HIPAA Compliance for Medical Practices
60.5K views | +2 today
Follow
HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians
Your new post is loading...
Your new post is loading...
Scoop.it!

$10 Million Fine in Improper Disposal Case

$10 Million Fine in Improper Disposal Case | HIPAA Compliance for Medical Practices | Scoop.it

The grocery store chain Safeway has been ordered to pay a $9.87 million penalty as part of a settlement with California prosecutors related to improper disposal of confidential pharmacy records and hazardous waste in dumpsters.

The settlement resolves allegations that Safeway unlawfully disposed of customer pharmacy records containing private medical information in violation of California's Confidentiality of Medical Information Act.


Prosecutors in California also alleged Safeway unlawfully disposed of various hazardous materials over a period of longer than seven years. Those materials included over-the-counter medications, pharmaceuticals, aerosol products, ignitable liquids, batteries, electronic devices and other toxic, ignitable and corrosive materials, according to a statement from the Alameda County District Attorney's Office. That office took the lead on the civil enforcement lawsuit filed on Dec. 31 by a coalition of 43 California district attorneys and two city attorneys.

Safeway operates about 500 stores and distribution centers in California under a number of brand names, including Von's, Pavilions and Pak 'n Save, and is in the process of merging with another large grocery chain, Albertsons, which operates stores in several states under brands that include ACME, Albertsons, Jewel-Osco, Lucky, Shaws, Star Market and Super Saver.

The case against Safeway by the California district attorneys was based on a series of waste inspections of dumpsters belonging to Safeway facilities conducted by state environmental regulators and other inspectors during 2012 and 2013.

Kenneth Mifsud, Alameda County assistant district attorney, tells Information Security Media Group that the inspections were conducted at dozens of Safeway stores about once a month during an 18-month period. Investigators - who examined retail store waste taken to landfills - found violations in about 40 percent of the stores inspected. In some cases, pharmacy documents, such as store summaries listing medical and personal information on dozens of patients, were found among the waste, he says.

"The inspections revealed that Safeway was routinely and systematically sending hazardous wastes to local landfills, and was failing to take measures to protect the privacy of their pharmacy customers' confidential medical information," says the Alameda County district attorney's statement. "Upon being notified by prosecutors of the widespread issues, Safeway worked cooperatively to remedy the issue, enhance its environmental compliance program and train its employees to properly handle such waste."

The case against Safeway spotlights the importance of retail pharmacy chains, hospitals and other healthcare entities properly shredding or "making indecipherable" patient and other consumer personal information before disposing it, Mifsud says.

"There's a risk of identity theft committed by dumpster divers, and unfortunately by some employees," he says.

Settlement Terms

According to settlement documents filed in the Superior Court in Alameda County on Dec. 31 - the same day the suit was filed by the district attorneys against Safeway - the $9.87 million in civil penalties and costs Safeway agreed to pay are mainly related to the environmental and unfair business claims against the company. The unfair business claims encompass the violations of California's medical confidentiality laws, Mifsud says.

Also as part of the settlement, the retailer must also "maintain and enhance, as necessary" its customer record destruction program to ensure that confidential medical information is disposed of in a manner that protects individuals' privacy. Plus, it must take several steps related to environmental compliance, including ensuring that its workforce is trained in properly disposing waste.

Court documents do not indicate how many customers' improperly dumped pharmacy records were found by inspectors. Mifsud says it's difficult to estimate the number of patients or pharmacy records that were affected by the improper disposal because the inspections only provided "a snapshot" of the some stores' activities.

Approximately 500 Safeway retail stores and distribution centers in the state must abide by the corrective action terms of the settlement, Mifsud says.

State attorneys started negotiations with Safeway in 2012, when the first violations were first discovered, he says. The suit and settlement documents were both filed in court the same day, Dec. 31, as a formality to those discussions, he explains.

In a statement to ISMG, Safeway says, "We have enhanced [our] programs and added new and supplementary training to ensure strict adherence to the law and to our policies. Safeway will continue to dedicate significant resources to these important programs."

Privacy and security attorney Kathryn Coburn, a partner at law firm Cooke Kobrick LLP, says that the Safeway case is a reminder to all organizations that having policies about protecting sensitive information of patients is not enough; they also need to have procedures for the workforce to follow and training to ensure those procedures are understood.

"Everyone I deal with has policies. But if there are no procedures, and no training, those policies aren't any good," she says.

Other Disposal Cases

The Safeway settlement is not the first time enforcement actions have been taken by regulators against a retailer charged with improper disposal of sensitive medical information.

In a 2010 settlement with the U.S. Department of Health and Human Services, Rite Aid Corp. agreed to pay a $1 million fine and take corrective action after some of its stores improperly disposed of prescription information in dumpsters. Also, a $2.25 million HHS settlement was reached in a similar case against CVS Caremark in February 2009.

And retail pharmacies aren't the only organizations that have been cited by regulators for improper disposal of medical information. For example, HHS' Office for Civil Rights last June announced an $800,000 HIPAA settlement with Parkview Health Systems, an Indiana community health system, after paper medical records for 5,000 to 8,000 patients were dumped in the driveway of a physician's home.

