The Financial Impact of Breached Protected Health Information: A Business Case for Enhanced PHI Security

7/28/2019 The Financial Impact of Breached Protected Health Information: A Business Case for Enhanced PHI Security

1/146


2/146


3/146


4/146


5/146


6/146


7/146


8/146


9/146


10/146


11/146


12/146


13/146


14/146


15/146


16/146


17/146


18/146


19/146


20/146


21/146


22/146


23/146


24/146


25/146


26/146


27/146


28/146


29/146


30/146


31/146


32/146


33/146


34/146


35/146


36/146


37/146


38/146


39/146


40/146


41/146


42/146


43/146


44/146


45/146


46/146


47/146


48/146


49/146


50/146


51/146


52/146


53/146


54/146


55/146


56/146


57/146


58/146


59/146


60/146


61/146


62/146


63/146


64/146


65/146


66/146


67/146


68/146

APPENDIX A Glossary o Terms and Acronyms

To accurately understand the legal obligationsassociated with saeguarding protectedhealth inormation (PHI), it is important to havean understanding o key terms. The ollowingdenitions are a summary o key terms and acronymsused in The Financial Impact o Breached ProtectedHealth Inormation report and its appendices. These arebased on denitions ound in common authoritative texts andin case law. They do not necessarily constitute a denition that

may be universally applied in any situation. Should the readerhave a question as to whether a particular denition ts a particularscenario, the advice o appropriate legal counsel should be sought.

Access

HIPAA Administrative Simplifcation Regulation Text 45 CFR 164.304

The ability or the means necessary to read, write, modiy, or communicate data/inormation or otherwise use any system resource.

NIST IR 7298 Revision 1, Glossary o Key Inormation Security Terms

Ability to make use o any inormation system (IS) resource. SOURCE: SP 800-32

Ability and means to communicate with or otherwise interact with a system, to use system resources to handle inormation, togain knowledge o the inormation the system contains, or to control system components and unctions. SOURCE: CNSSI-4009

Administrative Saeguards


Administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenanceo security measures to protect electronic protected health inormation and to manage the conduct o the covered entitys

workorce in relation to the protection o that inormation.

NIST IR 7298 Revision 1, Glossary o Key Inormation Security TermsAbility to make use o any inormation system (IS) resource. SOURCE: SP 800-32

Administrative actions, policies, and procedures to manage the selection, development, implementation, and maintenance osecurity measures to protect electronic health inormation and to manage the conduct o the covered entitys workorce in relationto protecting that inormation. SOURCE: SP 800-66

The Financial Impact o Breached Protected Health Inormation -Appendix A download the publication atwebstore.ansi.org/phi 1

The Financial Impact o Breached

Protected Health Inormation
http://webstore.ansi.org/phi/http://webstore.ansi.org/phi/http://webstore.ansi.org/phi/


69/146


Attack


An attempt to gain unauthorized access to system services, resources, or inormation, or an attempt to compromise system

integrity. SOURCE: SP 800-32Any kind o malicious act ivity that at tempts to col lect, disrupt, deny, degrade, or destroy inormation system resources or theinormation itsel. SOURCE: CNSSI-4009

Audit


Independent review and examination o records and activities to assess the adequacy o system controls, to ensurecompliance with established policies and operational procedures, and to recommend necessary changes in controls, policies,or procedures. SOURCE: SP 800-32

Independent review and examination o records and activities to assess the adequacy o system controls, to ensure compliancewith established policies and operational procedures. SOURCE: CNSSI-4009

Availability


The property that data or inormation is accessible and useable upon demand by an authorized person.

NIST IR 7298 Revision 1, Glossary o Key Inormation Security TermsEnsuring timely and reliable access to and use o inormation. SOURCE: SP 800-53; SP 800-53A; SP 800-27; SP 800-60; SP 800-37; FIPS 200; FIPS 199; 44 U.S.C., Sec. 3542

The property o being accessible and useable upon demand by an authorized entity. SOURCE: CNSSI-4009


70/146


Breach

42 USC 17921(1)

(A) In general: The term breach means the unauthorized acquisition, access, use, or disclosure o protected health

inormation which compromises the security or privacy o such inormation, except where an unauthorized person to whomsuch inormation is disclosed would not reasonably have been able to retain such inormation.(B) Exceptions: The term breach does not include (i) any unintentional acquisition, access, or use o protected healthinormation by an employee or individual acting under the authority o a covered entity or business associate i (I)such acquisition, access, or use was made in good aith and within the course and scope o the employment or otherproessional relationship o such employee or individual, respectively, with the covered entity or business associate; and (II)such inormation is not urther acquired, accessed, used, or disclosed by any person; or (ii) any inadvertent disclosure roman individual who is otherwise authorized to access protected health inormation at a acility operated by a covered entity orbusiness associate to another similarly situated individual at same acility; and (iii) any such inormation received as a resulto such disclosure is not urther acquired, accessed, used, or disclosed without authorization by any person.

HIPAA Administrative Simplifcation Regulation Text Section 45 CFR 164.402

The acquisition, access, use, or disclosure o protected health inormation in a manner not permitted under subpart Eo this part which compromises the security or privacy o the protected health inormation. (1)(i) For purposes o thisdenition, compromises the security or privacy o the protected health inormation means poses a signicant risk o nancial,reputational, or other harm to the individual. (ii) A use or disclosure o protected health inormation that does not include theidentiers listed at 164.514(e)(2), date o birth, and zip code does not compromise the security or privacy o the protectedhealth inormation. (2) Breach excludes: (i) Any unintentional acquisition, access, or use o protected health inormation bya workorce member or person acting under the authority o a covered entity or a business associate, i such acquisition,access, or use was made in good aith and within the scope o authority and does not result in urther use or disclosure in amanner not permitted under subpart E o this part. (ii) Any inadvertent disclosure by a person who is authorized to accessprotected health inormation at a covered entity or business associate to another person authorized to access protected healthinormation at the same covered entity or business associate, or organized health care arrangement in which the coveredentity participates, and the inormation received as a result o such disclosure is not urther used or disclosed in a manner not

permitted under subpart E o this part. (iii) A disclosure o protected health inormation where a covered entity or businessassociate has a good aith belie that an unauthorized person to whom the disclosure was made would not reasonably havebeen able to retain such inormation.
http://webstore.ansi.org/phi/http://webstore.ansi.org/phi/http://webstore.ansi.org/phi/http://webstore.ansi.org/phi/


71/146


Business Associate


(1) Except as provided in paragraph (2) o this denition, business associate means, with respect to a covered entity, a

person who: (i) On behal o such covered entity or o an organized health care arrangement (as dened in 164.501 othis subchapter) in which the covered entity participates, but other than in the capacity o a member o the workorce osuch covered entity or arrangement, perorms, or assists in the perormance o: (A) A unction or activity involving the useor disclosure o individually identiable health inormation, including claims processing or administration, data analysis,processing or administration, utilization review, quality assurance, billing, benet management, practice management, andrepricing; or (B) Any other unction or activity regulated by this subchapter; or (ii) Provides, other than in the capacity oa member o the workorce o such covered entity, legal, actuarial, accounting, consulting, data aggregation (as denedin 164.501 o this subchapter), management, administrative, accreditation, or nancial services to or or such coveredentity, or to or or an organized health care arrangement in which the covered entity participates, where the provision othe service involves the disclosure o individually identiable health inormation rom such covered entity or arrangement, orrom another business associate o such covered entity or arrangement, to the person. (2) A covered entity participating in anorganized health care arrangement that perorms a unction or activity as described by paragraph (1)(i) o this denition oror on behal o such organized health care arrangement, or that provides a service as described in paragraph (1)(ii) o this

denition to or or such organized health care arrangement, does not, simply through the perormance o such unction oractivity or the provision o such service, become a business associate o other covered entities participating in such organizedhealth care arrangement. (3) A covered entity may be a business associate o another covered entity.

