HHS Office for Civil Rights Hosts Webinar on Final Rule

Today, the Department of Health and Human Services, Office for Civil Rights (OCR), joined with the Workgroup for Electronic Data Interchange and hosted an online seminar discussing the HITECH requirements in the new Final Rule. The presentations covered many points about the Final Rule previously outlined on this blog (see here, here, and here).

Rachel Seeger, presenting for the Office for Civil Rights, confirmed the regulator's intent to strengthen privacy protections for protected health information (PHI) wherever that information may be stored, whether by health care providers, business associates, or subcontractors.

With respect to enforcement, Ms. Seeger indicated OCR’s policy preference to make audits “a permanent part of enforcement efforts.” OCR especially expressed interest in identifying “systemic or significant” compliance problems within regulated entities.

Presenting for the Workgroup for Electronic Data Interchange, Mark Cone highlighted recurring compliance issues based on an analysis of Corrective Action Plans and audits. Corrective Action Plans are frequent components of resolution agreements between OCR and non-compliant entities and can provide insight into enforcement direction. Mr. Cone offered the following takeaways for avoiding common compliance failures:

  • Document risk analysis, as required by the Rule. Simply “putting policies and procedures in place does not constitute a risk analysis,” said Mr. Cone.
  • Tailor employee training to the actual practices of the organization, and ensure that training occurs prior to any interaction with PHI.
  • Adequately safeguard mobile and portable devices, including stored data and communications via email and text messaging. “Encryption, encryption, encryption,” repeated Mr. Cone, emphasizing the importance of securing mobile devices.
  • Enforce workplace sanctions for mishandled PHI. The Final Rule requires implementing a sanctions policy for employee mishandling of PHI, and the OCR demands that the policy be more than words on a page.
  • Enforce appropriate workstation use. Mr. Cone suggested that the physical positioning of laptop and computer screens can sometimes be a compliance issue. PHI appearing on a screen should not be visible to casual passers-by or other unauthorized personnel.
  • Respond promptly to letters from the OCR. Have a policy in place for appropriately handling requests from the OCR.
  • Smaller covered entities should resist the temptation to uncritically accept outside vendors’ own business associate agreements. All business associate agreements should be reviewed to ensure that they are appropriate and up-to-date.
  • Periodically revise policies and procedures to ensure that they reflect the organization’s current real-world practices and technology use. Policies and procedures are often the first thing the OCR asks to see in an investigation. Out-of-date policies are treated as a red flag and may trigger heightened regulatory scrutiny.

HHS OCR Director Leon Rodriguez's Dialogue on HIPAA/HITECH Compliance

“HIPAA is a valve, not a blockage,” stated HHS OCR Director Leon Rodriguez, at the OCR/NIST 6th Annual Conference on Safeguarding Health Information:  Building Assurance through HIPAA Security.  Discussing the tension inherent in HIPAA, between patient access to patient information and an organization’s safeguarding of protected health information (PHI), Director Rodriguez characterized OCR’s HIPAA guidance as providing the “super highways” to ensuring patient access to PHI and to safeguarding PHI.   An organization, on its own, must figure out the “surface streets,” emphasizing once again the flexibility and scalability of HIPAA.  Regardless of the type or size of an organization governed by HIPAA, the basic rules remain the same.  To adequately safeguard PHI, HIPAA defines a process.  HIPAA provides an organization with a series of decisions, policies and procedures, analyses, and plans.  Above all, patient expectations govern. 

Where does an organization draw the line between patient access and protecting PHI, especially in light of increased OCR enforcement of HIPAA/HITECH?  To ease a covered entity’s and business associate’s anxiety, Director Rodriguez reassured organizations that OCR is not playing a game of “gotcha.”   OCR is neither trolling for enforcement actions and civil monetary penalties (CMPs), nor seeking to punish a proactive organization for a single incident.   In support of his statement, Director Rodriguez highlighted the fact that of the 74,554 complaints filed since 2003, and the 26,513 total cases investigated by OCR, 17,767 cases resulted in corrective action, and only 13 cases since 2008 resulted in a Resolution Agreement and CMPs.   

Director Rodriguez acknowledged that breaches of PHI are going to happen, as risks exist even where organizations are doing everything right.   OCR is interested in what an organization is not doing, and whether the proper analysis is being conducted.  An organization must identify, remedy and change (if needed).  

So what type of action/inaction ends up in an OCR monetary enforcement scenario?  Director Rodriguez identified two culprits:  (1) an ongoing failure to comply with the HIPAA Privacy and Security Rules, and (2) an unforgivable disclosure.  Regarding the first category, an ongoing failure usually persists over several months or years.  Often a risk analysis is missing altogether, along with routine information system reviews.  Director Rodriguez stressed the importance of conducting risk analyses to identify vulnerabilities.  Once a risk is identified, it must be properly evaluated and addressed.  Another recurring ongoing failure is neglecting to update policies and procedures after a change in business operations or a change in technology.  Director Rodriguez summarized the routine case falling under OCR's monetary enforcement scenario as one involving an incident affecting a large number of records, a vulnerability that existed for a number of months, and a failure to assess risk (e.g. OCR's May 21, 2013 Resolution Agreement with Idaho State University).  The second category is an unforgivable disclosure of PHI that is borderline criminal (e.g. the UCLA breach of celebrities' privacy resulting in OCR's July 6, 2011 Resolution Agreement). 

Regarding CMPs, Director Rodriguez highlighted the guidance provided in the Final Rule on the factors to consider in determining the amount of a CMP.  He used the Resolution Agreement with Alaska DHSS, where there was an alleged lack of remediation over a long period of time, to demonstrate how a prolonged failure to remediate can increase a CMP.  In the Alaska DHSS matter, the Resolution Agreement required payment of $1.7M.  Accordingly, in addition to identifying, assessing and responding to a breach incident, an organization must also timely remedy any vulnerability in order to keep the amount of any potential CMP low.       

Director Rodriguez also commented on the vulnerabilities associated with mobile devices, which remain a topic of interest for OCR.  Of the breach reports received by OCR, 25% involve paper records or mobile devices.  Director Rodriguez encourages all organizations to focus on securing mobile devices (a "great vulnerability") and to use the HHS resources on mobile device security.   

OCR's HIPAA audits were also discussed, specifically OCR's findings regarding encryption.  Not surprisingly, OCR found that encryption, an addressable implementation specification under the Security Rule, was not always implemented by organizations.  "Addressable" does not mean optional: an organization that decides not to encrypt must document why the specification is not reasonable and appropriate for its environment and implement an equivalent alternative measure where one is reasonable and appropriate.  Director Rodriguez stressed the importance of conducting that analysis: shopping for technology, evaluating the risks and costs of implementation, and considering how encryption might affect patient care in the clinical setting.  An organization must weigh the pros and cons of encryption in making the final decision to encrypt or not to encrypt.  A lack of documented analysis regarding the adoption of encryption is a red flag.   

