All posts in Enforcement

Increasing State HIPAA Enforcement: Highlights from 2018

Daniel Solove
Founder of TeachPrivacy

State HIPAA Enforcement - increasing 02

There have been quite a number of state HIPAA enforcement cases this year, and one expert points out a trend toward increasing state enforcement of HIPAA.

An article in Data Breach Today discusses a number of state HIPAA enforcement cases.  Here are some of the ones discussed:

Massachusetts — $75,000 settlement with McLean Hospital for a data breach involving 1,500 victims based on an employee who routinely took home unencrypted backup tapes with PHI.  From the state press release:

The AG’s complaint alleges that McLean, a psychiatric hospital in Belmont, allowed an employee to regularly take home eight unencrypted back-up tapes containing clinical and demographic information from the Harvard Brain Tissue Resource Center that the hospital possessed. The tapes contained personal information such as names, social security numbers, diagnoses and family histories. When the employee was terminated from her position at McLean in May 2015, she only returned four of the tapes, and the hospital was unable to recover the others.

New Jersey — $100,000 settlement with EmblemHealth for a 2016 breach involving 81,000 victims.  Details from the state’s press release:

The incident at issue took place on October 3, 2016 when EmblemHealth’s vendor sent a paper copy of EmblemHealth’s Medicare Part D Prescription Drug Plan’s Evidence of Coverage to 81,122 of its customers, including 6,443 who live in New Jersey.

The label affixed to the mailing improperly included each customer’s HICN, which incorporates the nine digits of the customer’s Social Security number, as well as an alphabetic or alphanumeric beneficiary identification code. (The number shown was identified as the “Package ID#” on the mailing label and did not include any separation between the digits.)

During its investigation, the Division found that following the departure of the EmblemHealth employee who typically prepared the Evidence of Coverage mailings, the task was assigned to a team manager of EmblemHealth’s Medicare Products Group, who received minimal training specific to the task and worked unsupervised. Before forwarding the data file to the print vendor, this team manager failed to remove the patient HICNs from the electronic data file.

Continue Reading

The Robocall Wars: The Rise of Robocalls and the TCPA Robocall Cops

Daniel Solove
Founder of TeachPrivacy

Robocalls and the TCPA Robocall Cops 02

Move over robocop, there’s a new constable in town — the robocall cop. In the past decade, robocalls have surged.  There has also been a dramatic rise in litigation about these calls under the Telephone Consumer Protection Act (TCPA). The TCPA litigation is led by a small group of serial litigators, people who have assumed the role of private enforcers of the TCPA.  This is a fascinating story about how privacy law combats the growing scourge of robocalls.  We are seeing the effective use of private litigation as an enforcement tool, but there are differing interpretations about the virtues of the robocall cops. Also wrapped up on the story is the issue of harm. 

Robocop and RobocallsRobocalls are rising at an alarming rate.  In the month of September 2017 alone, there were 2.4 billion robocalls.  The number keeps rising per month, and September 2018 gave birth to 4.1 billion robocalls.  At this rate, there may be billions and billions more robocalls than stars in the universe!  Robocalls are definitely a problem.  I’ve never heard of anyone who likes robocalls; the mosquito probably ranks higher in popularity.  But robocalls persist and proliferate.  Annually, in the United States, the number of robocalls exceeds 100 per person.  There are 4.5 million robocall complaints per year to the FTC.

Along with the rise of robocalls, litigation has also been increasing.  Lawsuits are perhaps a bit more popular than robocalls or mosquitos, but not by much.  The TCPA, 47 U.S.C. § 227, passed in 1991, requires various forms of prior consent for robocalls, which are calls made with what the TCPA refers to as an “automatic telephone dialing system” (ATDS).  Violations of the TCPA can be enforced through a private right of action, and there are statutory damages of $500 per violation ($1,500 for willful violations).  The number of TCPA lawsuits has skyrocketed, from 14 federal cases in 2007 to 4,392 federal cases in 2017.

Continue Reading

HIPAA Enforcement: Employee Access and BAAs Matter

Daniel Solove
Founder of TeachPrivacy

HIPAA Enforcement - Employee Access 01

Pagosa Springs Medical Center (PSMC) has agreed to pay $111,400 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) for an alleged violation of HIPAA. OCR found that the company failed to deactivate a former employee’s access to a web-based calendar that contained the protected health information (PHI) of 557 patients.  The company also failed to obtain a business associate agreement (BAA) with the calendar company (Google).

Continue Reading

Largest COPPA Penalty Ever – NY AG Settles with Oath (Formerly AOL)

Daniel Solove
Founder of TeachPrivacy

COPPA - TeachPrivacy Privacy Awareness Training 01

On December 4, 2018, New York Attorney General Barbara D. Underwood announced a $4.95 million settlement with Oath, Inc. (formerly known as AOL), for violating the Children’s Online Privacy Protection Act (COPPA). This is the largest penalty in a COPPA enforcement case in U.S. history.

