Privacy & Law. An A.S. Pratt Publication. vol. 3 no. 8. Editor s Note: Cybersecurity for Attorneys Victoria Prussen Spears

Transcription

1 An A.S. Pratt Publication OCTOBER 2017 vol. 3 no. 8 pratt s Privacy & Cybersecurity Law Report Editor s Note: Cybersecurity for Attorneys Victoria Prussen Spears ACC Cybersecurity Guidelines: The What, Why, and How Stephen E. Reynolds and Nicole R. Woods D.C. Circuit Sets Dangerous Precedent by Immunizing Foreign Governments that Commit Cyber Attacks Against U.S. Companies and Citizens Jerry S. Goldman and Bruce Strong White House Releases Cybersecurity Executive Order Christopher W. Savage Patient Crimes and Press Releases: Recent HIPAA Settlement Highlights Management Pitfalls Kimberly C. Metzger and Deepali Doddi Filling in the Gaps on Medical Device Cybersecurity Yarmela Pavlovic and Shilpa Prem Scary as Dinosaurs: California s Genetic Information Discrimination Code Marjorie Clara Soto and Kristen Peters Germany Enacts GDPR Implementation Bill Hanno Timner and Jens Wollesen

2 Pratt s Privacy & Cybersecurity Law Report VOLUME 3 NUMBER 8 OCTOBER 2017 Editor s Note: Cybersecurity for Attorneys Victoria Prussen Spears 269 ACC Cybersecurity Guidelines: The What, Why, and How Stephen E. Reynolds and Nicole R. Woods 272 D.C. Circuit Sets Dangerous Precedent by Immunizing Foreign Governments that Commit Cyber Attacks Against U.S. Companies and Citizens Jerry S. Goldman and Bruce Strong 277 White House Releases Cybersecurity Executive Order Christopher W. Savage 281 Patient Crimes and Press Releases: Recent HIPAA Settlement Highlights Management Pitfalls Kimberly C. Metzger and Deepali Doddi 284 Filling in the Gaps on Medical Device Cybersecurity Yarmela Pavlovic and Shilpa Prem 289 Scary as Dinosaurs: California s Genetic Information Discrimination Code Marjorie Clara Soto and Kristen Peters 293 Germany Enacts GDPR Implementation Bill Hanno Timner and Jens Wollesen 296

3 QUESTIONS ABOUT THIS PUBLICATION? For questions about the Editorial Content appearing in these volumes or reprint permission, please contact: Deneil C. Targowski at For assistance with replacement pages, shipments, billing or other customer service matters, please call: Customer Services Department at... (800) Outside the United States and Canada, please call... (518) Fax Number (800) Customer Service Web site... For information on other Matthew Bender publications, please call Your account manager or... (800) Outside the United States and Canada, please call... (937) ISBN: (print) ISBN: (ebook) ISSN: (Print) ISSN: (Online) Cite this publication as: [author name], [article title], [vol. no.] PRATT S PRIVACY & CYBERSECURITY LAW REPORT [page number] (LexisNexis A.S. Pratt); Laura Clark Fey and Jeff Johnson, Shielding Personal Information in ediscovery, [1] PRATT S PRIVACY & CYBERSECURITY LAW REPORT [272] (LexisNexis A.S. Pratt) This publication is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If legal advice or other expert assistance is required, the services of a competent professional should be sought. LexisNexis and the Knowledge Burst logo are registered trademarks of Reed Elsevier Properties Inc., used under license. A.S. Pratt is a trademark of Reed Elsevier Properties SA, used under license. Copyright # 2017 Reed Elsevier Properties SA, used under license by Matthew Bender & Company, Inc. All Rights Reserved. No copyright is claimed by LexisNexis, Matthew Bender & Company, Inc., or Reed Elsevier Properties SA, in the text of statutes, regulations, and excerpts from court opinions quoted within this work. Permission to copy material may be licensed for a fee from the Copyright Clearance Center, 222 Rosewood Drive, Danvers, Mass , telephone (978) An A.S. Prattä Publication Editorial Editorial Offices 630 Central Ave., New Providence, NJ (908) Mission St., San Francisco, CA (415) (2017 Pub. 4939)

