This blog covers privacy, security, health information technology and e-discovery related topics. The primary goal of this blog is to raise public awareness of legal issues pertaining to the use of law and technology.
Attached is an updated summary of the major provisions of the security breach statute enacted in each state. In the event of a security breach, you should consult legal counsel to ascertain the appropriate method of notification and the other requirements that apply. To date, forty-five states, the District of Columbia, Puerto Rico and the Virgin Islands have enacted legislation requiring notification of security breaches involving personal information. States with no security breach laws include Alabama, Kentucky, Mississippi, New Mexico, and South Dakota. Arkansas, California, Minnesota, and Texas now bring health information within the scope of their respective security breach statutes by including it in the definition of personal information. Eight states take an acquisition-based approach, under which the unauthorized acquisition of the data itself triggers notice; the remaining states take a more pragmatic approach, under which a risk assessment of the likelihood of harm controls whether notice must be sent to consumers.
PITTSBURGH, SEPTEMBER 15, 2010. In the first HIPAA prosecution in the Western District of Pennsylvania, United States Attorney David J. Hickton announced today that a resident of Monroeville, Pa., has been indicted by a federal grand jury in Pittsburgh on charges of multiple illegal disclosures and uses of patients' individually identifiable health information for personal gain. The Health Insurance Portability and Accountability Act of 1996 (HIPAA), passed by Congress, provides national standards for electronic health care transactions and protects patients from the disclosure of personal medical information without their consent.
For the last ten years data privacy (confidentiality) has been the hot topic; however, data integrity will become the greatest obstacle to the efficient and safe use of complex information systems. One component of data integrity is an appropriate document retention procedure that ensures the retention and integrity of business documents. Experienced federal judges like Judge Grimm, a magistrate judge in Maryland known for his cogent e-discovery opinions, have gone to great lengths to tell litigators to stop treating data like paper, and to teach experienced lawyers how to conduct the most basic steps of discovery. See, e.g., Mayflower v. Mancia, 2008 WL 4595175 (D. Md.). Broadly speaking, the processes above are essential components of the electronic document life-cycle and are implicit in the federal e-discovery rules. Appropriate management of information and records is driven by two primary sources: (a) statutory, regulatory and other legal principles (“the law”), and (b) professional standards. Federal, state and local regulations give organizations considerable latitude to maintain their records in either paper or electronic form. See, e.g., Paperwork Reduction Act (44 U.S.C.A. § 3501, et seq.). Many industries recommend that their members follow published standards and technical papers addressing records and information management issues. Records management is essential to maintaining the integrity of data, and many industries already have established resources for professional guidance on acceptable practices. (Figure 1 below is a recently released British Standard that addresses data integrity.) The key consideration under US law is whether a given records management process will ensure the accuracy of the data without making it more expensive to access and review the data in the event of litigation.
It is important to know whether your insurance policy covers security incidents, especially where insurance is one of your risk management controls. A recent example illustrates the potential issue.
* Perpetual Storage (http://www.perpetualstorage.com/index_home.htm), an off-site storage facility, allegedly lost backup tapes belonging to the University of Utah through the action or inaction of one of its drivers: the tapes were stolen from an employee’s car.
* Colorado Casualty is seeking a declaration that it is not responsible for covering the $3.3 million cost of notifying the 1.7 million people whose individually identifiable information was lost (http://www.sltrib.com/education/ci_14978059).
* On June 1, 2008, an employee of Perpetual Storage picked up backup tapes containing information about 1.7 million people, 1.1 million of whose records contained social security numbers, in a secure vehicle, to transport the tapes directly and immediately to the granite vault facility.
* Early on the morning of June 2nd the tapes were stolen from the vehicle of the Perpetual Storage employee. This year Colorado Casualty filed a declaratory judgment action against Perpetual Storage, Inc. (“Perpetual Storage”) and the University of Utah (which operates a hospital).
On March 19th, HHS published a notice in the Federal Register stating that it intends to complete approximately 2,500 surveys to assess public perception of Health Information Exchanges.[i] Public perception of the security of HIEs is key to understanding how ONC will eventually regulate HIEs. At the macro level, the National Health Information Network (NHIN) is a network of HIEs. At this time most states have received grants to implement an HIE. Recently, however, HHS has also announced a scaled-down version of the Connect software to be used for limited transactions between providers. Generally, the NHIN Connect software framework is designed to enable secure and interoperable electronic health information exchange (HIE) with NHIN-compliant organizations, including federal agencies, local-level health organizations, and healthcare participants in the private sector. However, the NHIN Direct initiative announced in January 2010 may replace some HIEs that do not bring value-added services to the marketplace.
