HIPAA Safe Harbor Bill | Tahlia Clement

The HIPAA Safe Harbor Bill: A New Incentive for Organizations to Prioritize Security

On January 5, 2021, the President signed H.R. 7898, the HIPAA Safe Harbor Bill, into law. This new legislation amends the HITECH Act to require the Department of Health and Human Services (HHS) to incentivize best-practice cybersecurity in meeting HIPAA requirements.

Previously, organizations that experienced cyberattacks were subject to HIPAA enforcement actions that included severe penalties and fines, regardless of the organization’s cybersecurity practices. Now, H.R. 7898 specifically requires that HHS evaluate whether the organization has been using recognized security practices, by reviewing the previous 12 months, when calculating fines or penalties arising from a cyberattack. However, the law also expressly states that it does not give HHS the authority to increase fines, or even to expand the extent of an audit, when an organization is found to be out of compliance with recognized security practices.

According to the law, “the Term ‘recognized security practices’ means the standards, guidelines, best practices, methodologies, procedures, and processes developed under…the NIST Act, the approaches promulgated under… the Cybersecurity Act of 2015, and other programs and processes that address cybersecurity and that are developed, recognized, or promulgated through regulations under other statutory authorities.”

This new law is important since the healthcare industry continues to be the most impacted sector when it comes to cyberattacks. The healthcare industry accounted for 79 percent of all reported data breaches from January to November 2020, and attacks against healthcare organizations increased overall by 45 percent between November 2020 and January 2021. In addition, HIPAA violation fines can range from $100 per violation all the way up to $59,522 per violation. Since these fines are calculated on a “per violation” basis, in 2020 the fines imposed ranged from $3,500 to $6,850,000, with multiple fines imposed totaling over $1,000,000.

A recent example is the University of Texas M.D. Anderson Cancer Center, which was fined $4,300,000 for violations of HIPAA and the HITECH Act. However, on January 14, 2021, the United States Court of Appeals for the Fifth Circuit vacated the fine, stating that it was “arbitrary, capricious, and otherwise unlawful.” The Court held that HIPAA does not require entities to use “bulletproof protection” and instead found that M.D. Anderson had adopted sufficient security practices. This case shows that even courts are now looking at an entity’s security practices when determining whether a HIPAA violation fine is reasonable.

For more information about your entity’s cybersecurity risks and HIPAA compliance, reach out to one of FGHW’s healthcare attorneys. Our attorneys have extensive experience with reviewing and analyzing HIPAA and cybersecurity practices to determine if they comply with recognized security practices under the new law. If your cybersecurity practices are not up to the new standards, FGHW’s attorneys can assist in implementing practices that are compliant.


Dallas Attorney Tahlia Clement

Tahlia Clement’s primary practice areas are marketing, advertising and promotions law, health law, internet law, and general business transactions. Tahlia graduated from SMU Dedman School of Law and holds a B.A. in journalism and mass communications from Arizona State University.

Five Key Internal Investigation Considerations

Internal investigations are used by companies to learn the facts, identify legal and compliance issues, and resolve concerns across a number of areas, ranging from employment practices to health and safety to financial reporting. When a company decides to conduct an internal investigation, thinking through these five key issues will help assure a thorough and objective investigation.

  1. Identify the right process owner. This is not the person who will conduct the investigation but the one who authorizes it, receives the report, and takes action on it. The process owner needs to be someone who is independent in the matter. For example, if the investigation involves alleged misconduct by an officer, a committee of the board of directors may need to authorize and oversee the investigation.
  2. Preserve evidence promptly. Take immediate steps to preserve obviously relevant documents and other evidence for the investigation. Making relevant evidence available to the investigator and preserving it for later review is a key step to gaining credibility for your investigation if regulators decide to review the same issues at a later date or if stakeholders question the neutrality of the investigation.
  3. Develop a plan of investigation. A well-thought-out plan of investigation helps establish a baseline understanding between the investigator and the process owner. The plan should establish an initial scope of the investigation, i.e., identify the issue(s) to be considered. The plan should also identify the types of documents that will need to be collected and reviewed and the witnesses who should be interviewed. In some instances, the plan may identify experts that should be consulted. As the investigation progresses, the scope may need to be expanded, based on consultation between the investigator and the process owner, and additional witnesses or experts may be identified.
  4. Consider the privilege. If the company wants to conduct an investigation that is protected by attorney-client privilege, steps should be taken from the outset to establish and protect the privilege. In many jurisdictions, the privilege is more likely to be upheld if outside counsel serves as the investigator. An engagement letter or memorandum to the file from the process owner or in-house counsel should be written at the outset and should state that the purpose of the investigation is to obtain legal advice. Witness interviews should include appropriate instructions about the privileged nature of the investigation and need for confidentiality. Potential waivers of privilege should be considered before they arise and discussed between the investigator and the process owner. Careful planning can allow the investigator to take steps to minimize or avoid the potential for privilege waiver.
  5. Decide on the form of report. Sometimes a written report is the best format. But finalizing a written report can take time. In some instances, e.g., an accounting restatement where investors have been told not to rely on the company’s existing financial statements, the need for prompt answers may be better served by an oral report or a simple slide show format. As with other key decisions, the investigator should advise and consult the process owner on the form of the final report.