Director Rodriguez, concluding his dialogue on HIPAA/HITECH compliance, recommended that every organization “be smart and implement best practices” and remember that the patient is most important.  Organizations must determine how to best ensure patient access to PHI while also adequately safeguarding PHI.  “[A] risk analysis, ongoing risk management, and routine information system reviews are the cornerstones of an effective HIPAA security compliance program.”

Healthcare Privacy and Data Protection - Year in Review

BakerHostetler’s Privacy and Data Protection Team has handled some of the largest and most complex privacy incidents and regulatory investigations in the healthcare industry.  This Year in Review gives a summary of the team’s activity in 2012.

What Covered Entities and Business Associates Need to Do to Prepare for the New HIPAA/HITECH Requirements (Part II)

There has been a lot of discussion about the impact of the Final Omnibus Rule modifying the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules as well as the breach notification rules of the Health Information Technology for Economic and Clinical Health Act (HITECH).  In Part I, we discussed what HIPAA covered entities (CEs) need to do to prepare.  This discussion will focus on our suggestions for HIPAA business associates (BAs) and their subcontractors (subBAs).  Although the core recommendations are for the most part the same as those we identified in Part I for CEs, the justification for adopting them is slightly different and the priorities are reordered for BAs and subBAs.

Legal:  BAs are now directly liable for compliance with certain HIPAA Privacy and Security Rule requirements. Experienced outside privacy counsel can help BAs become compliant with the final rule requirements.  Privacy counsel will be valuable in assessing and documenting whether a breach has occurred, as well as in helping BAs and subBAs develop appropriate compliance programs. Now that CEs have an obligation to appropriately select and retain vendors, CEs will be doing their due diligence to determine whether their vendors are compliant.

Cyber Insurance:  CEs have been struggling with HIPAA compliance, particularly compliance with the Security Rule, for nearly a decade.  Now, BAs must enter the fold.  While BAs for the most part have safeguards in place for protected health information (PHI), strict compliance with the HIPAA Security Rule by BAs is questionable.  Insurance is not a substitute for compliance.  More than one-third of breaches are caused by vendors, and the breach reports we have seen since 2009 suggest that BAs and subBAs have a lot to do to become fully compliant with HIPAA.  Therefore, as BAs and subBAs wrestle with these compliance issues, it is critical to have a robust cyber insurance policy in place that covers not only notification costs, but also regulatory penalties.  BAs and CEs need to keep in mind that penalties for violations of the HIPAA Rules will be specific to the organization against which the penalty is being assessed.

There appears to be some confusion over whether joint and several liability principles will apply to the assessment of penalties.  There may be a few very limited circumstances where this might be an issue, but for the most part the penalty will relate to a specific violation by that entity.  For example, a BA will not be subject to penalties because a CE did not perform a periodic risk assessment as required by HIPAA. Conversely, a BA may be subject to a penalty for not having sufficient technical safeguards in place, while the CE may be subject to a penalty for being aware of the BA's failures and not doing something to stop the practice.

Policies and Procedures:  Compliance with HIPAA requires that administrative, technical, and physical safeguards be in place to protect PHI.  Additionally, the organization must have policies and procedures in place to implement these safeguards.  The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has enforcement authority over the HIPAA Privacy and Security Rules.  After a breach is reported to HHS, OCR requests a copy of the organization's policies and procedures in place to safeguard PHI.  The request is often broader than the cause of the reported breach and extends to all policies and procedures in place, so that OCR can determine whether the responding organization is compliant with HIPAA.  Examples of policies that BAs should have in place include:  (1) permitted uses and disclosures of PHI; (2) business associates; (3) minimum necessary; (4) de-identification of PHI; (5) back-up plans; (6) disaster recovery; (7) risk analysis; (8) risk management plans; (9) workforce training; and (10) termination of access.

Risk Assessments and Risk Management Plans:  BAs are now subject to the OCR HIPAA Audit protocol.  HIPAA requires organizations to conduct periodic risk assessments and then to address the risks identified in a risk management plan.  The OCR HIPAA Audit program sets a framework to analyze process, controls, and policies of the selected BA by using a comprehensive audit protocol.  The protocol addresses uses and disclosures, safeguards in place (administrative, physical, and technical), and breach notification rule compliance.

Incident Response Plans (IRPs):  IRPs are a roadmap to guide an organization’s incident response team’s (IRT) breach response activities.  As with CEs, the IRPs of BAs and subBAs must include the factors HHS has outlined for consideration in determining whether there is a low probability of compromise:  (1) the nature and extent of PHI involved; (2) the unauthorized person who used the PHI or to whom the disclosure was made; (3) whether PHI was actually acquired or viewed; (4) the extent to which the risk to PHI has been mitigated (e.g. assurances from trusted third-parties that the information was destroyed).   An IRT’s members depend on the size and complexity of the organization, but typically include members from the following groups:  (1)  general counsel; (2) IS/IT; (3) communications; (4) HR; (5) compliance and (6) privacy.  External members of the team can include:  (1) outside privacy counsel; (2) forensics; (3) notification vendors; and (4) crisis management.

Breach Analysis Forms:  Keep in mind two basic requirements when considering the impact of the final rule.  The first is compliance and the second is documentation.  As BAs develop their compliance programs to fit the new requirements, they need to remember to update their forms as well.  The standard for determining whether or not a breach has occurred has changed and so has the required analysis.  A breach is presumed unless the CE can show that there is a low probability of compromise.  Moreover, HHS has outlined at least four (4) factors that must be considered. (The four factors are listed under Incident Response Plans, supra.) To the extent that third-party tools which analyze breach notification are utilized, BAs need to confirm that the approach reflects the new requirements.

Education:  A culture of compliance is expected.  Education and awareness are the best ways to develop that culture.  In addition to new employee training and annual training, consider periodic training in the form of newsletters and other events to keep privacy at the top of employees’ minds.

Business Associate Agreements:  Expect an administrative nightmare.  Changes to business associate agreements (BAAs) are coming.  CEs will be struggling with compliance with the final rule and you are going to see demands from CEs that may test the BAs' ability to comply with the requests--both on an administrative level because of the volume of contracts that will need to be amended and from a compliance standpoint because BAs are not prepared to meet the safeguard demands.  Additionally, BAs will need to modify the agreements they have in place with subBAs to ensure compliance with HIPAA. 

Forensics:  As with CEs, BAs need to develop relationships with forensic firms because outside forensics is going to be critical in helping to reach a conclusion that a breach has not occurred--low probability of compromise. For those BAs that already have cyber insurance, talk to your broker or carrier about the forensics options and seek recommendations from them as to how the coverage will support you with the changes in the regulations.

OCR Director Rodriguez has made it clear the final rule provides for the most sweeping changes to HIPAA since the Privacy and Security Rules were released.  And, further, the final rule provides OCR with an opportunity to vigorously enforce compliance.  These statements are a reality for the several dozen OCR investigations that we are currently defending.  As time passes, and OCR gains experience through the thousands of breaches that are reported and the audits that are conducted, the questions which organizations face will become more difficult to answer.  Compliance with HIPAA must be a top priority for all CEs, BAs, and subBAs.  

