Stanford Health Privacy Breach Highlights Downstream Vendor Risks, Issues

In an earlier post I described a HIPAA privacy breach that occurred when a spreadsheet detailing the emergency room treatment of nearly 20,000 patients of Stanford Hospital was posted online, for the better part of a year, at a “homework for hire” website. The New York Times has since published an article tracing the breach to a job applicant who received the spreadsheet from a one-person marketing agency hired by the Hospital’s third party billing contractor.

The spreadsheet was originally transmitted in encrypted form from the Hospital to the marketing agent, who had represented himself as a vice-president of the billing contractor and was in fact the Hospital’s main contact for the billing contractor. He was not actually an executive of the billing contractor, but the billing contractor nonetheless condoned his use of that title in order to get access to various health executives and generate customers for its billing services. The marketing agent decrypted the spreadsheet and provided it to the job applicant with the request that she demonstrate her skills at converting it to bar graphs and charts. Without recognizing that the names and treatment codes on the spreadsheet were “real world” data, the job applicant then sought help with the assignment by posting the spreadsheet on, where it was discovered almost a year later by the parent of a Hospital patient named in the chart.

In other words, the breach was not attributable to a Hospital employee, or an employee of the Hospital’s business associate, the billing contractor, but to a “downstream vendor” or “subcontractor” of the billing contractor, and not even to an employee of the downstream vendor but to a mere job applicant. One of the patients disclosed in the spreadsheet has since sued Stanford Hospital and the billing vendor in L.A. County Superior Court, seeking damages of $1,000 for each of the 20,000 affected individuals.

This is a frightening object lesson for covered entities – the Stanford Hospitals of the world – and for business associates such as the billing contractor – about the risks presented by “downstream” vendors, and the need to ensure that their handling and use of protected health information and e-PHI meets HIPAA and applicable state law privacy and data security standards. HIPAA as amended by HITECH now demands that business associates vouch in this manner for their downstream vendors in their business associate agreements. Clearly, to do so, the parties first must clearly identify downstream vendor relationships, and not disguise the vendor’s staff as business associate employees, as occurred in the Stanford case. Even where the vendors clearly are identified, business associates should also address, in business associate agreements, whether the covered entity can share data directly with the downstream vendors, and if so, under what conditions. The Stanford case is unusual due to the disguising of the marketing agent’s true status, but it suggests that business associates might always want to be at least notified of such communications, if this is administratively practical. Or, they might want to vouch for privacy/security compliance only when data passes through them to the downstream vendor, but require the covered entity to be responsible for breaches resulting from its direct communications with the downstream vendors.

Trying to stay ahead of the technological curve in data transmission is almost impossible, but we can learn from others’ mistakes and take whatever steps are necessary not to repeat them.

Outside Contractor the Weak Link in Stanford Health Data Security Breach

August 8th’s New York Times contains an article that details a HIPAA data security breach traced to an outside billing and payment data contractor for Stanford Hospital in Palo Alto, California. The item that was disclosed was a detailed spreadsheet, prepared by the billing contractor, tracking the emergency room treatment of 20,000 individuals seen at the hospital during a 6-month period in 2009, including their names and diagnosis codes. Somehow, the spreadsheet made its way to a commercial Web site as an example of how to convert data into a bar graph. The site in question, “Student of Fortune,” provides online tutoring and help with homework to students for a fee. The spreadsheet was publicly available in this manner for over a year before a patient brought it to the hospital’s attention. It is not clear how the spreadsheet was disclosed in this manner, but the article suggests that investigation cleared hospital employees of any involvement.

The hospital provided written notification to affected patients of the breach four days after learning it had occurred. This is within the 5-day time period required under California Health and Safety Code § 1280.15, governing health data security breaches occurring at California medical facilities. The hospital also paid for identity theft protection for the affected patients, even though the spreadsheet did not contain Social Security Numbers or other information commonly leading to identity theft. The Times article notes that in an earlier incident involving theft of a laptop from its Children’s Hospital, Stanford had waited 19 days to notify affected patients’ families, and even though no PHI was released in the incident the California Department of Public Health fined the hospital $250,000 for its delay.

Statistics quoted in the article attribute 20 percent of health data security breaches to outside contractors of the health care providers, insurers and other “covered entities” which were HIPAA’s original focus. HIPAA designates outside contractors whose role requires them regularly to maintain or access protected health information (PHI) as “business associates” and requires that they comply with HIPAA privacy rules to the same degree as the covered entity (hospital, insurer, etc.) they work for, and also that they enter into a “business associate agreement” to that effect.

Until recently, business associates’ duties and liability under HIPAA were limited to the written terms of their business associate agreements with covered entities. However, HITECH made business associates individually accountable under HIPAA for the first time. Further, proposed regulations under HITECH extend business associate status to downstream subcontractors of business associates, and require that they enter into written agreements with business associates confirming their duties under HIPAA. This brings within the sweep of HIPAA compliance entities — such as document shredders and other peripheral business vendors and service providers — that prior HIPAA regulations had expressly carved out from compliance duties.