By attending to these five key issues, the investigator and process owner help assure the integrity of the investigation and avoid costly “do-overs.”


Mary O'Connor | Farrow-Gillespie & Heath LLP | Dallas, TX

Mary L. O’Connor’s practice focuses on representing companies and their officers and directors in commercial litigation and arbitration, securities litigation, internal investigations, and regulatory investigations and enforcement proceedings. Mary is currently listed among the Best Lawyers in Dallas by D Magazine, and the Best Lawyers in America by US News and World Report.

Farrow-Gillespie Heath Witter

The CCPA: California’s Follow-up to the GDPR

Illustration by legal assistant Charles Jackson

Following the enactment of the European Union’s GDPR, California has passed the California Consumer Privacy Act of 2018 (CCPA), which will go into effect January 1, 2020. The CCPA is intended to protect California residents’ personal information, which is defined as any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. This includes identifiers such as name or email address, commercial information, personal property records or purchase history, biometric information, search history, professional information, and educational information. However, the CCPA does not apply to information already regulated under HIPAA, the Gramm-Leach-Bliley Act, the FCRA, or the Driver’s Privacy Protection Act.

The CCPA applies to companies that:

  • Conduct business in California
  • Collect the personal information of California residents
  • Satisfy at least one of the following:
    • Produce annual gross revenues in excess of $25,000,000
    • Buy, receive, sell, share, or a combination thereof, the personal information of 50,000 or more consumers, households, or devices for commercial purposes
    • Obtain 50% or more of their annual revenue from selling, releasing, or renting consumer personal information to a third party for monetary consideration

Under the CCPA, California residents will know what information companies are collecting about them, why the data is being collected, and with whom they are sharing the data. California residents will have the power to demand that their data be deleted and not stored, and that their data not be sold or shared with any third parties. Further, California residents can opt out of a company’s terms of service without losing access to its offerings. The CCPA also restricts companies from selling the data of anyone under the age of 16 without explicit consent.

To hold companies accountable for consumer data, California residents will be able to sue companies subject to the CCPA for up to $750 for each data breach violation. In addition, the California attorney general can sue for $7,500 for each intentional violation of privacy.

The CCPA also requires the expansion of the privacy disclosures that companies provide when collecting or using consumers’ personal information. The disclosures must include a description of the rights California residents have regarding their personal information, how they can exercise those rights, and information on how the company will collect, use, and share their data. In addition, the company must provide a link to a “Do Not Sell My Personal Information” page that allows consumers to opt out and is accessible on all relevant platforms.

For companies that are subject to the CCPA, more requirements may be coming, as the law gives the California Attorney General the authority to implement new regulations. If you believe you are subject to the CCPA, consult an attorney familiar with data privacy to ensure compliance.

For full documentation of the CCPA, please visit the website of the California legislature.

Tahlia Grassie | Farrow-Gillespie & Heath LLP | Dallas, TX

Tahlia Clement is a clerk at FGHW. Ms. Clement is a 2019 candidate for a Juris Doctor at SMU Dedman School of Law, where she is the Editor-in-Chief for SMU’s Science and Technology Law Review. She holds a B.A. in journalism and mass communications from Arizona State University.

Scott Chase | Farrow-Gillespie & Heath LLP

What is HIPAA?

HIPAA, HITECH, and state laws all impact the responsibilities of health care providers and their business associates regarding the treatment and disclosure of confidential medical and health records.

