Category Archives: HIPAA and HITECH

Stanford Health Privacy Breach Highlights Downstream Vendor Risks, Issues

In an earlier post I described a HIPAA privacy breach that occurred when a spreadsheet detailing the emergency room treatment of nearly 20,000 patients of Stanford Hospital was posted online, for the better part of a year, at a “homework for hire” website. The New York Times has published an article tracing the breach to a job applicant who received the spreadsheet from a one-person marketing agency hired by the Hospital’s third party billing contractor.

The spreadsheet was originally transmitted in encrypted format from the Hospital to the marketing agent, who had represented himself as a vice-president of the billing contractor and was the hospital’s main contact for the billing contractor. In fact, he was not an executive of the billing contractor, but the billing contractor nonetheless condoned his use of that title in order to get access to various health executives and generate customers for its billing services. The marketing agent decrypted the spreadsheet and provided it to the job applicant with the request that she demonstrate her skills by converting it to bar graphs and charts. Without recognizing that the names and treatment codes on the spreadsheet were “real world” data, the job applicant then sought help with the assignment by posting the spreadsheet online, where it was discovered almost a year later by the parent of a Hospital patient named in the chart.

In other words, the breach was not attributable to a Hospital employee, or an employee of the Hospital’s business associate, the billing contractor, but to a “downstream vendor” or “subcontractor” of the billing contractor, and not even to an employee of the downstream vendor but to a mere job applicant. One of the patients disclosed in the spreadsheet has since sued Stanford Hospital and the billing vendor in L.A. County Superior Court, seeking damages of $1,000 for each of the 20,000 affected individuals.

This is a frightening object lesson for covered entities – the Stanford Hospitals of the world – and for business associates such as the billing contractor, about the risks presented by “downstream” vendors, and the need to ensure that their handling and use of protected health information and e-PHI meets HIPAA and applicable state law privacy and data security standards. HIPAA as amended by HITECH now demands that business associates vouch in this manner for their downstream vendors in their business associate agreements. To do so, the parties first must clearly identify downstream vendor relationships, and not disguise the vendor’s staff as business associate employees, as occurred in the Stanford case. Even where the vendors are clearly identified, business associates should also address, in business associate agreements, whether the covered entity can share data directly with the downstream vendors, and if so, under what conditions. The Stanford case is unusual due to the disguising of the marketing agent’s true status, but it suggests that business associates might always want to be at least notified of such communications, if this is administratively practical. Or, they might want to vouch for privacy/security compliance only when data passes through them to the downstream vendor, but require the covered entity to be responsible for breaches resulting from its direct communications with the downstream vendors.

Trying to stay ahead of the technological curve in data transmission is almost impossible, but we can learn from others’ mistakes and take whatever steps are necessary not to repeat them.

Filed under HIPAA and HITECH

Outside Contractor the Weak Link in Stanford Health Data Security Breach

August 8th’s New York Times contains an article that details a HIPAA data security breach traced to an outside billing and payment data contractor for the Stanford Hospital in Palo Alto, California. The item that was disclosed was a detailed spreadsheet, prepared by the billing contractor, tracking the emergency room treatment of 20,000 individuals seen at the hospital during a 6-month period in 2009, including their names and diagnosis codes. Somehow, the spreadsheet made its way to a commercial Web site as an example of how to convert data into a bar graph. The site in question, “Student of Fortune,” provides online tutoring and help with homework to students for a fee. The spreadsheet was made publicly available in this manner for over a year before a patient brought it to the hospital’s attention. It is not clear how the spreadsheet was disclosed in this manner but the article suggests that investigation cleared hospital employees of any involvement.

The hospital provided written notification to affected patients of the breach four days after learning it had occurred. This is within the 5-day time period required under California Health and Safety Code § 1280.15, governing health data security breaches occurring at California medical facilities. The hospital also paid for identity theft protection for the affected patients, even though the spreadsheet did not contain Social Security Numbers or other information commonly leading to identity theft. The Times article notes that in an earlier incident involving theft of a laptop from its Children’s Hospital, Stanford had waited 19 days to notify affected patients’ families, and even though no PHI was released in the incident the California Department of Public Health fined the hospital $250,000 for its delay.

Statistics quoted in the article attribute 20 percent of health data security breaches to outside contractors of the health care providers, insurers and other “covered entities” which were HIPAA’s original focus. HIPAA designates outside contractors whose role requires them regularly to maintain or access protected health information (PHI) as “business associates” and requires that they comply with HIPAA privacy rules to the same degree as the covered entity (hospital, insurer, etc.) they work for, and also enter into a “business associate agreement” to that effect.