Security and privacy attorney Stephen Wu of the law firm Silicon Valley Law Group says OCR could decide to open a HIPAA non-compliance case against Safeway based on the findings by state regulators in their suit against the retailer.

"If I were Safeway's counsel, I'd be advising the company to look for another shoe to drop," Wu says.

Mifsud says he's unaware if OCR is investigating the Safeway matter. OCR did not respond to ISMG's request for comment.


more...
No comment yet.
Scoop.it!

Recent HIPAA Decisions Suggest State Courts May Look to Federal Regulations to Define Negligence in the Data-Security Context - Data Protection - United States

Recent HIPAA Decisions Suggest State Courts May Look to Federal Regulations to Define Negligence in the Data-Security Context - Data Protection - United States | HIPAA Compliance for Medical Practices | Scoop.it

A recent decision of the Connecticut Supreme Court signals a growing trend in Health Insurance Portability and Accountability Act (HIPAA) jurisprudence that could prove significant in the broader data-security context. 

Although HIPAA contains no private right of action and preempts contrary state laws, several courts have held the HIPAA does not preempt state-law negligence claims for improper disclosure of private patient information and—importantly—that HIPAA regulations may inform the state-law duty of care. This trend and the most recent case, Byrne v. Avery Center for Obstetrics & Gynecology, P.C., should be of interest not only to health care providers, but also to all companies collecting or disseminating sensitive customer information.  Courts have yet to address the contours of any common-law duty to protect consumer data in the data-security context, but Byrne suggests that courts could look to federal regulations and standards, even if the federal-law sources do not provide private rights of action.
While certainly not new, data-breach lawsuits have become more common after numerous high-profile breaches within the past year.  But most of the litigation to-date has centered on a plaintiff's ability to state a cause of action. Plaintiffs have tried numerous common-law theories: breach of contract, unjust enrichment, invasion of privacy, misrepresentation and negligence. Courts generally reject contract, unjust enrichment and misrepresentation claims unless the defendants undertook some specific security obligations in their contracts or privacy policies.  Invasion of privacy claims frequently fail for lack of "publication," and negligence claims fail for lack of actual injury—e.g., identity theft—under either the economic loss doctrine or Article III standing. 

Few cases have gone beyond the pleadings, and fewer still have reached the question of what a state-law negligence duty entails in the context of data breach.  In the HIPAA context, however, courts have begun to look to federal regulations for guidance, a trend that could inform courts in data-breach cases that survive the pleadings.

The plaintiff in Byrne received treatment in connection with her pregnancy from the defendant obstetrics center, which agreed in its privacy policy not to disclose her health information without authorization. But after the child's father filed paternity actions and served a subpoena, the obstetrics center mailed a copy of the plaintiff's medical records to the family law court without informing Byrne. Before Byrne could seal the records, the father reviewed them and allegedly harassed and threatened her.  Byrne sued the obstetrics center, alleging, in pertinent part, statutory negligence, common-law negligence and negligent infliction of emotional distress. 

The trial court dismissed the statutory and common-law negligence claims and the negligent infliction of emotional distress count, reasoning that they were essentially HIPAA claims in disguise. More specifically, addressing the state statutory negligence claim, the court wrote that "[t]o the extent that [the statute] permits disclosure of protected medical records pursuant to a subpoena without the safeguards provided by HIPAA, it is both contrary to and less stringent than HIPAA and therefore superseded by HIPAA." Similarly, the trial court opined that if "common law negligence permits a private right of action for claims that amount to HIPAA violations, it is a contrary provision of law and subject to HIPAA's preemption rule" and "[b]ecause it is not more stringent [than HIPAA], the preemption exception does not apply." The court further ruled that insofar as the doctrine of negligent infliction of emotional distress "permits a private right of action for HIPAA claims" it is also is preempted by HIPAA.

The Connecticut Supreme Court reversed the trial court's decision, holding that HIPAA does not preempt state-law negligence actions for breach of patient confidentiality, as such actions are not "contrary" to HIPAA, but either complementary or "more stringent." Of interest in the broader data-security context, Connecticut joined courts in North Carolina, Kentucky, Delaware and Maine by ruling that "HIPAA and its implementing regulations may be utilized to inform the standard of care applicable" in state-law negligence actions. In addition, district courts in Tennessee and Missouri have remanded negligence claims predicated on HIPAA regulations to the respective state courts, implying that such claims are proper under state law.

These rulings apply only in the HIPAA context and only in those specific states. Even so, the cases bear watching from a data-security perspective, as courts could employ similar reasoning in data-breach actions, looking to regulations or pronouncements by the Federal Trade Commission, Federal Communications Commission, or other federal regulatory entities that have entered or might yet enter the data-security fray. 

It is important to note that the Connecticut Supreme Court in Byrne assumed, without holding, that Connecticut's common law recognizes a negligence action for breach of patient confidentiality, so state courts could still hold that companies owe no data-security duties beyond those assumed in contract or imposed by statute.  Moreover, the court noted that HIPAA regulations are relevant to the negligence standard of care to the extent they have become "common practice" for Connecticut health care providers. On this reasoning, only those standards that achieve frequent use within an industry or locale would inform a negligence duty. 