Continue Reading

Vendor Management Matters: HIPAA Enforcement for $500K for Lack of a Business Associate Agreement

Daniel Solove
Founder of TeachPrivacy

HIPAA Enforcement - Business Associate Agreement 01

Advanced Care Hospitalists PL (ACH) has agreed to pay $500,000 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) for an alleged violation of HIPAA. OCR found that the company shared protected health information (PHI) with an unknown vendor without a business associate agreement (BAA).  According to the Resolution Agreement, “ACH impermissibly disclosed the PHI of 9,255 of its patients to a third party for billing processing services without the protections of a business associate agreement in place.”  The PHI later turned up on the vendor’s website.

This was clearly an unforced error in compliance — and an expensive one!   So easy to avoid too!  Providing PHI to a vendor without a business associate agreement is like going to work without your clothes on.  Vendor management is incredibly important, and organizations that fail to have proper agreements with their vendors that receive personal data are often punished severely by many privacy laws beyond HIPAA. The GDPR requires vendor agreements, and the FTC has found that companies engage in an unfair practice under the FTC Act Section 5 when they lack an adequate vendor agreement.

The main lesson from most privacy enforcement cases, whether HIPAA or otherwise: Do the basics!  So many cases involve failing to do obvious things.  There’s not much muddy ground in the land of enforcement.

The press release can be viewed here.  The Resolution Agreement can be viewed here.

Also of Interest Regarding HIPAA

HIPAA Enforcement Guide

HIPAA Training Guide

HIPAA Enforcement 2017: Another Big Year for HIPAA Enforcement

Why Is HIPAA Data Breach Enforcement Increasing? An Insurer’s View from Katherine Keefe

Continue Reading

HIPAA Enforcement Case – Allergy Associates

Daniel Solove
Founder of TeachPrivacy

HIPAA Enforcement

Allergy Associates of Hartford has agreed to pay $125,000 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) for an alleged violation of HIPAA. The incident occurred in February 2015.  A patient reached out to a local TV station about a dispute with a doctor at Allergy Associates. When the reporter contacted the doctor for comment, the doctor improperly disclosed the patient’s PHI.  After Allergy Associates learned that HHS was investigating this incident, no disciplinary action was taken against the doctor.  According to the Resolution Agreement:

(1) Allergy Associates impermissibly disclosed the Complainant’s PHI to an unauthorized third party. See 45 C.F.R. § 164.502(a).

(2) Allergy Associates failed to apply appropriate sanctions against its Workforce Member who failed to comply with the entity’s privacy policies and procedures and the Privacy Rule. See 45 C.F.R. §164.530(e)(l).

According to the HHS press release:

“When a patient complains about a medical practice, doctors cannot respond by disclosing private patient information to the media,” said OCR Director Roger Severino. “Because egregious disclosures can lead to substantial penalties, covered entities need to pay close attention to HIPAA’s privacy rules, especially when responding to press inquiries.”

The press release can be viewed here.  The Notice of Proposed Determination can be viewed here. The Resolution Agreement can be viewed here.

Also of Interest Regarding HIPAA

HIPAA Enforcement Guide

HIPAA Training Guide

HIPAA Enforcement 2017: Another Big Year for HIPAA Enforcement

Why Is HIPAA Data Breach Enforcement Increasing? An Insurer’s View from Katherine Keefe

Continue Reading

Will the FTC Remain a Leader on Privacy and Security?

Daniel Solove
Founder of TeachPrivacy

FTC and Privacy and Security

In an unprecedented transition, the FTC just got a full slate of 5 new commissioners, three Republicans and two Democrats:

Joe Simons (Chairman) – R
Noah Phillips – R
Christine Wilson – R
Rohit Chopra – D
Rebecca Slaughter – D

FTC LogoIt is difficult to predict how the FTC will approach privacy.  The new commissioners will be inheriting some high-profile investigations (Equifax and Facebook), and they will also be inheriting the legacy of the FTC as serving as the leading privacy regulator in the United States.  There are some, such as Berin Szóka, who argue that the FTC’s power needs to be reigned in.   In contrast, I posit that just the opposite is in order: the FTC must pursue a bold enforcement agenda.

The reason is that we don’t live in an isolated world. The European Union (EU) has seized the scepter of leading regulator of multinational companies. Nearly every chief privacy officer at a large multinational company tells me that their focus is 90% or more on the General Data Protection Regulation (GDPR) — the massive and rigorous privacy regulation in the EU that will start being enforced on May 25 of this year.  Effectively, for many companies, the regulators they are paying attention to are across the pond.

