Privacy Bulletin: Issue No. 54
Feds Crack Down on HIPAA Privacy Rule Violations, Issue Huge Fines
At the end of February, the Department of Health and Human Services Office for Civil Rights (“OCR”) issued two press releases concerning million-dollar HIPAA Privacy Rule violations. Under the HIPAA Privacy Rule, health plans, health care clearinghouses and covered health care providers are required, subject to both civil and criminal penalties, to protect the privacy of patient information through appropriate administrative, physical and technical safeguards. In a February 22 press release, OCR announced its imposition of a $4.3 million civil money penalty against Cignet Health (Prince George’s County, MD) for violations of the HIPAA Privacy Rule, the first civil money penalty ever issued by HHS for HIPAA Privacy Rule violations. Cignet Health was found to have willfully neglected its duty to comply with the Privacy Rule. Two days later, on February 24, OCR announced in a press release a $1 million settlement with Massachusetts General Hospital for alleged violations of the HIPAA Privacy Rule. The settlement payment arose from an OCR investigation following Massachusetts General’s loss of the protected health information (“PHI”) of 192 patients. The investigation indicated that Massachusetts General had failed to implement reasonable, appropriate safeguards to protect the privacy of PHI. In connection with the settlement, Massachusetts General also agreed to enter into a Corrective Action Plan to develop, implement, train on and enforce privacy policies that ensure PHI is protected. The ramifications of both incidents should serve as a reminder to businesses in the healthcare sector of their responsibility to protect their patients’ privacy. As noted by OCR Director Georgina Verdugo, “To avoid enforcement penalties, covered entities must ensure they are always in compliance with the HIPAA Privacy and Security Rules.”
Supreme Court Holds Corporations Do Not Have Personal Privacy for Purposes of FOIA Exemption
In interpreting a provision of the Freedom of Information Act (“FOIA”), the Supreme Court held that corporations are not entitled to the personal privacy rights that protect against the release of sensitive information. See FCC v. AT&T, No. 09-1279 (March 1, 2011). As a result, AT&T could not prevent the release of documents compiled during an FCC investigation into whether the company had overcharged the government for services under the federal E-Rate program. The Supreme Court ruling overturned a 3rd Circuit opinion that supported AT&T’s position that corporations were covered by Exemption 7(C) of FOIA, which prevents disclosure of law enforcement records whose release would constitute an unwarranted invasion of “personal privacy.” AT&T’s argument focused on the definition of the term “person,” which the 3rd Circuit noted is often defined in the law, including in FOIA itself, to include partnerships, associations and corporations. Writing for a unanimous Court, Chief Justice Roberts disagreed, noting that the adjective “personal” is not ordinarily used to refer to corporations and is frequently used to mean precisely the opposite of business-related. With this ruling, corporations cannot claim protection under FOIA exemptions related to personal privacy.
Obama Signs USA PATRIOT Act Extension
President Obama signed the FISA Sunsets Extension Act of 2011 (Public Law No. 112-3) into law on Friday, February 25, three days before the provisions extended by the bill were set to expire. The law extends until May 27, 2011, two provisions of the USA PATRIOT Act related to the government’s ability to obtain business records and conduct “roving wiretaps,” and a provision of the Intelligence Reform and Terrorism Prevention Act, known as the “lone wolf” provision, related to the FBI’s ability to monitor suspected terrorists. Specifically, the law extends the sunset date for Section 215 of the PATRIOT Act, which allows the FBI to obtain an order for “any tangible thing” relevant to a terrorism investigation, including a firm’s customer records, and Section 206 of the PATRIOT Act, which allows a FISA wiretap order to follow a suspect rather than being tied to a specific phone or facility. The law also extends Section 6001 of the Intelligence Reform and Terrorism Prevention Act (the “lone wolf” provision), which broadens the definition of “agent of a foreign power” to include non-U.S. persons who engage in international terrorism without any demonstrated connection to a foreign power or terrorist group. With only a three-month extension, Congress will likely soon begin debate on a possible multi-year extension of the provisions and amendments to the Act.
Illinois Court Finds No Employer Duty to Protect Health Records
An Illinois appellate court sitting in Chicago held that a school district was not liable, under either HIPAA or the common law, for the inadvertent disclosure of employee health information. The district disclosed an insurance enrollment list containing the names of 1,750 former employees, along with their addresses, Social Security numbers, marital status, medical and dental insurers and health insurance plan information, and then acted responsibly to attempt to remedy the disclosure. The employees whose information was revealed filed a class action suit against the school district, arguing that the district owed them a duty under HIPAA to safeguard their personal information. They also sued under state statute and common law duties. The court ruled in favor of the district, finding that HIPAA creates no private right of action and that neither state statute nor the common law imposed a duty to safeguard the employees’ personal information. Under HIPAA, employment records held by a covered entity in its role as employer are excluded from the definition of protected health information, so the records at issue were not subject to HIPAA’s safeguard requirements. Cooney v. Chicago Public Schools (Ill. App. Ct.), ¶100-519.