Attack of a Paper Tiger: Ignoring Own Policies Leads to HIPAA Fine

On June 18, 2018, the Office for Civil Rights (OCR) released a decision and memorandum from an Administrative Law Judge (ALJ) following a dispute over HIPAA fines imposed against The University of Texas MD Anderson Cancer Center (“MD Anderson”). For all practical purposes, the decision draws a clear line in the sand: encryption, despite being an addressable specification under the Security Rule, cannot simply be avoided.

An outline of the facts will help to set the stage. OCR investigated MD Anderson following the submission of three separate breach notifications. One notification concerned a stolen laptop and the other two involved lost thumb drives. In each instance, the device was not encrypted. As described in the decision, MD Anderson had for years identified the risk associated with unencrypted data on laptops, portable devices and other devices, and at many points in time had set internal policies stating that encryption was the most appropriate means of addressing the risk posed by such devices.

After dragging its feet for years on implementing the encryption, at one point halting all plans entirely for lack of funding, MD Anderson began a slow process of encrypting its devices. Those efforts still took years, and significant portions of the identified devices remained unencrypted after the breaches at issue in the decision were reported.

In appealing OCR’s imposition of a $4.3 million fine, MD Anderson asserted that encryption is not mandated by either the HIPAA statute or its regulations. The ALJ rejected this argument, stating that HIPAA requires entities to render systems containing protected health information (PHI) inaccessible to unauthorized users. The ALJ was careful to note that encryption as such is not mandated, but found it required in MD Anderson’s case because MD Anderson had itself identified encryption as the best means of rendering the information inaccessible. Even though the decision stops short of declaring encryption mandatory, it leaves open the question of what viable alternative, other than encryption, exists for rendering information inaccessible.

The decision addresses other elements of HIPAA compliance and what constitutes a breach. In that regard, another interesting area of the decision is MD Anderson’s failed argument that the mere loss of an unencrypted device does not constitute a disclosure prohibited under HIPAA. Arguably, that assertion was an attempt to throw concepts at the wall in the hope that one would stick and reduce or remove the penalty. As expected, the ALJ did not accept the argument. The ALJ stated that an impermissible release is enough to show a violation of the HIPAA privacy requirements. Under the general definition of “release,” which includes setting free from restraint, a release practically means losing control. What more fully constitutes losing control of something than having it stolen or not knowing where it is? The ALJ also distinguished the regulatory setting from claims for private damages: proof of actual access is not necessary, because the HIPAA regulatory scheme seeks to ensure that entities are maintaining and securing information in the first place.

As noted, the decision against MD Anderson is important because it appears to mandate encryption. As described above, the ALJ never directly stated that HIPAA mandates encryption. The Security Rule includes encryption as an addressable implementation specification. Addressable specifications are not optional; they are flexible in how they are implemented, and an entity that declines to implement one must document why and what equivalent measure it adopted instead. As already described, the ALJ focused on the need to render information inaccessible, which could be done through any variety of means selected by the entity. Accordingly, if some viable means aside from encryption is or becomes available, an entity may be able to use that instead. For data at rest on a portable device that can be lost or stolen, though, it is not clear how information can be rendered inaccessible other than with encryption, and OCR’s breach notification guidance likewise treats PHI encrypted consistent with NIST guidance as the recognized way to render it unusable, unreadable or indecipherable.

Leaving aside the nuance of whether encryption is in fact now required, many will interpret the decision as mandating it. It also remains to be seen how OCR will use the decision when it comes to encryption. Since government agencies rarely want to draw a clear line in the sand, OCR should not be expected to come out and state plainly that encryption is now required.

Taking a longer-term view, it is actually beneficial that one specific technology has not been written into the rule as the only acceptable control. Arguments are made that some forms of encryption will become “easy” to break as quantum computing or other breakthroughs develop. A caveat is in order: machine learning does not break properly implemented modern ciphers, and the known quantum threat falls on public-key algorithms such as RSA and elliptic-curve cryptography far more than on the symmetric ciphers (for example AES-256) used for full-disk encryption of laptops and thumb drives. On the defensive side, suggestions have been made that artificial intelligence should be implemented as part of the security mechanism to proactively block attackers. Would that be sufficient? As with so many things, it depends, and a technology-neutral standard leaves room for the answer to change.

Whether encryption is, in fact, mandatory is not the real takeaway from the MD Anderson decision. What entities should actually take away is that security is about protecting information and taking all reasonable steps to prevent others from accessing it.

The other big takeaway is that an entity’s own plans and policies will often establish the basis for it to get into trouble. MD Anderson ran into issues because it did not follow its own policies for years on end despite repeatedly identifying the risk of not encrypting devices. The decision leaned very heavily on MD Anderson’s own risk findings and its failure to follow through on them. Remember, a policy written and put on the shelf without ever being considered again is worse than having no policy at all, because it documents that the entity knew the risk and chose not to act.

Posted in Compliance, HIPAA, Healthcare, HITECH

Privacy Invasion or Smart Marketing: Geofencing in Healthcare

The healthcare industry got a loud introduction to geofencing marketing recently. The headlines were driven by a law firm targeting individuals going to an emergency room. In particular, the ads attempted to lure individuals into filing a personal injury suit, the type of action that was sure to draw criticism since personal injury practice is often a disfavored side of the law.

Naturally, the revelation that location could be used for targeted advertising created the usual rush of questions about whether the law firm violated HIPAA. The answer is almost certainly no, since the law firm is probably not subject to HIPAA in any form. In the reported instance, the law firm was a personal injury firm, which means it wanted to represent the patients. Individuals are not covered by HIPAA with regard to their own information, so a firm representing them is not a covered entity or business associate by virtue of that representation. Additionally, the firm was advertising for its own benefit and not on behalf of the hospital or any other healthcare provider. As such, the law firm is outside the HIPAA regulatory scheme. However, there are a lot of questions to consider when it comes to geofencing and healthcare.

The first question to address is what geofencing actually means. It is the process of establishing an artificial perimeter around a specified location using global positioning (GPS), radio frequency identification (RFID) or similar location signals from a device. Once the geographic boundary is established, the entity or individual running the campaign can set “triggers” that cause a certain action to occur when a device enters the identified area. In many instances, the action is to push an advertisement when a web browser is opened or otherwise generate targeted ads based on the visit. The content of the ads is determined by the entity or individual running the campaign.

Geofencing can be a powerful tool for any marketing campaign since it can be hyper-localized and capture a broad audience. Further, it is not really targeted at any one individual so much as at anyone who enters the area. As such, geofencing is just another form of marketing.

With a quick and general background on geofencing established, can healthcare entities really use this “new” digital tool for their own purposes? The answer is most likely yes. As indicated, geofencing is a form of general advertisement. A healthcare entity does not need to use any existing patient information or other sensitive information in its control. As explained, the ads are driven by targeting a particular location and then pinging any individual who enters the area. Geofencing can be analogized to distributing pamphlets or other written materials to anyone walking by on the street.

Since geofencing ads are broadly targeted and do not rely upon personal information currently held by an entity, HIPAA probably is not invoked. HIPAA protects the privacy of protected health information in the hands of a healthcare provider, health plan or clearinghouse. PHI is information that relates to the past, present or future healthcare, services or payment for an individual. As already discussed, geofencing does not need to touch any of that information. Instead, geofencing establishes a perimeter based upon predetermined requirements that sits waiting for anyone to enter the particular area. The healthcare entity does not need to know anything about an individual; it only needs to know that a device went to a certain location that triggers the geofenced action. Given the circumstances, HIPAA will not apply to the establishment of the fence. However, information collected as a result of an individual responding to the geofenced targeting, or information otherwise provided to the healthcare entity, could result in a different analysis.

While HIPAA may not present a barrier, there can still be other issues to consider. A settlement between the Massachusetts Attorney General and an advertising agency underscores that state law must be factored in. In the Massachusetts matter, the agency targeted individuals going to certain health clinics with one-sided points of view. The ads would then “follow” individuals for up to 30 days after they visited the geofenced location. The Massachusetts Attorney General pursued the matter under state consumer protection law. The AG determined that the ads violated those protections by tracking a consumer’s location, disclosing the location information to third parties, and then using that tracking to target the individuals with potentially unwanted advertising. The consumer protections underpinning the Massachusetts settlement are broader privacy protections than the privacy and security provisions of HIPAA alone. The consumer protection provisions are also a hook with potentially more widespread applicability than HIPAA.
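The mechanism behind both the trigger described earlier and the 30-day “follow” in the Massachusetts matter is simple enough to show in code. The following is an added illustration written for this page, not code from the original post or from any advertising platform. It assumes a circular fence (great-circle distance from a center point), and the clinic coordinates, device identifiers and location pings are constructed sample data.

```python
"""Minimal geofence evaluator: an added illustration of the trigger and
follow-window mechanism, not code from the original post or from any
advertising platform. Coordinates and device pings are constructed."""
import math
from dataclasses import dataclass
from datetime import datetime, timedelta

EARTH_RADIUS_M = 6_371_000.0


def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in metres between two latitude/longitude points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


@dataclass(frozen=True)
class Geofence:
    name: str
    lat: float
    lon: float
    radius_m: float
    follow_days: int  # how long a device stays targeted after an entry


def inside(fence: Geofence, lat: float, lon: float) -> bool:
    """True when the reported position lies within the fence radius."""
    return haversine_m(fence.lat, fence.lon, lat, lon) <= fence.radius_m


def evaluate(fence: Geofence, pings):
    """Return {device_id: targeted_until} for every device that entered the
    fence. Each entry restarts the follow window, so a device keeps
    receiving ads for fence.follow_days after its most recent visit."""
    targeted = {}
    for device_id, ts, lat, lon in pings:
        if inside(fence, lat, lon):
            until = ts + timedelta(days=fence.follow_days)
            if device_id not in targeted or until > targeted[device_id]:
                targeted[device_id] = until
    return targeted


def targeted_until_iso(targeted, device_id: str):
    """ISO-8601 end of the follow window, or None if never targeted."""
    until = targeted.get(device_id)
    return until.isoformat() if until is not None else None


def should_serve_ad(targeted, device_id: str, now) -> bool:
    """Would the campaign serve an ad to this device at time `now`?
    `now` may be a datetime or an ISO-8601 string."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    until = targeted.get(device_id)
    return until is not None and now <= until


# Constructed sample: a 100 m fence around a hypothetical clinic entrance.
CLINIC = Geofence("clinic-er", 42.3601, -71.0589, 100.0, follow_days=30)

SAMPLE_PINGS = [  # (device_id, timestamp, lat, lon); constructed, not real
    ("dev-A", datetime(2018, 6, 1, 9, 0), 42.3605, -71.0589),   # ~45 m: inside
    ("dev-B", datetime(2018, 6, 1, 9, 5), 42.3700, -71.0589),   # ~1.1 km: outside
    ("dev-C", datetime(2018, 6, 1, 9, 10), 42.3601, -71.0600),  # ~90 m: inside
]

if __name__ == "__main__":
    windows = evaluate(CLINIC, SAMPLE_PINGS)
    for dev, until in sorted(windows.items()):
        print(dev, "targeted until", until.date())
```

Note what the campaign operator must retain to make the “follow” work: a device identifier and the time it entered the fence, kept for the full follow window. That retained association between a device and a clinic visit, rather than the fence itself, is what drew the consumer protection scrutiny described above.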

Arguably the bigger issues raised by geofencing are ethical ones. Is it acceptable to target individuals just because they happen to visit a certain location? For healthcare entities (or lawyers), is there a risk of deceptive advertising, invasion of privacy, or some other concern? Those are open questions that will need to be addressed as geofencing and similar practices taking advantage of digital capabilities continue to grow and/or get revealed. While the answers may not be clear, it should be expected that traditional notions of privacy are changing and that unexpected approaches will become the norm.

Posted in Business, Health IT, HIPAA, HITECH

To Audit or Not?

Questions often arise as to what terms need to be and should be included in a business associate agreement. The distinction between “need” and “should” is very important. The regulations implementing HIPAA set out what “needs” to be included, as failure to include all of the specified elements would leave a business associate agreement deficient. As such, negotiation on those terms is minimal and is mostly fine-tuning how they are set out.

The “should” terms present the more interesting issues. The “should” terms are not mandated by HIPAA, but can be included at the preference of the parties. One such provision is an audit right for the upper-level party (this could be the covered entity, or a business associate over a subcontractor). Under an audit provision, the upper-level party typically seeks the right to review compliance, whether in person, through documentation, or some combination of the two. The stated purpose is for the upper-level entity to be able to confirm the lower-level entity’s compliance with its applicable HIPAA obligations.

The benefit and assurance provided by an audit can sound appealing. Instead of wondering whether a risk analysis has occurred or whether a particular policy is in place, the upper-level entity can ask for proof or find it itself. Such information can prove or disprove a party’s assertions, provide comfort that the risk of a breach is not as great as feared, or provide grounds for terminating a relationship, among other options. The information can be gathered proactively instead of waiting for a bad outcome or other negative event to occur.

Despite all of the good intentions, though, if an audit provision is included, the right to audit may never actually be exercised. In that case, the audit right may serve only as a persistent threat to spur a desired action, or may be forgotten entirely. Regardless of the reason an audit provision goes unused, non-use makes it a hollow right. What’s the danger in that, though?

The danger presented by not exercising an audit right could arise in the form of liability for the upper-level entity. Take an all too common scenario: a lower-level entity mishandles protected health information because it does not appropriately account for a mobile device, misconfigures a database, falls victim to a phishing attack, or any number of other causes. When a breach occurs, all parties in the chain can potentially be liable. From the upper-level entity’s perspective, it may feel comfortable that it has a good business associate agreement in place and does all of its own monitoring. But that is not the end of the issue. If the upper-level entity included a right to audit in the business associate agreement, what did it know, or what should it have known, about the lower-level entity? For example, would an audit have revealed that the lower-level entity was not fully honest about the scope of its compliance, applied its policies inconsistently, or had some other deficiency? If that deficiency could have been found, what action would the upper-level entity have been obligated to take?

These questions become important when trying to apportion or assign liability. Arguably, even though an upper-level entity does not need to include an audit provision in a business associate agreement, once it is added the upper-level entity should follow through and exercise it, because the resulting information will help determine whether its vendors are appropriately protecting and securing data. If the upper-level entity cannot satisfy itself that appropriate protections are in place, then the issue should be remedied or the relationship terminated. The result is that the upper-level entity has created an unintended burden for itself.

While an audit provision can be a powerful tool, it can certainly be a matter of being careful what you ask for. It is important to fully understand the implications of every provision in an agreement, especially when a provision can create unexpected regulatory ramifications.

Posted in Business, Health IT, HIPAA, Regulations