/sample-ocr_notification_ltr.pdf" target="_blank">sample audit notification letter</a>) and ask them to provide documentation of their privacy and security compliance efforts. In this pilot phase, every audit will include a site visit and result in an audit report according to the <a href="http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/index.html" target="_blank">HHS audit schedule timeline</a>. During site visits, auditors will interview key personnel (such as CIO, privacy officer, legal counsel, and health information management director) and observe processes and operations to determine compliance. Following the site visit, auditors will develop and share with the entity a draft report of how the audit was conducted, what the findings were, and what actions the covered entity is taking in response to those findings. Between draft and final reports, the entity will have the opportunity to discuss concerns and describe corrective actions implemented to address them. The final report submitted to OCR will incorporate the steps that the entity has taken to resolve compliance issues identified by the audit.</p>
<p>Jon Tomes and I will report additional information about the audit program as it develops. For now, I’m urging all of my clients to review their current policies and procedures, to continue to conduct their periodic privacy and security training, and to review and update or develop additional policies and procedures as appropriate. For those of you who need to implement HIPAA-compliant policies and procedures, my law partner, Jon Tomes, has taken the guesswork out of the process and has drafted 57 relevant Word® documents for you to customize for your organization on the <a href="http://www.veteranspress.com/product/compliance-guide-to-hipaa-and-the-dhhs-regulations" target="_blank"><em>HIPAA Documents Resource Center CD, </em>5<sup>th</sup> ed., which accompanies <em>The Compliance Guide to HIPAA and the DHHS Regulations,</em> 5<sup>th</sup> ed., </a>also by Jonathan P. Tomes. If you need professional assistance with your compliance efforts, such as conducting a HIPAA-required risk analysis or making sure that your organization is ready for an HHS audit or investigation of a complaint or breach, please call Jon Tomes or me toll-free at 855-385-9367 or email us at <a href="mailto:jon@tomesdvorak.com" target="_blank">jon@tomesdvorak.com</a> or <a href="mailto:richard@tomesdvorak.com" target="_blank">richard@tomesdvorak.com</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.veteranspress.com/hipaa-hitech-blog/more-on-the-hhs-audit-pilot-program-hipaa-hitech-act-blog-by-jonathan-p-tomes-with-guest-commentator-richard-d-dvorak/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Does a Client Have a HIPAA Right of Access to Psychological Test Record Forms? HIPAA &amp; HITECH Act Blog by Jonathan P. Tomes</title>
		<link>http://www.veteranspress.com/hipaa-hitech-blog/does-a-client-have-a-hipaa-right-of-access-to-psychological-test-record-forms-hipaa-hitech-act-blog-by-jonathan-p-tomes</link>
		<comments>http://www.veteranspress.com/hipaa-hitech-blog/does-a-client-have-a-hipaa-right-of-access-to-psychological-test-record-forms-hipaa-hitech-act-blog-by-jonathan-p-tomes#comments</comments>
		<pubDate>Tue, 17 Jan 2012 21:57:28 +0000</pubDate>
		<dc:creator>Jonathan Tomes</dc:creator>
				<category><![CDATA[HIPAA & HITECH BLOG]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[HIPAA right of access]]></category>
		<category><![CDATA[Jonathan P. Tomes]]></category>
		<category><![CDATA[PHI]]></category>

		<guid isPermaLink="false">http://www.veteranspress.com/?p=803</guid>
		<description><![CDATA[At a recent HIPAA seminar that I gave in Oklahoma, a psychologist asked whether the HIPAA right of access to protected health information (“PHI”) maintained in a system of records by a covered entity required the entity to provide access to copyright-protected actual assessment instruments, test stimuli or questions, or laboratory devices. I have always [...]]]></description>