Until recently, business associates’ duties and liability under HIPAA were limited to the written terms of their business associate agreements with covered entities. However, HITECH made business associates individually accountable under HIPAA for the first time. Further, proposed regulations under HITECH extend business associate status to downstream subcontractors of business associates, and require that they enter into written agreements with business associates confirming their duties under HIPAA. This brings within the sweep of HIPAA compliance entities, such as document shredders and other peripheral workplace vendors and service providers, that prior HIPAA regulations had expressly carved out from compliance duties.

Bottom line, this means a new level of scrutiny must be brought to service agreements between a business associate and any other entity that routinely could be considered within the “chain of custody” of hard copy documentation or digital data comprising PHI. A weakness at any point in that chain may result in liability to the business associate and, as occurred in the Stanford Hospital/Student of Fortune matter, to the covered entity itself.

Filed under California Data Privacy, HIPAA and HITECH

Governor Brown Signs SB 24 Into Law, Clarifying Data Breach Notice Duties

Today Governor Jerry Brown signed into law an amendment to existing California Civil Code provisions governing notification duties in the event that the security of unencrypted personal data of California residents – including financial, health, and health insurance information – is breached or suspected to be breached. I posted a summary of the new law and its requirements on August 19; see that post for the details. The office of sponsoring state Senator Joseph Simitian (D-Palo Alto) has issued a press release on the signing.

This bill had no formal opponents and moved quickly through the legislative approval process, signaling California legislators’ strong interest in data privacy concerns. The original version of the now amended breach notification law, enacted in 2003, has since inspired 45 similar state laws, and likely influenced the federal health data breach notification duties under HIPAA as amended by HITECH. I expect more developments in the data privacy area that affect benefit plan sponsors, their vendors and brokers, and will keep you updated as they occur.

Filed under California Data Privacy, HIPAA and HITECH

California Legislature to Clarify, Expand Data Breach Notice Requirements

A bill that is close to final passage in Sacramento will clarify and slightly expand notification requirements upon a breach of unsecured personal data of California residents, including financial, health or health insurance information. Currently, the law requires written or electronic breach notification, but does not mandate any particular content for notifications. Senate Bill 24 will amend California Civil Code § 1798.29 (applicable to state agencies) and § 1798.82 (applicable to private owners or licensors of data) to specify what information must be conveyed in notification of a breach. Specifically, the measure requires that the notification:

• Be written in plain language;
• Be dated;
• Include contact information regarding the breach, the types of information breached, and the date, estimated date, or date range of the breach;
• Include toll-free phone numbers for the major credit reporting agencies; and
• Describe whether notification was delayed due to law enforcement investigation.

Optional language that may be added to the notice includes information about what the notifying party has done to protect individuals whose information has been breached, and advice on steps affected individuals can take to protect against identity theft or other consequences of the breach.

The new law also slightly expands notice duties, by requiring that an electronic copy of the breach notification be sent to the Attorney General in each instance where a single breach affects more than 500 California residents. Additionally, it requires those making use of “substitute” notification to also notify the Office of Privacy Protection within the State and Consumer Services Agency (state agencies must instead notify the Office of Information Security within the California Technology Agency). Substitute notice may be provided upon demonstrating that the cost of providing notice would exceed $250,000, or where more than 500,000 individuals’ data is affected. In addition to the new agency notification duty, substitute notice requires all of the following:

• E-mail notice where valid e-mail addresses are available;
• Conspicuous posting of the notice on the breaching party’s web page; and
• Notification to statewide media.

Similar to rules under HIPAA/HITECH, notification is only required if unencrypted data is released, and notice is not required where the data exposure is limited to “good faith acquisition by an employee or agent of the business for purposes of the business.” Civil Code § 1798.82(g). Under both federal and state law, however, notice is required not only upon discovery of an actual security breach but also upon formation of a reasonable belief that a breach occurred.

Unlike HIPAA/HITECH, which specify a maximum 60-day notice period, the California law does not specify a notice time period, requiring only that it be provided “in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, [ . . . ] or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.” Civil Code § 1798.82(a). A business that simply maintains data but does not own or license it must “immediately” provide notice of the breach to the owner or licensee of the data, which in turn will notify the affected individuals.

Finally, two “safe harbors” exist in regard to notification:

• Businesses that are “covered entities” under HIPAA need only satisfy HIPAA/HITECH notification duties to be deemed to have complied with the new notice content provisions under California law. Notification of the Attorney General must still be made if more than 500 California residents are affected by the breach, and all California notice duties would appear to apply to business associates under HIPAA.

• Businesses that provide notification under their own notice procedures as part of an information security policy are deemed to have complied with California notice requirements in total, so long as their internal procedures are “otherwise consistent with the timing requirements” of Civil Code §§ 1798.29 and 1798.82; i.e., notice is provided expediently and without unreasonable delay.