4 Editor-in-Chief, Editor & Board of Editors EDITOR-IN-CHIEF STEVEN A. MEYEROWITZ President, Meyerowitz Communications Inc. EDITOR VICTORIA PRUSSEN SPEARS Senior Vice President, Meyerowitz Communications Inc. BOARD OF EDITORS EMILIO W. CIVIDANES Partner, Venable LLP RICHARD COHEN Special Counsel, Kelley Drye & Warren LLP CHRISTOPHER G. CWALINA Partner, Holland & Knight LLP RICHARD D. HARRIS Partner, Day Pitney LLP DAVID C. LASHWAY Partner, Baker & McKenzie LLP CRAIG A. NEWMAN Partner, Patterson Belknap Webb & Tyler LLP ALAN CHARLES RAUL Partner, Sidley Austin LLP AARON P. SIMPSON Partner, Hunton & Williams LLP RANDI SINGER Partner, Weil, Gotshal & Manges LLP JOHN P. TOMASZEWSKI Senior Counsel, Seyfarth Shaw LLP TODD G. VARE Partner, Barnes & Thornburg LLP THOMAS F. ZYCH Partner, Thompson Hine iii

5 Pratt s Privacy & Cybersecurity Law Report is published nine times a year by Matthew Bender & Company, Inc. Periodicals Postage Paid at Washington, D.C., and at additional mailing offices. Copyright 2017 Reed Elsevier Properties SA, used under license by Matthew Bender & Company, Inc. No part of this journal may be reproduced in any form by microfilm, xerography, or otherwise or incorporated into any information retrieval system without the written permission of the copyright owner. For customer support, please contact LexisNexis Matthew Bender, 1275 Broadway, Albany, NY or Customer.Support@lexisnexis.com. Direct any editorial inquires and send any material for publication to Steven A. Meyerowitz, Editor-in-Chief, Meyerowitz Communications Inc., Grand Central Parkway Suite 18R, Floral Park, New York 11005, smeyerowitz@meyerowitzcommunications.com, Material for publication is welcomed articles, decisions, or other items of interest to lawyers and law firms, in-house counsel, government lawyers, senior business executives, and anyone interested in privacy and cybersecurity related issues and legal developments. This publication is designed to be accurate and authoritative, but neither the publisher nor the authors are rendering legal, accounting, or other professional services in this publication. If legal or other expert advice is desired, retain the services of an appropriate professional. The articles and columns reflect only the present considerations and views of the authors and do not necessarily reflect those of the firms or organizations with which they are affiliated, any of the former or present clients of the authors or their firms or organizations, or the editors or publisher. POSTMASTER: Send address changes to Pratt s Privacy & Cybersecurity Law Report, LexisNexis Matthew Bender, 630 Central Ave., New Providence, NJ iv

6 Patient Crimes and Press Releases: Recent HIPAA Settlement Highlights Management Pitfalls By Kimberly C. Metzger and Deepali Doddi * The U.S. Department of Health and Human Services, Office for Civil Rights, has settled with Memorial Hermann Health System, which agreed to pay $2.4 million and enter a corrective action plan to settle claims that it improperly disclosed a patient s protected health information without authorization. The authors of this article discuss the settlement, which underscores the importance of understanding the foundational elements of Privacy Rule compliance. The U.S. Department of Health and Human Services, Office for Civil Rights ( OCR ) has announced 1 a settlement with Memorial Hermann Health System ( MHHS ), a not-for-profit health system located in Southeast Texas. MHHS agreed to pay $2.4 million and enter a corrective action plan ( CAP ) to settle claims that it improperly disclosed a patient s protected health information ( PHI ) without authorization. While several issues converged in the underlying fact pattern, OCR s primary message is clear: covered entities ( CE ) and business associates ( BA ) should continue to focus on workforce training at all levels including senior management and should not lose sight of Privacy Rule basics. BACKGROUND In September 2015, a patient presented a fraudulent identification card at one of MHHS clinics. Staff notified law enforcement, and the patient was arrested. In its announcement of the settlement, OCR was quick to point out that this disclosure to law enforcement was permitted under the Privacy Rule. The CE s troubles began, however, when senior management approved a press release regarding the incident that included the patient s name in its title. The situation was compounded by the fact that MHHS did not timely document its sanctioning of the workforce members responsible for the impermissible disclosure. OCR initiated a compliance review based on * Kimberly C. Metzger is a partner in the Litigation and Intellectual Property Group at Ice Miller LLP. She focuses her practice on data security and privacy, and drug and device litigation. Ms. Metzger, who may be contacted at kimberly.metzger@icemiller.com, is a Certified Information Privacy Professional (CIPP/US), Certified Information Privacy Manager (CIPM), and Fellow of Information Privacy through the IAPP. Deepali Doddi is an associate in the firm s Data Security and Privacy practice, advising regulated entities regarding best practices for safeguarding data and ensuring compliance with the HIPAA Privacy and Security Rules and the Breach Notification Rule. She may be reached at deepali.doddi@icemiller.com

