Last week, Diabetes, Endocrinology & Lipidology Center Inc. (DELC) of West Virginia reached a $5,000 settlement with the Office for Civil Rights (OCR) over  allegations that it failed to provide timely access to a patient’s health records.   The OCR alleged that DELC waited more than two years to send a minor’s medical records to their parent, and the records were sent only after the OCR opened an investigation in response to the parent’s complaint. This alleged failure to provide timely access was a violation of the Health Insurance Portability and Accountability Act (HIPAA). HIPAA requires health care providers to respond to a patient’s request for access to health records within 30 days.

This is the 19th settlement for alleged right-of-access violations.

In addition to the $5,000 payment, DELC has agreed to implement a corrective action plan and submit to two years of monitoring.

The Office for Civil Rights (OCR) this week announced a settlement with Peachstate Health Management LLC (aka AEON Clinical Laboratories) following a compliance review that uncovered alleged violations of HIPAA.

The settlement includes a $25,000 payment to OCR by Peachstate, a corrective action plan, and three years of monitoring by OCR.

OCR initiated a compliance review of Peachstate in December 2017 to determine its compliance with HIPAA following a report of a data breach by the U.S. Department of Veterans Affairs.  The notification alleged that the data breach was caused by the VA’s vendor, which was subsequently acquired by Peachstate.

According to OCR’s press release, “OCR’s investigation found systemic noncompliance with the HIPAA Security Rule, including failures to conduct an enterprise-wide risk analysis, implement risk management and audit controls, and maintain documentation of HIPAA Security Rule policies and procedures.”

OCR further stated, “This settlement reiterates OCR’s commitment to ensuring compliance with rules that protect the privacy and security of protected health information.”

The state of Virginia might be the next state to enact a privacy law. Senate Bill No. 1392 recently passed the Senate and is likely on its way to Governor Ralph Northam’s desk.  The bill adds the Consumer Data Protection Act to the Virginia Code and includes definitions of biometric data, precise geolocation data, profiling, sensitive data, and targeted advertising. The bill’s effective date is January 1, 2023.

The bill will apply to persons who conduct business in the Commonwealth or produce products or services that are targeted to residents of the Commonwealth, and that (i) during a calendar year, control or process data of at least 100,000 consumers or (ii) control or process personal data of at least 25,000 consumers and derive over 50 percent of gross revenues from the sale of personal data. The law would not apply to any state or local government agency, to financial institutions subject to the Gramm-Leach-Bliley Act, or to covered entities or business associates governed by the Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH Act).

Consumer rights include the following:

  1. The right to know whether or not a controller is processing the consumer’s personal data and the right to access such personal data;
  2. The right to correct inaccuracies in the consumer’s personal data;
  3. The right to delete personal data provided by or obtained about the consumer;
  4. The right to data portability; and
  5. The right to opt out of the processing of the personal data for purposes of (i) targeted advertising, (ii) the sale of personal data, or (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.

The bill is designed to feature data controllers and data processors and organizes the rights and responsibilities of each according to those roles. There is no private right-of-action in this bill, as the Attorney General is charged with enforcing violations. The Attorney General will have the exclusive authority to enforce violations in the name of the Commonwealth or on behalf of individual persons residing in the Commonwealth.

The Office for Civil Rights (OCR) issued a press release on November 12, 2020, announcing that it had settled its eleventh enforcement action in its HIPAA Right-of-Access Initiative. The settlement with Dr. Rajendra Bhayani, an otolaryngologist (ENT) practicing in Regal Park, New York, included a payment of $15,000, a corrective action plan and two years of monitoring by the OCR.

The facts behind the case are these: In September 2018, the OCR received a complaint from a patient alleging that Dr. Bhayani failed to provide her with access to her medical records after she requested them in July 2018. Following the complaint, the OCR provided technical assistance to Dr. Bhayani regarding compliance with the right-of-access requirements and closed the case. Similar to other recent settlements with the OCR, the patient lodged a second complaint, alleging that Dr. Bhayani still had not provided her with access to her records, and as a result of re-opening the file, the OCR “determined that Dr. Bhayani’s failure to provide the requested medical records was a potential violation of the HIPAA right of access standard.” Following the investigation, the patient received a copy of her medical records in September 2020.

