Privacy and Data Security Risks in Cloud Computing

Posted on February 5, 2010 by Hunton & Williams LLP

Cloud computing raises complex legal issues related to privacy and information security.  As legislators and regulators around the world grapple with the privacy and data security implications of cloud computing, companies seeking to implement cloud-based solutions should closely monitor this rapidly evolving legal landscape for developments.  In an article published on February 3, 2010, Lisa Sotto, Bridget Treacy and Melinda McLellan explore U.S. and EU legal requirements applicable to data stored by cloud providers, and highlight some of the risks associated with the use of cloud computing.

Tags: , , , , , , , , , , , , , , , , , , , , ,

Connecticut AG Files First HITECH Act Suit

Posted on January 15, 2010 by Hunton & Williams LLP

In a lawsuit he described as “[s]adly . . . historic,” Connecticut Attorney General Richard Blumenthal sued Health Net of Connecticut, Inc. for allegedly failing to secure private patient medical records and financial information involving hundreds of thousands of Connecticut enrollees and promptly notify consumers endangered by the security breach.  The case marks the first action by a state attorney general under the Health Information Technology for Economic and Clinical Health (“HITECH”) Act to enforce provisions of the Health Insurance Portability and Accountability Act (“HIPAA”).  The suit also alleges a violation of Connecticut’s breach notification statute.

The complaint, filed January 12, 2010, alleges that on or about May 14, 2009 Health Net learned that a portable disk drive had disappeared from one of its offices.  The disk contained unencrypted protected health information, social security numbers and bank account numbers for approximately 1.5 million past and present enrollees, including 446,000 Connecticut residents.  Health Net did not begin notifying affected individuals until November 2009.

On January 13, 2010, the Attorney General filed a motion for a preliminary injunction.  The proposed injunction mandates that Health Net and related defendants (i) comply with the privacy, security and other requirements of HIPAA; (ii) take corrective action and make “all efforts” to protect affected citizens against identity theft and other harm; and (iii) conduct “effective training of all members of their respective workforces (including independent contractors) on the policies and procedures with respect to protected health information, and personal information as defined under state law, regarding the requirements of federal and state law.”
Tags: , , , , , , , , , , ,

HHS Issues Information Security Guidance Related to HITECH Act Breach Notice Obligations

Posted on April 20, 2009 by Hunton & Williams LLP

On April 17, the U.S. Department of Health and Human Services (HHS) issued proposed information security guidance, as required by the Health Information Technology for Economic and Clinical Health (HITECH) Act passed as part of American Recovery and Reinvestment Act of 2009 on February 17.  The HITECH Act requires covered entities and business associates, as well as vendors of personal health records, to provide notice of information security breaches affecting “unsecured protected health information” or “unsecured personal health record information,” respectively.  The HITECH Act further requires the Secretary of HHS to specify technologies and methodologies that would render protected health information (PHI) unusable, unreadable, or indecipherable to unauthorized individuals.  If covered entities, business associates and vendors of personal health records apply the technologies and methodologies specified in the guidance to protected health information, they will not be required to provide notice to affected individuals, HHS or the media, as otherwise required by the HITECH Act, in the event the information is breached.

Interestingly, the guidance specifies only two methods for securing PHI in a manner that would avoid the application of the HITECH Act’s breach notification provisions.  First, the guidance provides that PHI will be deemed unusable, unreadable or indecipherable if it has been encrypted, provided the encryption key has not also been breached.  In this regard, HHS has followed the lead of more than 45 state breach notification laws that likewise provide “safe harbors” for encrypted information.  HHS does, however, specify that encryption must comply with the HIPAA Security Rule’s provisions and further provides two specific examples of encryption that have been deemed to meet this standard: (1) for data at rest, encryption consistent with National Institute of Standards and Technology Special (NIST) Publication 800-111 and; (2) for data in transit, encryption that complies with Federal Information Processing Standard 140-2. 

Second, the guidance provides that PHI will be deemed unusable, unreadable or indecipherable if media on which it is stored or recorded has been destroyed by one of the following methods: (1) paper, film or other hard copy media have been shredded or destroyed such that PHI cannot be read or reconstructed; and (2) electronic media have been cleared, purged or destroyed consistent with NIST Special Publication 800-88 such that PHI cannot be retrieved. 

The guidance is clear that its recitation of information safeguards, though a proposal pending public comment, is intended to be exhaustive.  The guidance, developed jointly by the Office for Civil Rights, Office of the National Coordinator for Health Information Technology, and Centers for Medicare and Medicaid Services, acknowledges that use of the technologies and methodologies described therein are not required but, if used, “create the functional equivalent of a safe harbor” with respect to the breach notification provision contained in the HITECH Act.  The guidance also notes that any other applicable requirements, such as mitigation requirements contained in the Privacy Rule and state breach notification laws, must be followed to the extent applicable, regardless of adherence to the guidance.

As above, this information security guidance relates to two sets of forthcoming breach notification regulations.  The first, applicable to covered entities and business associates, will be issued by HHS and the second, applicable to vendors of personal health records and certain other non-HIPAA covered entities, was issued by the Federal Trade Commission in proposed form on April 16.

Public comments on the HHS information security guidance are due by May 21, 2009.  HHS has specifically signaled interest in receiving comments regarding whether limited data sets of PHI should be considered, by definition, to render PHI unusable, unreadable or indecipherable such that the HITECH Act’s breach notification provisions would not apply. 

In addition to the guidance, HHS also issued a request for information soliciting public comment on the breach notification provisions of the HITECH Act to inform its future rulemaking and its annual updates to the guidance.  The guidance is available here  and both the guidance and the request for information are available here.
Tags: , , , , , , , , , , , , ,