Privacy & Information Security Law Blog : Privacy Lawyer & Attorney : Hunton & Williams Law Firm : Personal Data, Information Security

The settlement with the FTC requires Rite Aid to establish a comprehensive information security program and to obtain, every two years for the next 20 years, an audit from a qualified, independent, third-party professional to ensure that its security program meets the standards of the settlement order.  The order also bars future misrepresentations of the company’s security practices.  In addition to requiring a $1 million payment, the HHS settlement obligates Rite Aid pharmacies to establish policies and procedures for disposing of protected health information, create a training program for handling and disposing of patient information, conduct internal monitoring, and get an independent assessment of its compliance for three years.

This is the second case in which the FTC and HHS coordinated their investigations and settlements.  The agencies resolved similar allegations with CVS Caremark in February 2009, when CVS Caremark agreed to pay a record $2.25 million and implement remedial measures to settle the investigations.

Some of the major changes to the HIPAA Rules include:

• Adding “subcontractors” to the definition of “business associate” to provide that subcontractors that perform functions for or provide services to a business associate are also business associates to the extent they require access to protected health information (“PHI”);
• Requiring business associates to enter into written contracts with those subcontractors (previously, business associates were only required to “ensure” that subcontractors agree to the same restrictions on the use and disclosure of PHI);
• Applying the Security Rule and the Enforcement Rule penalty provisions directly to business associates;
• Revising the definition of “marketing” in the Privacy Rule to delineate which specific activities constitute marketing of PHI;
• Clarifying that a business associate is not making a permitted use or disclosure under the Privacy Rule if it does not apply the minimum necessary standard, where appropriate; and
• Requiring covered entities to obtain an authorization from an individual for any disclosure of the individual’s PHI in exchange for direct or indirect remuneration (with a few exceptions such as exchanges for public health activities).

HHS will be accepting comments to the notice of proposed rulemaking for a period of 60 days after the notice of proposed rulemaking is published in the Federal Register on July 14, 2010.

In addition to the changes to the HIPAA Rules, HHS announced a new privacy website designed to “provide further confidence in the expectations Americans have for the privacy of their personal information” and to “inspire added trust in HHS’ efforts to improve our nation’s health through safe and secure health information exchanges.”  HHS also announced enhancements to its breach notification website that will provide consumers with more information regarding breaches involving PHI and ongoing breach investigations.  Currently, the HHS breach notification website lists only basic details about breaches, such as the name of the covered entity at issue and the number of individuals affected by the relevant breach.
 

Holtzman stated that OCR is conducting compliance reviews for all HIPAA data breaches involving data for more than 500 individuals, and is working with covered entities to identify compliance issues that led to those breaches.  Marilou King, a senior attorney at the HHS Office of General Counsel, also mentioned that HHS is working to with a contractor to develop a process to audit coved entities for compliance with the HIPAA Privacy and Security Rules, and could utilize informal resolution agreements to address violations of the HIPAA Privacy and Security Rules.  Ms. King also mentioned that HHS intends to finalize soon the interim enforcement rule it released last year and issue a proposed rule regarding covered entities and business associates, as mandated by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act.

The recent comments by HHS officials followed OCR’s issuance of draft guidance on May 7, 2010, regarding the risk analysis requirement in the HIPAA Security Rule.  The guidance defines several key terms that are not expressly defined in the Security Rule, including “vulnerability,” “threat” and “risk,” although the guidance noted that the terms “do not modify or update the Security Rule and should not be interpreted inconsistently with the terms used in the Security Rule.”  More critically, the guidance “explains several elements a risk analysis must incorporate, regardless of the method employed.”  Those elements include: (1) defining the scope of the analysis, (2) identifying where electronic protected health information is stored, received, maintained or transmitted, (3) identifying and documenting potential threats and vulnerabilities, (4) assessing current security measures, (5) determining the likelihood of threat occurrence, (6) determining the potential impact of threat occurrence, (7) determining the level of risk, (8) finalizing the risk analysis documentation and (9) periodically reviewing and updating the risk analysis.