Be Prepared: Redline Version of the HIPAA/HITECH Final Rule

The final rule is significant for any organization that is considered to be a HIPAA covered entity (“CE”) (health systems, health care providers, health plans, etc.) or the more broadly defined business associate (“BA”).  During our initial analysis of the final rule, we note significant changes to the way a breach is defined and we will be discussing some of those changes during a webinar on January 23, 2013. 

There are several ways CEs and BAs can prepare.  We have prepared a redlined version of the final rule as a way to help CEs and BAs sift through the changes and prepare for the March 26, 2013 effective date.  The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has referred to these as "sweeping changes" that better enable it to "vigorously" enforce the HIPAA Privacy and Security Rules.

Authorship Credit:  Alan Pate & Michael von Ansbach-Young

What Covered Entities and Business Associates Need to Do to Prepare for the New HIPAA/HITECH Requirements (Part I)

The Department of Health and Human Services (HHS) issued, on January 17, 2013, its Final Omnibus Rule modifying the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") Privacy and Security Rules as well as the breach notification rules of the Health Information Technology for Economic and Clinical Health Act ("HITECH").  Our initial discussion can be found here.  The healthcare industry has been waiting for the final rule for more than two and a half years. Now that it is here, what do Covered Entities (CEs) and Business Associates (BAs) need to do to prepare for compliance?  We will cover recommendations for CEs in this post, Part I, and BAs will be addressed in Part II.


Incident Response Plans:  To the extent you are a CE who has been waiting for the final rule to implement an incident response plan (IRP), now is the time.  An IRP helps the breach response team respond to privacy events by providing them with a roadmap so that a determination can be made as to whether or not a breach has occurred.  At a minimum, new and existing plans should incorporate the factors outlined by HHS to be considered:  (1) the nature and extent of PHI involved; (2) the unauthorized person who used the PHI or to whom the disclosure was made; (3) whether PHI was actually acquired or viewed; (4) the extent to which the risk to PHI has been mitigated (e.g. assurances from trusted third-parties that the information was destroyed). 


Policies and Procedures:  CEs' policies and procedures, including the Notice of Privacy Practices, must be updated and amended to reflect the new requirements.  For example, there are new requirements regarding the timeliness of responding to requests for a copy of PHI.


Breach Analysis Forms:  CEs have been utilizing forms that reflect the language of the interim final rule, where the focus is on the potential harm to the patient.  Many CEs have also utilized breach analysis forms that depend on a risk rating developed by third parties to assess whether there is a significant risk of harm due to the impermissible use or disclosure.  The standard has changed and so will the required analysis.  A breach is presumed unless the CE can show that there is a low probability of compromise.  Moreover, HHS has outlined at least four (4) factors that must be considered.  (The four factors are listed under Incident Response Plans, supra.)


Education:  HHS and OCR expect that healthcare organizations will create a culture of compliance.  Raising awareness about the importance of privacy issues through education is just one way to achieve this goal.  CEs should consider other opportunities to keep privacy at the top of their employees' minds (e.g., posters, newsletters, committee calls).  Just as the Federal Trade Commission (FTC) is promoting Privacy by Design, CEs need to consider ways that privacy awareness can be incorporated into every aspect of patient care and healthcare operations. 


Vendor Lists and Vendor Contracts:  Vendors remain the cause of a large percentage of breaches that occur; more than a third of all breaches are caused by vendors.  Even though BAs are now directly liable, the final rule makes it clear that CEs have an obligation related to appropriately selecting and retaining vendors.  Review your vendor lists to see if any vendors should be removed because of issues relating to data security and privacy.  Review your contracts to see if language needs to be updated to reflect the final rule.


Risk Assessments and Risk Management Plans:  HIPAA requires healthcare organizations to conduct periodic risk assessments and then to address the risks identified in a risk management plan.  Now is a good time to review and assess your risks to determine if changes can be made to help avoid breaches. Privacy counsel can be a critical member of this exercise.  For example, in some instances, outside counsel can retain the vendor and oversee the project to help maintain the attorney-client privilege. The experience of the privacy counsel, however, is also crucial.  Organizations should retain counsel who has been involved in dozens of OCR investigations and who can provide guidance around what OCR is asking for during those investigations.  That experience translates into the organization's ability to better identify risk mitigation strategies in response to the vulnerabilities found during the risk assessment.

Cyber Insurance:  There are many types of cyber policies being sold to healthcare organizations.  Whether or not you have purchased cyber insurance for breach notification, consider seriously the scope of your coverage for regulatory violations and defense of class actions. We predict that OCR and State Attorneys General (SAGs) are going to be far more aggressive than in the past.  Additionally, due to the changed threshold for breach notification, we may see more class action lawsuits which are expensive to defend.


Legal:  Experienced outside privacy counsel is critical for full compliance with the breach notification requirements of the final rule.  A breach is now presumed which means that outside counsel is going to need to help document the reasons why an organization concludes a breach did not occur.


Forensics:  I am not a big proponent of retaining forensics companies prior to a breach occurring.  This is because, like lawyers, the strengths of forensics firms vary.  Therefore, if I am dealing with an issue involving a new malware variant, I may find a forensics vendor who has experience with the variant and is better positioned to assist my client.  The final rule, however, is a bit of a game changer, and I am now encouraging my clients who do not have insurance to interview a few forensics firms, as the new breach notification rules make it clear that a technically sound and understandable forensics report is critical for supporting a determination that a breach did not occur.  For those that have insurance, talk to your broker or carrier about the forensics options and seek recommendations from them as to how the coverage will support you with the changes in the regulations.


The final rule becomes effective on March 26, 2013, but enforcement will not commence until September 23, 2013.  This does not mean that organizations do not need to be compliant.  The Office for Civil Rights (OCR) has made it clear that civil monetary penalties (CMPs) will be on the rise for HIPAA violations.  A culture of compliance is expected, not merely encouraged.  


On Wednesday, January 23, 2013 at Noon EST, we will be hosting a webinar to discuss some of the big changes in the final rule.  You may register here.

WEBINAR: The HIPAA/HITECH Final Rule is Out

The long awaited HIPAA/HITECH final rule is out. Please join Data Privacy Monitor contributors, Theodore J. Kobus III and Lynn Sessions for a webinar that will cover what stands out as big changes and how healthcare organizations need to prepare. Have the standards just been juggled or will healthcare organizations need to change their approach?

A preliminary review of the new regulation is available, here.

Wednesday, January 23, 2013
12:00 PM - 1:00 PM (EST).
There will be additional time following the webinar for anonymous Q&A.
Please come prepared with your questions.

Reserve your Webinar seat now.

Ted and Lynn have helped healthcare organizations handle hundreds of privacy events, including some of the largest and most complicated the industry has faced.

