Health Care Data Breaches:
Steps To Take When Prevention Fails

By Rebecca Williams, James P. Walsh and Thomas R. Burke
[May 2006]

It seems that every few weeks the media is covering another security breach—often with sensitive health care and personal information winding up in the wrong hands. Health care data breaches, such as thefts of laptop computers containing patient health care and financial information, are occurring more frequently. Security breaches have affected over 50 million people in the United States in the last few years. No organization is immune.

Both federal and state laws are expanding to protect against identity theft and public exposure of personal information of all kinds, in particular health care information. At the same time, however, federal and state governments as well as private initiatives are pushing for the sharing of confidential health information, such as interoperable electronic health records through regional health information organizations and other information sharing collaboration.

Despite reasonable precautions, security breaches have occurred and will continue to occur. Accordingly, organizations should prepare.

A sampling of legal and other considerations

HIPAA. The administrative simplification provision of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) creates both criminal penalties for violations of HIPAA’s statutory prohibitions and civil penalties for violations of its implementing regulations, including the Standards for Privacy of Individually Identifiable Health Information (Privacy Rule) and the Security Standards for the Protection of Electronic Protected Health Information (Security Rule).

Under HIPAA, a person may face criminal penalties if the person "knowingly and in violation of" HIPAA, among other things, "obtains individually identifiable health information relating to an individual" or "discloses individually identifiable health information to another person." If convicted for any of these crimes, a person faces: a fine of not more than $50,000 and/or imprisonment of up to one year for a "routine" crime; a fine up to $100,000 and/or jail time of up to five years if the offense is committed under false pretenses; and a fine of not more than $250,000 and/or imprisonment of not more than ten years if the offense is committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm. A violation of the Privacy Rule or Security Rule may result in substantial civil penalties.

Under the Privacy Rule, a covered entity must mitigate, to the extent practicable, any harmful effect of an improper disclosure. The Security Rule also requires such mitigation of harmful effects of a security incident. Notice to the affected individual may be an appropriate step in the mitigation process, depending on the situation; however, notice is not specifically mandated.

A covered entity also must have and apply sanctions to those workforce members who violate the covered entity’s privacy and security policies.

HIPAA does not create a private right of action for persons whose health information is compromised. However, it does not foreclose other legal remedies an individual may have under either federal or state law should disclosure of confidential health information lead to damage or other injury. In addition, HIPAA arguably sets standards that could provide the basis for civil lawsuits seeking damages.

FTC Act. The Federal Trade Commission (FTC) has filed complaints against for-profit corporations that improperly disclosed consumers’ personal information. It initially did so when companies represented that they would keep consumer data confidential and secure but then failed to do so. The FTC claimed that the companies’ promises to safeguard data, when they did not do so, were deceptive practices prohibited by the Federal Trade Commission Act ("FTC Act").

More recently, the FTC has brought claims against companies under the FTC Act when the companies failed to implement reasonable information security practices, regardless of whether or not the companies promised to keep data confidential. In such cases, the FTC alleged that the failures amounted to "unfair" practices. For example, in January of 2006, Choicepoint, Inc. agreed to pay the FTC a $15,000,000 fine to settle an FTC complaint that alleged that Choicepoint had committed unfair practices by failing to maintain adequate data security measures. More than 800 consumers reported instances of identity theft caused by Choicepoint’s provision of data to an identity theft ring that was masquerading as a legitimate business.

Confidentiality laws. Every state has laws that restrict the disclosure of health care information. In particular, many of these state laws provide additional protections for areas of heightened confidentiality concerns, such as AIDS/HIV, mental health, substance abuse, developmental disabilities, and genetic testing. Some states have elaborate regulatory approaches. Organizations must comply with these laws, to the extent applicable, and a data security breach may constitute a violation of such confidentiality laws. There also may be some reporting or notification requirements contained in such laws.

Additionally, federal regulations impose stringent confidentiality requirements for substance abuse treatment information.

State data breach notification statutes. More and more states are enacting data breach notification statutes. Many of these laws are based on the California statute, which was the first of its kind in the nation. Generally, these notification laws require businesses that control electronic data to notify state residents if their personal information is believed to have been acquired by an unauthorized person. These statutes often contain timing and content requirements.

State consumer protection act. To protect consumers, most if not all the states prohibit "unfair or deceptive acts or practices in the conduct of any trade or commerce." Many of these unfair business practice laws are modeled on federal consumer protection and fair trade statutes, including the FTC Act.