According to OCR Director Roger Severino, “Doctor’s offices, large and small, must provide patients their medical records in a timely fashion. We will continue to prioritize HIPAA Right of Access cases for enforcement until providers get the message.”

Providers, the message is clear: carefully follow HIPAA’s right-of-access requirements.

New Jersey Attorney General (AG) Gurbir S. Grewal announced on November 2, 2020, that his office has settled with ShopRite’s parent company, Wakefern Food Corp. (Wakefern) and two of its supermarket entities for $235,000 for a data breach that occurred in 2016.

According to the press release, the AG alleged that Wakefern violated HIPAA and the New Jersey Consumer Fraud Act (CFA) by “failing to properly dispose of electronic devices used to collect the signatures and purchase information of pharmacy customers” in its Kingston and Millville ShopRite stores.

The AG alleged that the electronic devices were discarded in dumpsters in 2016 without wiping them when newer technology was adopted. The incident “may have exposed names, phone numbers, birthdates, driver’s license numbers, prescription numbers, medication names, dates and times of pick-up or delivery, and customer zip codes.”

In addition to the fine, Wakefern is required to appoint a chief privacy officer, execute Business Associate Agreements with the entities that are operating its pharmacies, ensure that all ShopRite stores with pharmacies designate a HIPAA privacy officer and a HIPAA security officer, and provide online training for those officers on the HIPAA privacy and security rules.

Proposition 24 is known as the California Privacy Rights Act of 2020 (CPRA). It is on the ballot in California on November 3, and if it passes it will amend and expand certain provisions of the California Consumer Privacy Act (CCPA). Some say it’s CCPA 2.0, however, there are some provisions that make the CPRA look more like the General Data Protection Regulation (GDPR) – the European data regulation that reshaped privacy rights in the European Union. Two provisions in particular are very GDPR-like; specifically, the creation of the California Privacy Protection Agency (CPPA), which will become the regulator charged with implementing and enforcing both the CCPA and CPRA, and the expanded definition of sensitive personal information. CPRA would become effective Jan. 1, 2023, with an enforcement date of July 1, 2023. Here are some key highlights of Proposition 24.

What’s new for California consumers in CPRA? CPRA creates a new category of data, similar to GDPR, for sensitive personal information. CPRA also adds several new rights for consumers:

  • to restrict the use of sensitive personal information;
  • to correct inaccurate personal information;
  • to prevent businesses from storing data longer than necessary;
  • to limit businesses from collecting more data than necessary;
  • to know what personal information is sold or shared and to whom, and to opt out of that sale or sharing of personal information;
  • CPRA expands the non-discrimination provision to prevent retaliation against an employee, applicant for employment, or independent contractor for exercising their privacy rights.

What do businesses need to know regarding CPRA? It creates a new data protection agency with regulatory authority for enforcement of both CCPA and CPRA. Some new key provisions for businesses are:

  • the CPRA creates a Chief Auditor, who will have the authority to audit businesses data practices;
  • the CPRA also requires high risk data processors to perform regular cybersecurity audits and regular risk assessments;
  • the CPRA adds provisions regarding profiling and automated decision making;
  • the CPRA adds restrictions on transfer of personal information;
  • the CPRA requires businesses that sell or share personal information to provide notice to consumers and a separate link to the “Do Not Sell or Share My Personal Information” webpage and a separate link to the “Limit the Use of My Sensitive Personal Information” webpage or a single link to both choices;
  • the CPRA triples the fines set forth in CCPA for collecting and selling children’s private information and requires opt-in consent to sell personal information of consumers under the age of 16;
  • the CPRA expands the consumer’s private right of action to include a breach of a consumer’s email address and password/security question and answer.

