Tag Archives: health insurance portability & accountability act

Expect More Cyber Turbulence in 2016

In February 2015, Anthem, the nation’s second-largest health care insurer, disclosed losing records for 80 million employees, customers and partners. That was followed a few weeks later by Premera Blue Cross admitting it lost records for 11 million people.

Then in July 2015, the U.S. Office of Personnel Management began a series of mea culpas. OPM ultimately conceded that hackers swiped sensitive personnel records for 21.5 million federal employees, contractors and their family members. Anthem, Premera Blue Cross and OPM were among the high-profile breaches in a year when the Identity Theft Resource Center counted more than 750 publicly disclosed data leaks.

ThirdCertainty asked three IDT911 experts — Brian Huntley, Eduard Goodman and Victor Searcy — for their 2016 prognostications. (Full disclosure: IDT911 underwrites ThirdCertainty.)

Wire fraud and politics 

Brian Huntley, IDT911 Chief Information Security Officer
Brian Huntley, IDT911 Chief Information Security Officer

 

Huntley: In the coming year, fraud and theft will plague the merchant payments and ACH wire transfer systems. Small and medium-size businesses are especially vulnerable. If enough SMBs get victimized, it could result in a public outcry about the inherent vulnerabilities in these systems, especially as consumers and small business owners come to realize there is minimal regulatory protections in these types of cases.

This being an election year, U.S. presidential candidates will focus on cyber war strategy and armament. Armchair quarterbacking of the 2015 U.S.-China cybersecurity agreement will arise as the centerpiece of this debate. We could see the U.S.-China cyber accord ascend as the basis for peer agreements between other nation states.

Meanwhile, the search will continue in different industries for an information security control framework that is akin to what the financial services sector has in the Federal Financial Institutions Examination Council’s (FFIEC) Information Security Guidelines and the health care sector has in the Health Insurance Portability and Accountability Act (HIPAA) of 1996.

Data tranfers and children’s privacy

Eduard Goodman, IDT911 Chief Privacy Officer
Eduard Goodman, IDT911 Chief Privacy Officer

 

Goodman: U.S. companies with a European presence will encounter a tremendous amount of uncertainty in 2016 with respect to Europe’s stricter Safe Harbor data privacy rules, relating to the sensitive data transfers to businesses in the U.S.

European regulators can be expected to harass the likes of Facebook and Google. And the threat of sanctions for noncompliance with Europe’s tougher Safe Harbor standards could easily filter down to many smaller companies, as well.

In another area, the recent hacking of toy maker VTech and Hello Kitty parent company SanrioTown.com signals that the theft of children’s information could become a worrisome new trend. As children obtain earlier access to social media, smartphones and Web-enabled toys, details of their personal information and preferences are rapidly becoming part of the greater data ecosystem.

As a result, we will see more breaches that involve the theft of information for individuals under the age of 18. Hopefully, we also will see more public dialogue about the concept of preserving children’s privacy, whether it be school record data, health information or data files containing images, video and audio recordings.

Taxpayers targeted—once again

Victor Searcy, IDT911 Director of Fraud Operations
Victor Searcy, IDT911 Director of Fraud Operations

 

Searcy: One of the most pervasive identity theft scams involves the filing of a faked federal tax return using an ill-gotten Social Security number. Sadly, this will continue to be true again in 2016.

In the 2010 and 2011 tax seasons, the Internal Revenue Service paid out $8.8 billion of taxpayer money to identity thieves. And statistics pulled from a sampling of customers assisted through IDT911’s Resolution Center in 2014 show a 120% increase in tax fraud victims in 2014 and another 134% increase in 2015.

We expect this number to grow again in 2016. It can take months for a victim to sort out the mess with the IRS. Worse, there is little stopping criminals from using a victim’s Social Security number and other personal information in other scams.

IDT911 stats show that 16% of tax fraud victims also were victims of financial identity theft; 12% of customers experienced multiyear tax fraud; and 16% were victims of both federal and state tax fraud.

Healthcare Breaches: How to Respond

The news of a data breach at Premera Blue Cross, following on the heels of the recent announcements of large-scale,  healthcare breaches at Anthem, is another reminder that employers and other health plan sponsors, fiduciaries and insurers need to take immediate steps to assess and tighten up their privacy, data security and data breach compliance and risk management.