The Office for Civil Rights (“OCR”), which enforces HIPAA’s Privacy and Security Rules, has stated publicly that it is carefully evaluating how to proceed with HIPAA enforcement.  For example, Section 13411 of the HITECH Act requires HHS to “provide for periodic audits to ensure that covered entities and business associates” are complying with the HITECH Act and its implementing regulations.  At the 18th Annual National HIPAA Summit in early February, Sue McAndrew, the OCR’s Deputy Director for Health Information Privacy, explained that there are “1,000 ways” to conduct HIPAA audits and that OCR is working with a HIPAA expert to “map out essentially the range of options” to determine how best to effectively conduct HIPAA audits.

Despite the delay in enforcement, covered entities and business associates should take necessary actions to comply with the HITECH Act’s requirements.  Please see our client alert on HITECH compliance for more information.

The interim final rule amends HIPAA’s enforcement regulations.  Specifically, the rule incorporates the HITECH Act’s categories of violations, tiered ranges of civil penalty amounts, and revised limitations on the Secretary of HHS’s authority to impose civil penalties for violations of HIPAA's rules.  Pursuant to the interim final rule, covered entities may be subject to tiers of penalties as described below:

• If a covered entity did not know and, by exercising reasonable diligence, would not have known that it was in violation, the minimum civil penalty is $100 per violation.
• If a violation was the result of “reasonable cause” involving circumstances that would make it unreasonable for the covered entity (despite the exercise of ordinary business care and prudence) to comply, the minimum penalty is $1000 per violation.
• The minimum penalty for a violation that is the result of willful neglect and subsequently corrected is $10,000.
• The minimum penalty for a violation that is the result of willful neglect and is not corrected is $50,000.
• The maximum penalty amount for multiple violations is set at $1.5 million per calendar year.

HHS will be accepting comments on the interim final rule until December 29, 2009.  Read our earlier blog posting for further information regarding the HITECH Act.

Access a copy of the interim final rule.

The FTC Final Rule requires PHR vendors and PHR related entities to notify U.S. citizens and residents if their PHR identifiable health information is subject to a security breach, and requires additional notification of the FTC and prominent media outlets for breaches that affect 500 or more individuals.  Third party service providers must notify the PHR vendor, or PHR related entities to which they provide services, of any breaches they discover.  To facilitate the notification process, the FTC has developed a standard form entitled “Notice of Breach of Health Information” that PHR vendors and PHR related entities can complete and send to the FTC.  Both the form and the FTC Final Rule are available on the FTC’s website.
 
On August 19, 2009, as required by the Health Information Technology for Economic and Clinical Health Act ("HITECH"), the Department of Health and Human Services ("HHS") issued an interim final rule ("HHS Interim Final Rule") addressing security breaches of unsecured protected health information ("PHI").  The regulations will apply to all breaches occurring on or after September 23, 2009 that are discovered by covered entities and business associates, but the HHS Interim Final Rule indicates that HHS will not impose sanctions for failure to notify with respect to breaches that are discovered within the first 180 days after the effective date. 

Notably, unlike the FTC Final Rule, the HHS Interim Final Rule includes a harm threshold limiting the breach notification requirement to breaches that present a significant risk of harm.  This disparity may be due to the fact that breaches common to HIPAA-covered entities, such as those involving disclosures to other HIPAA-covered entities, are less likely to result in actual harm than the kinds of breaches suffered by the service providers and vendors covered under the FTC's Final Rule.  Similar to the FTC Final Rule, the HHS Interim Final Rule requires covered entities to (1) notify individuals if their PHI is subject to a security breach, and (2) notify the Secretary of HHS and prominent media outlets in the event of a breach that affects 500 or more individuals.  Business associates must notify the covered entity to which they provide services of any breaches they discover.  Finally, the HHS Interim Final Rule updated the  information security guidance issued by HHS in April 2009 to emphasize encryption and destruction as the only methods for securing PHI in a manner consistent with the HITECH Act’s breach notification provisions.  The HHS Interim Final Rule is available on the HHS website.