Given the increase in data-breach lawsuits and the trend in HIPAA cases, companies should pay close attention to federal regulatory efforts, especially those that gain common use, even if those standards do not carry penalty provisions or private rights of action.


more...
No comment yet.
Scoop.it!

IT Maintenance Crucial for HIPAA Compliance

The Department of Health and Human Services' (HHS) Office for Civil Rights (OCR) recently announced an agreement with a medical center to settle charges stemming from the center’s failure to prevent malware from infecting its computers. The malicious programming breached the electronic protected health information (ePHI) of 2,743 individuals in violation of the Health Insurance Portability and Accountability Act (HIPAA).

The medical center was fined $150,000 and agreed to implement a corrective action plan for violating the mandates of HIPAA’s Security Rule. Under the Security Rule, covered entities and business associates must implement appropriate administrative, physical and technical safeguards to protect the confidentiality, integrity and security of ePHI.

According to OCR, the medical center adopted policies to comply with the HIPAA Security Rule, but failed to follow them after putting them to paper. The medical center did not perform an accurate or thorough risk assessment for ePHI, nor did it implement the necessary policies, procedures or technical security measures to prevent unauthorized access to ePHI. Specifically, OCR maintains that the medical center’s failure to identify and address basic risks — e.g., not regularly updating firewalls and running outdated, unsupported software — was the direct cause of the introduction of malicious software into its systems.

In addition to the monetary fine, the medical center agreed to implement a two-year corrective action plan requiring it to —

  • Revise, adopt and distribute updated Security Rule policies and procedures approved by OCR;
  • Develop and provide updated security awareness training — based on training materials approved by OCR — to employees, and update and repeat such training annually;
  • Conduct annual assessments of the potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI in its possession and document the security measures implemented to address those risks and vulnerabilities;
  • Investigate and report to OCR any violations of its Security Rule policies and procedures by employees; and
  • Submit annual reports to OCR describing its compliance with the corrective action plan.
  • OCR used its announcement to highlight the fact that HIPAA compliance is a continuous process and requires more than establishing initial policies, procedures and systems. Rather, covered entities and business associates will only be able to avoid expensive HIPAA fines and penalties by conducting regular ePHI risk assessments, addressing identified security vulnerabilities and regularly updating HIPAA policies and procedures.

Although technological safeguards are vital to keeping ePHI secure, human error is also a significant threat to patient data security and privacy, making a knowledgeable workforce crucial to HIPAA compliance. Covered entities and business associates can ensure HIPAA compliance with Thomson Reuters’ online training courses on HIPAA Privacy and Security and U.S. Data Privacy and Security. Our online compliance training courses explain the essential principles of HIPAA requirements and of safeguarding individuals’ personal information.


more...
No comment yet.
Scoop.it!

$150,000 HIPAA Settlement Following Breach of Unsecured PHI Due To Malware

$150,000 HIPAA Settlement Following Breach of Unsecured PHI Due To Malware | HIPAA Compliance for Medical Practices | Scoop.it

The U.S. Department of Health and Human Services (HHS) Office of Civil Rights (OCR) announced on December 8, 2014 that a community behavioral health organization agreed to pay $150,000 and adopt a corrective action plan to settle potential violations related to the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

In March 2012, Anchorage Community Mental Health Services (ACMHS) notified OCR regarding a breach of unsecured electronic protected health information from malware that compromised the security of ACMHS’ information technology resources. The breach affected 2,743 individuals. ACMHS is a five-facility, non-profit organization providing behavioral health care services in Alaska.

As part of its investigation, OCR noted that ACMHS had adopted HIPAA security rule policies and procedures in 2005, but ACMHS did not follow these rules. As part of the Resolution Agreement, OCR stated that for almost seven years, “ACMHS failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability” of its electronic protected health information. During that same time period, OCR stated that ACMHS did not implement policies and procedures requiring implementation of security measures. During a four-year period, ACMHS did not implement technical security measures to guard against unauthorized access to electronic protected health information that was transmitted over an electronic communications network by “failing to ensure that firewalls were in place with threat identification monitoring of inbound and outbound traffic and that information technology resources were both supported and regularly updated with available patches.”

In early December 2014, ACHMS agreed to enter into a Corrective Action Plan (CAP) with HHS. The two-year CAP requires ACHMS to revise its security rule policies and procedures and distribute them to all workforce members who use or disclose electronic protected health information; provide general security awareness training materials for all workforce members, and conduct an annual “accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability” of its electronic protected health information. ACHMS is required to provide annual reports to HHS of its compliance with the CAP.

In the press releasing announcing the resolution with ACMHS, HHS emphasized that successful HIPAA compliance includes, “reviewing systems for unpatched vulnerabilities and unsupported software that can leave patient information susceptible to malware and other risks.”

This is the sixth resolution agreement announced by OCR in 2014. Overall, HHS has entered into 21 resolution agreements relating to HIPAA compliance. HIPAA compliance continues to be a focus of OCR activities.



more...
No comment yet.