			<content:encoded><![CDATA[<p>At a recent HIPAA seminar that I gave in Oklahoma, a psychologist asked whether the HIPAA right of access to protected health information (“PHI”) maintained in a system of records by a covered entity required the entity to provide access to copyright-protected actual assessment instruments, test stimuli or questions, or laboratory devices. I have always instructed my HIPAA clients to avoid this issue by getting the patient/client to waive this portion of the access as a condition of taking the test, which avoids the issue of figuring out which rule controls the situation: the HIPAA right of access or the copyright protection.</p>
<p>If, however, you have not previously obtained such a waiver, a communication from the Office of Civil Rights (“OCR”) of the Department of Health and Human Services (“DHHS”) would seem to provide support for denying such access: “[A]ny requirement for disclosure of protected health information pursuant to the Privacy Rule is subject to Section 1172(e) of HIPAA, ‘Protection of Trade Secrets.’ As such, we confirm that it would not be a violation of the Privacy Rule for a covered entity to refrain from providing access to an individual’s protected health information, to the extent that doing so would result in a disclosure of trade secrets.” Harcourt Assessment’s HIPAA Position Statement at <a href="http://kspope.com/assess/harcourt-hipaa.php" target="_blank">http://kspope.com/assess/harcourt-hipaa.php</a>. Notwithstanding this guidance, obtaining a waiver in writing from the client at the intake or before administering the test may be prudent.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.veteranspress.com/hipaa-hitech-blog/does-a-client-have-a-hipaa-right-of-access-to-psychological-test-record-forms-hipaa-hitech-act-blog-by-jonathan-p-tomes/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>More Details of Senate Blasting of HIPAA Enforcement: HIPAA &amp; HITECH Act Blog by Jonathan P. Tomes</title>
		<link>http://www.veteranspress.com/hipaa-hitech-blog/more-details-of-senate-blasting-of-hipaa-enforcement-hipaa-hitech-act-blog-by-jonathan-p-tomes</link>
		<comments>http://www.veteranspress.com/hipaa-hitech-blog/more-details-of-senate-blasting-of-hipaa-enforcement-hipaa-hitech-act-blog-by-jonathan-p-tomes#comments</comments>
		<pubDate>Wed, 04 Jan 2012 22:19:34 +0000</pubDate>
		<dc:creator>Jonathan Tomes</dc:creator>
				<category><![CDATA[HIPAA & HITECH BLOG]]></category>
		<category><![CDATA[breach]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[HIPAA violation]]></category>
		<category><![CDATA[HITECH]]></category>
		<category><![CDATA[Jonathan P. Tomes]]></category>

		<guid isPermaLink="false">http://www.veteranspress.com/?p=799</guid>
		<description><![CDATA[In my November 14, 2011, post, I reported that the Senate Judiciary Subcommittee on Privacy, Technology, and Law had recently held a hearing to discuss federal enforcement of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”). Since that post, more [...]]]></description>
			<content:encoded><![CDATA[<p>In my November 14, 2011, post, I reported that the Senate Judiciary Subcommittee on Privacy, Technology, and Law had recently held a hearing to discuss federal enforcement of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”). Since that post, more details of the hearing have surfaced.</p>
<p>As I had mentioned in the earlier post, Subcommittee Chairman Al Franken (D-MN) told officials from the Department of Health and Human Services (“DHHS”) and the Department of Justice (“DOJ”) that “the overall record of [HIPAA] enforcement is simply not satisfactory.”</p>
<p>Witnesses included U.S. Attorney Loretta Lynch and Leon Rodriguez, Director of the HHS Office for Civil Rights (“OCR”). Both officials underscored their agencies’ commitment to enforcing medical privacy laws. Lynch testified about DOJ’s efforts to enforce HIPAA’s criminal provisions, while Rodriguez cited OCR cases against Massachusetts General Hospital and CVS/Rite Aid that led to $1 million and $2.25 million fines.</p>
<p>Franken responded that, although DOJ and OCR may be increasing enforcement, the lack of enforcement in the vast majority of cases was “simply not satisfactory” with only one formal fine and six settlements out of more than 20,000 complaints. DHHS had referred 495 HIPAA complaints to DOJ, but these referrals had led to only 16 HIPAA prosecutions.</p>
