29 April 2012

Health Privacy Breaches

Two announcements from the US about action under national health privacy law.

In the first, the federal Department of Health & Human Services (HHS) last month reached a US$1.5 million settlement with insurer BlueCross BlueShield of Tennessee regarding a 2009 data breach. That settlement is the first under the Health Information Technology for Economic and Clinical Health (HITECH) Act Breach Notification Rule noted in past posts on this blog.

BlueCross notified the HHS Office for Civil Rights that 57 unencrypted hard drives had been stolen from a 'secure' room in a facility vacated by BlueCross as part of its move to new accommodation. The 'data closet' was ostensibly protected by "biometric and keycard scan security", a magnetic lock and an additional door with a keyed lock. The property manager also provided general security services for the premises. The drives featured health information concerning approximately one million individuals.

BlueCross' 2009 statement indicated that
The hard drives were part of a system that recorded and stored audio and video recordings of coordination of care and eligibility telephone calls from providers and members to BlueCross' former Eastgate call center located in Chattanooga. The hard drives that were stolen contained data that included protected health information data of some members of the health plan. This data included member names and identification numbers and, on some but not all recordings, a diagnosis/diagnosis code, date of birth and/or a Social Security number.
The notification, consistent with mandatory data breach reporting, resulted in an investigation by the Office for Civil Rights. The latter concluded that BlueCross had failed to implement appropriate administrative safeguards and had failed to provide physical safeguards to adequately protect the unencrypted information. Criticism of inadequate administrative safeguards centred on the failure to conduct a required security evaluation in response to operational changes (i.e. BlueCross failed to assess the risks associated with the move to the new accommodation).

At a few cents more than a dollar per individual, the penalty is unimpressive and compares unfavourably with the remuneration of BlueCross senior executives. Media coverage suggests that BlueCross has spent over US$17 million in responding to the data breach over two and a half years. More importantly, it is required to implement a Corrective Action Plan that features random HHS auditing of BlueCross data storage devices, including unannounced site visits to facilities housing portable devices.

The announcement was followed by news of an HHS settlement with Phoenix Cardiac Surgery regarding alleged violations of the HIPAA Privacy and Security Rules, which predate the HITECH Act and do not invoke mandatory data breach reporting.

The HHS Office for Civil Rights launched an investigation in February 2009 following a complaint alleging Phoenix "impermissibly disclosed electronic protected health information by making it publicly available on the Internet".

The Office found that Phoenix failed to adequately train employees on appropriate handling of protected health information. Phoenix did not have appropriate and reasonable administrative, physical and technical safeguards for the protection of patient data. In an egregious example that resembles the Medvet incident in Australia, Phoenix allegedly "posted over 1,000 separate entries" of electronic personal medical information "on a publicly accessible, Internet-based calendar". Phoenix employees emailed such information to their own personal email accounts. Perhaps not the sort of organisation you'd trust with your medical data.

The Office alleged that Phoenix had failed to appoint a security officer as required by HIPAA. Phoenix did not perform an accurate and thorough risk assessment and allegedly failed to gain "satisfactory assurances in a business associate agreement" from its commercial associates, a further indication that Phoenix did not meet its requirements under HIPAA.

The Office's Director commented that
This case is significant because it highlights a multi-year, continuing failure on the part of this provider to comply with the requirements of the Privacy and Security Rules. We hope that health care providers pay careful attention to this resolution agreement and understand that the HIPAA Privacy and Security Rules have been in place for many years, and OCR expects full compliance no matter the size of a covered entity.
No matter. The settlement with HHS was US$100,000 and a commitment to a one-year corrective action plan.