Three Key Requirements Imposed by Colorado’s New Consumer Data Privacy Statute

Be careful what you ask for (and maintain) about Colorado residents…especially if you don’t have the proper data security policies in place. On September 1, 2018, Colorado’s new privacy law, HB 18-1128, goes into effect, imposing new requirements on any business or government entity that maintains, owns, or licenses personal identifying information about Colorado residents.

The new law imposes three key requirements on businesses subject to the rule:

  1. Reasonable security procedures and practices must be implemented that are proportionate to the nature of the personal identifying information maintained and the nature and size of the business’s operations.
  2. Written policies for the destruction and proper disposal of paper and electronic documents containing personal identifying information must be developed.
  3. Breach notification procedures must be followed, including adhering to a 30-day time period by which notification must be completed.

Business that do not already have written data disposal and security policies should act quickly to ensure that they are compliant with the nuances of the new law.

Colorado’s breach notification requirement imposes a more aggressive requirement for notifying affected residents than requirements under the Health Insurance Portability and Accountability Act (HIPAA) and virtually any other U.S. state. A business must provide written notification with certain information to affected residents in the most expedient time possible and without unreasonable delay, but not later than 30 days after the point in time when there is sufficient evidence to conclude that a security breach has occurred. For breaches believed to have affected 500 residents or more or 1000 residents or more, businesses must notify the Colorado Attorney General and certain consumer reporting agencies, respectively.

Reflective of the shift towards providing consumers with more control over their personal information, the bill is codified under the Colorado Consumer Protection Act (CCPA) and potentially creates a private right of recourse against businesses who misuse a resident’s information. CCPA causes of action oftentimes include assertion of a right to triple damages and reasonable attorneys’ fees. Additionally, the Colorado Attorney General may bring civil, or in some cases criminal, actions for violation of the law.

The frequently unforgiving nature of civil monetary penalties imposed by the HHS Office of Civil Rights (OCR) for HIPAA violations should be cautionary. But, not only is there great risk of exposure for unprepared or noncompliant businesses facing enforcement by state and federal regulatory agencies, now more than ever, individual or class action liability seems to be on the horizon. Last, but not least, businesses never envision themselves as “the ones” making headlines about their data breaches…until it happens…and happens quickly.

What if I already comply with other state or federal privacy laws?

The new law indicates that businesses already regulated by other state or federal law are in compliance if adhering to such regulator’s procedures for the protection and disposal of personal identifying information. If the business operates in interstate, international and/or online commerce involving Colorado residents, however, a thorough review of policies and procedures is recommended to ensure that various applicable laws are reconciled.

Recommendations:

Businesses subject to the privacy law should take the following steps, at a minimum, to ensure that they are prepared to comply.

  1. Entities should know and map the flow of data both internally and outside of their business, whether in paper or electronic format. Inventories of hardware and other electronic portable devices where electronic media is stored should be routinely tracked.
  2. Employees must be routinely trained in policies. Handbooks should be updated and whether to require nondisclosure and confidentiality agreements assessed. Appropriate protocols for the destruction and disposal of personal identifying information must be implemented for current and departing employees.
  3. Third-party service vendors should be identified and communicated with regularly to obtain assurances of compliance. Contractual documents should memorialize vendors’ obligations.
  4. Businesses, including HIPAA covered entities, should rework their data breach policies and ensure that third-party vendor agreements or business associate agreements reflect Colorado’s more stringent breach notification timeline of 30 days.

Conclusion:

There is no uniform mechanism for determining how best to implement the necessary measures. Legal counsel specializing in data privacy and security law are instrumental resources when ensuring that adequate measures are taken to navigate compliance with state and federal laws, especially in today’s rapidly changing environment.

Updated HIPAA Breach Reporting Tool Launched by HHS

“…a more positive, relevant resource of information for concerned consumers.”

