Security, Privacy and Information Governance

Author: Sumaya M. Noush (page 1 of 3)

Connecticut Supreme Court Establishes Private Right to Sue Over Medical Record Breaches


The Connecticut Supreme Court has joined several other states by holding that health care providers owe patients a common law duty to maintain the confidentiality of their medical records. In a unanimous reversal of the lower court’s ruling, the court determined that the unauthorized disclosure of confidential information obtained in the course of a physician-patient relationship gives rise to a cause of action in tort against the health care provider, unless the disclosure is otherwise allowed by law.

Emily Byrne sued the Avery Center for Obstetrics and Gynecology, P.C. (“Avery”) for negligence and negligent infliction of emotional distress in connection with Avery’s release of her medical records in response to a subpoena issued by her ex-boyfriend, Andro Mendoza, in the course of a paternity action. The subpoena instructed Avery to send the custodian of its records to appear, together with Byrne’s medical records, at the New Haven Regional Children’s Probate Court. Avery did not alert Byrne about the subpoena, file a motion to quash it, or appear in court – it simply mailed Byrne’s medical records. Byrne alleges that she suffered harassment and extortion threats from Mendoza because Avery gave him access to her medical records without her knowledge or consent.


CMS Confirms Policy on Texting Patient Information among Healthcare Providers


The Centers for Medicare & Medicaid Services (CMS) recently issued a State Survey & Certification Memorandum effective immediately in order to clarify its position on texting patient information among health care providers.

Although CMS acknowledges that texting to communicate with other members of a patient’s health care team has become a common and invaluable practice, it cautions that the practice risks noncompliance with the Medicare Conditions of Participation (CoPs) or Conditions for Coverage (CfCs). In order to text and still comply with the CoPs or CfCs, CMS requires providers to use, maintain, and routinely assess secure, encrypted systems or platforms, and to minimize the risks to patient privacy and confidentiality as required by the Health Insurance Portability and Accountability Act and other requirements under the CoPs or CfCs.


Oncology Services Provider Reaches $2.3 Million Settlement with HHS for Data Breach


21st Century Oncology, Inc. (21CO), a Florida-based oncology services provider, has agreed to pay $2.3 million in a no-fault resolution to the Department of Health and Human Services (HHS), Office for Civil Rights (OCR) to settle potential civil money penalties stemming from a 2015 cyberattack on its network SQL database.  The Federal Bureau of Investigation (FBI) was first to detect that an unauthorized third party illegally obtained patient information from 21CO in October 2015.  Upon further investigation by 21CO and OCR, it was determined that 21CO:

  • Impermissibly disclosed the protected health information (PHI), including names, social security numbers, diagnoses, and treatments, of 2,213,597 of its patients.
  • Failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the electronic protected health information (ePHI).   
  • Failed to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.   
  • Failed to implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.   
  • Disclosed protected health information to third party vendors, acting as its business associates, without obtaining satisfactory assurances in the form of a written business associate agreement.

In addition to the fine, 21CO agreed to enter into a two-year corrective action plan (CAP) with HHS-OCR whereby 21CO agrees to:

  • Appoint a compliance officer.
  • Complete a risk analysis and risk management plan.
  • Revise and adopt policies and procedures.
  • Provide HHS with an accounting and copies of its business associate agreements.
  • Conduct internal and external monitoring.
  • Create an internal reporting mechanism for workforce members to report violations of 21CO’s policies and procedures.
  • Submit to HHS an annual report for the duration of the CAP that summarizes its compliance with the aforementioned requirements.

This resolution and corrective action plan together constitute the first OCR-HIPAA compliance enforcement action since May 2017. It underscores the importance of having a robust HIPAA compliance program that properly assesses vulnerabilities and mitigates them to a reasonable and appropriate level. The settlement was approved by the United States Bankruptcy Court for the Southern District of New York on December 11, 2017. 21CO has 136 centers located across 17 states and 36 centers in seven Latin American countries, and had petitioned for bankruptcy on May 25, 2017.

The OCR settlement comes on the heels of two other major settlements for 21CO. On March 8, 2016, 21CO entered into a settlement agreement with the U.S. Department of Justice (DOJ) for $34.7 million over a billing fraud case, and most recently, on December 12, 2017, it agreed to pay $26 million to resolve False Claims Act allegations.

If you have questions about HIPAA compliance or health care fraud and abuse matters, please feel free to contact any member of Drinker Biddle’s Health Care Team.

Another State-Led Data Breach Action Results in High Fines and Strict Compliance Requirements


Massachusetts Attorney General Maura Healey and Multi-State Billing Services (MSB), a Medicaid billing company that provided processing services for 13 public schools, signed a no-fault consent judgment settling a 2014 data breach resulting from a stolen laptop that put 2,618 children at risk for identity theft and fraud.   The MSB laptop contained unencrypted personal information, including names, social security numbers, Medicaid identification numbers and birth dates.

The settlement requires MSB to pay $100,000 and implement improved security practices after an investigation by the attorney general’s office determined it violated state consumer protection and data security laws.  More specifically, the judgment requires MSB to continue to develop, implement and maintain a written and comprehensive information security program and review and update its existing policies and procedures for compliance with data security laws.  It must also train its staff on how to protect personal information and regularly report on its compliance with such requirements to the state attorney general’s office.


Investigation Continues After Massive Data Breach at Henry Ford Health System


An unknown hacker gained access to 18,470 patients’ personal health information via employee emails at Detroit-based Henry Ford Health System (HFHS).

According to the press release, HFHS first learned of the incident on October 3, 2017, after becoming aware that the email credentials of a group of employees had been compromised. Even though the email accounts were protected by user names and passwords and by encryption, they remained vulnerable to such illegal access. The email accounts contained patient health information, including:

  • Patient name
  • Date of birth
  • Medical record number
  • Provider’s name
  • Date of service
  • Department’s name
  • Location
  • Medical condition
  • Health insurer


California’s First 2017 Health Care Data Breach Enforcement Results in $2 Million Settlement


Cottage Health System has settled a state enforcement action over two separate data breaches that made more than 50,000 patients’ medical information publicly available online. The no-fault settlement requires Cottage Health System to:


© 2018 Drinker Biddle & Reath LLP. All Rights Reserved. Lawyer Advertising.