SB 24 was just approved on the Senate Floor by a vote of 34-4, has no formal opponents, and may go to the Governor’s desk by the end of the month, depending on the time needed to engross and enroll the bill. If the bill is not signed by September 9, Governor Brown will have an additional 30 days to sign it into law. Keep an eye out for a follow-up post confirming passage of the bill into law.

Filed under California Data Privacy, HIPAA and HITECH

Worker Inactivity: the Next Wellness Frontier?

Researchers and some employers are using technology to measure the incidence and health impact of worker inactivity due to long periods behind the wheel of a car, or in front of a computer. An article from the online publication MIT Technology Review covers some of the measuring methods in use, including thumb-sized activity monitors called “Fitbits,” and accelerometers and inclinometers to measure active versus sedentary work time. Use of the latter two devices is teamed with blood chemistry analysis to determine the link between sedentary behavior and long-term health conditions including diabetes, high blood pressure and elevated blood cholesterol. The article also describes a few ways employers are trying to change office landscapes to encourage more physical activity, including testing of a $1,000 worktable that adjusts to workers’ standing or seated positions. (My thanks to Dave Baker for circulating the article in BenefitsLink Health & Welfare Plans Newsletter for August 15, 2011.)

It appears to be medically beyond dispute that protracted sedentary behavior takes a long-term toll on employee health, and that integrating moderate activity in the workplace may reduce the incidence of expensive chronic health conditions. I can’t help but remark, however, on the similarities between the studies described in the MIT Technology Review article and author Gary Shteyngart’s vision of the workplace in a dystopian near-future, in his latest novel Super Sad True Love Story (Random House, 2010). In that future, employees’ blood chemistry levels are posted on a repurposed train schedule board, and co-workers jibe one another about less-than-stellar readings:

“Instead of the arrivi and partenze times of trains pulling in and out of Florence or Milan, the flip board displayed the names of Post-Human Services employees, along with the results of our latest physicals, our methylation and homocysteine levels, our testosterone and estrogen, our fasting insulin and triglycerides, and, most important, our ‘mood + stress indicators,’ which were always supposed to read ‘positive/playful/ready to contribute’ but which, with enough input from competitive co-workers, could be changed to ‘one moody betch today’ or ‘not a team playa this month.’”

It is interesting to contrast this scenario with current conditions under which employers, through wellness programs, may collect employees’ biometrics and other health information. The laws governing an employer’s ability to do so, particularly in exchange for cash incentives, are evolving on a number of different fronts, including federal (and state) laws governing disability discrimination in the workplace, privacy of health information, and privacy of genetic information including family histories. (The applicable federal laws are, respectively, the Americans with Disabilities Act of 1990 (“ADA”), the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), and the Genetic Information Nondiscrimination Act of 2008 (“GINA”).) Some basic parameters, sourced in regulations under these laws and in other EEOC guidance, are as follows:
• Employers may provide any level of financial incentive in connection with “participation-only” wellness programs that do not require achievement of certain results (such as lowered BMI or blood pressure).
• Financial incentives to participate in results-based wellness programs may not exceed 20% of the applicable premium (this percentage will rise to 30% under PPACA and possibly may increase to 50%).
• Results-based wellness programs must provide alternative options for persons whose disabilities or other health conditions keep them from achieving program goals.
• Participation in a “voluntary” wellness program that obtains medical data is not a violation of the ADA provided that employers maintain the data as confidential and do not misuse it.
• The EEOC has defined “voluntary” as neither requiring employees to participate nor penalizing employees for non-participation. It has also stated that financial inducements that are within the 20% rule are deemed to be “voluntary.”
• Disability-related questions must be “job related and consistent with business necessity” to satisfy the ADA, and generalized questions on various diseases that are typical of health risk assessments (HRAs) do not meet this standard.
• With specific regard to genetic information, including family history, the following rules apply:
  o No financial inducement may be offered when such information is sought, nor may such information be collected “prior to or in connection with” enrollment in a group health plan. (The combined effect of these rules means that HRAs must either avoid any genetic information or family history inquiries altogether, or must be taken only after enrollment and without any financial incentive.)
  o Further, health risk assessments should contain a disclaimer to discourage employees from volunteering family history or other genetic information in response to HRA questions. Final GINA regulations contain a template for the disclaimer.
  o Employers must follow procedural requirements for the collection of genetic information: participants must grant prior, written authorization to the disclosure and the authorization must describe both the information being sought and the safeguards that are in place to protect against unlawful wellness programs.
• Employers may not receive any individualized health data from wellness providers, only aggregate information. However, participants and their health care providers may receive individualized data resulting from wellness programs.

Most recently, a June 2011 opinion letter by EEOC Legal Counsel Peggy R. Mastroianni responded to two wellness program queries: (1) whether financial incentives for wellness program participation violated the ADA or GINA (the letter declined to take a position on the ADA question and answered “Yes” as to GINA), and (2) whether family medical history provided voluntarily could be used to guide employees into disease management programs. In response to the latter question, the opinion letter reiterates that no financial incentive may be offered in exchange for genetic information, but that an employer that lawfully obtains genetic information (e.g., without a financial inducement, after enrollment in a health plan, and disclosed only on an aggregate basis) may provide a financial incentive to guide employees into disease management programs.