Bottom line, this means a new level of scrutiny must be brought to service agreements between a business associate, on the one hand, and any other entity that routinely could be considered within the “chain of custody” of hard copy documentation or digital data comprising PHI, on the other. A weakness at any point in that chain may result in liability to the business associate and, as occurred in the Stanford Hospital/Student of Fortune matter, to the covered entity itself.

California Legislature to Clarify, Expand Data Breach Notice Requirements

A bill that is close to final passage in Sacramento will clarify and slightly expand notification requirements upon a breach of unsecured personal data of California residents, including financial, health or health insurance information. Currently the law requires written or electronic breach notification, but does not mandate any particular content for notifications. Senate Bill 24 will amend California Civil Code § 1798.29 (applicable to state agencies) and § 1798.82 (applicable to private owners or licensors of data) to specify what information must be conveyed in notification of a breach. Specifically, the measure requires that the notification:

• Be written in plain language
• Be dated
• Include contact information regarding the breach, the types of information breached, and the date, estimated date, or date range of the breach
• Include toll-free phone numbers for the major credit reporting agencies
• Describe whether notification was delayed due to law enforcement investigation.

Optional language that may be added to the notice includes information about what the notifying party has done to protect individuals whose information has been breached, and advice on steps affected individuals can take to protect against identity theft or other consequences of the breach.

The new law also slightly expands notice duties, by requiring that an electronic copy of the breach notification be sent to the Attorney General in each instance where a single breach affects more than 500 California residents. Additionally, it requires those making use of “substitute” notification to also notify the Office of Privacy Protection within the State and Consumer Services Agency (state agencies must instead notify the Office of Information Security within the California Technology Agency). Substitute notice may be provided upon demonstrating that the cost of providing notice would exceed $250,000, or where more than 500,000 individuals’ data is affected. In addition to the new agency notification duty, substitute notice requires all of the following:

• E-mail notice where valid e-mail addresses are available;
• Conspicuous posting of the notice on the breaching party’s web page; and
• Notification to statewide media.

Similar to rules under HIPAA/HITECH, notification is only required if unencrypted data is released, and notice is not required where the data exposure is limited to “good faith acquisition by an employee or agent of the business for purposes of the business.” Civil Code § 1798.82(g). Under both federal and state law, however, notice is required not only upon discovery of an actual security breach but also upon formation of a reasonable belief that a breach occurred.

Unlike HIPAA/HITECH, which specify a maximum 60-day notice period, the California law does not specify a notice time period, requiring only that it be provided “in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, [ . . . ] or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.” Civil Code § 1798.82(a). A business that simply maintains data but does not own or license it must “immediately” provide notice of the breach to the owner or licensee of the data, which in turn will notify the affected individuals.

Finally, two “safe harbors” exist in regard to notification:

• Businesses that are “covered entities” under HIPAA need only satisfy HIPAA/HITECH notification duties to be deemed to have complied with the new notice content provisions under California law. Notification of the Attorney General must still be made if more than 500 California residents are affected by the breach, and all California notice duties would appear to apply to business associates under HIPAA.

• Businesses that provide notification under their own notice procedures as part of an information security policy are deemed to have complied with California notice requirements in total, so long as their internal procedures are “otherwise consistent with the timing requirements” of Civil Code §§ 1798.29 and 1798.82; i.e., notice is provided expediently and without unreasonable delay.

SB 24 was just approved on the Senate Floor by a vote of 34-4, has no formal opponents, and may go to the Governor’s desk by the end of the month, depending on the time needed to engross and enroll the bill. If the bill is not signed by September 9, Governor Brown will have an additional 30 days to sign it into law. Keep an eye out for a follow-up post confirming passage of the bill into law.

State Privacy Breach Laws May Trump HIPAA/HITECH

When HITECH amended HIPAA in 2009 it empowered state attorneys general to sue breaching parties to enforce the privacy and security rights of their respective state’s citizens. Prior to this time only the Department of Health and Human Services (DHHS) was permitted to enforce HIPAA. However, § 13410(e) of the HITECH Act limits the money damages that attorneys general can collect to $100 per individual affected, not to exceed $25,000 for all violations of an identical requirement or prohibition during a calendar year.

Some state health privacy laws impose higher money penalties on breaching parties, and recently the Indiana Attorney General invoked state law, over HIPAA/HITECH, when prosecuting a privacy breach by insurer WellPoint, Inc. In that instance, the applicable Indiana statute permitted recovery of up to $150,000 per failure to disclose a health data security breach.

In the WellPoint breach, applications for individual health insurance policies containing Social Security numbers, financial and health information for 32,051 Indiana residents were accidentally made available on the internet for at least 137 days between October 2009 and March 2010. A member of the public notified WellPoint of the problem on February 22, and ultimately the individual filed a class action lawsuit against WellPoint on March 8. After being sued WellPoint quickly fixed the online problem, which had occurred during a system upgrade. However, WellPoint did not begin notifying its customers of the breach until June 18. And, when it did notify customers in Indiana, it did not notify the Attorney General, as required under state law.