Health plans and their employers, administrators, insurers and other vendors and service providers need to take immediate steps to conduct documented investigations, provide mandated breach notifications and take other actions that are required by the Privacy, Security & Breach Notification Rules imposed by the Health Insurance Portability & Accountability Act and other potentially applicable laws.

Employers or other plan sponsors, fiduciaries, administrators and service providers also may be subject to additional responsibilities under the fiduciary responsibility requirements of the Employee Retirement Income Security Act of 1974 (ERISA), the Internal Revenue Code and a host of other laws. Whether they are subject to the additional responsibilities depends on the scope of data affected and their involvement with the affected plans,

Insurance industry or other vendors providing services to these plans also may face specific responsibilities under applicable insurance, health care, federal or state identity theft, privacy or data security or other federal or state laws. (See, e.g., Restated HIPAA Regulations Require Health Plans to Tighten Privacy Policies and Practices; Cybercrime and Identity Theft: Health Information Security Beyond; HIPAA Compliance & Breach Data Shares Helpful Lessons for Health Plans, Providers and Business Associates.)

The need for prompt assessment and action is not necessarily limited to health plans and organizations sponsoring, administering or doing business with the plans involved in the Premera or Anthem breaches. The report of these and other healthcare breaches, as well as recent reports of identity theft and other fraud affecting federal tax returns and other large data breach reports involving retailers and other prominent businesses are spurring recognition of the large risks and need for greater scrutiny and accountability to business collection, use and protection of sensitive personal and other data.

Of course, the risk is exploding largely in response to the continued evolution of electronic payment and other business operating systems coupled with the emergence of data harvesting and other capabilities at virtually every U.S. business. Cyber criminals seem to always be one step ahead of business and government in leveraging these emerging opportunities for their criminal purposes.

Everyone from the Internal Revenue Service, other federal and state government agencies and private business partners are pushing for electronic transactions and data. So, businesses are conducting more and more transactions electronically containing business and individual tax information, personal financial information, personal health information, confidential business and personal information. Meanwhile, “big data” and other business and marketing gurus also encourage businesses to use data from customers, prospects and other sources to benefit marketing and other parts of the business.

As these practices have taken hold over the past decade, data breaches, other cyber crimes and risks have also grown. Privacy, identity theft and other cyber crimes have led federal and state lawmakers to enact an ever-growing list of notice, consent, disclosure, security and other laws and regulations, including the Fair and Accurate Credit Transaction Act (FACTA),the Gramm-Leach-Bliley Act, the Privacy and Security Rules of the Health Insurance Portability and Accountability Act and state identity theft, data security and data breach and other electronic privacy and security laws.

As notorious breaches occur and judgments, penalties and other costs soar, federal and state regulators are looking at the need for expanded rules and penalties. (See Cybercrime Enforcement Statistics; DOJ Enforcement Priorities and Statistics.) Widening data privacy and security concerns from incidents like the recent reports of breaches at Anthem and elsewhere have prompted Congress and state regulators to hold hearings to consider the need for added reforms, and the Federal Trade Commission has just announced plans to host a workshop on Nov. 16, 2015, to look at the privacy issues around the tracking of consumers’ activities across their different devices for advertising and marketing purposes.

While these and other legal and enforcement developments promise new liabilities and expenses, the business losses and customer and business partner implications experienced by Target, Anthem and other businesses illustrate the severe business consequences that inevitably result if a business appears to have failed to take customer privacy or other data security concerns seriously.

The notorious Target hacking data breach event is illustrative. Target reported in late 2013 that credit and debit card thieves stole the name, address, email address and phone number from the credit and debit card records of around 70 million Target shoppers between Nov. 27 and Dec. 15, 2013. After announcing the breach, Target reported a 46% drop in profits in the fourth quarter of 2013, compared with the year before. The company announced plans to invest $100 million upgrading its payment terminals to support Chip-and-PIN-enabled cards and millions of dollars more in rectification efforts. Subsequently, Target’s losses have continued to mount, and it now faces lawsuits and other enforcement actions as a result of the breach.

Beyond a general need to tighten their defenses, health plans, their sponsors, fiduciaries, administrators and vendors have specific obligations that require immediate, well-documented action when an actual or potential breach happens. The Privacy, Security and Breach Notification requirements of HIPAA require that health plans adopt specific policies and maintain and administer specific safeguards. In the event of a breach, these rules require that the health plan, usually acting through its fiduciaries, and affected service providers that qualify as business associates both investigate and redress the breach, as well as provide specific notification as soon as possible, usually no later than 30 days after the health plan knows or has reason to know of the breach. Significant civil and even criminal penalties can apply.

