Tag Archive for: PHI

Data Breach? Your Obligations under the Texas Identity Theft Enforcement and Protection Act

Illustration by attorney Christopher Elam

For any business – big or small – customer confidence is critical for success in today’s competitive marketplace.  But in the event your company’s security is breached and consumer information is stolen, you may have a legal obligation to notify your customers.  Admitting a data breach can be embarrassing, but failure to comply with the law can be devastating to your reputation and your bottom line. 

The Texas Identity Theft Enforcement and Protection Act

The Texas Identity Theft Enforcement and Protection Act (Tex. Bus. & Com. Code § 521.001 et seq.) applies to anyone who conducts business in Texas and “owns or licenses computerized data that includes sensitive personal information.”  Businesses covered by the Act are required to protect the sensitive personal information of their staff and customers.  As used in the Act, “sensitive personal information” means unencrypted identifying information, such as an individual’s name in combination with a social security number, driver’s license number, or credit card or account number.  The term also includes information about an individual’s health care.  The word “unencrypted” matters: data that is properly encrypted when it is lost or stolen does not fall within the definition.

The Act requires you to notify the affected individuals as soon as possible after you discover or reasonably believe that there has been a data breach.  A data breach is not limited to your computer systems being hacked.  The Act’s notification requirements can also be triggered if, for example, a dishonest employee steals a customer’s credit card information, or if a customer using your website is shown another customer’s information because of a coding error; in each case the information has left your control even though no outside attacker broke in.  If the data breach affects more than 10,000 individuals, you must also report the incident to the consumer reporting agencies.
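The “coding error” scenario above is the failure mode application security calls a broken object-level authorization check: a page looks up a record by the identifier in the request and never verifies that the requester owns it. The Python below is an added example written for this page; it is not code from the article or from any real application. The customer table, session identifiers and handler names are all constructed for illustration. It puts the vulnerable lookup beside the fixed one and counts how many other customers’ records a single logged-in user could pull from each, which is the number of individuals a notification would have to cover.

```python
"""
Added example: the "customer receives another customer's information" bug.

Two handlers share one constructed customer table. The vulnerable handler
trusts the record_id in the request; the fixed handler releases a record
only to the customer who owns it. All data and names here are constructed
for illustration and come from no real system.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass(frozen=True)
class CustomerRecord:
    record_id: int
    owner_id: int      # customer permitted to view this record
    name: str
    card_last4: str    # name + card data: sensitive personal information


# Constructed sample data: two customers, sequential record ids.
RECORDS: Dict[int, CustomerRecord] = {
    1001: CustomerRecord(1001, owner_id=7, name="A. Example", card_last4="4242"),
    1002: CustomerRecord(1002, owner_id=8, name="B. Example", card_last4="0005"),
}


class AccessDenied(Exception):
    """Raised when the authenticated customer may not view the requested record."""


def get_record_vulnerable(session_customer_id: int, record_id: int) -> Optional[CustomerRecord]:
    """Look up the record named in the request and return it.

    Authentication happened (we know whose session this is), but the
    authorization step is missing: any logged-in customer who edits the id
    in the URL receives someone else's data. session_customer_id is never
    consulted, which is exactly the defect.
    """
    return RECORDS.get(record_id)


def get_record_secure(session_customer_id: int, record_id: int) -> CustomerRecord:
    """Same lookup, but the record is released only to its owner.

    "Does not exist" and "not yours" produce the same AccessDenied so the
    response does not confirm which ids are valid to someone probing them.
    """
    record = RECORDS.get(record_id)
    if record is None or record.owner_id != session_customer_id:
        raise AccessDenied(f"customer {session_customer_id} may not view record {record_id}")
    return record


def secure_denies(session_customer_id: int, record_id: int) -> bool:
    """True if the secure handler refuses this request."""
    try:
        get_record_secure(session_customer_id, record_id)
    except AccessDenied:
        return True
    return False


def count_foreign_records_exposed(
    handler: Callable[[int, int], Optional[CustomerRecord]], session_customer_id: int
) -> int:
    """Walk every record id as one logged-in customer would and count the
    records belonging to other customers that the handler hands back.
    This is the number of affected individuals a notification must cover."""
    exposed = 0
    for record_id in RECORDS:
        try:
            record = handler(session_customer_id, record_id)
        except AccessDenied:
            continue
        if record is not None and record.owner_id != session_customer_id:
            exposed += 1
    return exposed


if __name__ == "__main__":
    # Customer 7 walks the id space against each handler.
    print("vulnerable handler exposes", count_foreign_records_exposed(get_record_vulnerable, 7), "foreign record(s)")
    print("secure handler exposes", count_foreign_records_exposed(get_record_secure, 7), "foreign record(s)")
```

In a real application the ownership check belongs in one place that every handler must pass through (the data-access layer or a decorator), not repeated by hand in each view; the count function above is the same walk an auditor would run against production logs to size a notification.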

The Penalties

The penalties for not complying with the notification requirements can be steep.  For each violation of the Act, the State of Texas can impose a civil penalty of between $2,000 and $50,000.  Failing to notify carries its own penalty: up to $100 for each individual who should have been notified, for each consecutive day the notification is late, capped at $250,000 for all individuals affected by a single breach.  Although individuals themselves cannot bring a lawsuit to enforce the Act, the Texas Attorney General may bring an action to recover the penalties and may also seek an injunction.  The Attorney General is also entitled to recover reasonable expenses, including attorney’s fees, court costs, and investigatory costs.

If your business collects or maintains the sensitive personal information of its customers, such as credit card information or health care information, you need to take extra precautions to collect, store, and secure that data properly.  Because the Act reaches only unencrypted data, encrypting stored customer data is one of the most effective of those precautions.  If you have experienced a data breach, or even if you suspect one has occurred, we strongly recommend seeking the advice of an experienced attorney to help you avoid the perils of an inadequate response.


Christopher Elam is an attorney at Farrow-Gillespie Heath Witter LLP. Mr. Elam has experience in business transactions, corporate governance, trademarks and real estate transactions, as well as mergers and acquisitions. He graduated from SMU Dedman School of Law in 2010.


$2.5M Settlement Shows that not Understanding HIPAA requirements Creates Financial Risk

The U.S. Department of Health and Human Services, Office for Civil Rights (OCR), recently announced a Health Insurance Portability and Accountability Act (HIPAA) settlement based on the impermissible disclosure of unsecured electronic protected health information (ePHI).  In 2012, CardioNet, a company that remotely monitors patients at risk for cardiac arrhythmias, reported to OCR that a workforce member’s laptop had been stolen from a vehicle parked outside the employee’s home.  The laptop contained the ePHI of 1,391 individuals.  The settlement was not reached until 2017, which shows how long some HIPAA investigations can take, and the costs that accumulate in the meantime.

CardioNet has agreed to settle potential noncompliance with the HIPAA Privacy and Security Rules by paying $2.5 million and implementing a corrective action plan.  This settlement is the first involving a wireless health services provider, and it rests in part on CardioNet’s failure to comply with basic HIPAA rules that apply to all “covered entities” and “business associates.”  The compliance steps outlined below are framed around mobile devices, but they apply to any device used to store PHI or ePHI.

OCR’s investigation into the impermissible disclosure revealed that CardioNet had insufficient risk analysis and risk management processes in place at the time of the theft.  Additionally, CardioNet’s policies and procedures implementing the standards of the HIPAA Security Rule were in draft form and had not been implemented.  Further, the organization was unable to produce any final policies or procedures regarding the implementation of safeguards for ePHI, including those for mobile devices.

HHS and OCR have published a very helpful 5-step guideline for establishing compliance with HIPAA.  While the following actions relate specifically to mobile devices, these five steps are applicable to all PHI.

Decide

Decide whether mobile devices will be used to access, receive, transmit, or store patients’ health information or used as part of your organization’s internal networks or systems (e.g., your EHR system).

Understand the risks to your organization before you decide to allow the use of mobile devices. Risks (threats and vulnerabilities) can vary based on the mobile device and its use. Some risks may be:

  1. A lost or stolen mobile device
  2. Inadvertent downloading of viruses or other malware
  3. Unintentional disclosure to unauthorized users when sharing mobile devices with friends, family and/or coworkers
  4. Use of an unsecured Wi-Fi network.

Assess

Assess how mobile devices affect the risks (threats and vulnerabilities) to the PHI your organization holds.

Conduct a risk analysis to identify the risks to your organization. If you are a solo provider, you may conduct this risk analysis yourself. If you work in a larger organization, the organization may conduct the risk analysis.

A risk analysis will help determine the safeguards, policies, and procedures your organization needs. It should include reviewing risks created by all mobile devices used to communicate with your internal networks or systems, regardless whether the devices are personally owned or provided by the organization.

Perform a risk analysis periodically and whenever there is a new mobile device, a lost or stolen device, or suspected compromised health information.

After conducting a risk analysis, document, in writing:

  1. Which mobile devices are being used to communicate with your organization’s internal networks or systems (e.g., the EHR system or a Health Information Exchange (HIE)), and
  2. What information is accessed, received, stored, and transmitted by or with the mobile device.

Identify

Identify your organization’s mobile device risk management strategy, including privacy and security safeguards.

The purpose of a mobile device risk management strategy is to develop and implement mobile device safeguards to reduce risks (threats and vulnerabilities) identified in the risk analysis. The risk management strategy should include evaluation and maintenance of the mobile device safeguards you put in place.

Develop, Document, and Implement

Develop, document, and implement the organization’s mobile device policies and procedures to safeguard health information.

Organizations should develop and implement reasonable and appropriate policies and procedures to safeguard health information, including those specific to mobile devices. Here are some topics and questions to consider when developing mobile device policies and procedures:

  1. Has the organization identified all the mobile devices that are being used in the organization? How is the organization keeping track of them?
  2. Should the organization let providers and professionals use their personally owned mobile devices within the organization?
  3. Should providers and professionals be able to connect to the organization’s internal network or system with their personally owned mobile devices, either remotely or on site?
  4. Does the organization restrict how providers and professionals can use mobile devices?
  5. Will the organization institute standard configuration and technical controls on all mobile devices used to access internal networks or systems, such as an EHR?
  6. Are there restrictions on the type of information providers and professionals can store on mobile devices?
  7. Does the organization have written procedures for addressing misuse of mobile devices?
  8. Does the organization have procedures to wipe or disable a mobile device that is lost or stolen or when providers and professionals end their employment or association with the organization?
  9. How is the organization training its workforce (management, doctors, nurses, and staff) on policies and procedures and holding them accountable?

Train

Train and conduct mobile device privacy and security awareness and training for providers and professionals.

Providers and professionals who use mobile devices must have privacy and security awareness and training, on an annual basis, to avoid costly mistakes that can result in loss of patient trust.

Privacy and security awareness and training should include a discussion of the following topics:

  1. How to assess risks (threats and vulnerabilities) when using mobile devices for work;
  2. How to secure mobile devices;
  3. How to protect and secure health information;
  4. How to avoid mistakes when using mobile devices.

Finally, the organization should train its workforce so that they understand the organization’s mobile device policies and procedures and how to follow them.



Jennifer Snow practices in the areas of health care law and business litigation. She is the author of numerous articles on health care law. Jennifer represents physicians and physician groups in health law matters, and she represents companies and executives in business litigation.

Ms. Snow has been named to the list of “Rising Stars” by Texas Monthly Magazine and Texas Super Lawyers (a Thomson Reuters service) in every year since 2014.


Scott Chase has practiced health law, corporate law, and intellectual property law for over 35 years. Mr. Chase is Board Certified in Health Law by the Texas Board of Legal Specialization.

Scott’s primary practice focus is business transactions for physicians and healthcare facilities, as well as healthcare regulatory issues such as the Affordable Care Act, HIPAA and peer review. Mr. Chase handles general corporate matters and trademark/copyright issues for physicians and also for a variety of non-healthcare clients.


Healthcare Providers’ Risk of Data Breach

By Scott Chase and Catherine Parsley

Healthcare providers receive, collect, and store vast quantities of protected health information (“PHI”) from their patients. Yet only half of the providers responding to a recent survey said that they are prepared to respond to cyber-attacks. Attacks and other security breaches can have far-reaching consequences for providers and their patients.

Electronic Medical Records

Healthcare providers face vulnerabilities that are specific to their field. Most providers are adopting or have adopted electronic medical records (EMRs), but those systems are often clunky and can be inadequately secured. EMR systems make sharing PHI easy, which is valuable internally but creates a greater risk of external leakage than old-fashioned paper records. Many providers’ networks have been pieced together over time, leaving gaps and inconsistencies, while attacks grow more sophisticated. A further consequence of piecemeal networks is that many providers either cannot detect, or do not know how to detect, in real time that their systems are being compromised.

HIPAA Violation

These factors leave healthcare providers open to a higher risk of attacks and data loss. A loss of PHI can constitute a breach under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). And a provider need not actually lose PHI to violate HIPAA: failing to safeguard PHI, so that it is exposed to the risk of access by unauthorized individuals, is itself a violation even if no loss or theft occurs. One hospital was recently fined over three million dollars for failing to comply with HIPAA’s required protective measures. Its violations included storing PHI on unencrypted devices, allowing those devices to be accessed by individuals who were not authorized under HIPAA, and failing to implement the risk management plans it had been advised to adopt.

It is also important to note that the HIPAA Security Rule requires a risk assessment of PHI vulnerabilities whenever either of the following occurs:

  • In response to environmental and operational changes, such as implementation of new technology or changed office operations
  • Any security breach or security incident that indicates vulnerability.

Fines have been levied on providers that failed to perform such assessments, even where no breach was found. Healthcare providers are not targeted as frequently as some other types of organizations, such as banks and financial institutions, but the wealth of data they hold makes them a highly sought-after target. Attackers can put the data to a variety of fraudulent uses, and any loss or possible loss can be a HIPAA violation.  In addition to having appropriate corporate policies in place, providers should review the types of insurance coverage available to reduce losses.

Farrow-Gillespie Heath Witter LLP can help healthcare providers deal with security threats. Our attorneys can work with clients to put policies in place before problems arise, or help clients deal with regulatory or operational issues after a breach occurs.  For more information on the available services, contact board-certified health care attorney Scott Chase.



Scott Chase is a Dallas health law attorney, Board Certified in Health Law by the Texas Board of Legal Specialization.  Mr. Chase has been named for many years to the list of Texas Super Lawyers (a Thomson Reuters service), Best Lawyers in America (U.S. News & World Report), and Best Lawyers in Dallas (D Magazine).


What is HIPAA?

HIPAA, HITECH, and state laws all impact the responsibilities of health care providers and their business associates regarding the treatment and disclosure of confidential medical and health records.

The HIPAA Security Rule, in particular, requires covered entities to maintain electronically stored protected health information in a manner that preserves the records’ confidentiality, integrity, and availability. Covered health care providers must identify potential risks and vulnerabilities and protect against reasonably anticipated threats or hazards to the security of that information. They must also protect against reasonably anticipated impermissible uses or disclosures and ensure compliance by their workforce. The Security Rule further requires covered entities to make usable electronically stored protected health information available to authorized persons on demand. Business associates of HIPAA-covered entities, which are not covered entities themselves, also carry increased responsibility under the HITECH Act of 2009 to maintain and handle protected health information securely. To avoid steep fines and the growing possibility of civil liability, covered entities and their business associates should be informed and proactive about their evolving responsibilities with respect to protected health information.

The Security Rule does not dictate specific protection measures; instead it allows each covered entity to develop its own, taking into account its size, complexity, and capabilities; its technical infrastructure; the cost of the measures; and the likelihood and potential impact of impermissible disclosures of protected health information. Entities must document the security measures they choose. Importantly, it is not enough for an entity to adopt security standards; those standards must actually be assessed, implemented, and followed. The Security Rule requires that security measures be reviewed, updated, and documented “as needed.” While the Rule does not say how often a risk analysis must be performed, regular review and adjustment of security measures is essential to HIPAA compliance. Security assessments and training should take place on an ongoing basis, and a legal compliance audit is advisable periodically and whenever an entity has experienced a security incident, a change in ownership, or turnover in key staff, or is planning to adopt new technology.

For more information, contact board-certified health care attorney Scott Chase.