HIPAA Enforcement: Employee Access and BAAs Matter

Daniel Solove
Founder of TeachPrivacy


Pagosa Springs Medical Center (PSMC) has agreed to pay $111,400 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) for an alleged violation of HIPAA. OCR found that PSMC failed to deactivate a former employee’s access to a web-based calendar that contained the protected health information (PHI) of 557 patients. PSMC also failed to obtain a business associate agreement (BAA) with the calendar vendor (Google).


Largest COPPA Penalty Ever – NY AG Settles with Oath (Formerly AOL)



On December 4, 2018, New York Attorney General Barbara D. Underwood announced a $4.95 million settlement with Oath, Inc. (formerly known as AOL), for violating the Children’s Online Privacy Protection Act (COPPA). This is the largest penalty in a COPPA enforcement case in U.S. history.


Vendor Management Matters: HIPAA Enforcement for $500K for Lack of a Business Associate Agreement



Advanced Care Hospitalists PL (ACH) has agreed to pay $500,000 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) for an alleged violation of HIPAA. OCR found that ACH shared protected health information (PHI) with an unvetted vendor without a business associate agreement (BAA). According to the Resolution Agreement, “ACH impermissibly disclosed the PHI of 9,255 of its patients to a third party for billing processing services without the protections of a business associate agreement in place.” The PHI later turned up on the vendor’s website.

This was clearly an unforced error in compliance — and an expensive one!   So easy to avoid too!  Providing PHI to a vendor without a business associate agreement is like going to work without your clothes on.  Vendor management is incredibly important, and organizations that fail to have proper agreements with vendors that receive personal data are often punished severely under many privacy laws beyond HIPAA. The GDPR requires written processor agreements, and the FTC has found that companies engage in an unfair practice under Section 5 of the FTC Act when they lack an adequate vendor agreement.

The main lesson from most privacy enforcement cases, whether HIPAA or otherwise: Do the basics!  So many cases involve failing to do obvious things.  There’s not much muddy ground in the land of enforcement.

The press release can be viewed here.  The Resolution Agreement can be viewed here.

Also of Interest Regarding HIPAA

HIPAA Enforcement Guide

HIPAA Training Guide

HIPAA Enforcement 2017: Another Big Year for HIPAA Enforcement

Why Is HIPAA Data Breach Enforcement Increasing? An Insurer’s View from Katherine Keefe


Speaking at the FTC Hearing on Data Security on December 12


12/13/18 Update: Here is the video from the session described below.

On Wednesday, December 12, 2018, I’ll be speaking at the Data Security hearing, part of the FTC Hearings on Competition and Consumer Protection in the 21st Century.  My panel begins at 1:00 PM:

The U.S. Approach to Consumer Data Security

Wednesday, December 12, 2018 from 1:00 PM to 2:30 PM

Participants:

Chris Calabrese
Center for Democracy & Technology

Daniel J. Solove
George Washington University Law School

David Thaw
University of Pittsburgh

Janis Kestenbaum
Perkins Coie LLP

Lisa J. Sotto
Hunton Andrews Kurth LLP

Moderator: James Cooper
Federal Trade Commission, Bureau of Consumer Protection

I previously spoke at an earlier hearing in this series back in September on a panel about consumer privacy protection (video / transcript).  The upcoming hearing focuses on data security.


The Persistent Problems with Access to Records Under HIPAA



A study released last month in JAMA Network Open entitled Assessment of US Hospital Compliance With Regulations for Patients’ Requests for Medical Records demonstrates that compliance with HIPAA’s right to access medical records remains woeful.  In the second half of 2017, researchers contacted 83 US hospitals and, posing as patients, asked for medical records. Across the hospitals, the researchers found that “there was discordance between information provided on authorization forms and that obtained from the simulated patient telephone calls in terms of requestable information, formats of release, and costs.”  On the forms, “only 53% provided patients the option to acquire the entire medical record.”  The study concluded that “Requesting medical records remains a complicated and burdensome process for patients despite policy efforts and regulation to make medical records more readily available to patients. Our results revealed inconsistencies in information provided by medical records authorization forms and by medical records departments in select US hospitals, as well as potentially unaffordable costs and processing times that were not compliant with federal regulations.”