Cloud Computing


NIST Special Publication 800-146

A model or enabling on-demand network access to a shared pool o congurable IT capabilities/resources (e.g., networks,

servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management eort orservice provider interaction. It allows users to access technology-based services rom the network cloud without knowledge o,expertise with, or control over the technology inrastructure that supports them. This cloud model is composed o ve essentialcharacteristics (on-demand sel-service, ubiquitous network access, location independent resource pooling, rapid elasticity,and measured service); three service delivery models (cloud sotware as a service [SaaS], cloud platorm as a service [PaaS],and cloud inrastructure as a service [IaaS]); and our models or enterprise access (private cloud, community cloud, publiccloud, and hybrid cloud).

Note: Both the users data and essential security services may reside in and be managed within the network cloud. SOURCE: CNSSI-4009


72/146


Confdentiality


The property that data or inormation is not made available or disclosed to unauthorized persons or processes.

NIST IR 7298 Revision 1, Glossary o Key Inormation Security TermsPreserving authorized restrictions on inormation access and disclosure, including means or protecting personal privacy andproprietary inormation. SOURCE: SP 800-53; SP 800-53A; SP 800-18; SP 800-27; SP 800-60; SP 800-37; FIPS 200;FIPS 199; 44 U.S.C., Sec. 3542

National Committee on Vital and Health Statistics, Recommendations on Privacy and Confdentiality, 2006-2008The obligations o those who receive inormation to respect the privacy interests o those to whom the data relate.

Covered Entities


(1) A health plan. (2) A health care clearinghouse. (3) A health care provider who transmits any health inormation inelectronic orm in connection with a transaction covered by this subchapter.

Cyber Attack


An attack, via cyberspace, target ing an enterprises use o cyberspace or the purpose o disrupting, disabling, destroying, ormaliciously controlling a computing environment/inrastructure; or destroying the integrity o the data or stealing controlledinormation. SOURCE: CNSSI-4009

Data


A subset o inormation in an electronic ormat that allows it to be retrieved or transmitted. SOURCE: CNSSI-4009


73/146


Electronic Health Records (EHR)

42 USC 17921(5)

The term electronic health record means an electronic record o health-related inormation on an individual that is created,

gathered, managed, and consulted by authorized health care clinicians and sta.

42 USC 3000(13)

The term qualied electronic health record means an electronic record o health-related inormation on an individual that (A) includes patient demographic and clinical health inormation, such as medical history and problem lists; and (B) has thecapacity (i) to provide clinical decision support; (ii) to support physician order entry; (iii) to capture and query inormationrelevant to health care quality; and (iv) to exchange electronic health inormation with, and integrate such inormation rom,other sources.

Encryption


Encryption means the use o an algorithmic process to transorm data into a orm in which there is a low probability oassigning meaning without use o a condential process or key.


Conversion o plaintext to ciphertext through the use o a cryptographic algorithm. SOURCE: FIPS 185

The process o changing plaintext into ciphertext or the purpose o security or privacy. SOURCE: SP 800-21; CNSSI-4009

HHS

The U.S. Department o Health and Human Services

HIPAA

The Health Insurance Portability and Accountability Act o 1996 (HIPAA), Public Law 104-191

HITECH

The Health Inormation Technology or Economic and Clinical Health Act, Public Law 111-5


74/146

The Financial Impact o Breached Protected Health Inormation download this publication reely atwebstore.ansi.org/phi 7

Identity Thet

18 U.S.C. 1028

(a) Whoever, in a circumstance described in subsection (c) o this section (1) knowingly and without lawul authority

produces an identication document, authentication eature, or a alse identication document; (2) knowingly transers anidentication document, authentication eature, or a alse identication document knowing that such document or eaturewas stolen or produced without lawul authority; (3) knowingly possesses with intent to use unlawully or transer unlawullyve or more identication documents (other than those issued lawully or the use o the possessor), authentication eatures,or alse identication documents; (4) knowingly possesses an identication document (other than one issued lawully or theuse o the possessor), authentication eature, or a alse identication document, with the intent such document or eaturebe used to deraud the United States; (5) knowingly produces, transers, or possesses a document-making implementor authentication eature with the intent such document-making implement or authentication eature will be used in theproduction o a alse identication document or another document-making implement or authentication eature which willbe so used; (6) knowingly possesses an identication document or authentication eature that is or appears to be anidentication document or authentication eature o the United States or a sponsoring entity o an event designated as aspecial event o national signicance which is stolen or produced without lawul authority knowing that such document oreature was stolen or produced without such authority; (7) knowingly transers, possesses, or uses, without lawul authority,

a means o identication o another person with the intent to commit, or to aid, or abet, or in connection with, any unlawulactivity that constitutes a violation o Federal law, or that constitutes a elony under any applicable state or local law; or(8) knowingly tracs in alse or actual authentication eatures or use in alse identication documents, document-makingimplements, or means o identication.

18 U.S.C. 1028(a) The term identity thet means a raud committed or attempted using the identiying inormation o another person withoutauthority. (b) The term identiying inormation means any name or number that may be used, alone or in conjunction withany other inormation, to identiy a specic person, including any (1) Name, social security number, date o birth, ocialState or government issued drivers license or identication number, alien registration number, government passport number,employer or taxpayer identication number; (2) Unique biometric data, such as ngerprint, voice print, retina or iris image,

or other unique physical representation; (3) Unique electronic identication number, address, or routing code; or(4) Telecommunication identiying inormation or access device (as dened in 18 U.S.C. 1029[e]).

Pub. L. 108159, sec 111; 15 U.S.C. 1681a

The term identity thet means a raud committed using the identiying inormation o another person, subject to such urtherdenition as the Commission may prescribe, by regulation.


75/146


Incident


Security incident means the attempted or successul unauthorized access, use, disclosure, modication, or destruction o

inormation or intererence with system operations in an inormation system.

NIST IR 7298 Revision 1, Glossary o Key Inormation Security TermsA violation or imminent threat o violation o computer security policies, acceptable use policies, or standard security practices SOURCE: SP 800-61An occurrence that actually or potentially jeopardizes the condentiality, integrity, or availability o an inormation systemor the inormation the system processes, stores, or transmits or that constitutes a violation or imminent threat o violation osecurity policies, security procedures, or acceptable use policies. SOURCE: FIPS 200; SP 800-53

An assessed occurrence that actually or potentially jeopardizes the condential ity, integrity, or availability o an inormationsystem; or the inormation the system processes, stores, or transmits; or that constitutes a violation or imminent threat o

violation o security policies, security procedures, or acceptable use policies. SOURCE: CNSSI-4009

Individually Identifable Health Inormation

Health Insurance Portability and Accountability Act o 1996, Public Law 104-191


Inormation that is a subset o health inormation, including demographic inormation collected rom an individual, and: (1)Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and (2) Relates to thepast, present, or uture physical or mental health or condition o an individual; the provision o health care to an individual;

or the past, present, or uture payment or the provision o health care to an individual; and (i) That identies the individual;or (ii) With respect to which there is a reasonable basis to believe the inormation can be used to identiy the individual.

Integrity


The property that data or inormation have not been altered or destroyed in an unauthorized manner.

Malware


A program that is inserted into a system, usually covertly, with the intent o compromising the condentiality, integrity,or availability o the victims data, applications, or operating system or o otherwise annoying or disrupting the victim. SOURCE: SP 800-83


76/146


Media


Electronic media means: (1) Electronic storage media including memory devices in computers (hard drives) and anyremovable/transportable digital memory medium, such as magnetic tape or disk, optical disk, or digital memory card; or(2) Transmission media used to exchange inormation already in electronic storage media. Transmission media include, orexample, the internet (wide-open), extranet (using internet technology to link a business with inormation accessible only tocollaborating parties), leased lines, dial-up lines, private networks, and the physical movement o removable/transportableelectronic storage media. Certain transmissions, including o paper, via acsimile, and o voice, via telephone, are notconsidered to be transmissions via electronic media, because the inormation being exchanged did not exist in electronicorm beore the transmission.