The HIPAA Security Rule, in particular, requires that covered entities keep electronically stored protected health information in a manner that maintains the records’ confidentiality, integrity, and availability. Covered health care providers must carefully identify potential risks and vulnerabilities and protect against reasonably anticipated threats or hazards to the security of confidential information. They must protect against reasonably anticipated impermissible uses or disclosures and ensure compliance by their employees. The Security Rule also requires covered entities to provide authorized persons with access to usable electronically stored protected health information on demand. Business associates of HIPAA-covered entities, which are not covered entities themselves, also face increased responsibility under the HITECH Act of 2009 to securely maintain and handle protected health information. To avoid steep fines and the growing possibility of civil liability, covered entities and their business associates should be informed and proactive regarding their evolving responsibilities with respect to protected health information.

The Security Rule does not dictate specific protection measures, but instead allows each covered entity to develop its own measures considering its size, complexity, and capabilities; its technical infrastructure; costs; and the likelihood and possible impact of inadvertent disclosures of protected health information. Entities must properly document their chosen security measures. Importantly, however, it is not enough for an entity to adopt security standards; those standards must actually be assessed, implemented, and followed. The Security Rule requires that security measures be updated and documented “as needed.” While the Rule does not state how frequently a risk analysis must be performed, regular review and modification of security measures is undoubtedly key to ensuring HIPAA compliance. Security assessments and training should take place on an ongoing basis, and legal compliance audits are advisable periodically and whenever an entity has experienced a security incident, a change in ownership, or a turnover in key staff, or is planning to incorporate new technology.

For more information, contact board-certified health care attorney Scott Chase.

Scott Chase | Farrow-Gillespie & Heath LLP

$150,000 Penalty for HIPAA Violation

The U.S. Department of Health and Human Services, Office for Civil Rights (HHS-OCR), has recently entered into another HIPAA settlement, emphasizing yet again the government’s focus on the HIPAA Security Rule. The settlement highlights that health care entities cannot merely adopt HIPAA policies; they must actually implement and follow those policies in practice on an ongoing basis. In early December 2014, HHS-OCR confirmed that Anchorage Community Mental Health Services (ACMHS), a nonprofit organization providing behavioral health care services, had agreed to pay a $150,000 fine, adopt a corrective action plan to correct deficiencies in its HIPAA compliance program, and report to HHS-OCR on the state of its compliance for two years. The settlement was based on an HHS-OCR investigation of ACMHS’s breach of unsecured electronic protected health information (ePHI). The breach was the result of malware that compromised the security of ACMHS’s information technology (IT) resources and affected 2,743 individuals.

During its investigation, HHS-OCR found that ACMHS had adopted sample HIPAA Security Rule policies and procedures in 2005, but these policies and procedures were neither followed nor updated. Thus, ACMHS could have avoided the breach (and would not have been subject to the settlement agreement) if it had followed its own policies and procedures and regularly assessed and updated its IT resources with available patches. The settlement with ACMHS is just one of several recent settlements arising from an HHS-OCR investigation, either because an organization self-reported a breach of ePHI or because HHS-OCR investigated an organization’s HIPAA compliance program after receiving a complaint or as part of its annual audit protocol. No matter how the investigation begins, HHS-OCR will expect an organization to have fully implemented and updated its HIPAA compliance program and its policies and procedures. Compliance with the HIPAA Security Rule requires organizations (among other things) to assess risks to ePHI on a regular basis, including whenever new software, e.g., a patient portal, is implemented. Organizations cannot simply adopt HIPAA policies and procedures, conduct training, and then ignore HIPAA. All organizations subject to HIPAA, both “covered entities” and “business associates” (regardless of size), must devote ongoing resources to protecting personal health information from security threats.

Most of the activities that HHS-OCR found lacking at ACMHS are ones that health care providers can efficiently develop, implement, or sustain with timely planning.

For more information, please contact board-certified health law attorney Scott Chase.

Jennifer Snow | Farrow-Gillespie & Heath | Dallas, TX

HIPAA Law and Business Associates

HIPAA-covered entities and their business associates are facing increased obligations to securely maintain and handle protected health information. A health care entity subject to HIPAA rules must ensure that its contracts with a business associate that may receive protected health information include statutorily required assurances that the business associate will appropriately safeguard the information. That is, in a vendor contract, staffing contract, or services contract in which data provided to a party includes protected health information of any person, the contract that governs that transaction or relationship must include language of HIPAA compliance.

For more information, contact board-certified healthcare attorney Scott Chase.