On July 25, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), unveiled a revised Health Insurance Portability and Accountability Act (HIPAA) Breach Reporting Tool (HBRT) that provides consumers improved access to information on breach data, and also provides greater ease-of-use for organizations reporting incidents. The HBRT makes required reporting information public, such as name of the entity suffering the breach; state where the breach occurred; number of individuals affected; date of the breach; type of breach (e.g. hacking/IT incident, theft, loss, unauthorized access or disclosure); and the location of the breached information (e.g. laptop, paper records, desktop computer). HIPAA also requires health care providers and other covered entities to promptly notify individuals of a breach and, in some cases, notify the media.

HHS Secretary Tom Price, M.D., explained, “HHS heard from the public. . . .To that end, we have taken steps to make this website, which features only larger breaches, a more positive, relevant source of information for concerned citizens.”

The HRBT may be found at: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf.

Failure to Update Business Associate Agreement Leads to Health System’s Settlement with OCR

A hospital’s breach notification to the Department of Health and Human Services, Office of Civil Rights (“OCR”) led to a Resolution Agreement, payment of $400,000 and a Corrective Action Plan for an east coast health system. On September 23, 2016, OCR issued a press release advising that Woman & Infants Hospital of Rhode Island (“WIH”) a member of Care New England Health System (“CNE”) notified OCR of a reportable breach in November of 2012, stemming from its discovery that unencrypted backup tapes containing electronic Protected Health Information (“PHI”) were missing from two of its facilities. CNE provides centralized corporate support to the covered entities under its common ownership and control, including technical support and information security for WIH’s information systems, as its business associate. Although WIH had in place a business associate agreement (“BAA”) with CNE, it was dated from March of 2005 and had not been updated since implementation and enforcement of the HIPAA Omnibus Final Rule.

OCR’s investigation of WIH’s HIPAA Compliance program, triggered by the report of the missing tapes, uncovered the outdated BAAs. WIH updated their BAA on August 28, 2015, as a result of OCR’s investigation. OCR then determined that from September 23, 2014, the date enforcement of the Final Rule began, until August 28, 2015, WIH impermissibly disclosed the PHI of at least 14,004 individuals to its business associate when WIH provided CNE with access to PHI without obtaining satisfactory assurances, in the form of a written business associate agreement, that CNE would appropriately safeguard the PHI. The settlement was reached without any admission of liability by CNE or WIH.

The settlement is a jolt to many covered entities and their business associates for a number of reasons. The key take-aways are: (1) There is an inference in the OCR’s actions that a well worded BAA, wherein the business associates agrees to abide by the specifications required by the Privacy and Security Rules, is sufficient to satisfy the covered entity’s obligation to obtain “satisfactory assurances” the business associate will appropriately safeguard the PHI (meaning those often lengthy and burdensome security questionnaires or audits business associates are being asked to complete may be unnecessary and not required); (2) documentation of intent and action, including policies, procedures and BAAs, is extremely important in establishing HIPAA Compliance (i.e., the fact that the mistake occurred—tapes went missing—is being treated as the result of the absence of a written agreement, justifying the enforcement action, when in reality it is likely, or at least conceivable, that human error, inadvertence or lack of attention is the root cause and this could have occurred even if an updated BAA was in place and being followed); and (3) policies, procedures and continuous training and retraining of the workforce handling PHI is imperative to a successful HIPAA compliance program, and remains on the radar of any OCR investigation.

A copy of the Resolution Agreement and Corrective Action Plan may be found on the OCR website at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/wih.
OCR’s sample BAA may be found at http://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html.

Ransomware: Preparing for the Storm That’s A Brewin’

On July 11, 2016, the Office for Civil Rights (“OCR”) published guidelines for ransomware attack prevention and recovery, including the role HIPAA has in assisting covered entities and business associates prevent and recover from such attacks, and how HIPAA breach notification processes should be managed in response to a ransomware attack. According to the OCR report, there have been 4,000 daily ransomware attacks since early 2016, up 300% from 2015. Earlier this week a healthcare IT Security Consultant told me the chatter he hears is the hackers are working on stronger, more aggressive, more deadly hacks to unleash, and he fears a hacking storm a brewin’. Time to get serious and batten down the hatches, folks!