NIST IR 7298 Revision 1, Glossary o Key Inormation Security TermsPhysical devices or writing suraces including but not limited to magnetic tapes, optical disks, magnetic disks, large scaleintegration (LSI) memory chips, and printouts (but not including display media) onto which inormation is recorded, stored,

or printed within an inormation system. SOURCE: FIPS 200; SP 800-53; CNSSI-4009

Medical Identity Thet

The World Privacy Forum, Medical Identity Thet: The Inormation Crime that Can Kill You, Spring 2006

Medical identity thet occurs when someone uses a persons name and sometimes other parts o their identity such asinsurance inormation without the persons knowledge or consent to obtain medical services or goods, or uses the personsidentity inormation to make alse claims or medical services or goods. Medical identity thet requently results in erroneousentries being put into existing medical records, and can involve the creation o ctitious medical records in the victims name.

Mobile Devices


Portable cartridge/disk-based, removable storage media (e.g., foppy disks, compact disks, USB fash drives, external harddrives, and other fash memory cards/drives that contain nonvolatile memory).

Portable computing and communications device with inormation storage capability (e.g., notebook/laptop computers,personal digital assistants, cellular telephones, digital cameras, and audio recording devices). SOURCE: SP 800-53

NIST

National Institute o Standards and Technology


77/146


Personally Identifable Inormation (PII)

OMB Memorandum M-07-16, Saeguarding Against and Responding to the Breach o Personally Identifable Inormation

Inormation which can be used to distinguish or trace an individuals identity such as their name, social security number, biometric

records, etc., alone, or when combined with other personal or identiying inormation which is linked or linkable to a specifc individual,such as date and place o birth, mothers maiden name, etc.

NIST Special Publication 800-122, Guide to Protecting the Confdentiality o Personally Identifable Inormation (PII)

Any inormation about an individual maintained by an agency, including: (i) any inormation that can be used to distinguish or trace anindividuals identity, such as name, social security number, date and place o birth, mothers maiden name, or biometric records; and (ii)any other inormation that is linked or linkable to an individual, such as medical, educational, fnancial, and employment inormation.

Physical Saeguards


Physical measures, policies, and procedures to protect a covered entitys electronic inormation systems and related buildings andequipment, rom natural and environmental hazards, and unauthorized intrusion.

Privacy

National Committee on Vital and Health Statistics, Recommendations on Privacy and Confdentiality, 2006-2008

Health inormation privacy is an individuals right to control the acquisition, uses, or disclosures o his or her identifable health data.

Proprietary Inormation


Material and inormation relating to or associated with a companys products, business, or activities, including but not limited to fnancialinormation; data or statements; trade secrets; product research and development; existing and uture product designs and perormancespecifcations; marketing plans or techniques; schematics; client lists; computer programs; processes; and know-how that has beenclearly identifed and properly marked by the company as proprietary inormation, trade secrets, or company confdential inormation.The inormation must have been developed by the company and not be available to the government or to the public without restrictionrom another source. SOURCE: CNSSI-4009


78/146


Protected Health Inormation (PHI)


Protected health inormation means individually identiable health inormation: (1) Except as provided in paragraph

(2) o this denition, that is: (i) Transmitted by electronic media; (ii) Maintained in electronic media; or (iii) Transmittedor maintained in any other orm or medium. (2) Protected health inormation excludes individually identiable healthinormation in: (i) Education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C.1232g; (ii) Records described at 20 U.S.C. 1232g(a)(4)(B)(iv); and (iii) Employment records held by a covered entity inits role as employer.

Risk


The level o impact on organizational operations (including mission, unctions, image, or reputation), organizational

assets, or individuals resulting rom the operation o an inormation system given the potential impact o a threat and thelikelihood o that threat occurring. SOURCE: FIPS 200

The level o impact on organizational operations (including mission, unctions, image, or reputation), organizationalassets, individuals, other organizations, or the nation resulting rom the operation o an inormation system given thepotential impact o a threat and the likelihood o that threat occurring. SOURCE: SP 800-60

A measure o the extent to which an entity is threatened by a potent ial circumstance or event, and typically a unct iono: (i) the adverse impacts that would arise i the circumstance or event occurs; and (ii) the likelihood o occurrence.Note: Inormation systemrelated security risks are those risks that arise rom the loss o condentiality, integrity, oravailability o inormation or inormation systems and consider the adverse impacts to organizational operations (includingmission, unctions, image, or reputation), organizational assets, individuals, other organizations, and the nation. SOURCE: SP 800-53

A measure o the extent to which an entity is threatened by a potent ial circumstance or event, and typically a unct iono: (1) the adverse impacts that would arise i the circumstance or event occurs; and (2) the likelihood o occurrence.Note: Inormation system-related security risks are those risks that arise rom the loss o condentiality, integrity, oravailability o inormation or inormation systems and refect the potential adverse impacts to organizational operations(including mission, unctions, image, or reputation), organizational assets, individuals, other organizations, and thenation. SOURCE: CNSSI-4009

A measure o the extent to which an entity is threatened by a potent ial circumstance or event, and typically a unct iono: (i) the adverse impacts that would arise i the circumstance or event occurs; and (ii) the likelihood o occurrence.Note: Inormation system-related security risks are those risks that arise rom the loss o condentiality, integrity, oravailability o inormation or inormation systems and refect the potential adverse impacts to organizational operations(including mission, unctions, image, or reputation), organizational assets, individuals, other organizations, and thenation. Adverse impacts to the nation include, or example, compromises to inormation systems that support criticalinrastructure applications or are paramount to government continuity o operations as dened by the Department oHomeland Security. SOURCE: SP 800-37; SP 800-53A

The probability that one or more adverse events will occur. SOURCE: SP 800-61


79/146


Security

National Committee on Vital and Health Statistics, Recommendations on Privacy and Confdentiality, 20062008

Physical, technological, or administrative saeguards or tools used to protect identiable health data rom unwarranted

access or disclosure.


A condition that results rom the establishment and maintenance o protective measures that enable an enterprise to perormits mission or critical unctions despite risks posed by threats to its use o inormation systems. Protective measures mayinvolve a combination o deterrence, avoidance, prevention, detection, recovery, and correction that should orm part o theenterprises risk management approach. SOURCE: CNSSI-4009

Technical Saeguards


The technology and the policy and procedures or its use that protect electronic protected health inormation and controlaccess to it.

Threat


Any circumstance or event with the potential to adversely impact organizational operations (including mission, unctions,image, or reputation), organizational assets, individuals, other organizations, or the nation through an inormation system

via unauthorized access, destruction, disclosure, modication o inormation, and/or denial o service. SOURCE: SP 800-53; SP 800-53A; SP 800-27; SP 800-60; SP 800-37; CNSSI-4009

The potential source o an adverse event. SOURCE: SP 800-61

Any circumstance or event with the potential to adversely impact organizational operations (including mission, unctions,image, or reputation), organizational assets, or individuals through an inormation system via unauthorized access,destruction, disclosure, modication o inormation, and/or denial o service. Also, the potential or a threat-source tosuccessully exploit a particular inormation system vulnerability. SOURCE: FIPS 200

Unauthorized Disclosure


An event involving the exposure o inormation to entit ies not authorized access to the inormation. SOURCE: SP 800-57;CNSSI-4009


80/146

APPENDIX B Legal and Regulatory Liabilities

Note: These research notes have been substantially edited

down so as to supplement but not duplicate inormation

included in the PHI project report.

The Impact of Electronic Health Informationon Health Information Privacy: The Growth inReported Privacy Violations

According to the U.S. Department o Health and Human Services(HHS) Oce or Civil Rights (OCR), nearly 20 million Americans havehad the privacy o their electronic protected health inormation (PHI)breached in nearly 400 incidents involving more than 500 individualsbetween September 2009 and February 2012.1 The most common cause othese breaches was thet.

The privacy o thousands o additional individuals has been breached in incidentsinvolving less than 500 individuals. From April 2003 through July 2011, OCR received

more than 62,000 complaints o violations o The Health Insurance Portability andAccountability Act o 1996 (HIPAA) Privacy Rule. Another 420 complaints were receivedby OCR rom October 2009 through July 2011, alleging violations o the HIPAA SecurityRule. OCR has reerred more than 499 cases to the Department o Justice or possible criminalprosecution. O course, OCR has no authority to track or investigate privacy violations by entitiesother than covered entities and their business associates.

