All posts in Enforcement

Vendor Management Matters: HIPAA Enforcement for $500K for Lack of a Business Associate Agreement

Daniel Solove
Founder of TeachPrivacy


Advanced Care Hospitalists PL (ACH) has agreed to pay $500,000 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) for an alleged violation of HIPAA. OCR found that the company shared protected health information (PHI) with an unknown vendor without a business associate agreement (BAA).  According to the Resolution Agreement, “ACH impermissibly disclosed the PHI of 9,255 of its patients to a third party for billing processing services without the protections of a business associate agreement in place.”  The PHI later turned up on the vendor’s website.

This was clearly an unforced error in compliance — and an expensive one! It was also easy to avoid. Providing PHI to a vendor without a business associate agreement is like going to work without your clothes on. Vendor management is incredibly important, and organizations that fail to have proper agreements with vendors that receive personal data are often punished severely under many privacy laws beyond HIPAA. The GDPR requires vendor agreements, and the FTC has found that companies engage in an unfair practice under FTC Act Section 5 when they lack an adequate vendor agreement.

The main lesson from most privacy enforcement cases, whether HIPAA or otherwise: Do the basics!  So many cases involve failing to do obvious things.  There’s not much muddy ground in the land of enforcement.

The press release can be viewed here.  The Resolution Agreement can be viewed here.

Also of Interest Regarding HIPAA

HIPAA Enforcement Guide

HIPAA Training Guide

HIPAA Enforcement 2017: Another Big Year for HIPAA Enforcement

Why Is HIPAA Data Breach Enforcement Increasing? An Insurer’s View from Katherine Keefe


HIPAA Enforcement Case – Allergy Associates

Daniel Solove
Founder of TeachPrivacy


Allergy Associates of Hartford has agreed to pay $125,000 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) for an alleged violation of HIPAA. The incident occurred in February 2015. A patient reached out to a local TV station about a dispute with a doctor at Allergy Associates. When the reporter contacted the doctor for comment, the doctor improperly disclosed the patient’s PHI. Even after Allergy Associates learned that HHS was investigating the incident, it took no disciplinary action against the doctor. According to the Resolution Agreement:

(1) Allergy Associates impermissibly disclosed the Complainant’s PHI to an unauthorized third party. See 45 C.F.R. § 164.502(a).

(2) Allergy Associates failed to apply appropriate sanctions against its Workforce Member who failed to comply with the entity’s privacy policies and procedures and the Privacy Rule. See 45 C.F.R. § 164.530(e)(1).

According to the HHS press release:

“When a patient complains about a medical practice, doctors cannot respond by disclosing private patient information to the media,” said OCR Director Roger Severino. “Because egregious disclosures can lead to substantial penalties, covered entities need to pay close attention to HIPAA’s privacy rules, especially when responding to press inquiries.”

The press release can be viewed here.  The Notice of Proposed Determination can be viewed here. The Resolution Agreement can be viewed here.

Also of Interest Regarding HIPAA

HIPAA Enforcement Guide

HIPAA Training Guide

HIPAA Enforcement 2017: Another Big Year for HIPAA Enforcement

Why Is HIPAA Data Breach Enforcement Increasing? An Insurer’s View from Katherine Keefe


Will the FTC Remain a Leader on Privacy and Security?

Daniel Solove
Founder of TeachPrivacy


In an unprecedented transition, the FTC just got a full slate of 5 new commissioners, three Republicans and two Democrats:

Joe Simons (Chairman) – R
Noah Phillips – R
Christine Wilson – R
Rohit Chopra – D
Rebecca Slaughter – D

It is difficult to predict how the FTC will approach privacy. The new commissioners will be inheriting some high-profile investigations (Equifax and Facebook), and they will also be inheriting the FTC’s legacy as the leading privacy regulator in the United States. Some, such as Berin Szóka, argue that the FTC’s power needs to be reined in. In contrast, I posit that just the opposite is in order: the FTC must pursue a bold enforcement agenda.

The reason is that we don’t live in an isolated world. The European Union (EU) has seized the scepter of leading regulator of multinational companies. Nearly every chief privacy officer at a large multinational company tells me that their focus is 90% or more on the General Data Protection Regulation (GDPR) — the massive and rigorous privacy regulation in the EU that will start being enforced on May 25 of this year.  Effectively, for many companies, the regulators they are paying attention to are across the pond.

The US shouldn’t let itself fade into irrelevance. For years, the FTC has been working to convince the EU that there really is meaningful privacy regulation in the US — and I believe that this effort made a difference.  Perhaps it didn’t convince all EU policymakers, but it definitely had an effect on some policymakers.  This was how the US was able to establish the Privacy Shield Framework, built in the smoldering ashes of the Safe Harbor Arrangement that the European Court of Justice demolished in one swift stroke.


FTC v. AT&T Mobility

Daniel Solove
Founder of TeachPrivacy


In a very important decision, FTC v. AT&T Mobility (9th Cir. 2018 en banc), the U.S. Court of Appeals for the 9th Circuit, sitting en banc, reversed an earlier panel decision that had severely limited the FTC’s jurisdiction to protect privacy and data security. I strongly criticized the panel decision in a previous blog post.