The OCR report describes what a ransomware attack is, and explains that maintaining strict HIPAA Security Rule compliance can help prevent the introduction of malware, including ransomware. Some of the required security measures discussed include:

  • Implementing a security management process, which includes conducting a risk analysis and taking steps to mitigate or remediate identified threats and vulnerabilities;
  • Implementing processes to guard against and detect malicious software;
  • Training users on malicious software protection; and
  • Implementing access controls.

Ransomware gets into your system, denies you access to your data (usually through encryption), and then directs you to pay a ransom to the hacker in order to receive a decryption key. For this reason, maintaining frequent backups and ensuring the ability to recover data from backups is crucial to surviving a ransomware attack. HIPAA compliance helps protect entities because the Security Rule requires covered entities and business associates to implement a data backup plan as part of an overall contingency plan, which includes periodic testing of the plan to be sure it works.

The presence of ransomware – or any malware – is considered a security incident and triggers the need to initiate security incident response and reporting procedures. Based upon an analysis of the investigation results, breach notification may be required. Additionally, if there is an impermissible disclosure of protected health information (“PHI”) in violation of the privacy rule, there is a presumed breach which may trigger notification. Whether or not the presence of ransomware would be a breach under HIPAA Rules is thus fact specific. However, unless the entity demonstrates there is a “…low probability that the PHI has been compromised,” a breach of PHI is presumed to have occurred and the entity must comply with the applicable breach notification provisions.

Further information and a copy of the OCR report can be found here.

Shared Patient Videos Lead to Class Action against Sharp Grossmont Hospital

On May 24, 2016, a class-action complaint was filed against Sharp Healthcare in San Diego, California, alleging violations of the Health Insurance Portability and Accountability Act (HIPAA). Specifically, the complaint alleges that Sharp secretly recorded approximately 15,000 videos of patients in Sharp’s year-long attempt to build a case against an anesthesiologist allegedly stealing the drug Propofol. Sharp allowed security guards to review the recordings, and released 14 of the recordings to the anesthesiologist’s defense attorney. Many of the videos depicted unconscious patients, nudity, Cesarean sections, or other surgeries.

The named plaintiff, Melissa Escalera, was allegedly filmed during a Cesarean section. The class potentially includes more than 1,000 patients secretly recorded by Sharp between July 2012 and June 2013. The complaint seeks class certification and damages for breach of fiduciary duty, breach of confidentiality, unlawful recording of confidential information, negligent creation and maintenance of medical information, unlawful disclosure of medical information, invasion of privacy, and distribution of private sexually explicit materials.

We will continue to monitor this story as it develops.

Investigation Underway After Sharp Grossmont Hospital Shared Private Patient Videos With Third Party

On May 12, 2016, Sharp HealthCare issued a statement regarding its inadvertent dissemination of videos depicting fourteen female patients undergoing obstetric surgeries. Sharp provided the videos to a local attorney defending a physician who is accused of stealing sedative medication from Sharp Grossmont Hospital in San Diego, California.

The privacy breach may constitute a violation of California’s Confidentiality of Medical Information Act (CMIA) and the Health Insurance Portability and Accountability Act (HIPAA), both of which prohibit the disclosure or use of medical information without patient authorization. The hospital argues that a clause in its Admission Agreement authorized the surveillance:

You consent to all hospital services rendered under the general and special instructions of your physician(s), and to the taking of photographs and videos of you for medical treatment, scientific, education, quality improvement, safety, identification or research purposes, at the discretion of the hospital and your caregivers and as permitted by law.

However, the patients are sure to assert that even if the surveillance was authorized, the provision cannot reasonably be interpreted as authorization for disclosing the so-called surveillance to a third party.

Sharp has notified the California Department of Public Health and the Department of Health and Human Services Office for Civil Rights, who will investigate the breach. If the California Department of Public Health determines that the breach constituted a violation of CMIA, the hospital could be fined up to $250,000. (Civ. Code, § 53.36.)  HIPAA imposes similar – but more costly – fines for violations.

We will continue to monitor this story as it develops.