The US shouldn’t let itself fade into irrelevance. For years, the FTC has been working to convince the EU that there really is meaningful privacy regulation in the US — and I believe that this effort made a difference.  Perhaps it didn’t convince all EU policymakers, but it definitely had an effect on some policymakers.  This was how the US was able to establish the Privacy Shield Framework, built in the smoldering ashes of the Safe Harbor Arrangement that the European Court of Justice demolished in one swift stroke.

Continue Reading

FTC v. AT&T Mobility

Daniel Solove
Founder of TeachPrivacy

FTC v. ATT Mobility

In a very important decision, FTC v. AT&T Mobility (9th Cir. 2018 en banc),  the U.S. Court of Appeals for the 9th Circuit en banc reversed an earlier panel decision that severely limited the FTC’s jurisdiction to protect privacy and data security.  I strongly criticized the panel decision in an previous blog post.

The FTC has taken the lead role in protecting privacy and data security through the FTC Act Section 5, 15 U.S.C. § 45, which prohibits “unfair or deceptive acts” affecting commerce.  Section 5(a)(2) contains a list of industries that are carved out from FTC jurisdiction. This list includes banks, airlines, and common carriers.  A “common carrier” is defined in the Communications Act of 1934, 47 U.S.C. § 153: “The term ‘common carrier’ or ‘carrier’ means any person engaged as a common carrier for hire, in interstate or foreign communication by wire or radio or interstate or foreign radio transmission of energy.”  Common carriers are regulated by the Federal Communications Commission (FCC).

In FTC v. AT&T Mobility the FTC brought a Section 5 enforcement action against AT&T for a part of AT&T’s business that was not regulated by the FCC.  However, the 9th Circuit panel concluded that the common carrier exception to FTC jurisdiction was status-based — it applied to common carriers no matter what activities they were engaged in.  This means that if a company engages in a non-minor amount of common carrier activities, then everything that it does, including many activities beyond its functions as a common carrier, fall outside the FTC’s power to regulate under Section 5.  Because these are non-common-carrier activities, the FCC often can’t regulate them either.  This opens up an odd no man’s land where a company can engage in certain activities and escape regulatory enforcement while other companies engaging in the same activities cannot.

Here’s what I wrote about why the earlier 9th Circuit panel decision was problematic:

Continue Reading

HIPAA Enforcement Case – Filefax

Daniel Solove
Founder of TeachPrivacy

HIPAA Enforcement

This week the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced an agreement to settle HIPAA violations with Filefax, located in Northbrook, Illinois. One aspect was different than their usual settlement process in that Filefax closed the business down during the OCR investigation and was no longer operating when the settlement was reached. OCR announced that Filefax could not avoid their obligations under HIPAA even though they were no longer running the company. The receiver that is liquidating the company’s assets agreed to pay $100,000 to settle the potential HIPAA violations made by the company while open.

Their HIPAA violations stemmed from an anonymous complaint stating that the medical records of approximately 2,150 patients, which contained protected health information (PHI), received by Filefax had been taken to a shredding/recycling facility and sold. The OCR investigation found over a period of several weeks the PHI had been left unsecured outside Filefox and had been removed from the facility by an unauthorized person.

The press release can be viewed here.  The Resolution Agreement can be viewed here.

Also of Interest

HIPAA Enforcement Guide

HIPAA Enforcement 2017: Another Big Year for HIPAA Enforcement

Why Is HIPAA Data Breach Enforcement Increasing? An Insurer’s View from Katherine Keefe

Lessons from 2016, the Biggest HIPAA Enforcement Year on Record

Is HIPAA Enforcement Too Lax?

Continue Reading

HIPAA Enforcement 2017: Another Big Year for HIPAA Enforcement

Daniel Solove
Founder of TeachPrivacy

HIPAA Enforcement

At the end of 2017, the OCR logged just under $20 million in fines for HIPAA violations from 10 enforcement actions with monetary penalties.  In 2016, the total in penalties was roughly the same amount but from 15 organizations.

Here is an overview of the resolution agreements and enforcement actions with civil monetary penalties from 2017:

HIPAA Enforcement Chart

Lessons from 2017

Devices, devices, devices . . .

Quite a number of cases involved failure to implement safeguards for PHI on mobile devices.  The best fix is to superglue devices to staff.  Short of doing that, organizations should recognize that mobile devices frequently get lost or stolen, so there should be heightened security controls when PHI is accessible on these devices.

Act quickly.

Several cases involved failing to provide timely notice or to act promptly after problems were discovered.  In politics, it’s often not the scandal, but the coverup that fells politicians.  In the world of HIPAA, it’s often not the incident, but the response that leads to organizations being penalized.

Continue Reading