The FTC has taken the lead role in protecting privacy and data security through the FTC Act Section 5, 15 U.S.C. § 45, which prohibits “unfair or deceptive acts” affecting commerce.  Section 5(a)(2) contains a list of industries that are carved out from FTC jurisdiction. This list includes banks, airlines, and common carriers.  A “common carrier” is defined in the Communications Act of 1934, 47 U.S.C. § 153: “The term ‘common carrier’ or ‘carrier’ means any person engaged as a common carrier for hire, in interstate or foreign communication by wire or radio or interstate or foreign radio transmission of energy.”  Common carriers are regulated by the Federal Communications Commission (FCC).

In FTC v. AT&T Mobility the FTC brought a Section 5 enforcement action against AT&T for a part of AT&T’s business that was not regulated by the FCC. However, the 9th Circuit panel concluded that the common carrier exception to FTC jurisdiction was status-based — it applied to common carriers no matter what activities they were engaged in. This means that if a company engages in a non-minor amount of common carrier activity, then everything it does, including many activities beyond its functions as a common carrier, falls outside the FTC’s power to regulate under Section 5. Because these are non-common-carrier activities, the FCC often can’t regulate them either. This opens up an odd no man’s land where one company can engage in certain activities and escape regulatory enforcement while other companies engaging in the same activities cannot.

Here’s what I wrote about why the earlier 9th Circuit panel decision was problematic:


HIPAA Enforcement Case – Filefax

Daniel Solove
Founder of TeachPrivacy


This week the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced an agreement to settle HIPAA violations with Filefax, located in Northbrook, Illinois. One aspect differed from the usual settlement process: Filefax closed its business during the OCR investigation and was no longer operating when the settlement was reached. OCR announced that Filefax could not avoid its obligations under HIPAA simply because it was no longer running the company. The receiver that is liquidating the company’s assets agreed to pay $100,000 to settle the potential HIPAA violations the company committed while it was open.

The HIPAA violations came to light through an anonymous complaint stating that medical records of approximately 2,150 patients, containing protected health information (PHI) and held by Filefax, had been taken to a shredding/recycling facility and sold. The OCR investigation found that, over a period of several weeks, the PHI had been left unsecured outside the Filefax facility and had been removed from the premises by an unauthorized person.

The press release can be viewed here.  The Resolution Agreement can be viewed here.

Also of Interest

HIPAA Enforcement Guide

HIPAA Enforcement 2017: Another Big Year for HIPAA Enforcement

Why Is HIPAA Data Breach Enforcement Increasing? An Insurer’s View from Katherine Keefe

Lessons from 2016, the Biggest HIPAA Enforcement Year on Record

Is HIPAA Enforcement Too Lax?


HIPAA Enforcement 2017: Another Big Year for HIPAA Enforcement

Daniel Solove
Founder of TeachPrivacy


At the end of 2017, OCR had logged just under $20 million in fines for HIPAA violations from 10 enforcement actions with monetary penalties. In 2016, the total in penalties was roughly the same amount, but it came from 15 organizations.

Here is an overview of the resolution agreements and enforcement actions with civil monetary penalties from 2017:

HIPAA Enforcement Chart

Lessons from 2017

Devices, devices, devices . . .

Quite a number of cases involved failure to implement safeguards for PHI on mobile devices.  The best fix is to superglue devices to staff.  Short of doing that, organizations should recognize that mobile devices frequently get lost or stolen, so there should be heightened security controls when PHI is accessible on these devices.

Act quickly.

Several cases involved failing to provide timely notice or to act promptly after problems were discovered.  In politics, it’s often not the scandal, but the coverup that fells politicians.  In the world of HIPAA, it’s often not the incident, but the response that leads to organizations being penalized.


Why Is HIPAA Data Breach Enforcement Increasing? An Insurer’s View from Katherine Keefe

Daniel Solove
Founder of TeachPrivacy


Recently, HIPAA enforcement over data breaches is increasing – a lot. This year has seen some of the largest monetary penalties. Why is this happening?

I had the chance to interview Katherine Keefe, who leads the Beazley Breach Response (BBR) Services Group.  I am particularly interested in the insurer’s perspective, so I interviewed Katherine.


The Future of the FTC on Privacy and Security

Daniel Solove
Founder of TeachPrivacy


Co-authored by Professor Woodrow Hartzog

The Federal Trade Commission is the most important federal agency regulating privacy and security. Its actions and guidance play a significant role in setting the privacy agenda for the entire country. With the Trump Administration about to take control, and three of the five Commissioner seats open, including the Chairperson, a lot could change at the FTC. But dramatic change is not common at the agency. What will likely happen with the FTC’s privacy and security enforcement over the next four years?


A Gaping Hole in Consumer Privacy Protection Law

Daniel Solove
Founder of TeachPrivacy


Recently, the U.S. Court of Appeals for the 9th Circuit issued a decision with profound implications for consumer privacy protection law. In FTC v. AT&T Mobility (9th Cir. Aug. 29, 2016), a 3-judge panel of the 9th Circuit held that the Federal Trade Commission (FTC) lacks jurisdiction over companies that engage in common carrier activity. The result is that there is now a gaping hole in consumer privacy protection law.


Spot the Privacy and Security Risks Training Game

Daniel Solove
Founder of TeachPrivacy


I’m pleased to announce a new training program: Spot the Risks: Privacy and Security. The program is a Where’s Waldo style risk-spotting game that takes about 5 minutes to complete. Trainees are asked to spot the risks in an office. Feedback is provided about each risk so trainees learn many of the most important best practices.