7 HIPAA SETTLEMENT HIGHLIGHTS MANAGEMENT PITFALLS multiple media reports suggesting that the covered entity disclosed PHI to the media and various public officials without the patient s authorization. OCR s investigation indicated that MHHS engaged in the following conduct: Knowingly and intentionally failed to safeguard PHI in its possession; Failed to timely document the sanctions imposed against workforce members who failed to comply with its privacy policies and procedures and the Privacy Rule; and Disclosed the patient s PHI, without obtaining the patient s written authorization (in violation of 45 CFR (a)): * Through press releases issued to 15 media outlets and/or reporters; * Via senior leadership, in three meetings with an advocacy group, state representatives, and a state senator; and * In a statement on its website, during a two-week period. In addition to paying the multimillion dollar resolution amount, MHHS agreed to enter a two-year CAP that requires it to devise, implement, and distribute to workforce members OCR-approved policies and procedures addressing important Privacy Rule foundational elements, including: (1) uses and disclosures for which an authorization is required (such as disclosures to the media, to public officials, and on the internet); (2) disclosures for law enforcement purposes; (3) uses and disclosures for health oversight activities; and (4) the application and documentation of appropriate sanctions against workforce members, including senior management, who fail to comply with the Privacy Rule, Security Rule, Breach Notification Rule, or the CE s own privacy and security policies and procedures (including a description of the sanctions, the timeframe for application and documentation, the manner of documentation, and where the CE will store or retain the documentation). Commenting on the settlement, OCR Director Roger Severino admonished: Senior management should have known that disclosing a patient s name on the title of a press release was a clear HIPAA Privacy violation that would induce swift OCR response. This case reminds us that organizations can readily cooperate with law enforcement without violating HIPAA, but that they must nevertheless continue to protect patient privacy when making statements to the public and elsewhere. ANALYSIS Law enforcement disclosures were part of the underlying MHHS fact pattern, but when and how to make them is not the most important lesson to be learned from this 285

8 PRATT S PRIVACY &CYBERSECURITY LAW REPORT settlement. CEs and BAs should remember that the Privacy Rule does not create inordinate barriers to disclosing PHI in situations where it is vital to ensuring public safety. OCR has issued guidance on disclosures to law enforcement, 2 which emphasizes that [t]he Privacy Rule is balanced to protect an individual s privacy while allowing important law enforcement functions to continue. The disclosure MMHS made to law enforcement was, apparently, something it did correctly. The more troubling aspects are twofold: the CE s clear (that is, elemental ) failure to adhere to the Privacy Rule and the fact that this failure occurred at the senior management level. What message can we take away from this settlement? Train, train, and train on the basics of HIPAA Rule compliance at all organizational levels. OCR has addressed the senior management issue before. In June 2013, OCR announced 3 a settlement with Shasta Regional Medical Center that required the CE to pay a $275,000 resolution amount and enter into a CAP. The agency had opened a compliance review after a newspaper article indicated that two senior leaders at the CE had met with media to discuss medical services provided to a patient. OCR s investigation revealed that the CE failed to safeguard the patient s PHI on multiple occasions, including when: it sent a letter to a media outlet responding to a story about Medicare fraud; it described the patient s medical treatment and specifics about her lab results; two senior leaders met with a media editor to discuss the patient s medical record in detail; and it sent a letter to a media outlet containing detailed information about the patient s treatment. OCR also found that the CE failed to sanction workforce members (i.e., senior leaders and others) according to its internal policies. Commenting on that settlement, former OCR Director Leon Rodriguez emphasized: When senior level executives intentionally and repeatedly violate HIPAA by disclosing identifiable patient information, OCR will respond quickly and decisively to stop such behavior. Senior leadership helps define the culture of an organization and is responsible for knowing and complying with the HIPAA privacy and security requirements to ensure patients rights are fully protected. Clearly, the C-suite will not get a pass from OCR. As former Director Rodriguez s comments make clear, privacy violations committed by senior management are likely to engender quite the opposite result: swift and sure enforcement. A CE s workforce members act on its behalf to safeguard the confidentiality, integrity, and availability of PHI, and workforce non-compliance can expose the CE to liability. Senior management, like the rest of the workforce, must comply with the Privacy Rule when using