Beyond the specific requirements of HIPAA, employers and other plan sponsors and others involved in the maintenance and administration of the health plan or the selection and oversight of its vendors often may have less-realized responsibilities. As health plan data often includes payroll and other tax data, employers, there may be specific responsibilities under the Internal Revenue Code or other laws. To the extent that the plan sponsor or another party is named as the plan administrator or otherwise exercises control over the selection of the insurer or other plan vendor or other plan operations, the fiduciary obligations of ERISA also may require a prudent investigation and other action. Brokers, insurers, third party administrators, preferred provider organizations or other managed care providers and others doing business with the health plan also may have specific responsibilities under state insurance, health care, data breach and identity theft or other laws. Under the provisions of most of these laws, leaving it to the insurer or other vendor involved in the breach generally will not suffice to fulfill applicable legal responsibilities, much less allay the fears of plan members, employees, healthcare providers and others involved with the health plan.

In the face of these developments, health plans and their sponsors, fiduciaries and others working with them must take immediate action in response to breaches. Businesses also should check the adequacy and defensibility of their current overall data collection, use and security practices while remaining ever-vigilant for new requirements, as well as weaknesses in their own practices.

Businesses need to build their defenses in anticipation of breaches both to withstand government and private litigation and enforcement, and the judgment of public opinion.

Medical Identity Theft And Fraud

Medical identity theft (MIDT) is a crime that has profound consequences for patients, insurance providers, and health care providers. The definition of medical identity theft is the fraudulent use of an individual’s personally identifiable information (PII), such as name, Social Security number, and/or medical insurance identity number to obtain medical goods or services, or to fraudulently bill for medical goods or services using an unlawfully obtained medical identity. Unfortunately, the definition of medical identity theft and the consequences that are associated with the crime are not common knowledge to the general public.

A recent study conducted by Harris Interactive on behalf of Nationwide Insurance found that only one in six (~15%) of insured adults say they are familiar or very familiar with the term “medical identity theft.” Of the 15% that professed familiarity with the term, only 38% could correctly define what a medical identity was (Medical ID Theft Study 4). Unfortunately, this lack of widespread understanding of medical identity theft by consumers is part of the problem and it is costing consumers, insurers, and healthcare providers alike.

According to the most recent Ponemon Institute Research Report, 1.85 million Americans were affected by medical identity theft in 2012. This is a dramatic increase from the 1.49 million affected by medical identity theft in 2011, amounting to an almost 25% increase in just one year (Third Annual Survey 1). This rate of growth has the potential to explode due to several reasons. First, The Affordable Care Act is estimated to reduce the number of uninsured by approximately 30 million (Insurance Coverage Provisions 13), drastically increasing the number of insurers and insured patients that are targets for medical identity theft. Second, HIPAA policies and new rules under HITECH are increasing the use of electronic health records (EHRs) which can be vulnerable to data hackers. And lastly, the data hackers themselves are more sophisticated and cognizant of ways to profit off of personal data than ever before. All these factors combined pose a very serious dilemma in controlling the rate of growth for medical identity theft. Ponemon estimates that the cost of medical identity theft to consumers in 2012 was approximately $41 billion (Third Annual Survey 1). This does not include the untold cost borne by healthcare and insurance providers. We cannot afford the cost of letting this crime grow.

In order to minimize the effects of medical identity theft we must better understand the nature of medical identity theft. The Identity Theft Resource Center (ITRC) knows it is important to assess how consumers’ identities are stolen, how they find out they have fallen victim to this crime, and how difficult it is to resolve once discovered. The Identity Theft Resource Center believes this information can be used to educate and make aware the general public as to what medical identity theft is and how they can minimize their risk or mitigate the cost once they become a victim.

Looking at how medical identity theft victims discover they have fallen victim to this crime is crucial in determining what can be done to discover medical identity theft sooner to avoid increased expenses and instances of fraud. The 2012 Ponemon report found that the most common way (39%) people discover they have become victims of identity theft is by receiving collection letters for delinquent bills. This is bad news as this means the costs for the fraudulent services worked their way through the providers’ billing systems and languished there until they were forwarded to collection departments or agencies. In the time it took for the bill to make it to the collection department or agency, the imposter could have committed many more instances of fraud in different locations. The second most common method of discovery (32%) was by noticing mistakes in their health records, tipping them off to the medical identity theft. This is also bad news as mistakes in health records can have catastrophic consequences which can be fatal.