The CPRA also changes the definition of “business” to more clearly define the annual period of time to determine annual gross revenues, which specifies that a business must comply with CPRA if, “as of January 1 of the calendar year,” the business had annual gross revenues in excess of twenty-five million dollars “in the preceding calendar year,” or alone or in combination annually buys or sells or shares the personal information of 100,000 or more consumers or households, or derives 50 percent or more of its annual revenues from selling or sharing consumers’ personal information.

In addition to these criteria, CPRA adds somewhat puzzling language that states that a business would also be defined in the CPRA as a person that does business in California, that is not covered by one of the criteria described above, who may voluntarily certify to the California Privacy Protection Agency that it is in compliance with and agrees to be bound by CPRA.

The CPRA adds the new term “contractor” in addition to service provider. A contractor is a person to whom the business makes available a consumer’s personal information for a business purpose pursuant to a written contract with the business. The CPRA contains specific provisions to be included in the contract terms, and the contract must include a certification that the contractor understands the restrictions and will comply with them. The CPRA adds several new definitions, including definitions for cross-context behavioral advertising, dark pattern, non-personalized advertising, and profiling, and makes some changes to the definition of personal information. The CPRA eliminates some of the CCPA language regarding the “categories” of personal information.

The CPRA also adds “sensitive personal information” as a defined term which means:

(l) personal information that reveals: (A) a consumer’s social security, driver’s license, state identification card, or passport number; (B) a consumer’s account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account; (C) a consumer’s precise geolocation; (D) a consumer’s racial or ethnic origin, religious or philosophical beliefs, or union membership; (E) the contents of a consumer’s mail, email and text messages, unless the business is the intended recipient of the communication; (F) a consumer’s genetic data; and (2) (A) the processing of biometric information for the purpose of uniquely identifying a consumer; (B) personal information collected and analyzed concerning a consumer’s health; or (C) personal information collected and analyzed concerning a consumer’s sex life or sexual orientation.

The CPRA retains the CCPA exemptions for medical information governed by the California Confidentiality of Medical Information Act or protected health information collected by a covered entity or business associate under HIPAA (Health Insurance Portability and Accountability Act) and HITECH (Health Information Technology for Economic and Clinical Health Act), personal information collected as part of a clinical trial or other biomedical research study, activity involving the collection of personal information bearing on a consumer’s credit worthiness, and personal information collected, processed, sold or disclosed subject to the Gramm-Leach-Bliley Act or the federal Driver’s Privacy Protection Act of 1994.

The CCPA’s limited exemptions for employment information and so-called business-to-business information are also continued in the CPRA, however these provisions shall expire on January 1, 2023.

The CPRA provides authority for the CPPA to create extensive regulations, including a requirement for regulation of businesses whose processing of consumers’ personal information presents significant risk to consumers’ privacy or security to: (A) perform a cybersecurity audit on an annual basis, including defining the scope of the audit and establishing a process to ensure that audits are thorough and independent; and (B) to submit to the CPPA on a regular basis a risk assessment with respect to the processing of personal information.

The private right of action under CPRA is expanded to include that consumers whose email address in combination with a password or security question and answer that would permit access to the account be able to institute a civil action and to recover damages or other injunctive relief. The CCPA 30-day cure period after notice of a breach is eliminated and administrative fines for violation of the CPRA increase to not more than $2,500 for each violation or $7,500 for each intentional violation or violations involving the personal information of consumers that the business has actual knowledge is under 16 years of age. The CPPA will have broad powers of investigation and enforcement for violations of the CPRA.

We will follow the progress of Proposition 24 on election day and provide an update here next week.

Continuing with its previous enforcement actions centered on covered entities’ failure to provide patients with access to their health records, the Office for Civil Rights (OCR) announced on October 9, 2020 that it entered into a settlement with Dignity Health, doing business as St. Joseph’s Hospital and Medical Center in Phoenix (St. Joseph’s) for $160,000 for failing to respond to multiple requests of a mother for her son’s records.