If you have questions about HIPAA/HITECH and how it affects your business before Wednesday's webinar, please do not hesitate to contact Ted Kobus or Lynn Sessions.

The HIPAA/HITECH Final Rule Has Been Released

The long awaited HIPAA/HITECH Final Rule is out.  The final rule is effective March 26, 2013, but covered entities (CEs) and business associates (BAs) will have 180 days beyond the effective date to come into compliance. While we are still conducting a comprehensive review of this 563-page document, below are a few of the changes we have found so far:

  • BAs are now directly liable for compliance with certain HIPAA Privacy and Security Rule requirements:  impermissible uses and disclosures; failure to provide breach notification to the covered entity; failure to provide access to a copy of electronic protected health information to the covered entity, the individual, or the individual's designee; failure to disclose PHI where required by the Secretary to investigate or determine the business associate's compliance with the HIPAA Rules; failure to provide an accounting of disclosures; and failure to comply with the requirements of the Security Rule.
  • Insurers may need a business associate agreement (BAA) with a covered entity if they are performing risk management or assessment activities or legal services for the covered entity which involve access to PHI.
  • Additional guidance has been provided regarding the assessment of civil monetary penalties (CMPs):  number of individuals affected and time period during which violations occurred will be considered.  As noted below, OCR's presentation to the State Attorneys General shows how quickly CMPs can reach very high numbers.
  • Reputational harm is a fact-specific inquiry and does not arise solely from the sensitivity of the diagnosis.  Instead, OCR will look at whether there were adverse effects on employment, standing in the community, or personal relationships.  
  • When assessing CMPs, an organization's history of compliance and non-compliance will be considered.  A mere complaint does not constitute an indication of non-compliance.
  • There are significant changes to treatment and care communications when the covered entity receives financial remuneration for promoting a third party's goods and services.
  • Individuals must have a right to access and to obtain a copy of PHI within 30 days (with a one-time 30 day extension after written notice for the delay and when the records will be provided).
  • The definition of breach has been modified to clarify that an impermissible use or disclosure of PHI is PRESUMED to be a breach unless the CE or BA demonstrates that there is a low probability that the PHI has been compromised.  Documentation sufficient to meet this burden of proof must be maintained.
  • Breach notification is not required if a CE or BA demonstrates through a risk assessment that there is a low probability that the PHI has been compromised--the focus is no longer on the harm to the individual.
  • The probability that PHI has been compromised must be assessed by considering at least: (1) the nature and extent of PHI involved; (2) the unauthorized person who used the PHI or to whom the disclosure was made; (3) whether PHI was actually acquired or viewed; (4) the extent to which the risk to PHI has been mitigated (e.g. assurances from trusted third-parties that the information was destroyed). Most of these factors were likely considered previously by CEs.
  • A CE or BA may choose to notify without performing a risk assessment, since the occurrence of a breach is presumed.
  • Notification, in situations where the use or disclosure is so inconsequential, is not warranted because it may cause the individual unnecessary anxiety or even eventual apathy if notifications of these types of incidents are sent routinely.  An example is provided of a misdirected fax to the incorrect physician who immediately calls to report the error. This is nothing new, just a clear expression of what many have already believed.
  • Substitute notice or media notice may at times occur after the 60-day period, depending on the circumstances.
  • Breaches affecting fewer than 500 individuals must be reported to the Secretary no later than 60 days after the end of the calendar year in which they were discovered, not the year in which they occurred.
  • For breaches affecting 500 or more individuals, notification to the Secretary must occur contemporaneously with notice to individuals.

We also notice some things remain:

  • HITECH only preempts state law to the extent HITECH is more stringent.  HITECH is only a Federal floor of privacy protection.
  • The revised penalty structure remains.  A presentation by the OCR to state Attorneys General shows how aggressive OCR may be in assessing civil monetary penalties (CMPs).
  • "The goal of enforcement is to ensure that violations do not recur without impeding access to care." P. 79.  An entity's financial condition will still be considered.
  • The addressable standard remains.  HHS does "not mandate the use of specific technologies, or require uniform policies and procedures for compliance, because [they] recognize the diversity of regulated entities and appreciate the unique characteristics of their environments." P. 102.
  • The "minimum necessary" standard applies directly to BAs.
  • Certain provisions of the Privacy Rule do not apply to BAs unless the CE delegates that responsibility: designating a privacy officer, providing a notice of privacy practices (NPP).
  • BAAs are still required to help clarify and limit permissible uses and disclosures.
  • A decedent's PHI will require protection for 50 years.
  • The requirement for return or destruction of PHI by the BA at the termination of the contract (if feasible) does extend to subBAs.
  • HHS will not establish or endorse a certification process for HIPAA compliance by BAs and subBAs.
  • Timeliness and content of notification have not changed.
  • A CE retains the ultimate obligation for proper notification.  Notification can be delegated to the BA.
  • Media notification and notification to HHS have not changed.
  • Law enforcement delays remain available.
  • There are no changes to the circumstances permitting preemption of state law under HITECH.

We will continue to assess these changes and post updates as our analysis develops and the impact of these changes is further considered.  

OCR's Breach Settlement the First Ever Involving Fewer than 500 Patients

OCR started 2013 with a bang by announcing that it had reached “the first settlement involving a breach of unprotected electronic protected health information (ePHI) affecting fewer than 500 individuals” with the Hospice of North Idaho (“HONI”). Under the resolution agreement, HONI has agreed to pay $50,000 and enter a two-year Corrective Action Plan to settle potential violations of the HIPAA Security Rule stemming from the June 2010 theft of an unencrypted laptop containing the ePHI of 441 HONI patients. As HITECH does not require covered entities to immediately report breaches involving fewer than 500 individuals to OCR so long as they are reported annually, HONI properly reported the theft to OCR in its annual breach report. OCR nonetheless launched an investigation that concluded the following:

  • HONI did not conduct an appropriate risk assessment regarding the confidentiality of ePHI stored and transmitted using portable electronic devices; and
  • HONI did not have in place policies and procedures to address mobile device security as required under the HIPAA Security Rule.

In addition to the $50,000 settlement payment, HONI also agreed to enter into a two-year Corrective Action Plan—perhaps the most onerous aspect of the resolution agreement. The Plan includes the following obligations: 

  • HONI must notify OCR in writing within thirty days of discovering that a workforce member may have failed to comply with Privacy and Security policies and procedures. The notice must include:
    • a complete description of the event, including the relevant facts, the persons involved, and the Privacy and Security policies implicated; and
    • a description of the actions taken and further steps HONI plans to take to address the matter, mitigate harm, and prevent it from recurring, including the application of sanctions against workforce members who fail to comply with Privacy and Security policies and procedures.
  • If no reportable events occur within the two-year compliance period, HONI must inform OCR in writing within thirty days of expiration of the Corrective Action Plan; and
  • HONI must maintain all documents and records relating to compliance with the Corrective Action Plan for six years from the effective date of the agreement.

Should HONI breach the Corrective Action Plan, it would be subject to civil monetary penalties.