Fortunately, the third most common method (26%) of discovering identity theft was by victims noticing suspicious postings to a statement or invoice, such as an Explanation of Benefits statement. This is very good news as this usually means the victim is discovering their medical identity theft as early as possible. The earlier the victim notices the crime, the more likely they may avoid damage to their credit score, stop future abuse of their medical identity, and reduce the amount of time and money spent to rectify the issue. This statistic is even more interesting when compared to the previous two years of the Ponemon study, where only 9% of participants indicated that they discovered their medical identity theft via suspicious statements of invoices. This is a promising example of how educating and making consumers aware of medical identity theft can make a big difference in helping reduce the incidence of medical identity theft and its costs as a whole.

Looking into the mitigation process victims are confronted with after they discover their medical identity theft reveals the costs and trouble they have to go through to clear their names. There are two distinct objectives when mitigating medical identity theft. First, the victim must deal with an individual incident such as a thief receiving medical care under the victim’s name and the associated fiscal impact the crime imposes. Second, the victim must now deal with the task of “curing” themselves of medical identity theft, insuring that their medical identity is not abused again in the future. This second objective is extremely difficult and contributes to the devastating nature of medical identity theft.

Regarding the first objective, the process for rectifying an individual incident of medical identity theft is complicated and drawn out. The victim must immediately contact the medical records and billing departments of the healthcare provider that provided the services to the imposter, request their medical records, and inform the provider that they are not responsible for the fraudulent bills. Upon learning that there may be fraudulent information in the victim’s medical record, the healthcare provider may deny the victim access to their medical record for fear of violating the Health Insurance Portability and Accountability Act (HIPAA). HIPAA protects the privacy of patients’ medical records making healthcare providers worry that they may be violating the imposter’s privacy rights by releasing the medical record to the victim. Oftentimes, the healthcare provider does not know for a fact that the fraudulent information in the medical record was a result of medical identity theft and cannot rule out that it may simply have been an accidental mixing of two patients’ records. Regardless of the situation, the healthcare provider is afraid of incurring liability under HIPAA for releasing confidential medical information even if it is under the victim’s name. The victim may have to appeal the decision in order to be able to view their records.

In one case, a medical identity theft victim was charged for bills related to the alleged amputation of one of her feet. Luckily, this was easily refutable as she would simply show the hospital billing department that she still has her two feet. Unfortunately, the imposter also had diabetes which prompted a physician, during a subsequent hospitalization, to ask the victim what medications she was taking to treat her diabetes. Note, the victim has never had the disease (Menn). This case demonstrates how frustrating correcting medical records can be and reminds us how dangerous medical identity theft is to the victim.

It is also recommended that victims file a police report and submit a copy of the report to healthcare providers as it will usually help streamline the process. It is important for victims to note that medical identity theft, like any other form of identity theft, is a crime police are required to provide a police report for in most states. Once the incorrect information is identified, the victim must request that the healthcare provider either remove the information or at least flag it should the provider be reluctant to permanently remove it. After correcting the records at the location the imposter received medical services, the victim will then have to request an accounting of disclosures listing all the entities to which the healthcare provider sent the victim’s fraudulent records. The victim must repeat this procedure at each location that has their fraudulent medical record. All of this creates mountains of work for healthcare providers, insurers, and the victims themselves which increases costs in the medical industry for everyone involved.

The second and more difficult objective, “curing” oneself of medical identity theft, does not have a set solution. The problem stems from the decentralized structure of the medical data system. Every healthcare provider, pharmacy, and insurer has its own records and records system. In contrast, the financial industry has three major credit reporting agencies through which almost all financial credit information is processed. Therefore, when you have suffered financial identity theft, a great way to mitigate future instances of fraud is to place a credit freeze with all three credit reporting agencies so that identity thieves cannot abuse your credit again. There is no such central medical record agency for medical records. Thus, it is possible for a medical identity thief to commit fraud with the same medical identity over and over again in multiple locations around the country. The victim will have to go through the individual incident mitigation process every time and just hope that the identity thief will stop using their medical identity.