<p>Franken found the lack of final HITECH regulations to be a significant problem. See <a href="http://www.judiciary.senate.gov/hearings/hearing.cfm?id=9b6937d5e931a0b792d258d9b332c04d" target="_blank">“Your Health and Your Privacy: Protecting Health Information in a Digital World”</a> on the United States Senate Committee on the Judiciary website for more information.</p>
<p>Committee member Senator Coburn noted that he has sponsored a bill, S. 1535, the Personal Data Protection and Breach Accountability Act, that would extend HIPAA protections to health data held by companies that are not currently covered by HIPAA and increase the penalties for violations. See the article on the AISHealth website at <a href="http://aishealth.com/archive/hipaa1211-02" target="_blank">http://aishealth.com/archive/hipaa1211-02</a>. The full text of the bill is at <a href="http://www.govtrack.us/congress/billtext.xpd?bill=s112-1535" target="_blank">http://www.govtrack.us/congress/billtext.xpd?bill=s112-1535</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.veteranspress.com/hipaa-hitech-blog/more-details-of-senate-blasting-of-hipaa-enforcement-hipaa-hitech-act-blog-by-jonathan-p-tomes/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Fake Doctor Sentenced for Fraud and Criminal HIPAA Violation: HIPAA &amp; HITECH Act Blog by Jonathan P. Tomes</title>
		<link>http://www.veteranspress.com/hipaa-hitech-blog/fake-doctor-sentenced-for-fraud-and-criminal-hipaa-violation-hipaa-hitech-act-blog-by-jonathan-p-tomes</link>
		<comments>http://www.veteranspress.com/hipaa-hitech-blog/fake-doctor-sentenced-for-fraud-and-criminal-hipaa-violation-hipaa-hitech-act-blog-by-jonathan-p-tomes#comments</comments>
		<pubDate>Sat, 10 Dec 2011 02:40:59 +0000</pubDate>
		<dc:creator>Jonathan Tomes</dc:creator>
				<category><![CDATA[HIPAA & HITECH BLOG]]></category>
		<category><![CDATA[criminal HIPAA violation]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[HIPAA violation]]></category>
		<category><![CDATA[Jonathan P. Tomes]]></category>

		<guid isPermaLink="false">http://www.veteranspress.com/?p=791</guid>
		<description><![CDATA[According to a press release from the Federal Bureau of Investigation (“FBI”), Atlanta Division, Matthew Paul Brown, 30, formerly of Atlanta, Georgia, was sentenced to more than five years in prison on charges of health care fraud and wrongful disclosure of individually identifiable health information. The FBI press release said, “Brown was sentenced to five [...]]]></description>
			<content:encoded><![CDATA[<p>According to a press release from the <a href="http://www.fbi.gov/atlanta/press-releases/2011/fake-doctor-sentenced-for-health-care-fraud-and-criminal-hipaa-violations" target="_blank">Federal Bureau of Investigation (“FBI”), Atlanta Division</a>, Matthew Paul Brown, 30, formerly of Atlanta, Georgia, was sentenced to more than five years in prison on charges of health care fraud and wrongful disclosure of individually identifiable health information.</p>
<p>The FBI press release said, “Brown was sentenced to five years and 10 months in prison, to be followed by three years of supervised release, and ordered to pay restitution totaling $1,063,004. On September 14, 2011, Brown pled guilty to 16 counts of health care fraud, as well as one count of wrongful disclosure of individually identifiable health information, in violation of the Health Insurance Portability and Accountability Act (“HIPAA”).”</p>
<p>For background information on this case, you may want to read a couple of my earlier blog postings. In my August 9, 2011, blog post titled “<a href="http://www.veteranspress.com/hipaa-hitech-blog/who-is-an-other-individual-that-can-be-prosecuted-for-a-hipaa-crime" target="_blank">Who Is an ‘Other Individual’ That Can Be Prosecuted for a HIPAA Crime?</a>” I mentioned the indictment of Brown, who had impersonated a doctor to commit the health care fraud and criminal HIPAA violation. In my September 17, 2011, blog post titled “<a href="http://www.veteranspress.com/hipaa-hitech-blog/another-hipaa-guilty-plea" target="_blank">Another HIPAA Guilty Plea</a>,” I discuss Brown’s guilty plea in particular and the expansion of HIPAA criminal liability in general from formerly only covered entities to now also “other individuals.”</p>