Text Messaging and HIPAA Compliance Risks

Like everyone else, health care workers have become accustomed to the convenience of communicating by text message. Although using text messages can make communications more efficient in the health care setting, transmitting protected health information (PHI), including photographs, in text messages raises Health Insurance Portability and Accountability Act compliance risks. Some of the compliance risks include the following:

  • Many people do not password-protect a mobile device, making it easy for another user to access PHI stored in texts. This access can occur when the device is shared, lost, or stolen.
  • Text messages often are not encrypted, unlike e-mail.
  • The use of personal mobile devices to send texts or photographs is common, unlike email, which most often is sent on work-issued computers or tablets.
  • Text messages can remain on a mobile device indefinitely.

HC BLOG_textingThe U.S. Department of Health & Human Services (HHS) and the Office of the National Coordinator for Health Information Technology (ONC) have gathered tips to safeguard PHI when using mobile devices. They make the following suggestions about how to protect and secure information on mobile devices, which applies to developing a policy on transmitting PHI by text message.

  • Use a password or other user authentication.
  • Install and enable encryption.
  • Install and activate remote wiping and/or remote disabling.
  • Maintain physical control of the mobile device.
  • Delete all stored health information before discarding or reusing the mobile device.

HHS and ONC have resources to assist in updating or developing policies for mobile device use. They recommend the following five steps for policy planning. These steps can assist health care organizations in developing a policy on using text messages to transmit PHI.

1.   Decide whether mobile devices will be used to access, receive, transmit or store PHI.

2.   Conduct a risk analysis to identify risks and perform a risk analysis periodically whenever there is a new mobile device, a lost or stolen device, or suspicion of compromised health information. After conducting a risk analysis, document:

  • which mobile devices are used to communicate with your organization’s internal networks or system; and
  • what information is accessed, received, stored, and transmitted by or with the mobile device.

In addition, organizations should review HHS “HIPAA Security Series: Basics of Risk Analysis and Risk Management” for guidance on conducting a risk analysis.

3.   Identify your organization’s mobile device risk management strategy, including privacy and security safeguards. The risk management strategy should include evaluation and maintenance of the mobile device safeguards you put in place.

4.   Develop, document, and implement your policy. HHS and ONC suggest that the organization consider the following:

  • mobile device management, including identifying and tracking devices;
  • whether personal mobile devices can be used and whether they can be used to connect to the organization’s internal network or system;
  • whether the device can be used away from the organization;
  • whether the device can be used to text;
    • security/configuration settings on mobile devices;
    • restrictions on information that can be stored on mobile devices;
  • procedures for addressing misuse of mobile devices; and
  • recovery and deactivation to wipe or disable lost or stolen devices or devices of employees who leave the organization.

5.   Provide training on mobile device use.

Image courtesy of Flickr by Jhaymesisviphotography

State Law Claims Viable For Violations of HIPAA

In a recent opinion, the Connecticut Supreme Court determined that state law claims based on violations of the Health Insurance Portability and Accountability Act (HIPAA) were viable.

The plaintiff in Byrne v. Avery Ctr. for Obstetrics & Gynecology, P.C., 314 Conn. 433 (Conn. 2014) was involved in a paternity suit and requested that the defendant, her medical provider, not produce any records to her former lover.  However, the defendant was served with a subpoena from the ex-lover, and produced the documents to the court without plaintiff’s knowledge.  See id. at 437.  The plaintiff sued the medical provider after she began experiencing harassment from her ex, who was able to review the medical records.  See id.  In the four-count complaint, the plaintiff alleged breach of contract, negligence, negligent misrepresentation, and negligent infliction of emotional distress.  See id. at 438-439.  In particular, she alleged that the defendant violated HIPAA by producing medical records without authorization.

The court determined that “the regulatory history of the HIPAA demonstrates that neither HIPAA nor its implementing regulations were intended to preempt tort actions under state law arising out of the unauthorized release of a plaintiff’s medical records.  As the plaintiff aptly notes, one commenter during the rulemaking process had raised the issue of whether a private right of action is a greater penalty, since the proposed federal rule has no comparable remedy.”  Id. at 453.  Accordingly, the court found that HIPAA did not preempt state law claims for alleged breaches of confidentiality.  See id. at 459.  However, the court declined to find, as a matter of law, whether the defendant was negligent in producing the medical documents, and remanded to the trial court for further proceedings.  We will continue to provide updates in this case.