According to the OCR Press Release, HONI has “taken extensive additional steps” since the June 2010 theft to improve their HIPAA Privacy and Security compliance program. Nonetheless, OCR Director Leon Rodriguez emphasized that the action “sends a strong message to the healthcare industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients’ information.” Mr. Rodriguez also stressed the importance of encryption, calling it “an easy method for making lost information unusable, unreadable, and indecipherable.” Based on these comments, this settlement could be just the beginning of a busy enforcement year for OCR.

The Press Release also announced a new educational initiative intended to offer healthcare providers and organizations practical tips on ways to protect their patients’ health information when using mobile devices such as laptops, tablets, and smartphones. Of the past five HITECH-related resolution agreements published by OCR, all five have involved unencrypted portable electronic devices. To address this problem, OCR has partnered with the Office of the National Coordinator for Health Information Technology to provide a new website with videos and other information regarding how to secure and maintain mobile devices.

Here are some observations regarding the importance of this settlement:

Now is the time, no matter the size of your organization.

This settlement is a shot across the bow to all covered entities that have yet to implement a HIPAA compliance plan. Retroactive implementation of policies and procedures, such as the “extensive steps” HONI had taken since the June 2010 theft, is simply not enough to mitigate the impact of a resolution agreement. This settlement also demonstrates that size doesn’t matter when it comes to OCR enforcement. Covered entities of all sizes are officially on notice—if you haven’t implemented an effective compliance plan, now is the time.

Expect an investigation following a breach involving a portable electronic device.

All of the resolution agreements published by OCR in 2012 were the product of investigations stemming from breaches involving portable electronic devices. HONI is no exception, and there is no indication that OCR will deviate from this enforcement pattern any time soon.

Encrypt if you can. If you can’t, document why.

Mr. Rodriguez’s comments and the language of the HONI resolution agreement could indicate an even stronger focus on encryption in the coming year. Encryption is an “addressable” implementation specification for several technical safeguards under the HIPAA Security Rule, meaning a covered entity is not required to implement encryption technology if it determines that implementation is not reasonable and appropriate. If a covered entity makes such a determination, it must document why implementation would not be reasonable and appropriate and implement an equivalent alternative measure if that measure is reasonable and appropriate. According to the HONI resolution agreement, HONI did not document its determination that encryption was not reasonable and appropriate. Prior resolution agreements have included similar language. In addition, Mr. Rodriguez’s description of encryption as an “easy” method of protecting ePHI may indicate that OCR will be focusing on a covered entity’s documentation of valid reasons for choosing not to encrypt portable electronic devices in the coming year.

Reminder: Annual OCR Breach Reporting Is Due March 1, 2013

The breach notification interim final rule requires covered entities to submit to the Office for Civil Rights (OCR) notice of breaches of unsecured protected health information (PHI) (45 C.F.R. 164.408) by March 1, 2013. For breaches affecting fewer than 500 individuals, a covered entity must submit to OCR its annual notification of all breaches occurring in a calendar year within 60 days of the end of the calendar year in which the breaches occurred. This notice must be submitted electronically by completing all information required on the breach notification form, located online. A separate form must be completed for each breach that has occurred during the calendar year. Covered entities should analyze each potential breach under the Health Information Technology for Economic and Clinical Health Act (HITECH) regulations, including documenting incident reports, risk of harm analyses, and notification documents, where applicable. BakerHostetler works with clients in determining which incidents to include on the annual report so that the covered entity does not set a precedent that could prejudice it in a future large breach.

If you need assistance with your annual OCR reporting or breach analysis, please contact Lynn Sessions at 713.646.1352 or lsessions@bakerlaw.com or Ted Kobus at 212.271.1504 or tkobus@bakerlaw.com.

Healthcare Organizations are Suffering from Serious Data Security Ills

The diagnosis is in, and it's not good. Unless an aggressive treatment plan is put in place, the prognosis will be just as bleak.

On December 6, 2012, the Ponemon Institute issued its Third Annual Benchmark Study on Patient Privacy & Data Security. The key findings were that a shocking 94 percent of healthcare organizations in the study had at least one data breach in the past two years, and 45 percent report that they had more than five breaches. Ponemon estimated the average economic impact of the data breaches over the past two years to be $2.4 million for the healthcare organizations that participated in the study, and that the average annual cost to the healthcare industry could potentially reach almost $7 billion.

According to the study, contributing factors are the lack of sufficient technologies, funding and expertise to address the issue. Further, although employee training is the most common activity to secure confidential data, its effectiveness was called into question. The primary cause of breaches in the study was lost or stolen computing devices, many times attributable to employee negligence. The BYOD (bring your own device) trend doesn’t appear to be helping, and criminal attacks increased from 20 percent in 2010 to 33 percent in 2012.

A total cure is unlikely. After all, even FBI director Robert Mueller has stated: “There are only two types of companies: those that have been hacked, and those that will be. Even that is merging into one category: those that have been hacked and will be again.” But, on a positive note, the Ponemon Study found that 68 percent of organizations conduct and document post-breach risk assessments required by the HITECH Act, representing a 7 percent increase from 2011. And more organizations appear to be relying less on ad hoc processes and more on security policies and procedures, including manual procedures and security technologies.

When asked how the threat of an Office of Civil Rights HIPAA audit affected changes in their organizations, only 9 percent selected the purchase of cyber insurance as one of their top two changes. A similar lag in the purchase of cyber insurance was noted in the Chubb 2012 Public Company Risk Survey, which found that although 63 percent of decision makers in public companies identified cyber risk as their number one concern, 64 percent still do not purchase cyber insurance.

The advised treatment plan for healthcare organizations and public companies alike should include continued employee training, establishment of comprehensive formal organizational policies and procedures, incorporation of security technologies, and the purchase of cyber insurance to assist with the response to and the mitigation of damages from a data breach.

CMS's Privacy Problem: Data Breaches, Medicare Numbers, and Inaction

Co-authored by: Cory Fox

The Department of Health and Human Services Office of Inspector General (“OIG”) recently published a report, CMS Response to Breaches and Medical Identity Theft (“Report”), which referenced 14 breaches of medical information by the Centers for Medicare and Medicaid Services (CMS), including Medicare numbers, affecting nearly 14,000 beneficiaries in the past two years. Because the Medicare number includes a beneficiary's social security number, the risk of identity theft resulting from these breaches is significant. CMS's notification to the affected individuals routinely failed to meet the timeliness and content requirements imposed by the Health Information Technology for Economic and Clinical Health Act (HITECH Act). To address these and other breaches, CMS has set up a database of the Medicare numbers of 284,000 beneficiaries and 5,000 providers that have been involved in medical identity theft in the past and are regarded as vulnerable. The Report notes, however, that database users reported problems with the interface and that the database alone is not an adequate remedy.