1. The Costs of Electronic Privacy Breaches

Four major types o enterprise costs resulting rom inadequate protection o electronic health inormation are:(a) criminal and civil penalties or ailing to comply with health inormation privacy laws; (b) damages or breacho privacy and negligence; (c) legal and consulting ees in connection with enorcement actions and private law

suits; and (d) loss o business and reputation.2 While not direct enterprise costs, higher costs are also incurred bythe health care system when individuals ail to obtain needed health care due to privacy concerns. 3 It has been estimatedthat the direct cost o health care data breaches is $371 per record and that data breaches cost the health care industryapproximately $6.5 billion a year.4

Penalties or violations o privacy laws are the easiest to quantiy. OCR recently invoked the HIPAA Privacy Rule and imposeda civil monetary penalty o $4.3 million on a health plan that ailed to provide 41 patients with access to their healthinormation and then ailed to respond to OCRs complaint and subsequent investigative demands.5 OCR also recently agreedto a settlement o $1 million with a physician group practice specializing in inectious diseases due to the loss o records o

The Financial Impact o Breached Protected Health Inormation -Appendix B download the publication atwebstore.ansi.org/phi 1

The Financial Impact of Breached

Protected Health Information
https://webstore.ansi.org/phi/https://webstore.ansi.org/phi/https://webstore.ansi.org/phi/https://webstore.ansi.org/phi/


81/146


192 patients, including patients with HIV/AIDS, when an employee let the records on a subway train.6 More recently, OCRagreed to accept a payment o $865,500 rom a university health care provider or allegedly ailing to prevent an employeerom improperly viewing electronic health records (EHRs) o celebrity patients and ailing to sanction the employee. 7 Apsychotherapist was recently indicted on ederal criminal charges stemming rom a HIPAA Privacy Rule violation or allegedlydisclosing a patients mental health treatment inormation to an agent o the patients employer without the patientsauthorization and on the alse pretense that the patient was an imminent threat to the public while knowing otherwise.8

OCR has provided training to state attorneys general in how to institute legal proceedings or health inormation privacyviolations.9 A major health plan recently agreed to pay a $100,000 ne levied by a state attorney general involving anelectronic health privacy breach.10 Another state attorney general agreed to a $250,000 settlement o a HIPAA violationin which a health insurer lost a computer disk containing the names, addresses, and health and nancial inormation omore than 2 million customers.11

OCR recently hired an accounting rm to perorm 150 HIPAA privacy and security compliance audits by the end o2012.12 Given that the Oce o the Inspector General o HHS published a report that seven hospitals randomly reviewedor compliance with health inormation privacy and security compliance had 151 vulnerabilities in systems and controls 124 o which were categorized as high impact13 it is likely that audits will nd deciencies in compliance.

In addition to ederal and state nes and penalties, private lawsuits or breach o health inormation privacy can also resultin large awards or settlements. For example, the U.S. Department o Veterans Aairs (VA) agreed to pay a $20 millionsettlement or the thet o a laptop computer rom an employees home, containing inormation on 26.5 million VA patients,even though the items were later turned in and there was no evidence that the databases had been accessed. 14 A nationalcompany with eye examination and eyewear subsidiaries settled a class action lawsuit brought by 1.4 million consumersor $20 million, ollowing allegations that the eye examiners improperly disclosed health histories to the eyewear retaileror the purposes o marketing eyewear.15 Recently, the health care program or the U.S. Department o Deense was suedor $4.9 billion ater backup tapes containing health and other personal inormation on 4.9 million military personnel werestolen rom the automobile o a contractor or the program. 16

The Health Inormation Technology or Economic and Clinical Health (HITECH) Act enacted in February 2009, which

expanded privacy protections o the HIPAA Privacy Rule, has been projected to increase health care spending under theMedicare and Medicaid programs by $32.7 billion rom 2009 through 2019.17That cost was projected to be decreased to$20.8 million i 45% o hospitals and 65% o physicians adopt EHR systems by 2019. As o 2009, only about 1.5% o U.S.hospitals had comprehensive EHR systems (i.e., present in all clinical units), 7.6% had a basic system, while only about 5%o physicians had a ully unctional EHR system that is interoperable. 18 The rising cost o electronic privacy breaches doesnot appear to have been actored into the cost o implementing EHR systems nationwide. Investment in protection o theprivacy o health care is critical to the adoption o EHRs to preserve the publics condence that private health inormationwill be adequately protected, and is essential in avoiding ur ther escalation o health care costs.

2. The Publics Perception of Health Information Privacy

What is the publics expectation o health inormation privacy? Ater one o the largest rulemakings in the history o the

agency, HHS determined when it issued the original HIPAA Privacy Rule that

. . . the entire health care system is built upon the willingness o individuals to share the most intimate details otheir lives with their health care providers.19

According to HHS, this essential transaction cannot occur without a relationship o trust.20 For that trust to exist, individualsmust believe that the privacy o their health inormation will be protected by those who handle it. 21 Trust must also exist orthe public to accept the use o electronic health inormation systems to store and transmit their personal health inormation.22


82/146


Legal Liability Arising from Electronic Health Information Systems:Sources of Health Information Privacy Liability

Management and reduction o the nancial and business liability arising rom mishandling personal health inormationis only possible with a clear understanding o the privacy rights o patients and customers and the requirements andenorcement mechanisms o health inormation privacy laws and proessional ethics. In other words, enterprises that

handle electronic health inormation must be aware o their customer privacy expectations which orm the basis o laws,regulations, and what is considered reasonable in the context o tort liability.

1. The Constitutional Right to Privacy

Even though the Constitution only protects individuals rom privacy intrusions by governments rather than by privateentities,23 individuals employed by governmental entities (e.g., governmentally operated hospitals) can be sued in theirpersonal capacities or violating privacy rights they should have known existed.24 For example, a swimming coachemployed by a county high school was successully sued in his individual capacity under the Civil Rights Actor violatingthe constitutionally protected privacy rights o a young woman on the team when he disclosed the results o a pregnancytest he required her to take.25 A police ocer was successully sued or the wrongul death o a young man who committedsuicide ater the ocer threatened to disclose his sexual orientation to his amily. 26

Most recently, in 2012, the Supreme Court unanimously held that Americans have a right to privacy with respect tothe government or inormation collected using electronic technology, and that this protection is aorded by the FourthAmendment right to be ree rom unreasonable searches and seizures. The basis o the right to privacy can be either theintent o the ramers o the Constitution at the time it was drated or an individuals reasonable expectation o privacytoday. As one justice said in a concurring opinion, health inormation such as trips to the psychiatrist, the plastic surgeon,the abortion clinic, the AIDS treatment center would clearly come within the constitutionally protected right to privacy. 27

In a 2011 decision, the Supreme Court held that a state law that prohibited the unauthorized use o prescribing inormationor marketing purposes by data miners violated their ree speech rights under the First Amendment to the Constitutionbecause it allowed others to use the inormation without comparable restrictions. 28 The data miners in this case purchased

the inormation in de-identied orm rom pharmacies to help better detail sales pitches to physicians. This decision couldwell mean that privacy laws in the uture will have ewer exceptions to the authorization requirements in order to avoid theappearance o discriminating in avor o certain groups.

2. The Right to Privacy in Standards of Professional Ethics

The right to not have ones health inormation disclosed without ones consent is a core concept o both the Hippocratic Oathand the standards o ethics o virtually all health proessions.29 The American Medical Association (AMA) has re-armedthis ethical policy in the context o electronic health inormation systems:

Our AMA policy is that where possible, inormed consent should be obtained beore personally identiablehealth inormation is used or any purpose.30

Medical practitioners can have their licenses suspended or revoked or engaging in unethical conduct. Standards o ethicsmay also be used in lawsuits or breach o privacy to show that individuals have a reasonable expectation o privacy.

