The legal landscape surrounding privacy and data security continues to grow in complexity and scope. Increased enforcement activity and regulation at state and federal levels present challenges for businesses in every sector. These challenges carry particular weight for the health care industry, which must respond to an ever-changing regulatory environment or risk the possibility of significant civil or even criminal penalties. We outline below recent developments in privacy and data security laws and how they signal important considerations for the future.
Increased Enforcement by OCR
Two high-profile actions by the Office for Civil Rights (“OCR”) in early 2011 suggest that the federal government is delivering on promises of increased scrutiny and penalties with respect to potential federal privacy law violations. Massachusetts General Hospital faced allegations of federal privacy law violations when an employee left, and was unable to recover, a folder of patient records on a train while commuting to work. Massachusetts General Hospital worked with OCR to reach a monetary settlement of $1 million and to develop a Corrective Action Plan (“CAP”) that will be implemented over a period of three years. Key features of the CAP include development and implementation of policies covering the physical removal and transport of protected health information (“PHI”) and staff training on these policies, as well as an internal monitor to assess and to make periodic reports to OCR regarding the hospital’s compliance.
Shortly after the settlement with Massachusetts General Hospital, the Department of Health and Human Services (“HHS”) imposed a $4.3 million civil money penalty on Cignet Health for refusing to give patients access to their medical records, as required by federal law. Only slightly more than $1 million of this amount related to Cignet’s refusal to provide access; the remaining $3 million was based on Cignet’s failure to cooperate with OCR’s investigation into the matter. The penalty imposed on Cignet is another sign of increased aggressiveness on the part of federal regulators in this area, and a reminder that non-cooperation with an investigation can cost more than the underlying violation.
In addition, OCR has conducted audits of covered entities’ compliance with the HIPAA privacy and security rules. OCR audits have included a review of privacy and security practices, including physical, technical and administrative measures that covered entities have undertaken to protect patient information. These reviews underscore the importance of workforce training, remediation of known risks, and rigorous implementation of policies and procedures.
The Massachusetts General Hospital and Cignet incidents, combined with OCR’s provider audits, show that OCR is taking privacy violations seriously and expects early and full cooperation from any entity under investigation. Health care businesses will need to stay current on how OCR continues to pursue its broader privacy and data security enforcement activities.
Federal Regulation and Legislation
New and proposed laws have the potential to provide additional incentives for increased enforcement activities by the federal government.
The Health Information Technology for Economic and Clinical Health (“HITECH”) Act expands the rights of individuals with respect to protection of and access to their PHI. For example, under HITECH, individuals have the right to access electronic copies of their PHI that health care providers and health plans maintain. In addition, while business associates’ liability historically has been predicated on business associate agreements, HITECH makes business associates directly liable for violations of certain privacy and security requirements imposed under HIPAA.
In addition to changes already in effect pursuant to the HITECH statute, a HITECH final rule is expected prior to the end of 2011, following HHS’s proposed rule from July 2010. The final rule is expected to focus on HIPAA privacy and to implement a number of additional requirements for covered entities and business associates, including an expanded definition of business associate that would include subcontractors of business associates; more restrictive health care marketing rules; and a more narrowly construed minimum necessary rule governing the ways in which PHI can be used and disclosed. HHS has also indicated that it intends to issue a separate proposed rule regarding an expanded accounting of disclosures by covered entities. In particular, that proposed rule may narrow or eliminate the exception that has saved covered entities from having to account for disclosures of PHI for treatment, payment or health care operations.
We expect that the volume of new requirements for covered entities and business associates under HITECH will provide additional motivation for increased government enforcement activity. We also expect that increased compliance responsibilities for business associates may lead to more heavily negotiated business associate agreements in areas relating to allocation of risk, indemnification, limits on liability and insurance.
Commercial Privacy Bill of Rights
A recent development that could have far-reaching implications is the Commercial Privacy Bill of Rights Act. Introduced in the Senate in April by Senators Kerry and McCain, this bill would establish new rules concerning companies’ collection, use and dissemination of certain types of consumer data, including personally identifiable information and unique identifiers associated with an individual or networked device. Central to the bill are provisions for data security and accountability; purpose specification and use limitation; individual participation; data minimization; and data integrity. The bill delegates enforcement authority to the Federal Trade Commission (“FTC”) as well as to state attorneys general. The FTC would also have responsibility for developing standards for “reasonable notice” to consumers, as well as approval of voluntary safe harbors. Another important feature of the bill is its requirement for “privacy by design,” pursuant to which companies must consider privacy standards for inclusion in the research and design phase of their products.