]]></content:encoded>
			<wfw:commentRss>http://www.veteranspress.com/hipaa-hitech-blog/fake-doctor-sentenced-for-fraud-and-criminal-hipaa-violation-hipaa-hitech-act-blog-by-jonathan-p-tomes/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Major Breach Results in California State Court Lawsuit: HIPAA &amp; HITECH Act Blog by Jonathan P. Tomes</title>
		<link>http://www.veteranspress.com/hipaa-hitech-blog/major-breach-results-in-california-state-court-lawsuit-hipaa-hitech-act-blog-by-jonathan-p-tomes</link>
		<comments>http://www.veteranspress.com/hipaa-hitech-blog/major-breach-results-in-california-state-court-lawsuit-hipaa-hitech-act-blog-by-jonathan-p-tomes#comments</comments>
		<pubDate>Wed, 30 Nov 2011 03:39:20 +0000</pubDate>
		<dc:creator>Jonathan Tomes</dc:creator>
				<category><![CDATA[HIPAA & HITECH BLOG]]></category>
		<category><![CDATA[breach]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[identity theft]]></category>
		<category><![CDATA[Jonathan P. Tomes]]></category>
		<category><![CDATA[PHI]]></category>
		<category><![CDATA[risk analysis]]></category>

		<guid isPermaLink="false">http://www.veteranspress.com/?p=786</guid>
		<description><![CDATA[Sutter Health of California suffered the theft of a computer containing health information on 4.2 million patients. A Sacramento law firm filed a class action lawsuit in Sacramento Superior Court on November 21, 2011, seeking $1,000 per patient plus attorney’s fees and costs. The data consisted of the name, address, date of birth, phone number, [...]]]></description>
			<content:encoded><![CDATA[<p>Sutter Health of California suffered the theft of a computer containing health information on 4.2 million patients. A Sacramento law firm filed a class action lawsuit in Sacramento Superior Court on November 21, 2011, seeking $1,000 per patient plus attorney’s fees and costs. The data consisted of the name, address, date of birth, phone number, and email address if provided for about 3.3 million patients. In addition, a description of diagnoses and services provided was breached for another 943,000 patients.</p>
<p>The lawsuit alleges that Sutter violated state requirements to adequately protect the confidentiality of medical information and to notify affected persons within 30 days. California law, unlike HIPAA, requires notification of all breaches, whereas HIPAA requires notification only of breaches of unsecured (readable) protected health information (“PHI”), and only if the covered entity’s risk analysis of the breach demonstrates a risk of compromise of the PHI’s security, integrity, or privacy.</p>
<p>Of course, although the notification rules are different, the filing under state law does not mean that the breach was not a HIPAA breach, as well. If Sutter had done a risk analysis and determined that the breach did not pose one of those risks so it was not reportable under HIPAA, that action might provide a defense in the state court case because the plaintiffs would have to prove damages—that is, that the breach caused harm.</p>
<p>Regardless of whether the stolen computer was a desktop or a laptop, Sutter Health (and the patients) would be in far better shape had the PHI been encrypted. Encryption would have placed it within the “safe harbor” that makes the compromise of the equipment or media nonreportable to DHHS. See my <a href="http://www.veteranspress.com/hipaa-hitech-blog/doctors-you%E2%80%99d-better-encrypt-hipaa-hitech-act-blog-by-jonathan-p-tomes" target="_blank">November 15, 2011, blog posting about the need for physicians to encrypt PHI</a>.</p>
<p>Because of this and other breaches, I have written a new policy on the movement of PHI to ensure that it is adequately protected. The new Sample Movement of PHI Policy is now posted in the <a href="http://www.veteranspress.com/product/premium-membership" target="_blank">Premium Member Section</a> of this website.</p>