According to the OCR, a patient’s mother requested on multiple occasions her son’s medical records and St. Joseph’s failed to respond to her requests. She complained to the OCR, which commenced an investigation. Although St. Joseph’s provided partial records within months of the mother’s initial request in January 2018, the request was not fully complied with until December 2019.

The OCR stated “It shouldn’t take a federal investigation to secure access to patient medical records, but too often that’s what it takes when health care providers don’t take their HIPAA obligations seriously.” The OCR warned covered entities by further stating “OCR has many right of access investigations open across the country, and will continue to vigorously enforce this right to better empower patients.”

In addition to the settlement of $160,000, St. Joseph’s is subject to a two-year corrective action plan that requires it to retrain its employees, update its policies and procedures around access to records, and distribute them to employees.

On October 8, 2020, New Jersey Attorney General Gurbir Grewal (AG) announced that his office has entered into a multi-state settlement agreement with Community Health Systems, Inc. (CHS) stemming from an investigation of a 2014 data breach that exposed personal information of approximately 6.1 million patients, including 45,000 New Jersey residents. This is after CHS agreed to pay $2.3 million in settlement for HIPAA violations alleged by the Office for Civil Rights.

The AG filed a complaint against CHS following the data breach alleging misrepresentation and violation of the New Jersey Consumer Fraud Act because CHS disclosed to consumers that it “employed security measures to protect information from unauthorized disclosure through various means such as encryption.”

The complaint alleged that CHS failed to implement and maintain reasonable security for the personal information that it collected and maintained, failed to provide security and confidentiality of stored information, and permitted unauthorized disclosure of protected health information inconsistent with HIPAA.

CHS and its subsidiary CHSPSC LLC agreed to pay $5 million to 28 participating states. In the final consent judgment, CHS denied the facts as alleged or any liability for the data breach.

 

Premera Blue Cross (Premera) has agreed to settle with the Office for Civil Rights (OCR) for $6.85 million over allegations of violations of HIPAA after an investigation of a data breach that occurred in 2014 affecting 10.4 million individuals. This is the largest settlement the OCR has entered into with a covered entity in 2020, and the second largest in history (second only to Anthem, which settled with the OCR for $16 million in 2018 for a data breach that occurred in 2015).

Premera self-reported to the OCR on March 17, 2015, that cyber-attackers infiltrated its IT system through a phishing campaign in May 2014, which went undetected until January of 2015. The attack, an advanced persistent threat, compromised the protected health information of 10.4 million individuals, including their names, addresses, dates of birth, email addresses, Social Security numbers, bank account information and clinical information.

Following an investigation, the OCR alleged that Premera failed both to conduct an enterprise-wide security risk analysis and to implement risk management measures or audit controls.

In addition to the payment of the settlement amount, Premera entered into a Corrective Action Plan to implement security measures, including conducting a risk analysis and developing and implementing a risk management plan, and revising its privacy and security policies.

Binary Check Ad Blocker Security News

Recently we wrote about two amendments to the California Consumer Privacy Act of 2018 (CCPA) that were awaiting signature on Governor Newsom’s desk: AB 1281, which extends the one-year exemptions for employee information and business to business information for another year until January 1, 2022; and AB 713, which provides an exemption from the CCPA to medical information that is governed by the California Confidentiality of Medical Information Act (CMIA) or to protected health information that is collected by a covered entity or business associate governed by the federal Health Insurance Portability and Accountability Act (HIPAA) and the federal Health Information Technology for Economic and Clinical Health Act (HITECH). Both amendments were signed by the Governor.

While AB 1281 extends the exemptions for employee information and business to business information from the CCPA for another year, AB 713 actually broadens the CCPA exemption for medical information to include business associates. Section 1798.146(a) now includes a business associate of a covered entity governed by HIPAA and HITECH, to the extent that the business associate maintains, uses, and discloses patient information.