Interestingly, the guidance specifies only two methods for securing PHI in a manner that would avoid the application of the HITECH Act’s breach notification provisions.  First, the guidance provides that PHI will be deemed unusable, unreadable or indecipherable if it has been encrypted, provided the encryption key has not also been breached.  In this regard, HHS has followed the lead of more than 45 state breach notification laws that likewise provide “safe harbors” for encrypted information.  HHS does, however, specify that encryption must comply with the HIPAA Security Rule’s provisions and further provides two specific examples of encryption that have been deemed to meet this standard: (1) for data at rest, encryption consistent with National Institute of Standards and Technology Special ("NIST") Publication 800-111 and; (2) for data in transit, encryption that complies with Federal Information Processing Standard 140-2. 

Second, the guidance provides that PHI will be deemed unusable, unreadable or indecipherable if media on which it is stored or recorded has been destroyed by one of the following methods: (1) paper, film or other hard copy media have been shredded or destroyed such that PHI cannot be read or reconstructed; and (2) electronic media have been cleared, purged or destroyed consistent with NIST Special Publication 800-88 such that PHI cannot be retrieved. 

The guidance is clear that its recitation of information safeguards, though a proposal pending public comment, is intended to be exhaustive.  The guidance, developed jointly by the Office for Civil Rights, Office of the National Coordinator for Health Information Technology, and Centers for Medicare and Medicaid Services, acknowledges that use of the technologies and methodologies described therein are not required but, if used, “create the functional equivalent of a safe harbor” with respect to the breach notification provision contained in the HITECH Act.  The guidance also notes that any other applicable requirements, such as mitigation requirements contained in the Privacy Rule and state breach notification laws, must be followed to the extent applicable, regardless of adherence to the guidance.

As above, this information security guidance relates to two sets of forthcoming breach notification regulations.  The first, applicable to covered entities and business associates, will be issued by HHS and the second, applicable to vendors of personal health records and certain other non-HIPAA covered entities, was issued by the Federal Trade Commission in proposed form on April 16.

Public comments on the HHS information security guidance are due by May 21, 2009.  HHS has specifically signaled interest in receiving comments regarding whether limited data sets of PHI should be considered, by definition, to render PHI unusable, unreadable or indecipherable such that the HITECH Act’s breach notification provisions would not apply. 

In addition to the guidance, HHS also issued a request for information soliciting public comment on the breach notification provisions of the HITECH Act to inform its future rulemaking and its annual updates to the guidance.  The guidance is available here  and both the guidance and the request for information are available here.

In 2006, media exposés revealed that CVS employees disposed of prescription drug bottles with labels containing patient information, pharmacy orders, and other items potentially containing PHI in unsecured dumpsters that could be accessed by anyone.  These exposés prompted a joint investigation between the OCR and the FTC which the agencies allege confirmed the allegations against CVS and resulted in the payment of the resolution amount, the CAP, and the FTC Consent Order.

The CAP, which applies for three years, requires CVS to: (1) develop privacy policies and procedures that provide for administrative and physical safeguards for the disposal of all non-electronic PHI; (2) implement a training program that instructs employees on how to adequately dispose of PHI; (3) develop plans to monitor compliance and report any noncompliance with the privacy policies and procedures; and (4) engage an independent third-party to conduct an assessment of CVS’s compliance with the privacy policies and procedures.  The CAP also requires CVS to provide an initial “Implementation Report” as well as an annual “Periodic Report” to the OCR and to retain all documents related to compliance with the CAP for six years.  The Consent Order with the FTC, which applies for twenty years, requires CVS to establish and implement a comprehensive information security program designed to protect the security, confidentiality, and integrity of customer personal information and to engage an independent third party to conduct an initial assessment of CVS’ compliance with its privacy procedures (which can be the same assessment required by the CAP) as well as biennial assessments thereafter for the remainder of the twenty-year duration of the Consent Order.

The CVS settlement is just one of several recent developments that may herald the dawn of a new era of increased HIPAA enforcement.  Last November, the HHS Office of Inspector General published a report that encouraged the Centers for Medicare and Medicaid Services (“CMS”), which enforces HIPAA’s Security Rule, to conduct more frequent compliance reviews of HIPAA-covered entities.  This week, President Obama signed the economic stimulus package into law, which requires HIPAA-covered entities to notify affected individuals, HHS and the media of information security breaches, and also substantially revises HIPAA, providing for steeper fines and enabling state Attorneys General to bring enforcement actions for HIPAA violations.