OCR Provides Further Clarification on Charging Flat Rate for Copies of PHI

The Office for Civil Rights (OCR) at the Department of Health and Human Services recently provided further clarification about the amount that an individual may be charged for a copy of their protected health information (PHI). After releasing guidance earlier this year about individuals’ rights under HIPAA to access and obtain a copy of their health information, OCR issued the clarification in response to questions it received about that guidance. In a new frequently asked question, OCR states that $6.50 is not the maximum amount that can be charged to provide individuals with a copy of their PHI. Rather, charging a flat fee of $6.50 is an option available to covered entities (or business associates acting on behalf of a covered entity) that do not want to calculate the fees actually permitted by the Privacy Rule, which is the alternative the rule provides.

Macaroni and Malware: Hundreds of Noodles & Company Locations Hacked, Exposing Consumer Financial Information

In the wake of Wendy’s announcement of a data breach in its point-of-sale system, Noodles & Company recently announced that it too was a victim of a cyber-attack, which may have resulted in access to thousands of customers’ debit and credit card data. Noodles & Company’s June 28, 2016 press release identifies restaurant locations in 27 states and Washington DC in which data security may have been breached.

In its press release, Noodles & Company states that it began investigating on May 17, 2016, after its credit card processor reported “unusual activity.” It immediately hired a third-party forensic expert to investigate, and on June 2, 2016, it discovered evidence of “suspicious activity on its computer system that indicated a potential compromise.” Note the sequence: the first indicator came from outside the company, from the card processor seeing fraud patterns, not from internal monitoring, which is typical of point-of-sale malware incidents.

Noodles & Company states that it is “moving forward on a number of fronts” in response to the data breach, including working with third-party forensic investigators, cooperating with the United States Secret Service, and providing guidance to guests who may have been affected. In a subsequent press release, Noodles & Company asserts that it “contained the incident once the malware was identified and credit and debit cards used at the affected locations identified are no longer at risk from the malware involved in [the] incident.” Containment of the malware, of course, does not undo the exposure of card data already captured before it was identified. Nonetheless, it will not be a surprise if Noodles & Company suffers the same fate as Wendy’s: defending a federal consumer class-action lawsuit.

We will continue to monitor and report on this story as it develops.

Shared Patient Videos Lead to Class Action against Sharp Grossmont Hospital

On May 24, 2016, a class-action complaint was filed against Sharp Healthcare in San Diego, California, alleging violations of the Health Insurance Portability and Accountability Act (HIPAA). Specifically, the complaint alleges that Sharp secretly recorded approximately 15,000 videos of patients in Sharp’s year-long attempt to build a case against an anesthesiologist allegedly stealing the drug Propofol. Sharp allowed security guards to review the recordings, and released 14 of the recordings to the anesthesiologist’s defense attorney. Many of the videos depicted unconscious patients, nudity, Cesarean sections, or other surgeries.

The named plaintiff, Melissa Escalera, was allegedly filmed during a Cesarean section. The class potentially includes more than 1,000 patients secretly recorded by Sharp between July 2012 and June 2013. The complaint seeks class certification and damages for breach of fiduciary duty, breach of confidentiality, unlawful recording of confidential information, negligent creation and maintenance of medical information, unlawful disclosure of medical information, invasion of privacy, and distribution of private sexually explicit materials.

We will continue to monitor this story as it develops.

Text Messaging and HIPAA Compliance Risks

Like everyone else, health care workers have become accustomed to the convenience of communicating by text message. Although using text messages can make communications more efficient in the health care setting, transmitting protected health information (PHI), including photographs, in text messages raises Health Insurance Portability and Accountability Act compliance risks. Some of the compliance risks include the following:

  • Many people do not password-protect a mobile device, making it easy for another user to access PHI stored in texts. This access can occur when the device is shared, lost, or stolen.
  • Ordinary SMS text messages are not encrypted end to end and can be read by carriers and anyone with access to the device, whereas an organization’s e-mail system can be configured to encrypt messages in transit and at rest.
  • The use of personal mobile devices to send texts or photographs is common, unlike e-mail, which most often is sent on work-issued computers or tablets that the organization manages.
  • Text messages can remain on a mobile device indefinitely, and on the carrier’s systems for some period, outside the organization’s retention controls.