Filed under HIPAA and HITECH, Wellness Programs

Summary Chart of Health Plan Excise Taxes

Below is a link to a chart in which I have attempted to summarize accurately the excise tax provisions that apply to a variety of group health plan errors, including COBRA and HIPAA violations, and violation of PPACA requirements including nondiscrimination rules (subject to change pending issuance of regulations). Comparable taxes apply to failure to make “comparable employer contributions” to HSAs or Archer MSAs; more information is available in final regulations under IRC Section 4980B et seq.

Health Plan Excise Tax Chart Updated

The chart is a summary only and provided for general informational and educational purposes. It does not comprise legal advice to anyone.

The post immediately below goes into more detail about possible excise tax consequences of COBRA violations.

State Privacy Breach Laws May Trump HIPAA/HITECH

When HITECH amended HIPAA in 2009 it empowered state attorneys general to sue breaching parties to enforce the privacy and security rights of their respective state’s citizens. Prior to this time only the Department of Health and Human Services (DHHS) was permitted to enforce HIPAA. However, § 13410(e) of the HITECH Act limits the money damages that attorneys general can collect to $100 per individual affected, not to exceed $25,000 for all violations of an identical requirement or prohibition during a calendar year.

Some state health privacy laws impose higher money penalties on breaching parties, and recently the Indiana Attorney General invoked state law, over HIPAA/HITECH, when prosecuting a privacy breach by insurer WellPoint, Inc. In that instance, the applicable Indiana statute permitted recovery of up to $150,000 per failure to disclose a health data security breach.

In the WellPoint breach, applications for individual health insurance policies containing Social Security numbers, financial and health information for 32,051 Indiana residents were accidentally made available on the internet for at least 137 days between October 2009 and March 2010. A member of the public notified WellPoint of the problem on February 22, and ultimately the individual filed a class action lawsuit against WellPoint on March 8. After being sued WellPoint quickly fixed the online problem, which had occurred during a system upgrade. However, WellPoint did not begin notifying its customers of the breach until June 18. And, when it did notify customers in Indiana, it did not notify the Attorney General, as required under state law.

WellPoint notified the DHHS of the breach in accordance with HITECH. However, when Greg Zoeller, the Indiana Attorney General, filed suit against WellPoint in October 2010, he did so not under HITECH but under a provision of the Indiana Code allowing recovery of up to $150,000 per “deceptive act,” which term included a failure to disclose a breach of the security of personal data. The Indiana statute also allows recovery of the Attorney General’s reasonable investigation and prosecution costs.

Regarding this choice of law, a spokesperson for the Indiana Attorney General’s office stated:

“While the option to file under HITECH/HIPAA in federal court was considered, Indiana’s notification laws and enforcement options allow greater remedies . . . . [u]nder HITECH/HIPAA, the possible penalties maximum would have been $25,000 vs. $300,000 under Indiana law.” (Presumably the two “deceptive acts” were delayed notification of the public and failure to notify the Indiana AG).

WellPoint ultimately reached a settlement with the Attorney General on June 23, 2011, pursuant to which it will pay a $100,000 fine to a state fund providing restitution to defrauded consumers and will provide two years of credit monitoring and identity theft protection to affected individuals in Indiana. In addition, it will reimburse victims of identity theft for losses up to $50,000 per individual.

Prior to this case, the Connecticut Attorney General sued Health Net under HITECH/HIPAA following the insurer’s delayed notification of its loss of an unencrypted portable disk drive holding records for more than 500,000 insureds in Connecticut and more than 1.5 million nationwide. In that settlement Health Net agreed to pay $250,000 in damages, provide two years of credit monitoring and $1 million of identity theft insurance, and reimburse the costs of security credit freezes.

When HITECH first empowered attorneys general to prosecute data security breaches, little thought was given to the possibility that they might have more leverage under state laws than under the new federal statute. With state budgets stretched to the limit, this may prove more of a factor in which security breaches are prosecuted, and under which laws.

California law permits individuals to sue over breaches of the security of their personal data and recover up to $3,000 per violation as well as attorneys’ fees, but neither mandates the contents of security breach notices, nor requires notification of the California Attorney General. This may change, however, as a California Senate bill would specify the contents of breach notifications and, for breaches affecting more than 500 California residents, would require that breach notifications be sent electronically to the Attorney General. The Senate passed SB 24 in April 2011 and it is easily passing committee votes in the State Assembly. I will continue to update the progress of the bill in future posts.

Filed under HIPAA and HITECH, Uncategorized