CMS's continued use of social security numbers as Medicare numbers has been under scrutiny for several years. Since 2002, the U.S. Government Accountability Office (GAO) has repeatedly recommended that CMS use a different methodology in assigning Medicare numbers in order to protect social security numbers. In May 2008, the OIG issued a report urging CMS to remove social security numbers from Medicare cards in order to prevent identity theft. CMS has consistently refused to modify its methodology, citing logistical and cost constraints. In an August 2012 hearing before the House Ways and Means Committee, Tony Trenkle, CMS's Chief Information Officer, testified that transitioning to a new methodology "would be a task of enormous complexity and cost that, undertaken without sufficient planning, would present great risks to continued access to healthcare for Medicare beneficiaries." Mr. Trenkle estimated that the cost of a smooth transition could be as high as $845 million, and he cautioned the committee that the transition would mean a substantial change for physicians treating Medicare patients. This recent string of CMS data breaches has captured the attention of lawmakers, who once again are calling for CMS to act.

Whole Genome Sequencing: Are We Ready for the Next Privacy Frontier?

Co-authored by: Cory Fox

Recently, the Presidential Commission for the Study of Bioethical Issues ("the Commission") submitted a report to the President entitled Privacy and Progress in Whole Genome Sequencing ("Report"). The Report attempts to reconcile the potential societal benefit from advances in whole genome sequencing with the privacy risks individuals who share their genomic data may face by making recommendations to the President as to how best to ensure the privacy of sensitive genomic information without stifling medical advances.

Whole genome sequencing is a technique used to determine the complete sequence of DNA in an individual’s cells. While each individual’s genome is unique, variations in certain human genes have been linked to disease. Whole genome sequencing allows researchers to better understand these links by aggregating and comparing large amounts of genetic data from numerous individuals in order to identify the specific genetic variations that lead to disease. By combining the information obtained from whole genome sequencing with other clinical information, researchers are better able to design new treatments for diseases like cancer, heart disease, and diabetes. In addition, whole genome sequencing allows researchers to better identify an individual’s risk of developing certain diseases, and may eventually permit researchers to specifically tailor a treatment based on an individual’s genetic make-up.

While multiple laws and regulations, such as the Health Insurance Portability and Accountability Act (“HIPAA”), the Common Rule, the Genetic Information Nondiscrimination Act (“GINA”), and some state genetic privacy laws are potentially applicable to the privacy of genomic information, the Report recognizes that the protections afforded by these provisions in their current forms are inadequate. HIPAA applies to covered entities maintaining the privacy and confidentiality of protected health information; however, it is unclear whether de-identified whole genome sequences are protected health information, and there is an emerging technological threat that even de-identified whole genome sequences can be "re-identified". The Common Rule requires, among other things, that federally funded research on human subjects undergo independent review by an institutional review board (“IRB”) and that sufficient procedures minimizing patient risk, including privacy risks, and ensuring informed consent be implemented. The Common Rule has similar limitations as HIPAA regarding de-identified genome sequences. GINA prohibits discrimination on the basis of genetic information in the health insurance market and in employment decisions such as hiring, firing, job assignments, and promotions, but does not address unauthorized disclosure of or access to genomic information. Similarly, under half of the states have adopted genetic privacy laws that expand upon federal protections, but most do not address unauthorized disclosure of or access to genomic information, and the significant variation between states creates uneven and unpredictable privacy assurances.

To address the shortcomings of the existing laws and regulations applicable to the privacy of genomic data, the Report includes the following policy recommendations to the President:

  1. Create strong baseline protections while promoting appropriate data access and sharing.
  2. Ensure the security of sequencing data and control access to sequencing databases.
  3. Maintain consent as a cornerstone of sequencing data privacy.
  4. Facilitate progress in whole genome sequencing.
  5. Ensure continued public benefit by sharing genomic advances as broadly as possible.

The privacy issues surrounding whole genome sequencing are sure to generate significant legal and regulatory changes that could impact all institutions conducting research involving human subjects.

Record UK Fine for Data Breach of Healthcare Information

The United Kingdom’s Information Commissioner’s Office (“ICO”) levied a $499,460 civil monetary penalty (“CMP”) on Brighton and Sussex University Hospitals after discovering staff and patients’ sensitive data contained on hard drives sold on eBay in late 2010.  The breach reportedly exposed tens of thousands of patients’ health information, including HIV status and treatment, other diagnostic and treatment information, disability living allowances and children’s reports. The Brighton and Sussex University Hospitals are NHS trust hospitals.

The breach occurred when the NHS trust’s information technology provider was set to destroy 1,000 hard drives held in a key access only room at Brighton General Hospital. A sub-contractor did not wipe or destroy the drives and took at least 252 out of the hospital. The majority of those found their way on to the internet for auction in October and November 2010.

This is the largest fine issued by the ICO since it began issuing CMPs in April 2010, sending the clear message that the ICO intends to ensure compliance with the UK’s security and data protection regulations through its enforcement authority and by levying CMPs against companies out of compliance.

Privacy and Data Breach Regulatory Activity--A Year in Review

While plaintiffs continue to face an uphill battle proving damages in privacy litigation, regulatory actions and investigations seem to be increasing.  During 2011, we saw activity from many government agencies—both state and federal—including the Federal Trade Commission (FTC), Department of Education (DOE), Department of Health and Human Services (HHS) Office for Civil Rights (OCR), Office of Inspector General (OIG), Securities and Exchange Commission (SEC), state Attorneys General, and the California Department of Public Health (CaDPH).

FTC 

The FTC has a long history of being proactive in promoting consumer protection and in preventing anti-competitive business practices.  The FTC has the power to regulate against unfair methods of competition and unfair or deceptive acts or practices in or affecting commerce.  In 2011, there were several noteworthy FTC actions in the privacy sector.

  • Google Buzz:  The settlement with Google arose out of alleged violations of Google’s privacy promise related to the sharing of Gmail user account information to populate Google’s new social network, Google Buzz.  The settlement bars the company from future privacy misrepresentations.  Google is also required to implement a comprehensive privacy program and submit to independent audits for the next 20 years.  Additionally, for the first time, the FTC alleged violations of the U.S.-EU Safe Harbor Framework (which has privacy requirements for the transferring of personal information from the EU to the U.S.).
  • Playdom:  Playdom, an online game developer, was accused of collecting and disclosing information about hundreds of thousands of children under 13 without parental consent.  The FTC announced on May 12, 2011 that it had reached the largest civil penalty settlement under the Children’s Online Privacy Protection Act (COPPA) with Playdom for $3,000,000.  COPPA prohibits owners of websites and online services directed to children (including general audience websites) from collecting or maintaining personal information (including name, address, email address, telephone number, social security number, etc.) about children under 13 without verifiable parental consent.  The FTC has online resources for those interested in learning more about COPPA.
  • Facebook:  Ending the FTC’s 18-month investigation into Facebook’s user privacy practices, the FTC and Facebook reached a settlement in November of 2011.  As we reported here, by adding Facebook to the list of major social media entities subject to an FTC consent order—a list that includes Google and Twitter—the FTC has loudly signaled its leading role in regulating the online privacy practices of businesses.  The focus of the FTC seemed to be on sharing user information and making certain user information available without clear consent.  Similar to the Google Buzz settlement, Facebook agreed not to misrepresent its privacy controls.  Independent audits for the next 20 years are also part of the settlement.

