In the past, state and federal auditing environments have not been very aggressive in ensuring compliance with HIPAA and the HITECH Act, but that is changing. Government regulators are increasing their audit frequency and fine amounts.
Although many health facilities have invested in high-tech electronic records management systems (EMR/EHR), those systems do not encompass the entire information and data environment within a health facility, and sensitive information often finds its way into and onto systems outside the reach of EMR/EHR systems. This brings with it increased exposure to security breaches and liability.
I recently spoke with Chad P. Brouillard, Attorney at Foster & Eldridge, LLP, about achieving the balance between eDiscovery mandates and health provider-specific privacy obligations. In part one of this two-part interview, we discuss the implications of HIPAA and HITECH in particular. We also look at a few recent cases and unpack the data breach lessons learned in each of them:
Amber Scorah: What are some of the implications of HIPAA and HITECH on eDiscovery?
Chad Brouillard: These two areas are somewhat separate but interrelated. In essence, because of HIPAA we have protected health information which is being stored electronically. So you have, in terms of eDiscovery, electronically stored information, which may also be characterized as PHI or EPHI, Electronically Protected Health Information.
In essence, in our practice area, when we deal with health care matters, when dealing with eDiscovery you have this separate layer of concern regarding the privacy and protection of patient information. When you’re disclosing to the other side, or you’re responding to subpoenas or administrative requests, you’ve always got to keep in mind that you’re dealing with protected health information and this layer of, if not privileged, confidential information which just cannot be disclosed to a third party’s absence or protection.
Amber Scorah: Let’s talk about a few recent cases—could you tell us what were the data breach lessons learned from each of these? Let’s start with HHS vs. Blue Cross Blue Shield of Tennessee:
Chad Brouillard: This was very recent. In March of 2012, HHS announced that they had settled a case with Blue Cross Blue Shield of Tennessee, relative to data breach. I think this was the first case that was based on self-reporting by a covering entity. In essence the settlement and the complaint from HHS vs. Blue Cross Blue Shield were based on mandatory reporting in the security rules to the HHS regulations.
In this case, Blue Cross Blue Shield of Tennessee had a leased facility in which they were storing some technical equipment. The equipment included 57 hard drives, which happened to be unencrypted and contained EPHI (Electronic Patient Health Information). After the incident was self-reported, HHS basically looked at it and determined that the breach was potentially so widespread, and affected such a large number of potential patients, that they wanted to look a little bit more closely at Blue Cross Blue Shield in terms of their security practices. They did find some deficiencies, which led both to a corrective plan of action and to a $1.5 billion settlement for breach of HIPAA privacy and security rules.
Obviously this case raises issues of proper physical safeguards, for one. I find the theft of Electronic Storage Devices that may contain patient information is one of the most rampant forms of data breach. Very often it’s arguable that the theft isn’t seemingly motivated by a desire to access protected health information; usually it’s just someone trying to obtain the hardware and resell it. But that being said, if you have stored data being retained on these drives in an insecure fashion, that doesn’t help out your covered entity. You now have the potential for data breach, and it is necessary both to report to HHS and to engage in a whole host of notification procedures.
So, this case was very instructive in that, first, it’s a very common scenario. This happens to hospitals, this happens to practice groups, this happens in solo physician practices, where you might have the theft of a smart phone, or a hard drive, or a laptop from somebody’s trunk. It’s a fairly common occurrence, but it can lead to data breach reporting.
Amber Scorah: What about the South Shore Hospital Consent Judgment with the Massachusetts Attorney General’s office?
Chad Brouillard: This is also another interesting case, and it highlights another trend in terms of enforcement. Not only do you have the federal initiative, with HHS and OCR becoming involved in security breach enforcement, but you also have the state Attorney General’s Office getting involved. That’s contemplated under the federal rules, and they’re very often very separate state considerations.
This one matter about South Shore Hospital, which occurred in my own home state, illustrates those points nicely. In essence, it was a situation where South Shore Hospital was transferring patient records to a business associate. There were several boxes of data archives that they were sending to a vendor, including computer backup tapes. These tapes should have been erased and resold. However, the subcontractor providing the data solution only received one of the boxes, and two of the boxes were never recovered. It had potentially involved up to 800,000 patients’ confidential health information.
Under the Federal HIPAA Security Rule and the Data Breach Rules, this would be a problem and reportable. But interestingly enough, because of the type of information that was contained, which potentially included social security numbers and credit card information, it triggered another state law, a Massachusetts state law that protects that type of personal information. So, a fairly complicated case in that it involves not only breach of privacy and security rules, but also state law as well. Clearly that’s how the Attorney General’s Office was viewing it here in Massachusetts.
The other reason I think it’s a very significant case, for our purposes, is that it is one in which the topic has to do with the duties of not only the underlying covered entity, but also business associates, and what policies and procedures the contractor had in place to track and protect such PHI, including the type that was lost on these data tapes.
So the Attorney General’s office essentially did the same thing that you would expect HHS or OCR to do, which is to take a look at their security protocols and have them come up with a corrective plan. A lot of this, both in this case and the former, is that they not only find that there is an underlying breach of security, but they also find that the policies and procedures were sometimes not appropriate, and also that the covered entity had lapsed in not training its workforce on issues regarding safeguarding privacy as well as they could have. So, another good case, and this one came to light in May of 2012, in terms of the final settlement with the AG’s office. This is all pretty recent, fresh stuff.
Amber Scorah: How about the Alaska Department of Health and Social Services resolution agreement?
Chad Brouillard: In that case you have HHS this time looking at a state version of HHS, which apparently violated the security rule by not locking down their Electronic Storage Devices. Apparently these devices had PHI, but weren’t encrypted or didn’t have proper media controls.
I think what’s most significant about this case is that the government gave a good list of deviations, including failure to complete a risk analysis, which is primary; failure to implement sufficient risk management measures; again, failure to do security training for the workforce (this comes up again and again); and then a failure to implement device and media controls and device and media encryption.
We’re definitely seeing a pattern of the loss or theft of devices or storage media and the failure to encrypt the same or to otherwise protect the same, so that’s really a growing trend. I think that trend is going to continue given the prevalence of M-Health, or Mobile Health Devices, which potentially are mobile and outside the hard governance structure of the hospital, and which often might have a hybrid use, being a portable device for physicians using their smart phone but storing this EPHI. I think these three cases are really good at illustrating where this is all going.
Chad P. Brouillard, Esq. is a speaker at the upcoming IQPC eDiscovery Conference – West Coast, September 10-12, 2012 in San Francisco. For more information or to register, email email@example.com or visit www.e-discoveryevent.com.