On March 22nd http://www.healthreform.gov, an official U.S. Government Web site managed by the U.S. Department of Health & Human Services, announced: “The passage of health insurance reform legislation represents a historic victory for the American people. America’s families and businesses will not only get relief from skyrocketing health care costs but will now have more control over their health care. No longer will the insurance companies get the final say when it comes to rates and rights.” The Reconciliation Bill, the “Health Care and Education Affordability Reconciliation Act of 2010”, is available at http://docs.house.gov/rules/hr4872/111_hr4872_amndsub.pdf. This Bill was agreed to by both the Senate and the House and will be signed into law by the President this week.[i] I am, probably like most Americans, a little worried and curious about how things will evolve from here. Last winter my wife had to wait in line for six hours at the Virginia Department of Public Health, on two separate occasions, for our 14-month-old twin daughters to receive their H1N1 vaccination; that causes me to wonder what exactly health reform will mean for the quality and efficiency of health care. There are hidden costs to waiting in line for health care, and these costs may be more than some of the sicker patients can endure. Health care is partly a supply and demand problem; with something like universal health care, some thought should be given to where and how we can train many new caregivers at a reasonable cost. Forty-five thousand dollars per year for a physician (4 years), or for a physician assistant (2 years), is a large sum of money.
Configuration management remains a challenging issue, especially for small and mid-size organizations. Given the complex dependencies of modern applications, a modification to the organization’s browser, a security patch to the operating system, and even a hardware upgrade can introduce incompatibilities or security vulnerabilities into your organization’s information system. Today NIST announced the publication of the Initial Public Draft of Special Publication 800-128, Guide for Security Configuration Management of Information Systems. This publication provides guidelines for managing the configuration of information system architectures and their associated components for the secure processing, storage, and transmission of information. Security configuration management is an important function for establishing and maintaining secure information system configurations, and it provides important support for managing organizational risk in information systems. Beyond being an excellent resource in its own right, the publication includes two invaluable appendices.
One of the most common (and highest-risk) kinds of user-installed software found on enterprise desktop computers is P2P[i] file-sharing software. This software can be detected with network scanning software like Nessus.[ii]
Unlike other software, P2P file-sharing software is very effective at circumventing an organization’s security perimeter. In most organizations the measures in place to prevent users from installing software are easily circumvented: (1) by installing and running the software from a USB key, (2) by using the local Administrator account to install the software, because the local Administrator password has not been reset after the last re-image or is known to users, or (3) because IT installs the software at the request of a user. Recently, the Department of Health and Human Services (“HHS”) has been very proactive in getting the message out that portable media, laptops, and other similar devices that contain electronic protected health information (e-PHI) must be encrypted. However, despite numerous alleged disclosures of e-PHI on P2P networks, HHS is failing to inform patients, covered entities, and business associates of covered entities about the risks of peer-to-peer (P2P) file sharing and the inadvertent sharing of documents containing e-PHI.
On March 15, 2010, ONC completed the announcement of State Health Information Exchange (State HIE) Cooperative Agreement Program awardees. The first announcement of awards was on February 12th, 2010. These awards are meant as seed money for State HIEs, which are expected to reach financial independence within 2 to 4 years. The awardees will be evaluated on various criteria over a four-year period. The criteria are detailed in http://healthit.hhs.gov/portal/server.pt/gateway/PTARGS_0_10741_888442_0_0_18/FOA_State%20Health%20Information%20Exchange%20Cooperative%20Agreement%20Program_Sept3_updated%20funding%20formula.doc. A PDF of the same document is available here: FOA_State Health Information Exchange Cooperative Agreement Program_Sept3_updated funding formula. Generally, HIEs are intended to transmit healthcare information electronically across organizations within a region, community or hospital system. HIEs generally allow the movement of clinical information among disparate health systems; various gateways and interface utilities are used to translate data between those systems.
HIMSS is the largest health care technology conference in the United States. This year the conference was held in Atlanta and brought $25 million to the city. The tone of HIMSS 2010 was cautiously optimistic in light of the uncertainty surrounding threatened government legislative action. Vendors are working hard to meet recently promulgated regulatory requirements for EHR systems; some of the legislated requirements for EHRs are not essential, or are unlikely to be used by most physicians. The government is positioned as the primary funding source for EHR and HIE technology. Grants for HIE implementation total almost 400 million dollars, with a promise of more grants to come. Implementation models for state HIEs vary from a federated model to states with loosely associated local HIEs. Thus far a strong centralized structure seems to be the most effective implementation method.
Under the HITECH breach notification requirements, covered entities must notify HHS of all reportable breaches. HHS recently released a list of breaches, including the covered entity, the business associate, the number of individuals affected, and the location of the information lost. More than 35 HIPAA covered entities have reported breaches involving the PHI of more than 500 individuals since September 2009. The theft or loss of laptops, desktops and portable media by far represents the majority of the security breaches reported thus far. A summary of the breaches reported thus far appears below.