With the FTC’s recent workshop on facial recognition technology as it relates to privacy and security concerns, it is clear that we will continue to see FTC activity in 2012.  The question remains—will we see any enforcement activity relating to the Red Flag Rules, which we talked so much about between 2008 and 2010?

DOE 

We have seen investigations by the DOE following data breaches involving educational institutions pursuant to the Family Educational Rights and Privacy Act (FERPA).  While there is currently no duty to report a breach to the DOE, the agency is reading news reports and utilizing online resources to track breaches that have been made public.  We expect that this activity will continue in the new year, particularly since the DOE has been more focused on privacy issues in the past few years with the addition of a new Chief Privacy Officer, establishment of the Privacy Technical Assistance Center (PTAC), and the enhancement of FERPA regulations.

HHS OCR

Since the enactment of HITECH, and with its enforcement authority over the HIPAA Privacy and Security Rules in place, OCR has been quite active following data breaches involving healthcare organizations.  Typically, the organization receives a laundry list of document requests (and often supplemental requests as well) during the course of the investigation.  While penalties are available, we have not seen significant activity in this regard.  Still, there were two civil penalties assessed in 2011 that may be a warning that HHS is looking carefully at the safeguards in place to protect protected health information (PHI) at healthcare organizations.  The first penalty was for $1M and involved Massachusetts General Hospital.  There, records of 192 patients of the Infectious Disease Associates outpatient practice were lost on public transportation—some containing diagnoses of HIV/AIDS.  The second incident involved a $4.3M penalty against Cignet for refusing to provide 41 patients access to medical records.  Additionally, it was alleged that Cignet did not cooperate with HHS’s investigation.  With the audits of covered entities commencing just recently, the occurrence of major healthcare breaches in 2011, and the fact that over 30,000 healthcare breaches have been reported since HITECH, we expect that OCR activity will increase in 2012.

State AGs

2011 brought additional activity by state AGs.  AGs have enforcement authority over their own state data breach laws in most cases, as well as enforcement authority under HITECH.  Two actions came out of Massachusetts that should be closely followed.  The first involved the Briar Group, LLC (“Briar Group”), a restaurant chain.  On March 28, 2011, the Briar Group was the first company to be fined under the Massachusetts Data Privacy Law.  In addition to the $110,000 in penalties, the Briar Group will have to prove compliance with the Commonwealth’s data security regulations as well as the Payment Card Industry Security Standards.  The second action involved Belmont Savings Bank and a $7,500 fine.  The fine may seem small, but the incident involved only 13,000 customers, and the back-up tapes at issue were known to be discarded in a trash can by a cleaning company.  The focus of this action seems to be an allegation of poor information security practices, including security procedures for handling computer tapes and customer information.  Also, in Indiana, the Attorney General settled with WellPoint, Inc. for $100,000 after the company allegedly delayed in notifying approximately 32,000 residents about a data breach.  WellPoint was also required to provide up to 2 years of credit monitoring and identity theft protection services to Indiana consumers affected by the breach, and reimbursement to any WellPoint consumer of up to $50,000 for any losses that result from identity theft due to the incident.  The Indiana Attorney General’s Office interprets the timeliness requirement of the Indiana Disclosure of Security Breach Act to require notice to affected individuals within 30 days.

In addition, HHS conducted HITECH enforcement training sessions for state AGs this year.  Now that the training has been completed, we expect to see increased activity in 2012.

These are some of the 2011 regulatory highlights.  Other agencies have been active as well.  No matter which agency may have enforcement power over your organization, do not wait until a breach occurs to think about how you will respond to an investigation.  As we discussed here, regulators expect a prompt and thorough response, transparency and involvement by the C-Suite. 

Supreme Court Finds Vermont Data Mining Law Unconstitutional

The U.S. Supreme Court released its decision today in Sorrell v. IMS Health Inc., a case concerning the constitutionality of a Vermont statute that prohibited pharmacies from selling or disclosing prescriber-identifying information taken from prescriptions for marketing purposes.  The challenge to the statute was made by data mining companies.  The Supreme Court stated that "speech in aid of pharmaceutical marketing ... is a form of expression protected by the Free Speech Clause of the First Amendment."  After applying heightened scrutiny, the Court found that the Vermont statute unjustly burdened speech in violation of the First Amendment.

Thirty-five states filed an amicus brief supporting the law as necessary to protect the privacy of patient data.  Senator Leahy (VT) issued a press release following the decision, which stated:

Today the Supreme Court has overturned a sensible Vermont law that sought to protect the privacy of the doctor-patient relationship.  This divided ruling is a win for data miners and large corporations and a loss for those of us who care about privacy not only in my home state of Vermont but across the nation.  States like Vermont must be able to protect the privacy of sensitive information exchanged between a doctor and patient.  This decision undermines that ability, and risks unduly influencing doctors in their future prescription choices.

HHS Inspector General Reports Highlight IT Security Gaps in Health Care

On May 16, the Office of Inspector General (OIG) of the Department of Health and Human Services (HHS) issued two reports critical of the government’s efforts to build and enforce a federal information security framework for protecting individuals’ electronic protected health information (ePHI).  Of particular interest to health care providers and health plans, these reports signal that heightened enforcement efforts appear likely in the future, making information security a top priority when developing and operating interoperable health care information technology (HIT).

The first OIG report, which assessed the Centers for Medicare and Medicaid Services’ (CMS’) and Office of Civil Rights’ (OCR’s) oversight of the Security Standards under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), found shortcomings in hospital information security implementation, and criticized a perceived lack of effective oversight of such Security Standards by CMS and OCR.  The OIG audit examined information security systems at seven large hospitals located in several states.  The report found 151 security vulnerabilities, ranging from insufficient password strength and unencrypted laptops containing ePHI, to lack of physical protections (e.g., locks) for computer storage rooms, inadequate encryption methods, and incomplete policies and procedures to address audit controls, backup plans and disaster contingencies.  The majority of findings were rated as “high impact”, meaning they posed a significant risk of harm to the individuals whose ePHI was transmitted or stored in such facilities.  The report concluded that OCR needs to significantly improve oversight and enforcement of data security under HIPAA, including continuation of the compliance oversight reviews of covered entities begun in 2009 at the direction of CMS.  The OIG report also referred to exercise of the specific HIPAA enforcement measures and larger penalties enacted under the 2009 American Recovery and Reinvestment Act’s Health Information Technology for Economic and Clinical Health Act (HITECH) provisions.

The second OIG report criticized the Office of the National Coordinator for Health Information Technology (ONC), the agency created under ARRA/HITECH to administer and oversee federal incentives for the adoption and meaningful use of interoperable electronic health records (EHRs), and other related national HIT initiatives.  That report found that the ONC failed to incorporate general information security requirements in the measures required for certified EHRs under HITECH.  While certain application security controls were included in the HIT standards, the OIG found that general security requirements covering the overall security structure, policies and procedures specific to EHR systems were lacking.