The HIPAA Privacy Rule also provides that even or permitted disclosures, only the minimum necessary inormation may bedisclosed to accomplish the purpose o the disclosure, and that this is intended to refect, be consistent with, and not override,proessional judgment and standards.31 Proessional ethics clearly retain relevance in determining the individuals privacyrights and the potential liability or those who handle protected health inormation.


83/146


3. The Right to Privacy under Federal and State Privileges

The Supreme Court has ound, based on the reason and experience o the country, that communications between apatient and a psychotherapist, are subject to a psychotherapist-patient privilege that can only be waived by the patient.32The reason is that eective psychotherapy is completely dependent upon an atmosphere o trust that the therapist will notdisclose inormation that the patient provides in condence. The psychotherapist-patient privilege recognized at the ederal

level has also been recognized by all 50 states and the District o Columbia.33

At least 43 states recognize a more general physician-patient privilege.34 The Privacy section o the HITECH Act makesclear that nothing in that section is intended to waive any privileges that might otherwise apply.35 So privileges also remaina source o privacy protection and potential legal liability i they are violated, and mental health inormation is most likelyto be protected under privilege and other privacy laws.

A. Privacy Rights and Liability under Federal Statutes and Regulations

1. HIPAA Privacy and Security Rule and HITECH Act

The HIPAA Privacy and Security regulations prohibit covered entities and their business associates rom using ordisclosing protected health inormation except as permitted or required by the HIPAA Privacy Rule. 36 Uses anddisclosures are permitted, but not required, or treatment, payment, and health care operation, as well as twelvespecial purposes.37 Most other disclosures must be authorized by the individual. Psychotherapy notes (notesrecorded in any medium by a health care provider who is a mental health proessional, documenting or analyzingthe contents o conversation during a private counseling session or a group, joint, or amily counseling session, andthat are separated rom the rest o the individuals medical record)38 are accorded enhanced privacy protectionsand cannot be disclosed without patient authorization in most situations. 39

Under the HITECH Act, covered entities must agree to requests by individuals or restrictions on disclosures o PHIor payment and health care operations i the individual pays out-o-pocket.40 Failure to comply with these or otherrestrictions on uses and disclosures is regarded as a violation o the HIPAA Privacy Rule. 41 Covered entities must

provide aected individuals, the secretary o HHS, and, in some circumstances, the media, with notice o PHI breacheswithin statutorily established timerames.42 Business associates must notiy covered entities o such breaches.43 Permitteddisclosures in most cases are limited to the minimum necessary disclosure or the intended purpose. 44 The HIPAASecurity Rule establishes nearly 20 standards or protecting the security o electronic health inormation, some owhich are required and some o which are addressable.45 When a security standard is addressable, there must bean assessment as to whether it is reasonable and appropriate in the particular environment.46

2. Federal Drug and Alcohol Abuse Act

Federal law protecting the condentiality o alcohol and drug abuse patient records is codied at 42 U.S.C. 290dd-2 and is better known by its implementing regulation, 42 C.F.R. Part 2. The regulation applies to anyederally assisted organization that holds itsel out as providing treatment or alcohol or drug abuse, making a

diagnosis or that treatment, or making a reerral or that treatment.47 Pre-dating HIPAA by nearly two decades,4842 C.F.R. Part 2 implements stringent condentiality standards or patient identiying inormation.49 42 C.F.R. Part2 compliance obligations are unequivocal50 and violators are liable under the ederal criminal code.51 Potentialpenalties can be up to $500 or a rst oense and up to $5,000 or each subsequent oense. 52

Organizations that must comply with HIPAA and 42 C.F.R. Part 2 ace many challenges regarding inormationcondentiality.53 For example, 42 C.F.R. Part 2 pre-empts HIPAAs waiver o patient consent provisions54 and cansignicantly narrow what inormation may be disclosed and re-disclosed about the patient. This becomes a thornyproblem in the wake o a data breach, and organizations suering a breach o patient identiying inormation may


84/146


be liable under both HIPAAs Breach Notication Rule risk o harm standard and impermissible disclosuresunder 42 C.F.R. Part 2.55 Because o this complexity and potential or liability, it has been shown that substanceabuse treatment providers are reluctant to hop on the EHR bandwagon. 56

3. Gramm-Leach-Bliley Act

The Gramm-Leach-Bliley Financial Modernization Act o 1999 (GLB Act)57 requires covered companies to giveconsumers privacy notices that explain the institutions inormation-sharing practices. The GLB Act applies tonancial institutions, or entities that oer nancial products or services to individuals, such as, health or lieinsurance. Privacy notices must be clear, conspicuous, and accurate statements o the companys privacy practicesand include: inormation the company collects about its consumers and customers, with whom it shares inormation,and how it protects inormation. Notices apply to nonpublic personal inormation, which includes ones personalinormation the institution collects in the normal course o business, including social security numbers, accountnumbers, and nancial or health inormation. Individuals have the right to opt out o having their inormationshared with certain third parties. Privacy notices must explain how, and oer a reasonable way or them, to opt out;or example, notices can include a detachable orm or toll-ree telephone number or consumers or customers to use.In addition, privacy notices must explain that customers have a right to say no to the sharing o certain inormationwith the inst itutions aliates.

Violations o the GLB Act may result in a civil action being brought by a U.S. attorney. Penalties or violations include:nes upon institutions o up to $100,000 or each violation; nes upon ocers/directors o nancial institutions o upto $10,000 or each violation; and criminal penalties o imprisonment or up to 5 years, a ne, or both.

4. Genetic Information Non-Discrimination Act (GINA)

The Genetic Inormation Non-Discrimination Act o 2008(GINA)58 protects Americans against discrimination basedon their genetic inormation with respect to health insurance and employment and includes several health inormationprivacy provisions. I an employer, employment agency, labor organization, or joint labor-management committeeobtains genetic inormation about an employee/member, the inormation must be maintained on separate orms

and in separate medical les. Further, it must be treated as a condential medical record o the employee/member.The entity may not disclose this inormation except: (1) to the employee/member at his/her written request; (2) to ahealth researcher; (3) in response to a court order; (4) to government ocials investigating compliance with GINA;(5) to the extent that disclosure is made in connection with the employees compliance with the Family and MedicalLeave Act o 1993or similar state laws; and (6) to a ederal, state, or local public health agency concerning acontagious disease that presents an imminent hazard.

I violated, individuals may seek reinstatement, hiring, promotion, back pay, injunctive relie, compensatory andpunitive damages, and attorneys ees and costs. Plaintis may bring suit under the Employee Retirement IncomeSecurity Act(ERISA) to enorce GINA rights without exhausting administrative remedies ater showing that doing sowould cause irreparable harm. Courts may order retroactive reinstatements o health coverage and/or penalties oup to $100 per day o noncompliance. Also, the Department o Labor may sue under GINA. Penalties may be up to

$100 per day, with minimum penalties o $2,500 or de minimis violations and $15,000 or signicant violations.Maximum penalties or unintentional violations are capped at the lesser o 10% o the amount paid by the employeror group health plans during the prior year, or $500,000. Furthermore, there is no cap on the penalty or violationsresulting rom case-law dened willul neglect59 or intentional misconduct.60


85/146


5. Family Educational Rights and Privacy Act

The Family Educational Rights and Privacy Act o 1974(FERPA)61 protects the privacy o student education recordsand applies to all schools (including student health clinics at colleges and universities) receiving unds under anapplicable program o the U.S. Department o Education. These records may include health inormation such asmedications taken and/or immunization records. I a person or entity acting on behal o a school subject to FERPA

(such as a school nurse) directly maintains student health records, these records are education records under FERPA.As education records, the inormation is protected under FERPA and not HIPAA.