Whether the bill will become law remains to be seen. However, its introduction indicates that companies’ storage and use of consumer data is an area of growing concern for federal lawmakers.
Enforcement by State Attorneys General
Privacy and data security issues are also taking center stage at the state level. The HITECH Act allows state attorneys general to bring suit for violation of certain federal privacy laws. Connecticut Attorney General Richard Blumenthal was the first to exercise this new enforcement authority when he filed suit in 2010 against Health Net of Connecticut as a result of the disappearance of a portable data drive containing unencrypted medical records. (Encryption matters under federal law as well: HITECH’s breach notification obligations reach only “unsecured” PHI, and PHI encrypted consistent with HHS guidance falls outside that definition.) Vermont’s attorney general also took action on behalf of the Vermont residents whose privacy was breached. Health Net settled with Connecticut for $250,000, agreed to adopt new security measures, and agreed to pay an additional $500,000 if the compromised data are found by November 2011 to have been accessed and misused. In January 2011, Health Net settled the Vermont suit for $55,000 and agreed to submit to a data-security audit and to file periodic reports with the state for the next two years. OCR is actively seeking to coordinate with state attorneys general and has offered HIPAA enforcement training to facilitate greater enforcement by the states.
State Investigations of Data Breaches
In addition to exercising new authority under federal law, states have enacted their own security breach notification laws that outline how and when a company must report a data breach to affected individuals. In both the Connecticut and Vermont suits referenced above, Health Net faced, in addition to the alleged federal violations, charges of violating breach notification requirements under state law. Indiana’s attorney general filed charges against WellPoint for an alleged data breach in which applications for insurance coverage containing health information were available on an unsecured web site, and WellPoint allegedly failed to notify affected customers in a timely manner. A recent alleged data breach at a Health Net facility on the West Coast has also sparked an investigation by state agencies in both California and Oregon. These actions show that states are watching data breaches closely, and that the timeliness of notification is itself an enforcement target separate from the breach.
Patient Information and Marketing
Another increasing trend concerns the use of patient information for the promotion of drugs. Vermont state law prohibits pharmaceutical companies from collecting and using drug prescription information for commercial marketing purposes. This law was challenged by several data collection companies and the industry group PhRMA, who argue that this prohibition violates First Amendment rights to free speech. The United States Supreme Court heard oral arguments in Sorrell v. IMS Health Inc. in April and a decision is pending. Similar to the Vermont law, proposed legislation in Maine would prohibit health care providers and health information exchanges from disclosing patient data for sales and marketing without patient consent.
Data collection and marketing use is also the subject of a recent class action filed in Pennsylvania state court. The complaint alleges that CVS Caremark Corporation used information obtained from CVS pharmacy services to promote specific medications to patients by sending letters to the patients’ physicians. The complaint also alleges that several pharmaceutical companies paid CVS Caremark to send these letters. Increased attention to the use of consumer data for pharmaceutical marketing purposes highlights another area that health care businesses should monitor.
Emerging Issues Related to Health Information Exchanges (“HIEs”)
As covered entities and business associates continue to build networks for electronic health information exchange, the industry confronts new challenges and risks related to the privacy and security of health information. Health care providers participating in HIEs, regional health information organizations and similar arrangements will need to address questions relating to compliance of such networks with the HIPAA privacy and security rules as well as state privacy laws, including those regarding disclosure of mental health, HIV, and genetic testing information. Issues will include appropriate consent and authorizations relating to the sharing of health information; compliance with network privacy and security procedures; and implementation of technical and administrative procedures to address the risk of data breaches within these new networks. HIE participants will also confront complex issues relating to the legislative initiatives discussed above and potential liability exposure of HIE members related to the conduct of the network and other members in the event of a data breach.
The shifting landscape in the area of privacy and data security signals higher stakes for the health care industry. Understanding these changes is complicated by the fact that still more changes, such as the final HITECH rulemaking, are expected soon. Exposure to liability will grow as the financial incentives for “meaningful use” of electronic health records increase the use of these systems and thereby increase the risk of data breaches. Continued focus on enforcement and more state and federal regulation will require health care businesses to remain current and vigilant in their compliance.