<p>Now that my latest book is out, <em>How to Handle HIPAA and HITECH Act Breaches, Complaints, and Investigations: Everything You Need to Know,</em> I might suggest that perusing it now at one’s leisure before a breach happens would be wise because a lot of harm could occur while one is obtaining the book and digesting its guidance in the aftermath of a breach and the ensuing panic.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.veteranspress.com/hipaa-hitech-blog/major-breach-results-in-california-state-court-lawsuit-hipaa-hitech-act-blog-by-jonathan-p-tomes/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Doctors, You’d Better Encrypt! HIPAA &amp; HITECH Act Blog by Jonathan P. Tomes</title>
		<link>http://www.veteranspress.com/hipaa-hitech-blog/doctors-you%e2%80%99d-better-encrypt-hipaa-hitech-act-blog-by-jonathan-p-tomes</link>
		<comments>http://www.veteranspress.com/hipaa-hitech-blog/doctors-you%e2%80%99d-better-encrypt-hipaa-hitech-act-blog-by-jonathan-p-tomes#comments</comments>
		<pubDate>Tue, 15 Nov 2011 22:13:27 +0000</pubDate>
		<dc:creator>Jonathan Tomes</dc:creator>
				<category><![CDATA[HIPAA & HITECH BLOG]]></category>

		<guid isPermaLink="false">http://www.veteranspress.com/?p=731</guid>
		<description><![CDATA[A recent breach dramatically illustrates the importance of encryption in protecting health information. UCLA Health System warned more than 16,000 patients that their personal information was on a computer hard drive stolen from a doctor’s home in a burglary. The data was encrypted, but the encryption password was on a sheet of paper near the [...]]]></description>
			<content:encoded><![CDATA[<p>A recent breach dramatically illustrates the importance of encryption in protecting health information. UCLA Health System warned more than 16,000 patients that their personal information was on a computer hard drive stolen from a doctor’s home in a burglary. The data was encrypted, but the encryption password was on a sheet of paper near the computer that was also missing. As a result, the breach notification rules of HIPAA and the HITECH Act required UCLA Health System to send First Class Mail letters to the 16,288 patients affected, warning them of possible identity theft and giving them contact information for a data security company that the system hired to help mitigate the harm—potential identity theft. So far, no identity theft has occurred. But would a small physician practice want to spend the First Class Mail cost for more than 16,000 patients (or, God forbid, thousands more)?</p>
<p>UCLA recently had to pay an $865,000 fine for improper access to celebrity records and has had to fire employees for such improper access in the past.</p>
<p>Yes, this data was encrypted, but with an unsecured password it might as well not have been. The importance of encryption (with the password secured) is that, if the hard drive had been encrypted and the password not compromised, the data would have been “secured”—not readable—and no breach requiring reporting to either the subjects of the breach or to the Department of Health and Human Services (“DHHS”) would have occurred. Nor would the theft of secured data have required mitigation, such as purchasing credit reports or identity theft insurance in cases in which the subjects of the breach are at risk of identity theft.</p>
<p>This year, Massachusetts General had to pay a $1 million fine for an employee’s negligence in leaving paper records on a subway. If those paper records had been scanned into an encrypted memory stick and the encrypted memory stick had been left on the subway instead of paper records, no breach justifying such a large fine would have occurred.</p>
<p>DHHS regulations specify that the only technologies that render data “secure” are encryption and destruction consistent with the National Institute of Standards and Technology (“NIST”) guidelines.</p>
<p>When you consider the cost of a breach of unsecured protected health information (“PHI”), including possible fines by DHHS, the cost of notifying the subjects of the breach, the bad publicity of being posted on the DHHS website as a “big breacher,” and the like, encryption of any portable device that could be lost or stolen going to and from work or any personal computer used at home would seem absolutely necessary for HIPAA compliance. The <a href="http://www.ponemon.org/local/upload/fckjail/generalcontent/18/file/US_Ponemon_CODB_09_012209_sec.pdf" target="_blank">2009 Ponemon Institute Study</a> found that the average cost of a breach was $204 per compromised record.</p>