FERPA gives parents certain rights with respect to their childrens education records. These rights then transer tostudents when they reach the age o 18 or attend post-secondary institutions. Students to whom the rights havetranserred are eligible students. Schools must have written permission rom the parent or eligible student torelease any inormation rom the students education record. However, records may be released without consentto certain entities and in certain situations, including: to school ocials with legitimate educational interest; otherschools to which a student is transerring; specied ocials or audit or evaluation purposes; appropriate parties inconnection with nancial aid to a student; organizations conducting certain studies or or on behal o the school;accrediting organizations; to comply with a judicial order or lawully issued subpoena; appropriate ocials incases o health and saety emergencies; and state and local authorities, within a juvenile justice system, pursuant

to specic state law.

The Family Policy Compliance Oce reviews and investigates complaints o violations o FERPA. Penalties caninclude the withdrawal o Department o Education unds. Courts routinely hold that FERPA does not create a privateright o action against the educational institution.

B. Privacy Rights and Liability under State Statutes and Regulations

While the HIPAA Privacy and Security Rules are the most generally applicable requirements concerning an individualshealth inormation, state laws also create health inormation privacy rights and obligations. In enacting HIPAA,Congress established a ederal foor o privacy protections allowing or more restrictive privacy protections under

state regimes to remain in eect.

62

HIPAA provides that only state laws that are contrary to the provisions or requirements o the HIPAA Privacy Rule arepre-empted by the ederal requirements and that contrary provisions o state law that coner more stringent privacyprotections are not superseded.63 Caliornia has the most stringent patient privacy laws in the nation stronger than theederal laws.64 Thereore, a covered entity and particularly one with operations across numerous states should paycareul attention to the requirements o state laws to ensure compliance with applicable ederal and state law. Healthcare organizations sometimes mistakenly believe that i they are in compliance with the ederal HIPAA Privacy andSecurity Rules, they are also in compliance with state privacy laws.

As o October 2010, 46 states, the District o Columbia, Puerto Rico, and the Virgin Islands had enacted electronic databreach disclosure laws.65 Some o these laws require notice o data breaches that are not required under the HITECH

Acts breach notice provisions. Organizations should check these laws as well as the ederal breach notice laws toensure that they are in compliance with both in the case o an inormation breach.

With some exceptions, such as Cali ornias Confdentiality o Medical Inormation Act, states have not instituted broadprivacy requirements concerning health inormation. A ew states and territories (Minnesota, New York, Vermont,Puerto Rico, and Guam) have privacy protections that require patient consent or disclosures by hospitals to otherproviders. Other states either adopt the HIPAA Privacy Rule protections or allow disclosures as permitted by law.


86/146


Congress mandated in the HITECH Act that the HIT Policy Committee, which was established under that Act, makerecommendations to Congress or technologies to protect the privacy o sensitive individually identiable healthinormation including segmentation o such inormation.66 No such recommendations had been made as o October2011 but the HHS Oce o the National Coordinator had begun an inormation gathering exercise.

C. Privacy Rights under Tort and Contract Laws in the States and District of Columbia

Most states and the District o Columbia recognize in case law the torts o invasion o privacy and intrusion uponseclusion that would be oensive to the reasonable person. The common law in some states recognizes a right to healthinormation privacy as part o an implied contract between patients and their health care providers. 67 The applicationo these laws in any given case may be hard to assess. Additionally, tort theories traditionally have as an element somemeasure o damages. Outside o any alleged mental anguish type damages, i one does not suer actual monetarydamages, the reach o state tort law to provide redress is somewhat o an open issue. However, there are new damagestheories that are being advanced based upon the value o the inormation to an individual.68 When actual out-o-pocket damages are suered (or example, where one expends time and/or money to repair their health inormationrecords ater medical identity thet), law suits based on tort theories may provide redress.
https://webstore.ansi.org/phi/https://webstore.ansi.org/phi/https://webstore.ansi.org/phi/


87/146


ENDNOTES1 Breaches Aecting 500 or More Individuals. United States Department o Health and Human Services. Web. 31 Jan. 2012.

http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnoticationrule/postedbreaches.html.2 New London Consulting. How Privacy Considerations Drive Patient Decisions and Impact Patient Care Outcomes. Rep. 13 Sept. 2011.

FairWarning. Web. http://www.airwarning.com/documents/2011-WHITEPAPER-US-PATIENT-SURVEY.pd.3 HHS nding, 65 Fed. Reg. at 82,776 (Dec. 28. 2000).

4 Ponemon Institute LLC. 2010 Annual Study: U.S. Cost o a Data Breach. Sponsored by Symantec Corporation, March 2011. Web. http://www.symantec.com/content/en/us/about/media/pds/symantec_ponemon_data_breach_costs_report.pd?om_ext_cid=biz_socmed_twitter_acebook_

marketwire_linkedin_2011Mar_worldwide_costodatabreach; ID Experts. Data Breaches Cost the Healthcare Industry an Estimated $6.5 Billion;

Latest Ponemon Study Reveals Data Breaches Up 32 Percent Due to Sloppy Mistakes and Unsecured Mobile Devices. December 1, 2011. Web.

http://www2.idexpertscorp.com/press/healthcare-news/data-breaches-cost-the-healthcare-industry-an-estimated-65-billion/5 U.S. Department o Health and Human Services. HHS Imposes a $4.3 Million Civil Money Penalty or Violations o the HIPAA Privacy Rule. HHS.

gov, 22 Feb. 2011. Web. http://www.hhs.gov/news/press/2011pres/02/20110222a.html.6 U.S. Department o Health and Human Services. Massachusetts General Hospital Settles Potential HIPAA Violations. HHS.gov, 24 Feb. 2011.

Web. http://www.hhs.gov/news/press/2011pres/02/20110224b.html.7U.S. Department o Health and Human Services. University o Caliornia settles HIPAA Privacy and Security case involving UCLA Health System acilities.

HHS.gov, 7 July 2011. Web. http://www.hhs.gov/news/press/2011pres/07/20110707a.html; Conn, Joseph. UCLA Health System Agrees to Settle

HIPAA Complaints. ModernHealthcare.com. 7 July 2011. Web. http://www.modernhealthcare.com/article/20110707/NEWS/307079962.8 Simpson, Elizabeth. Suolk Doctor Faces Federal Privacy Law Charges. PilotOnline.com. The Virginian Pilot, 23 June 2011. Web.

http://hamptonroads.com/2011/06/suolk-doctor-aces-ederal-privacy-law-charges.9 Anderson, Howard. 10.8 Mill ion Aected by Major Breaches. GovInoSecurity.com. 25 Apr. 2011. Web.

http://www.govinosecurity.com/articles.php?art_id=3576.10 Times Sta Report. Ind. AG Reaches Settlement with WellPoint in Consumer Data Breach. Nwitimes.com. Northwest Indiana Times, 5 July

2011. Web. http://www.nwitimes.com/business/local/article_7eddb17-aa1c-5950-b743-cec018b84267.html.11 Nicastro, Dom. HIPAA Faces HITECH-Empowered State AGs. HealthLeaders Media, 27 July 2010. Web.

http://www.healthleadersmedia.com/page-1/LED-254310/HIPAA-Faces-HITECHEmpowered-State-AGs.12 Mosquera, Mary. HHS Taps KPMG to Perorm HIPAA Audits. Government Health IT. 6 July 2011. Web.

http://www.govhealthit.com/news/hhs-taps-kpmg-perorm-hipaa-audits.13 Oce o the Inspector General. Nationwide Rollup Review o the Centers or Medicare & Medicaid Services Health Insurance Portability and

Accountability Act o 1996 Oversight. Rep. U.S. Department o Health and Human Services, 16 May 2011. Web.

http://www.workplaceprivacyreport.com/uploads/le/Oce%20o%20Insp%20Gen%20Re%20HIPAA%20enorce%205-16-11.pd.14 Yen, Hope. VA Agrees to Pay $20 Million to Veterans in 2006 Data Breach. Boston.com. The Boston Globe, 28 Jan. 2009. Web.

http://articles.boston.com/2009-01-28/news/29254594_1_data-thet-veterans-groups-va-inspector.15 BNA. LensCraters, Pearle Settle Class Actions Alleging Consumer, Privacy Law Violations. Health Care Daily, 15 Aug. 2008.16 Vijayan, Jaikumar. Deense Dept. Hit with $4.9B Lawsuit over Data Breach. Computerworld. 14 Oct. 2011. Web.