WellPoint notified the DHHS of the breach in accordance with HITECH. However, when Greg Zoeller, the Indiana Attorney General, filed suit against WellPoint in October 2010, he did so not under HITECH but under a provision of the Indiana Code allowing recovery of up to $150,000 per “deceptive act,” a term that included a failure to disclose a breach of the security of personal data. The Indiana statute also allows recovery of the Attorney General’s reasonable investigation and prosecution costs.

Regarding this choice of law, a spokesperson for the Indiana Attorney General’s office stated:

“While the option to file under HITECH/HIPAA in federal court was considered, Indiana’s notification laws and enforcement options allow greater remedies . . . . [u]nder HITECH/HIPAA, the possible penalties maximum would have been $25,000 vs. $300,000 under Indiana law.” (Presumably the two “deceptive acts” were delayed notification of the public and failure to notify the Indiana AG).

WellPoint ultimately reached a settlement with the Attorney General on June 23, 2011, pursuant to which it will pay a $100,000 fine to a state fund providing restitution to defrauded consumers and will provide two years of credit monitoring and identity theft protection to affected individuals in Indiana. In addition, it will reimburse victims of identity theft for losses up to $50,000 per individual.

Prior to this case, the Connecticut Attorney General sued Health Net under HITECH/HIPAA following the insurer’s delayed notification of its loss of an unencrypted portable disk drive holding records for more than 500,000 insureds in Connecticut and more than 1.5 million nationwide. In that settlement Health Net agreed to pay $250,000 in damages, provide two years of credit monitoring and $1 million of identity theft insurance, and reimburse the costs of security credit freezes.

When HITECH first empowered attorneys general to prosecute data security breaches, little thought was given to the possibility that they might have more leverage under state laws than under the new federal statute. With state budgets stretched to the limit, this may prove more of a factor in which security breaches are prosecuted, and under which laws.

California law permits individuals to sue over breaches of the security of their personal data and recover up to $3,000 per violation as well as attorneys’ fees, but neither mandates the contents of security breach notices, nor requires notification of the California Attorney General. This may change, however, as a California Senate bill would specify the contents of breach notifications and, for breaches affecting more than 500 California residents, would require that breach notifications be sent electronically to the Attorney General. The Senate passed SB 24 in April 2011 and it is easily passing committee votes in the State Assembly. I will continue to update the progress of the bill in future posts.

Nondiscrimination Rules for Insured Health Plans Put On Hold

The Internal Revenue Service just issued Notice 2011-1 today, stating that compliance with nondiscrimination rules for insured group health plans, otherwise slated to go into effect on January 1, 2011 for non-grandfathered plans, will not be required (and no excise tax for failure to comply need be reported) until after regulations or other administrative guidance on the nondiscrimination rules are issued. The Notice has the support of the other agencies that enforce health care reform, the Department of Labor and the Department of Health and Human Services.

Further, the Service anticipates that any such regulations or guidance will not apply until plan years beginning after a specified period following publication of the new guidance (often this is a 6-month period). Before the beginning of those plan years, employers will not need to file IRS Form 8929 reporting excise taxes as a result of plan designs that discriminate in favor of highly compensated individuals.

This is extremely welcome relief for plan sponsors and advisors. In essence, the Notice appears to bring back the status quo before the Patient Protection and Affordable Care Act by acknowledging that employers with insured health plans cannot realistically be expected to comply with laws that are merely “similar to” existing nondiscrimination rules for self-funded plans. For employers that maintained executive carve-out plans prior to the Affordable Care Act, maintenance of those plans in 2011 would not appear, from the Notice, to subject them to any enforcement efforts or excise taxes.

What does this mean for employers going forward? Employers who already redesigned their group health plan in anticipation of the January 1, 2011 compliance deadline should hesitate before rolling back any newly-compliant, nondiscriminatory plan designs. Reversing steps taken in order to comply with the law is never a good idea, and nondiscrimination rules eventually will apply, so it is unwise to get re-attached to a plan design that ultimately will be obsolete, especially now that employees may be aware that discriminatory plan designs are disfavored. For employers with a discriminatory insured plan that was never redesigned, maintenance of the plan “as-is” should not result in any excise tax penalties or other enforcement action. Again, however, this grace period will end as of the first day of the first plan year following the year in which nondiscrimination regulations are published, and if regulations issue later this year then nondiscrimination compliance could be required as soon as January 1, 2012. Employers that are subsidizing former executives’ COBRA or other continuation group health coverage through this year and into the next (e.g., under a severance plan) should be aware that maintenance of the plan into 2012 could violate the nondiscrimination rules and result in excise taxes.

As an indication of how complex the nondiscrimination issue is, the Notice requests further commentary from the public on no fewer than 13 different topics, including “safe harbor” plan designs for automatic compliance, application of different rules for plans offered in different geographic regions by the same employer, what constitutes “benefits” for purposes of nondiscriminatory plan design (e.g., rate of employer contributions, versus percentage or amount of employee contributions), and whether compliance can be met merely by making coverage available to employees, whether or not they enroll (as applies in the 401(k) context). Notably, none of the requests for commentary refer to the transition period beginning with publication of the Notice and ending with publication of final regulations on nondiscrimination rules for insured plans. This further confirms that, for pre-existing, discriminatory plans, we are entering a “no enforcement” zone for the immediate future at least.