The U.S. Department of Health & Human Services (HHS) and the Office of the National Coordinator for Health Information Technology (ONC) have gathered tips to safeguard PHI when using mobile devices. They make the following suggestions about how to protect and secure information on mobile devices, which apply equally to developing a policy on transmitting PHI by text message.

  • Use a password or other user authentication.
  • Install and enable encryption.
  • Install and activate remote wiping and/or remote disabling.
  • Maintain physical control of the mobile device.
  • Delete all stored health information before discarding or reusing the mobile device.

HHS and ONC have resources to assist in updating or developing policies for mobile device use. They recommend the following five steps for policy planning. These steps can assist health care organizations in developing a policy on using text messages to transmit PHI.

1.   Decide whether mobile devices will be used to access, receive, transmit or store PHI.

2.   Conduct a risk analysis to identify risks, and repeat it periodically and whenever there is a new type of mobile device, a lost or stolen device, or a suspicion that health information has been compromised. After conducting the risk analysis, document:

  • which mobile devices are used to communicate with your organization’s internal networks or system; and
  • what information is accessed, received, stored, and transmitted by or with the mobile device.

In addition, organizations should review HHS “HIPAA Security Series: Basics of Risk Analysis and Risk Management” for guidance on conducting a risk analysis.

3.   Identify your organization’s mobile device risk management strategy, including privacy and security safeguards. The risk management strategy should include evaluation and maintenance of the mobile device safeguards you put in place.

4.   Develop, document, and implement your policy. HHS and ONC suggest that the organization consider the following:

  • mobile device management, including identifying and tracking devices;
  • whether personal mobile devices can be used and whether they can be used to connect to the organization’s internal network or system;
  • whether the device can be used away from the organization;
  • whether the device can be used to text;
  • security/configuration settings on mobile devices;
  • restrictions on information that can be stored on mobile devices;
  • procedures for addressing misuse of mobile devices; and
  • recovery and deactivation to wipe or disable lost or stolen devices or devices of employees who leave the organization.

5.   Provide training on mobile device use.

Image courtesy of Flickr by Jhaymesisviphotography

Netflix Escapes Liability under the Video Privacy Protection Act

In a recent decision—Mollett, et al. v. Netflix, Inc., No. 12-17045—the Ninth Circuit Court of Appeals held that Netflix cannot be held liable under the Video Privacy Protection Act (“VPPA”) for displaying recently-viewed content on the TV screen.

The plaintiffs, two Netflix subscribers, filed a class action in the Northern District of California alleging that Netflix had violated the VPPA or California’s state law equivalent (Cal. Civ. Code § 1799.3) by displaying recently-viewed content automatically after a subscriber signs in, which could be viewed by a third party such as the subscribers’ family, friend, or a guest of the household. The district court dismissed plaintiffs’ complaint for failure to state a claim, and plaintiffs appealed.

The Ninth Circuit affirmed the district court’s ruling, finding that the display of recently-viewed content constituted a permissible disclosure “to the consumer,” since it was only disclosed to a person who typed in the correct password, which in principle should be the consumer or a person to whom the consumer has given his or her password. The fact that nearby third parties might see the subscriber’s screen did not alter the legal status of Netflix’s disclosures because “[t]he lawfulness of [the] disclosure cannot depend on circumstances outside of Netflix’s control.” To hold otherwise would convert the VPPA from a “prohibition on unlawful disclosure to a requirement of secure disclosure—an outcome plainly not supported by the VPPA’s text.” The court also affirmed the district court’s dismissal of plaintiffs’ California state law claims on the same grounds in light of the similarities between the two statutes.

The opinion makes clear that once a service has delivered protected information to the authenticated consumer, the burden of keeping it from others in the room shifts to the consumer; the statute governs disclosure, not the security of the consumer’s own account or screen.

Please continue to monitor our blog for the latest news on privacy and data security.

Update to “What’s Up Next on the Hacking Block?”