In light of these OIG reports, and of ongoing news of misappropriation of patients’ health information and wide-scale security breaches, health care providers and health plans should consider reassessing their security risk exposure and preparedness to address information security lapses and HIPAA enforcement likely to be at the forefront of the national HIT trend.

Noteworthy Data Privacy and Information Security Events in 2010

The two events that drew the most attention in 2010, both of which occurred at year-end, were reports from the FTC and the Department of Commerce.  Below is a brief summary of those two reports and other issues drawing attention in the past year:

(1) FTC Issues Long-Awaited Consumer Privacy Policy Report

On December 1, the FTC published Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policy Makers.

The FTC’s press release provides a summary of the preliminary report.  The best practices framework recommended in the preliminary report for businesses that collect or use consumer data includes:

  • simplifying choices for consumers, providing consumers with greater transparency, and following the Fair Information Practice Principles;
  • creating a “Do Not Track” mechanism to give consumers a choice to avoid online tracking;
  • extending protection to information collected offline;
  • dispensing with the distinction between PII and non-PII because technology allows data fragments to be pieced together; and
  • a “Privacy by Design” concept for businesses.

The preliminary report did not change the FTC’s continued focus on self-regulation.  Finally, the preliminary report contained an appendix with 64 questions on which it invited comment by January 31, 2011.  A final report will be issued later in 2011 based on the comments. 

(2) Department of Commerce Calls for a “Privacy Bill of Rights”

On the heels of the FTC’s preliminary report, the Department of Commerce Internet Policy Task Force released a green paper titled: Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework.  The press release contains a summary.

The Baker Hostetler Data Privacy Monitor covered this green paper here.  The four broad policy recommendations of the task force are:

  • Enhance consumer trust online through recognition of revitalized Fair Information Practice Principles.
  • Encourage the development of voluntary, enforceable privacy codes of conduct in specific industries through collaborative efforts of multi-stakeholder groups, the FTC, and a Privacy Policy Office within the Department of Commerce.
  • Encourage global interoperability.
  • Ensure nationally consistent security breach notification rules.

(3) Behavioral Advertising Opt-Out Icon

As reported by the Baker Hostetler Data Privacy Monitor, a behavioral advertising industry group proposed a Self-Regulatory Program for Online Behavioral Advertising, which features an “Advertising Option Icon” that can be placed near online ads that collect data used to conduct behavioral advertising.  Users who click on the icon will receive a disclosure statement about the data collection and use practices associated with the ad along with the ability to opt-out of being tracked.

(4) Social Media

  • Facebook faced several privacy issues, including an FTC complaint regarding its privacy policy, the online publication of details of 100 million Facebook users, and questions from U.S. Senators.
  • Google apologized for collecting about 600 gigabytes of data snippets captured from e-mails and browsing history from Wi-Fi networks in more than 30 countries.
  • In the first FTC action against a social network service, Twitter settled charges that it deceived consumers and put their privacy at risk by failing to safeguard their personal information.

(5) HHS/HIPAA/HITECH

  • White House Forms New Subcommittee to Review Online Privacy Issues
  • HHS Withdraws Draft Of Final HIPAA Breach Notification Rule

(6) Massachusetts Data Security Regulations

Massachusetts’ aggressive new data security regulations (201 CMR 17.00 et seq.), which became effective on March 1, 2010, contain broad and imposing mandates that go further than any other state law or regulation.  Even companies that have no facilities or personnel in Massachusetts must comply with the strict mandates if they maintain personal information of any Massachusetts resident in connection with providing goods or services. 

All businesses covered by the statute must institute a written information security program.  That program must, among other things:

  • Designate an employee to maintain the security program;
  • Identify and evaluate internal and external security risks;
  • Impose disciplinary measures for violations of the program rules;
  • Oversee third-party service providers;
  • Require regular monitoring and updating of the program; and
  • Document responsive actions taken in connection with any breach of security.

For many businesses, the most difficult compliance issues arise from the encryption mandates of 201 CMR 17.04, which require the encryption of: (1) laptops containing personal information that leave the business’s premises; (2) personal information transmitted across the Internet or wirelessly; and (3) backup tapes on a prospective basis.

White House Forms New Subcommittee to Review Online Privacy Issues

In a statement released October 24, the Obama Administration launched a new interagency “subcommittee” of the National Science and Technology Council to review privacy and Internet policy, which may include review of health care privacy issues.  The working group will focus primarily on individual privacy issues associated with the Internet and related online systems, to “develop principles and strategic directions with the goal of fostering consensus in legislative, regulatory, and international Internet policy realms.”  Consisting of representatives of eleven Federal agencies, including the Department of Health and Human Services, and eight Executive Organizations, the Subcommittee promises to work closely with private stakeholders to develop a set of core principles to, among other things, facilitate transparency, promote cooperation, empower individual decision-making, and build trust in online environments, while at the same time protecting the rule of law, promoting innovation and economic expansion, and balancing the interests of stakeholders.  The identities of the private stakeholders to be invited, the schedule of the group’s meetings, and the transparency of the subcommittee’s deliberations have yet to be determined or announced by the Obama Administration.

HITECH's Federal Health IT Coordinator Completes Nationwide System to Assist Doctors and Hospitals in Switching to Electronic Health Records

On September 28, 2010, David Blumenthal, M.D., National Coordinator for health information technology, announced selection of the final Regional Extension Centers (RECs), completing a national system of 62 organizations that will help physicians, clinics and hospitals to move from paper-based medical records to electronic health records (EHR).

“The selection of these final awardees means that Regional Extension Centers are now in place in every region of our country to help health providers make the switch from paper-based medical practice to electronic health records,” said Dr. Blumenthal. “For primary care physicians and smaller hospitals in particular, the RECs will be an important resource to help meet the challenges of adopting EHRs and using them to deliver better care.”

RECs were created last year under the Health Information Technology for Economic and Clinical Health (HITECH) Act, part of the American Recovery and Reinvestment Act of 2009.  Under the HITECH Act, $677 million is allocated for the next two years to support a nationwide system of RECs.  The HITECH Act also created the Medicare and Medicaid EHR incentive programs, which will provide incentive payments to eligible professionals and hospitals that adopt and demonstrate meaningful use of certified EHR technology.  Incentives totaling as much as $27.4 billion over 10 years could be expended under the program, which is administered by the Centers for Medicare & Medicaid Services.

RECs will target their assistance to eligible primary care providers in smaller practices as well as small and rural hospitals and public health clinics.  However, the RECs will also serve as a resource for all providers in an area, giving assistance, as feasible, to any doctor, hospital or clinic making the request.  Each REC organization has identified a target number of primary care physicians, based on population needs, to be assisted in the first two years of the program.

Link to the complete ONC press release