http://www.computerworld.com/s/article/9220874/Deense_Dept._hit_with_4.9B_lawsuit_over_data_breach.17Redhead, C. Stephen. Rep. The Health Inormation Technology or Economic and Clinical Health (HITECH) Act. Congressional Research Service,

23 Feb. 2009. Web. http://www.nationalehealth.org/sites/deault/les/hitech_act.pd.18 Id. at p. 1; Jha, Ashish K., and Catherine M. DesRoches, et al. Use o Electronic Health Records in U.S. Hospitals. The New England Journal

o Medicine. 16 Apr. 2009. Web. http://www.nejm.org/doi/ull/10.1056/NEJMsa0900592#t=article.19 65 Fed. Reg. at 82,467 (Dec. 28, 2000).20 Id.21 Id.22 Freudenheim, Milt. Breaches Lead to Push to Protect Medical Data. Nytimes.com. The New York Times, 30 May 2011. Web.

http://www.nytimes.com/2011/05/31/business/31privacy.html?pagewanted=all.23 Citizens or Health v. Leavitt, 428 F.3d 167, 177 (3rd Cir. 2005), cert. den. 127 S. Ct. 43 (2006).24 Bivens v. Six Unknown Fed. Narcotic Agents, 403 U.S. 388, 91 S. Ct. 1999 (1971).25 Gruenke v. Seip, 225 F.3d 290 (3rd Cir. 2000).26 Sterling v. Borough o Minersville, 232 F.3d 190 (3rd Cir. 2000).27United States v. Jones, ___S. Ct. __, 2012 WL 171117 (Jan. 23, 2012).28 Sorrell v. IMS Health, Inc., 564 U.S. _, 131 S. Ct. 2653 (2011).29 National Committee on Vital and Health Statistics. Privacy and Condentiality in the Nationwide Health Inormation Network. Rep. U.S.

Department o Health and Human Services, 22 June 2006. Web. http://ncvhs.hhs.gov/060622lt.htm.
https://webstore.ansi.org/phi/https://webstore.ansi.org/phi/https://webstore.ansi.org/phi/http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/postedbreaches.htmlhttp://www.fairwarning.com/documents/2011-WHITEPAPER-US-PATIENT-SURVEY.pdfhttp://www.symantec.com/content/en/us/about/media/pdfs/symantec_ponemon_data_breach_costs_report.pdf?om_ext_cid=biz_socmed_twitter_facebook_marketwire_linkedin_2011Mar_worldwide_costofdatabreachhttp://www.symantec.com/content/en/us/about/media/pdfs/symantec_ponemon_data_breach_costs_report.pdf?om_ext_cid=biz_socmed_twitter_facebook_marketwire_linkedin_2011Mar_worldwide_costofdatabreachhttp://www.symantec.com/content/en/us/about/media/pdfs/symantec_ponemon_data_breach_costs_report.pdf?om_ext_cid=biz_socmed_twitter_facebook_marketwire_linkedin_2011Mar_worldwide_costofdatabreachhttp://www2.idexpertscorp.com/press/healthcare-news/data-breaches-cost-the-healthcare-industry-an-estimated-65-billion/http://www.hhs.gov/news/press/2011pres/02/20110222a.htmlhttp://www.hhs.gov/news/press/2011pres/02/20110224b.htmlhttp://www.hhs.gov/news/press/2011pres/07/20110707a.htmlhttp://www.modernhealthcare.com/article/20110707/NEWS/307079962http://hamptonroads.com/2011/06/suffolk-doctor-faces-federal-privacy-law-chargeshttp://www.govinfosecurity.com/articles.php?art_id=3576http://www.nwitimes.com/business/local/article_7feddb17-aa1c-5950-b743-cec018b84267.htmlhttp://www.healthleadersmedia.com/page-1/LED-254310/HIPAA-Faces-HITECHEmpowered-State-AGshttp://www.govhealthit.com/news/hhs-taps-kpmg-perform-hipaa-auditshttp://www.workplaceprivacyreport.com/uploads/file/Office%20of%20Insp%20Gen%20Re%20HIPAA%20enforce%205-16-11.pdfhttp://articles.boston.com/2009-01-28/news/29254594_1_data-theft-veterans-groups-va-inspectorhttp://www.computerworld.com/s/article/9220874/Defense_Dept._hit_with_4.9B_lawsuit_over_data_breachhttp://www.nationalehealth.org/sites/default/files/hitech_act.pdfhttp://www.nejm.org/doi/full/10.1056/NEJMsa0900592#t=articlehttp://www.nytimes.com/2011/05/31/business/31privacy.html?pagewanted=allhttp://ncvhs.hhs.gov/060622lt.htmhttp://ncvhs.hhs.gov/060622lt.htmhttps://webstore.ansi.org/phi/http://www.nytimes.com/2011/05/31/business/31privacy.html?pagewanted=allhttp://www.nejm.org/doi/full/10.1056/NEJMsa0900592#t=articlehttp://www.nationalehealth.org/sites/default/files/hitech_act.pdfhttp://www.computerworld.com/s/article/9220874/Defense_Dept._hit_with_4.9B_lawsuit_over_data_breachhttp://articles.boston.com/2009-01-28/news/29254594_1_data-theft-veterans-groups-va-inspectorhttp://www.workplaceprivacyreport.com/uploads/file/Office%20of%20Insp%20Gen%20Re%20HIPAA%20enforce%205-16-11.pdfhttp://www.govhealthit.com/news/hhs-taps-kpmg-perform-hipaa-auditshttp://www.healthleadersmedia.com/page-1/LED-254310/HIPAA-Faces-HITECHEmpowered-State-AGshttp://www.nwitimes.com/business/local/article_7feddb17-aa1c-5950-b743-cec018b84267.htmlhttp://www.govinfosecurity.com/articles.php?art_id=3576http://hamptonroads.com/2011/06/suffolk-doctor-faces-federal-privacy-law-chargeshttp://www.modernhealthcare.com/article/20110707/NEWS/307079962http://www.hhs.gov/news/press/2011pres/07/20110707a.htmlhttp://www.hhs.gov/news/press/2011pres/02/20110224b.htmlhttp://www.hhs.gov/news/press/2011pres/02/20110222a.htmlhttp://www2.idexpertscorp.com/press/healthcare-news/data-breaches-cost-the-healthcare-industry-an-estimated-65-billion/http://www.symantec.com/content/en/us/about/media/pdfs/symantec_ponemon_data_breach_costs_report.pdf?om_ext_cid=biz_socmed_twitter_facebook_marketwire_linkedin_2011Mar_worldwide_costofdatabreachhttp://www.symantec.com/content/en/us/about/media/pdfs/symantec_ponemon_data_breach_costs_report.pdf?om_ext_cid=biz_socmed_twitter_facebook_marketwire_linkedin_2011Mar_worldwide_costofdatabreachhttp://www.symantec.com/content/en/us/about/media/pdfs/symantec_ponemon_data_breach_costs_report.pdf?om_ext_cid=biz_socmed_twitter_facebook_marketwire_linkedin_2011Mar_worldwide_costofdatabreachhttp://www.fairwarning.com/documents/2011-WHITEPAPER-US-PATIENT-SURVEY.pdfhttp://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/postedbreaches.html


88/146


30 American Medical Association, Report 19 o the Board o Trustees (A-07), Patient Inormation in the Electronic Medical Record.31 67 Fed. Reg. at 53,1973; 65 Fed. Reg. at 82,544.32 Jaee v. Redmond, 518 U.S. 1, 116 S. Ct. 1923 (1996).33 See statutes cited in Jaee v. Redmond, 518 U.S. 1, 12, n. 11, 116 S. Ct. 1923 (1996).34 Pritts, Joy, and Angela Choy, et al. State o Health Privacy: A Survey o State Health Privacy Statutes. Rep. 2nd ed. Washington: Institute or Health

Care Research and Policy at Georgetown University, 2002. Health Privacy Project. The Robert Wood Johnson Foundation, June 2002. Web.

http://ihcrp.georgetown.edu/privacy/pds/statereport1.pd.