I addressed this topic in a blog post about 2 years ago. At that time, I said:

HIPAA doesn’t handle patient access to medical records very well. There are many misunderstandings about patient access under HIPAA that make it quite difficult for patients to obtain their medical information quickly and conveniently. Getting records is currently like a scavenger hunt. Patients have to call and call again, wait seemingly forever to get records, and receive them via ancient means like mail and fax. I often scratch my head at why fax is still used today — it’s one step more advanced than carrier pigeon.  Many covered entities do not send records by email, and getting electronic copies can be quite difficult. Many healthcare providers still maintain paper records in handwriting, and healthcare lags far behind most other industries in the extent to which it has moved to digital records.

Sadly, as this study confirms, little has changed.


Yes, HIPAA Requires Medical Records to Be Emailed to Patients if Requested



Have you ever asked your healthcare provider to send you medical records by email?  Most likely, you’ve received the reply: “We can’t do that.  We can only fax them to you or provide you with a paper copy.”  This answer is wrong.

HIPAA’s right for individuals to access their health information, 45 CFR § 164.524, provides:

The covered entity must provide the individual with access to the protected health information in the form and format requested by the individual, if it is readily producible in such form and format; or, if not, in a readable hard copy form or such other form and format as agreed to by the covered entity and the individual.


HIPAA Enforcement Case – Allergy Associates



Allergy Associates of Hartford has agreed to pay $125,000 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) for an alleged violation of HIPAA. The incident occurred in February 2015.  A patient reached out to a local TV station about a dispute with a doctor at Allergy Associates. When the reporter contacted the doctor for comment, the doctor improperly disclosed the patient’s PHI.  Even after Allergy Associates learned that HHS was investigating the incident, it took no disciplinary action against the doctor.  According to the Resolution Agreement:

(1) Allergy Associates impermissibly disclosed the Complainant’s PHI to an unauthorized third party. See 45 C.F.R. § 164.502(a).

(2) Allergy Associates failed to apply appropriate sanctions against its Workforce Member who failed to comply with the entity’s privacy policies and procedures and the Privacy Rule. See 45 C.F.R. § 164.530(e)(1).

According to the HHS press release:

“When a patient complains about a medical practice, doctors cannot respond by disclosing private patient information to the media,” said OCR Director Roger Severino. “Because egregious disclosures can lead to substantial penalties, covered entities need to pay close attention to HIPAA’s privacy rules, especially when responding to press inquiries.”

The press release can be viewed here.  The Notice of Proposed Determination can be viewed here. The Resolution Agreement can be viewed here.



The Mail Machine Ate My Thumb Drive


In the annals of what must be one of the most ridiculous data security incidents, a law firm employee sent a client file on an unencrypted thumb drive through the mail.  The file contained Social Security information and other financial data.

Seriously?


The envelope arrived without the USB drive. The firm contacted the post office.

What happened next is most bizarre.  Here’s an excerpt from the law firm’s letter notifying the state attorney general:


HIPAA Cartoon: Notice of Privacy Practices



This HIPAA cartoon involves the notice of privacy practices (NPP) under HIPAA.  HIPAA has a set of detailed requirements for the NPP.  See 45 CFR 164.520 for the text of HIPAA’s requirement for NPPs.

The biggest challenge regarding privacy notices is that hardly anyone actually reads the notice, and notices are often a chore to read.

There is a genuine dilemma when it comes to such notices, whether under HIPAA or otherwise.  As I wrote in Privacy Self-Management and the Consent Dilemma, 126 Harvard Law Review 1880 (2013): “[M]aking [notices] simple and easy to understand conflicts with fully informing people about the consequences of giving up data, which are quite complex if explained in sufficient detail to be meaningful.  People need a deeper understanding and background to make informed choices.”  Sadly, there’s no easy way to win on this one.