<p>Consequently, I require all my HIPAA clients to have work-at-home policies and policies governing movement of PHI and to encrypt all devices taken or used offsite.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.veteranspress.com/hipaa-hitech-blog/doctors-you%e2%80%99d-better-encrypt-hipaa-hitech-act-blog-by-jonathan-p-tomes/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Congress Joins the OIG in Slamming DHHS HIPAA Enforcement! HIPAA &amp; HITECH Act Blog by Jonathan P. Tomes</title>
		<link>http://www.veteranspress.com/hipaa-hitech-blog/congress-joins-the-oig-in-slamming-dhhs-hipaa-enforcement-hipaa-hitech-act-blog-by-jonathan-p-tomes</link>
		<comments>http://www.veteranspress.com/hipaa-hitech-blog/congress-joins-the-oig-in-slamming-dhhs-hipaa-enforcement-hipaa-hitech-act-blog-by-jonathan-p-tomes#comments</comments>
		<pubDate>Tue, 15 Nov 2011 01:06:32 +0000</pubDate>
		<dc:creator>Jonathan Tomes</dc:creator>
				<category><![CDATA[HIPAA & HITECH BLOG]]></category>

		<guid isPermaLink="false">http://www.veteranspress.com/?p=728</guid>
		<description><![CDATA[In my July 6, 2011, blog posting, I reported that the Office of the Inspector General (“OIG”) had slammed DHHS on its lack of effective HIPAA enforcement. Now, Congress has gotten in on the act. During a Senate Judiciary Committee’s Privacy, Technology and the Law Subcommittee hearing on November 9, 2011, witnesses called for stronger [...]]]></description>
			<content:encoded><![CDATA[<p>In my July 6, 2011, blog posting, I reported that the Office of the Inspector General (“OIG”) had slammed DHHS on its lack of effective HIPAA enforcement. Now, Congress has gotten in on the act. During a <a href="http://judiciary.senate.gov/hearings/hearing.cfm?id=9b6937d5e931a0b792d258d9b332c04d" target="_blank">Senate Judiciary Committee’s Privacy, Technology and the Law Subcommittee hearing on November 9, 2011</a>, witnesses called for stronger federal enforcement of health data breach protections.</p>
<p>Deven McGraw, director of the Health Privacy Project at the Center for Democracy and Technology, testified that the health care industry appears to be rarely encrypting data, which may easily lead to a breach if one loses a laptop, for example.</p>
<p>Kari Myrold, privacy officer at Hennepin County Medical Center in Minneapolis, said that many health care providers do not take data encryption seriously. She said that, until the federal government strengthens enforcement of health data breach protections, providers are unlikely to adequately protect data.</p>
<p>Senator Al Franken (D-Minn.), chair of the subcommittee, apparently not as a comedian, said that federal enforcement of current rules against data breaches is “simply not satisfactory.” According to Franken, only one of the 22,500 data breach complaints received by HHS has resulted in civil monetary penalties. Although that statement may not be exactly accurate because a number of covered entities have entered into settlements to avoid civil money penalties, it should further convince covered entities that the time to get compliant is now.</p>
<p>Meanwhile, Sen. Tom Coburn (R-Okla.), a physician, questioned whether the adoption of EHRs is worth the security risks.</p>
<p>Leon Rodriguez, the Director of the DHHS Office for Civil Rights, told the senators that the federal economic stimulus package in the HITECH Act increased the amount of civil penalties for a health data breach from $100 per violation to as much as $50,000 or more per violation. He added that he believes that the increased penalties have reinvigorated covered entities’ compliance efforts.</p>
<p>It’s time to take HIPAA compliance seriously, guys! Get your risk analysis done and your security squared away now before Congress makes HIPAA compliance way more onerous and expensive.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.veteranspress.com/hipaa-hitech-blog/congress-joins-the-oig-in-slamming-dhhs-hipaa-enforcement-hipaa-hitech-act-blog-by-jonathan-p-tomes/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