Possible civil causes of action for data breaches. As experience with data breaches has grown, so have attempts to expand liability for data breaches through litigation, including class action lawsuits. Such actions generally are based on state privacy torts.

Other potential implications. Health care organizations experiencing security breaches also may have to address issues that may be raised as participating providers under Medicare and Medicaid, as accredited entities with such organizations as the Joint Commission on Accreditation of Healthcare Organizations, and/or as licensed entities under applicable licensing authorities.

Of course, probably the most painful effect is the potential harm to the organization’s reputation and the community’s trust.

What to do when the security system fails

Prevention is the best way to avoid the consequences of a security breach. But, if a security breach does occur, several steps should be considered in response, which depend on the circumstances surrounding the breach. There is, of course, no single or perfect plan. And it is important to keep in mind that applicable notification laws are not entirely clear and often overlap.

  • Conducting an Investigation of the Incident. The organization should begin by conducting a thorough investigation of the incident to better understand the scope and likely causes of the breach. A single person, who reports to a senior organization official, should be put in charge of investigating the data breach incident. It may be appropriate to create a team, led by the point person, who can contribute various expertise.

    A decision should be made whether to include the organization’s in-house or outside attorneys in the process. Thought should be given to issues such as attorney-client privilege and confidential communications, particularly if criminal violations are possible. It may be necessary to hire computer or security experts to assist. Insurance coverage should be examined.

    Documents and information should be gathered and safeguarded. Once the parameters of the security breach are reasonably known, the organization’s decision-makers should be informed of the results of the investigation and should develop a plan for responding to the security breach.

  • Making timely notifications, as appropriate. Disclosure of a security breach may be required to various groups and entities, including the board of directors, shareholders, members, employees, law enforcement, oversight and enforcement officials, state and federal government regulators, auditors, the public, and those whose information has been released. For each category, there should be an analysis of what disclosures may be required by or appropriate under law or policy.

    The manner of any such notification sometimes is spelled out by statute and/or regulation and sometimes is not. Care must be taken to meet all requirements of any mandatory notification. If in doubt, a broad notification may be appropriate. Timing also will be an issue. Law enforcement may play a role in deciding when to announce a breach. Notification should happen only after the incident is fully understood. Care should be taken in developing and implementing a notification plan.

    If notification is appropriate, the notifications should be crafted carefully to avoid complicating or augmenting the problem. The notification, for example, may include basic information about what happened, who might be affected, measures taken to avoid the problem in the future, and general guidance on what the potentially affected individuals should do to protect themselves.

    The organization should be prepared to respond to those who call in or otherwise contact the organization for more information and guidance.

  • Determining whether workforce should be disciplined. As part of the investigation, it should be determined whether any employees or other workforce members acted or failed to act in a manner that should result in sanctions, up to and including termination. Sanctions should be consistently applied and documented. It may prove helpful when dealing with agencies who may be investigating the breach to know that disciplinary action has been appropriately taken.

  • Fixing and Mitigating the Problem. Steps should be taken to fix the problem that caused the data breach. This may include new computer security systems, additional training, or new organization policies and procedures. Remedial measures should begin as soon as possible. Moreover, the organization should consider whether any actions to mitigate the effects of a data security breach would be appropriate under the circumstances.

  • Contacting government and other agencies. The need to disclose a data security breach may require reports to various state and federal agencies, including law enforcement, licensing, and regulatory agencies. Each should be approached with care and each contact documented. Success in handling relationships with these agencies can mean that the problem will not get bigger than mere notification. It is possible, however, that further government investigation could be triggered.

  • Continuing operations. Addressing a significant data security breach is stressful and consumes time and resources. As a result, continuing business as usual is difficult, but it is essential to the organization and the people the organization serves.



For more information, please contact:

Rebecca Williams
Seattle
(206) 622-3150
beckywilliams@dwt.com

James P. Walsh
San Francisco
(415) 276-6556
budwalsh@dwt.com

Thomas R. Burke
San Francisco
(415) 276-6552
thomasburke@dwt.com


This Health Law Advisory is a publication of the Health Law Group of Davis Wright Tremaine LLP. Our purpose in publishing this Advisory is to inform our clients and friends of developments in health care law. It is not intended, nor should it be used, as a substitute for specific legal advice as legal counsel may only be given in response to inquiries regarding particular situations.

Copyright 2006, Davis Wright Tremaine LLP.