35 42 U.S.C. 17951(c); HITECH Act, section 13421(c).36 45 C.F.R. 164.501, et seq.; 45 C.F.R. 164.302 et seq.3745 C.F.R. 164.502; 164.512.38 45 C.F.R. 164.501 Denitions.39 45 C.F.R. 164.508(a)(2).40 42 U.S.C. 17935(a); HITECH Act, section 13405(a).41 45 C.F.R. 164.522(a)(1)(iii).42 42 U.S.C. 17932; HITECH Act, section 13402.43 42 U.S.C. 17932(b); HITECH Act, section 13402(b).44 45 C.F.R. 164.514(d).45 45 C.F.R. 164.306-316.46 454 C.F.R. 164.306(d).

4742 C.F.R. 2.11.48 Ms. Rose Jade is a noted authority on the history o 42 C.F.R. Part 2. See: Jade, Rose. The Secret Lie o 42 CFR Part 2 - What Every Deender

and Investigator Needs to Know About Patient Records rom Federally Funded Drug or Alcohol Treatment Centers. The Champion, Vol. 30, No.

34, April 2006. Available at SSRN: http://ssrn.com/abstract=1128955.49 42 C.F.R. 2.11.50 42 C.F.R. 2.13(b).51 42 U.S.C. 290dd-2().52 42 U.S.C. 17939(d); HITECH Act, section 13410(d).53 Substance Abuse and Mental Health Services Administration and the U.S. Department o Health and Human Services. The Condentiality o Alcohol and

Drug Abuse Patient Records Regulation and the HIPAA Privacy Rule: Implications or Alcohol and Substance Abuse Programs. Rep. Substance Abuse and

Mental Health Services Administration, June 2004. Web. http://www.samhsa.gov/HealthPrivacy/docs/SAMHSAPart2-HIPAAComparison2004.pd.54 Ibid. p. 5.55

Breach Notication or Unsecured Protected Health Inormation; Interim Final Rule. 74 Federal Register 162 (August 24, 2009), ootnote 8 p.42745.56 Legal Action Center. Condentiality o Alcohol and Drug Records in the 21st Century. Jan. 2010. Web.

http://www.lac.org/doc_library/lac/publications/Condentiality_o_Alcohol_and_Drug_Records_in_the_21st_Century-1-20-10.pd.57Pub.L. 106-102, 113 Stat. 1338 (Nov. 12, 1999).58 Pub.L. 110-233, 122 Stat. 881 (May 21, 2008).59 Willul neglect has been dened as a conscious, intentional ailure or reckless indierence. Whether a ailure to le timely is due to reasonable

cause and not willul neglect is a question o act. Cunningham v. Commr, T.C. Memo 2009-194 (T.C. 2009).60 The term intentional misconduct means conduct by a person with knowledge (at the time o the conduct) that the conduct is harmul to the health

or well-being o another person [42 USCS 1791 (b) (8)].

61 Pub. L. No. 93-380 (1974).62 67 Fed. Reg. at 53,212.63 42 U.S.C. 1320d-2(c)(2); HIPAA, section 264(c)(2).64 Nicastro, Dom. Beware o More Stringent State HIPAA Laws. HealthLeaders Media, 24 July 2009. Web.

http://www.healthleadersmedia.com/content/TEC-236461/Beware-o-More-Stringent-State-HIPAA-Laws.html.65 National Conerence o State Legislatures. State Security Breach Notication Laws. NCSL.org. 6 Feb. 2012. Web.

http://www.ncsl.org/issues-research/telecom/security-breach-notication-laws.aspx.66 42 U.S.C. 300jj-12(b)(2)(B); HITECH Act, section 3002(b)(2)(B).67Givens v. Millikin, 75 S. W. 3d 383 (Tenn. 2002).

68 Manos, Diana. Patients Sue Walgreens or Making Money on Their Data. Healthcare IT News. 18 Mar. 2011. Web.

http://www.healthcareitnews.com/news/patients-sue-walgreens-making-money-their-data; Kramer, Reuben. CVS Faces Suit or Prescription

Data Sales. Courthouse News Service. 8 Mar. 2011. Web. http://www.courthousenews.com/2011/03/08/34749.htm.
https://webstore.ansi.org/phi/https://webstore.ansi.org/phi/https://webstore.ansi.org/phi/http://ihcrp.georgetown.edu/privacy/pdfs/statereport1.pdfhttp://ssrn.com/abstract=1128955http://www.samhsa.gov/HealthPrivacy/docs/SAMHSAPart2-HIPAAComparison2004.pdfhttp://www.lac.org/doc_library/lac/publications/Confidentiality_of_Alcohol_and_Drug_Records_in_the_21st_Century-1-20-10.pdfhttp://www.gpo.gov/fdsys/pkg/PLAW-106publ102/content-detail.htmlhttp://www.gpo.gov/fdsys/pkg/PLAW-110publ233/content-detail.htmlhttp://www.healthleadersmedia.com/content/TEC-236461/Beware-of-More-Stringent-State-HIPAA-Laws.htmlhttp://www.ncsl.org/issues-research/telecom/security-breach-notification-laws.aspxhttp://www.healthcareitnews.com/news/patients-sue-walgreens-making-money-their-datahttp://www.courthousenews.com/2011/03/08/34749.htmhttps://webstore.ansi.org/phi/http://www.gpo.gov/fdsys/pkg/PLAW-110publ233/content-detail.htmlhttp://www.gpo.gov/fdsys/pkg/PLAW-106publ102/content-detail.htmlhttp://www.courthousenews.com/2011/03/08/34749.htmhttp://www.healthcareitnews.com/news/patients-sue-walgreens-making-money-their-datahttp://www.ncsl.org/issues-research/telecom/security-breach-notification-laws.aspxhttp://www.healthleadersmedia.com/content/TEC-236461/Beware-of-More-Stringent-State-HIPAA-Laws.htmlhttp://www.lac.org/doc_library/lac/publications/Confidentiality_of_Alcohol_and_Drug_Records_in_the_21st_Century-1-20-10.pdfhttp://www.samhsa.gov/HealthPrivacy/docs/SAMHSAPart2-HIPAAComparison2004.pdfhttp://ssrn.com/abstract=1128955http://ihcrp.georgetown.edu/privacy/pdfs/statereport1.pdf


89/146

APPENDIX C Legal Considerationswith Respect to Cloud Computing

Cloud computing is not governed by statutes orregulations unique to the cloud nor unique to healthdata processed or stored in a cloud inrastructure.However, cloud computing presents heightenedopportunities or breaches o protected health inormation(PHI) because o the nature o the inrastructure itsel, andbecause o the complexities that the inrastructure creates insecuring satisactory contractual arrangements with a provider ocloud services.

In cloud computing, the entity purchasing cloud computing services, i.e.,the consumer or user, contracts with a cloud provider to access itsresources hardware inrastructure, sotware, and data storage, or example on a dynamic, on-demand basis. How much service and where the serviceor the consumers data will be located are not always known at the time o thecontract, as services and processing power may be located in a number o sitesincluding several countries.

Cloud computing is somewhat similar to a shared utility or a shared acility. Each useris responsible or preparing the resources to suit its own needs or data protection. Thecloud providers resources are shared among all consumers dynamically so that as one userfnishes a task, removes his sotware or data, or relinquishes control o a resource, another

users sotware and data may move in to consume thatsame resource. The high speed and requent swapping oconsumers and resources create opportunities to lose controli not very careully managed by the user and the cloud provider.

Although a cloud services environment can be created by a consumerand controlled internally in a private cloud or sharing computing

resources within an organization, there are a number o issues that aconsumer must consider in purchasing public cloud services (or even a hybridpublic and private cloud). While sharing resources hosted internally in a private

Documents

The Financial Impact of Breached Protected Health Information: A Business Case for Enhanced PHI Security