Privacy and Security Update - October 2005
HIPAA and Consumer Breach Notification Laws Affect Responses to Patient Information Exposure - by Peter M. Hazelton, Esq.
Health care organizations must consider how to comply simultaneously with the Privacy Rule and Security Rule of the Health Insurance Portability and Accountability Act (“HIPAA”) and with various new consumer breach notification laws. See “States Pass Consumer Breach Notification Laws,” Privacy and Security Update, July, 2005. (www.mt-law.com/ publications.aspx)
The HIPAA Privacy and Security Rules apply to health care organizations like hospitals, physician offices, and health insurers. The Privacy Rule requires health care organizations to mitigate any harmful effects due to the loss or theft of a patient’s protected health information. This Rule requires health care organizations to inform all patients of how to file a privacy complaint with federal regulators. However, it does not require health care organizations to inform federal regulators of their own security breaches. The Privacy Rule also does not require covered entities to notify affected patients of the data breach.
The HIPAA Security Rule makes health care organizations develop security incident procedures. These procedures must detail how the organization will identify and respond to suspected or known security breaches, mitigate any harmful effects, and document security incidents and their outcomes. As with the Privacy Rule, the Security Rule does not impose any duty to notify the government or patients of a security breach concerning their protected health information. With both Rules, however, a health care organization might choose to notify affected patients if it believes that notification would help to mitigate the potential harm from the security breach.
HIPAA preempts some state laws on medical privacy that are contrary to it, but laws mandating consumer breach notification are not contrary to HIPAA. Almost 20 states now have consumer breach notification laws, nearly all of which were passed in 2005. A number of other states are still considering this sort of legislation. These laws require companies, state agencies, or both to notify consumers of security breaches involving their personal information. Many businesses and health care organizations possess personal information about Californians, Floridians, Texans, and residents of the other states that now have consumer breach notification laws.
The U.S. Senate is currently considering consumer breach notification legislation that would apply to the personal information of the residents of all states. Legislation that finally passes may very well preempt many aspects of state consumer notification laws.
Some of these state laws provide a safe harbor for organizations covered by the HIPAA rules, allowing HIPAA-compliant health care organizations to avoid compliance with consumer breach notification requirements. However, most of the state laws do not provide such an exception. Only one of the federal bills regarding consumer breach notification exempts health care organizations covered by HIPAA.
The most publicized information security breaches this year have involved data brokers like ChoicePoint and LexisNexis or financial organizations like JP Morgan Chase, Citigroup, or CardSystems. These organizations have notified customers whose information was compromised by a security breach.
Health care organizations have also had to deal with security breaches involving patient information. In addition to sensitive medical information, patient files contain data useful to identity thieves, like Social Security numbers, addresses, birth dates, and employment information.
Ohio State University Medical Center discovered in June, 2005 that a laptop computer containing patient information was stolen from one of its financial consultants. The computer contained billing information on about 15,000 different patients. However, these files did not contain identifying information like birthdates and Social Security numbers. Ohio State chose to notify each of the patients by letter about the security breach.
The University of Florida faced a similar situation when a laptop computer containing patient information was stolen from one of its outside consultants. The computer was stolen from ChartOne, a Boston company that helps the University to manage medical records. The missing laptop's database contained the names, Social Security numbers, dates of birth, and medical record numbers for almost 4,000 patients. The University notified affected patients of the breach, encouraging them to contact the major credit bureaus regarding account activity.
Medica Health Plans in Minnesota discovered that hackers had stolen company sensitive and confidential data from its computer system. This system also contains information concerning 1.2 million patients, including Social Security numbers, addresses, dates of birth, and employment information. The health plan is now suing the two alleged hackers. Medica does not believe that the hackers actually took any of the patient information. It has not notified any of the patients about the security breach.
Kaiser Permanente Colorado chose to provide notice about a recent privacy breach both to affected patients and to the Office for Civil Rights of the U.S. Department of Health and Human Services. The Office for Civil Rights enforces the HIPAA Privacy Rule. Due to a printing error, a recent issue of Kaiser’s Rocky Mountain Health went out to 190,000 health plan members with member ID numbers on its mailing labels.
Neither the HIPAA Privacy Rule nor the HIPAA Security Rule requires covered entities to notify government regulators about a suspected privacy or security breach. Kaiser did not give its reasons for notifying the Office for Civil Rights. However, it may have taken this course to preempt a government enforcement action prompted by a patient complaint. A Kaiser official stated that the Office for Civil Rights appears to be “fine with things because we have responded appropriately and done the right thing.”
A variety of factors affect a health care organization’s choice of how to comply with the law. The HIPAA Privacy Rule and Security Rule do not mandate the notification of patients about consumer breaches. However, notifying affected patients may be a wise step for health care organizations fulfilling their obligations to mitigate any harmful effects of a security breach. After receiving notification, individual patients can then check their credit reports, cancel certain accounts, and maintain surveillance for any uncharacteristic transactions on their bills.
The HIPAA Privacy Rule and Security Rule do not require health care organizations to notify the government about a security breach. However, health care organizations might do so in hopes of preempting any potential government enforcement action.
The consumer breach notification laws require companies only to notify residents of the 20 or so states that have passed them. However, health care organizations in other states may possess protected health information of individuals who reside in those 20 or so states. Further, it may be both cost-effective and a wise public relations strategy to notify all affected individuals, as opposed to confining notices only to residents of certain states. For example, when ChoicePoint discovered the theft of personal information for 145,000 people early in 2005, only California had a breach notification law on the books. ChoicePoint originally chose to notify only California residents. However, the company broadened its notifications to extend to all affected individuals, regardless of their states of residence, even though few of the remaining states had such laws.
In summary, health care organizations should revisit their established policies to prepare to face consumer notification requirements. Through inside or outside counsel, they should also keep watch on any legislative or regulatory developments and the responses of other health care organizations to security breaches.
Peter M. Hazelton, Esq., M.H.A. has assisted corporate clients, both large and small, in complying with applicable U.S., state, and international laws on health care, online, international, and financial privacy and security. He has published numerous articles and lectured nationally and locally on privacy, security, e-commerce, and other legal issues.
Mr. Hazelton has a Master’s degree in Health Administration in addition to his law degree.
Please see his past editions of the Privacy and Security Update and recent articles on online privacy, HIPAA security, and spyware at http://www.mt-law.com/publications.aspx. You may reach him at (614) 846-6571 x22 or email@example.com.
This Privacy and Security Update is intended to provide information about important legal developments, not legal advice. Readers should consult legal counsel for advice about their specific circumstances.
©2005 Mallory & Tsibouris, Co., LPA - This work is not NOT licensed under the Creative Commons License.