On Friday, July 10, 2015, the Director of the Office of Personnel Management (“OPM”), Katherine Archuleta, resigned amid the two massive data breaches of OPM’s information technology systems that occurred within the last year. The breaches have affected approximately 22.1 million individuals. Beth Cobert, the Deputy Director of Management of the Office of Management and Budget, will replace Archuleta. Lawmakers have also called for the resignation of Donna Seymour, OPM’s Chief Information Officer, but it is not clear whether she will resign or remain the CIO.

Our Privacy & Data Security Group will continue to monitor and report on the implications of government data breaches.

What’s Up Next on the Hacking Block?

From Home Depot to Target to Sony, the world is not lacking in the massive-data-breach department. These hacks have opened up a host of problems for the companies involved, including lawsuits and the implementation of more secure systems to protect sensitive data, as well as for the individuals whose personal and/or financial information may have been compromised. But surely our federal government is safe from hackers, right? The answer, unfortunately, is no.

The Office of Personnel Management (“OPM”) is a federal governmental organization that is “responsible for personnel management of the civil service of the Government,” and it strives “to make the Federal government America’s model employer for the 21st century.” But in April 2015, OPM discovered and began investigating a data breach of up to 4.2 million of its employees’ records. The information included the employees’ names, Social Security numbers, and dates of birth. Then on June 8, 2015, OPM announced that it was looking into a second breach, this one involving “background investigations of current, former, and prospective Federal government employees.” On June 18, 2015, however, OPM officials acknowledged that this second intrusion had occurred a full year earlier. Individuals affected by the first data breach were notified between June 8, 2015, and June 19, 2015. The investigation regarding the second breach is still ongoing, but it is now estimated that up to 14 million people will be affected by the two breaches. Id.

It is thought that Chinese hackers are responsible for both intrusions, in a possible attempt to compile an extensive database on government workers. Id. President Obama is considering economic sanctions against China, but at this point it is not clear that the Chinese government was behind the attacks. Attribution would need to be firmly established before any sanctions, or the U.S. will be placed in a very difficult position: China has an undeniably strong position in the global economy, and the U.S. and Chinese economies are closely intertwined. Any sanctions effort by the U.S. would almost certainly be met with staunch opposition from China that could affect the U.S. economy.

It is important to investigate who is responsible for the intrusions, but the House Oversight and Government Reform Committee (“Committee”) is also inquiring as to how OPM allowed them to occur. The Committee conducted a hearing on June 16, 2015, regarding the OPM breaches. Many lawmakers placed the blame on the policies and systems on which OPM relied for data protection and stated that OPM’s leadership should resign. The Committee wanted to know why OPM did not abide by the 2014 recommendation of the Office of the Inspector General to shut down eleven of its computer systems that had not passed security authorization. OPM pointed to legacy systems dating back to 1985, which it said could not be encrypted. Encryption at rest is only part of the picture, however: it does not protect data that an attacker reads through a compromised but otherwise authorized account, which is why access controls and monitoring matter as much as encryption for systems of this kind.

It is unclear whether OPM’s leadership will resign in the face of this hacker disaster. But what is clear is that more research and investigation into what went wrong and how to prevent future attacks will continue. Our Privacy & Data Security Group will continue to monitor and report on the implications of government data breaches.

Hacking Major League Baseball

The FBI and the U.S. Justice Department are investigating whether St. Louis Cardinals officials hacked into the Houston Astros’ internal networks. This appears to be one of the first suspected cases of corporate espionage relating to a professional sports team hacking the database of another team.

According to numerous reports, FBI investigators appear to have uncovered evidence that the Cardinals breached the Astros’ databases, and one database in particular known as “Ground Control,” to obtain information and internal discussions about trades, proprietary statistics and scouting reports. This information could be used for a variety of purposes including knowing what players are being scouted, the team’s scouting methods and other proprietary information of the team.

Reports also indicate that the attack may have been launched to cause problems for Astros’ general manager Jeff Luhnow, who left the Cardinals in 2011. According to some reports, the Cardinals’ officials were concerned that Luhnow may have taken the team’s proprietary information to the Astros. Speculation is that the Cardinals may have simply tried a series of passwords known from Luhnow’s time with the Cardinals (Luhnow has denied that he used similar passwords while working for the two teams) until they were able to gain access to the Astros’ network. Whether true or not, this is another example of why passwords should not be recycled across different platforms and applications: a credential known to one former employer, colleague, or breached site becomes a key to every other account where it was reused. Users should use a different password for each service, ideally generated and stored by a password manager, and enable multi-factor authentication where it is offered. Complexity rules (mixed case, digits, symbols) help far less than uniqueness does.