9 HIPAA SETTLEMENT HIGHLIGHTS MANAGEMENT PITFALLS and disclosing the entity s PHI and, like the rest of the workforce, must be appropriately educated, trained, and sanctioned for violating the HIPAA Rules or the CE s privacy policies. In fact, OCR may construe a HIPAA violation committed by senior leadership (individuals who should have known better ) as signaling the CE s organizational disregard for compliance with the HIPAA Rules. Accordingly, noncompliance at the senior management level may demonstrate that the CE acted with willful neglect, which may result in OCR assessing a greater civil money penalty or proposing a higher settlement amount than it would otherwise. 4 As the Privacy Rule s administrative requirements state: A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information required by [the Privacy Rule], as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity. 5 Must all C-suite members sit through a day-long (or longer) soup-to-nuts HIPAA training? Yes, if that level of granularity is necessary and appropriate to enable them to carry out their functions. If a member of senior management does not regularly use or disclose PHI, or only uses or discloses PHI in certain situations, the CE or BA will likely make best use of time and resources by tailoring his or her training specifically to those situations. But all workforce members at a CE or BA should be able to recognize PHI, understand the scope and function of the Privacy Rule, and the general rules for uses and disclosures, and perhaps most importantly know how to reach out to its compliance officers, legal counsel, and even OCR for further guidance and support. In other words, even if the C-suite does not regularly use or disclose PHI, each and every member should be an adroit issue-spotter and understand when to seek help with HIPPA Rule compliance. Just as OCR will not excuse senior management from compliance, it will not excuse the CE for failing to sanction executives for their violations. The Privacy Rule states that a CE must have and apply appropriate sanctions against workforce members who fail to comply with the Privacy Rule or the organization s policies and procedures. 6 Two key provisions are apply and appropriate. On one hand, it is not enough to merely document ( have ) a sanctions policy, the CE must also enforce ( apply ) it and enforce it uniformly regardless of the violator s position at the organization. On the other hand, not every violation is or should be a terminable event. Rather, sanctions should be appropriate to the circumstances of the offense. Depending on the facts, appropriate sanctions may include re-training, a verbal reprimand, reassignment, written 4 45 C.F.R (defining willful neglect as the conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated. ) C.F.R (b)(1) (emphasis added) C.F.R (e)(1). Note that the HIPAA Security and Breach Notification Rules also include requirements for appropriately sanctioning workforce members. 287

10 PRATT S PRIVACY &CYBERSECURITY LAW REPORT warnings... or termination. The Privacy Rule does not prescribe the type of sanction that a CE should apply for a particular violation, but OCR expects CEs to document a sanctions policy and follow it methodically when violations occur. The important MHHS takeaway is that no one at the CE is exempt from the Privacy Rule sanctions requirement or from compliance with the entity s related policies and procedures. CONCLUSION The MHHS settlement goes beyond admonishing senior management; it also speaks to the importance of understanding the foundational elements of Privacy Rule compliance. Regulated entities should not dismiss as hyperbole Director Severino s strong language when describing the MHHS settlement: i.e., what senior leaders should have known, the clear Privacy Rule violation, and OCR s swift response. OCR does not appear to have viewed the decision that got the CE into trouble (whether to disclose the patient s name in a press release) as particularly complicated: clear[ly], this should not have occurred. In fact, the arguably more complex decision of whether to disclose the patient s identity to law enforcement was apparently made correctly. This sends a clear message that regulated entities should not become so mired in the zebras that they forget about the horses. Now is a good time for CEs and BAs to reassess their workforce s foundational knowledge of HIPAA compliance and respond accordingly. 288