We will continue providing updates to the investigation of the House of (the) Cards, as they occur.

Data Privacy and Security Meets the Legal Industry

Huron Legal has recently reported that law firms are getting smarter about addressing data privacy and security issues. Aside from the efforts these law departments, law firms, and other service providers are making to protect sensitive and confidential data, the overall focus on privacy and recent data breaches is affecting the legal sector just as it affects every other sector. According to the article, the four biggest trends in data privacy in the legal industry are the following:

  • Law Firms as Clients: As law firms become increasingly more involved with privacy issues, they are becoming more sophisticated consumers of external legal services. They are placing the information governance practices of vendors and third party legal service contractors under much greater scrutiny than ever before.
  • Opportunity Versus Threat: Although one could expect to see more pushback from law firms on newer stringent data security requirements, instead law firms seem to be responding to these heightened client demands and seeing them as a differentiator when competing for business. Demonstrating an ability to deal with sensitive and often high-value matters from an information perspective makes good business sense.
  • Privacy by Design Vendors: Legal vendors are largely playing catch-up on data privacy issues. For a long time, the tools they provided for legal services were narrow in scope. Now legal vendors need to rise to the same challenge their law-firm clients face, and must design both their software and their processes with privacy in mind, applying “privacy by design” principles up front rather than waiting until the absence of such controls becomes a hindrance to the sale of their services.
  • Data Privacy Moves Fast: The most important consideration when dealing with privacy and security is understanding that it is an evolving field. Since the definitions and laws are changing, both within the U.S. and abroad, everyone in the legal industry needs to be prepared for change and to be flexible. The laws today may be different in two years, so planning with that in mind is critical.

Our Privacy & Data Security Group will continue to monitor the implications of privacy issues within the legal services sector.

Speedy Internet May Cost You More Than Money

On March 30, 2015, AT&T offered its “GigaPower” service to Cupertino, California. It is currently offered in a handful of cities across the United States (Austin, Dallas, Fort Worth, Kansas, Raleigh-Durham, and Winston-Salem) with ten other planned metro areas. GigaPower is promoted as Internet service with “[b]lazing-fast speeds up to 1Gbps,” allowing the user to download twenty-five songs in one second, an HD television show in three seconds, and an HD movie in thirty-six seconds.

The price tag for this super-speed is either $139.00/month, or $110.00/month plus allowing AT&T to monitor your Internet browsing. Thus, AT&T’s customers will have to choose whether to allow such monitoring or, in effect, pay $29.00 a month for their privacy. AT&T’s “Internet Preferences” analytics program monitors browsing activity in order to target its customers with personalized advertisements, for which it can then charge advertisers. According to an AT&T spokesperson, opting out of the Internet Preferences program ensures only that the customer does not receive targeted ads; AT&T’s privacy policy still allows it to collect information on its customers’ web activity for certain other purposes. AT&T has stated that the benefit of these ads is that it can keep its prices from rising, and that since all the data is maintained in-house, it will not sell its customers’ information. AT&T claims that the “vast majority” of its customers have opted to participate in the Internet Preferences program.

This comes on the heels of the recent battle over net neutrality, which resulted in the Federal Communications Commission’s February 26, 2015 adoption of “Open Internet” rules. These rules seek to “protect and maintain open, uninhibited access to legal online content without broadband Internet access providers being allowed to block, impair, or establish fast/slow lanes to lawful content.” Given that the federal government has determined that service providers cannot charge web users or websites for entry onto an Internet superhighway “fast” lane, providers may look elsewhere for revenue, and it is unlikely that AT&T will be the only Internet service provider to start charging customers to keep their browsing private.

Our Privacy & Data Security Group will continue to monitor the implications of AT&T’s recent offering in this regard.

Image courtesy of Flickr by Mike Mozart