Since there is no way to get ahead of the thief and prevent the medical fraud from occurring, the best way to mitigate the costs and effects of medical identity theft is for the victim to be vigilant and confront each instance of fraud as soon as possible in order to reduce the amount of wasted time and costs. This repetitive cycle is exhausting and costly for the victim as well as healthcare providers and insurers. In all three years Ponemon has conducted this survey, the number of victims who said they had completely resolved their medical identity theft never exceeded 11% (Third Annual Survey 11). This is an ongoing problem that does not yet have a solution, but it is imperative for all stakeholders to be involved.

All of this information points us to the realization that medical identity theft is a costly and potentially dangerous crime that is incredibly difficult to resolve. To make matters worse, medical identity theft often goes undiscovered for long periods of time and only becomes more detrimental and difficult to resolve the longer it goes undetected.

The Identity Theft Resource Center proposes that one of the best methods of reducing medical identity theft and the costs associated with it is an educated and aware consumer population. To make this point, it is useful to separate out the causes of identity theft listed in the Ponemon report into two groups. The first group includes causes of identity theft that victims have no control over: healthcare provider used identification to conduct fraudulent billing (22%), malicious employee in the health provider’s office stole health information (7%), and the healthcare provider, insurer or other related organization had a data breach (6%). In total, 35% of the causes of identity theft cannot be affected by actions of the consumer. The second group consists of causes of identity theft that a consumer does have a degree of control over: family member took personal identification credentials without my knowledge (35%), mailed statement or invoice was intercepted by the criminal (6%), lost a wallet containing personal identification credentials (5%), and a phishing attack by criminal who obtained personal identification credentials (4%). Thus, the total of causes of medical identity theft that can be affected by actions of the consumer is 50%. It should be noted that 15% of the participants still did not know how they had their medical identity stolen.

Looking at the numbers above, it is clear that the consumers themselves can have the largest impact in reducing the number of medical identity theft cases and the severity of the cases that still occur. Not only do the consumers themselves have the best ability to reduce the risk of medical identity theft happening to them, they are the only people that can reduce the severity of the crime when it does happen. The Identity Theft Resource Center has long understood the ramifications of medical identity theft on the consumer population as well as the medical industry itself. We know that educating the consumer population can be cost-effective and powerful.

The Identity Theft Resource Center is a founding organization of the Medical Identity Fraud Alliance, the first public/private sector-coordinated effort with a focused agenda that unites all the stakeholders to jointly develop solutions and best practices for medical identity fraud. We encourage all industry stakeholders to join so that we can work together in galvanizing the consumer population into becoming the most effective weapon yet against medical identity theft.

How Consumers Can Minimize Their Risk Of Medical Identity Theft

  • Review Explanation of Benefit statements as soon as you receive them as they may detail medical services that you never received.
  • Review your credit reports multiple times a year to see if any fraudulent accounts have been opened in your name, or if any medical bills have been reported as unpaid.
  • Be aware of phishing emails. These emails are designed to look like they are official communications from either a healthcare provider or insurer and ask for personal information such as a Social Security number, insurance policy number, or other information used to commit medical fraud in your name.
  • Do not open attachments in emails from people you are not familiar with as it may have a virus or program to steal information from your computer.
  • Use a Virtual Private Network when using the Internet outside of your home as this will encrypt your signal from your mobile device or laptop.
  • Do not carry your Medicare card, Social Security card, or certain military identification as these have your Social Security number on them. Should you lose your wallet or purse or have it stolen, this information would be extremely valuable to a medical identity thief.
  • Shred or safeguard any documents with personally identifiable information by either locking them in a safe hidden in the home or by storing them on an encrypted thumb drive and deleting them off your computer. Sensitive documents with PII include:
    • Tax preparation papers
    • Explanation of Benefits statements
    • Medical Bills or Records
    • Bank Statements
    • Passport
    • Medicare, Social Security, or military identification card

References
Nationwide Mutual Insurance Company. “Medical ID Theft Study Results.” March 2012. Print.

Ponemon Institute. “Third Annual Survey on Medical Identity Theft.” June 2012. Print.

Congressional Budget Office. Estimates for the Insurance Coverage Provisions of the Affordable Care Act Updated for the Recent Supreme Court Decision. U.S. Government Printing Office. July 2012. 13 December 2012. http://www.cbo.gov/sites/default/files/cbofiles/attachments/43472-07-24-2012-CoverageEstimates.pdf

Menn, Joseph. “ID Theft Infects Medical Records.” Los Angeles Times. 25 Sept. 2006. N.pag. Web. 20 Dec. 2012

OCR Nails Hospice For $50K In First HIPAA Breach Settlement Involving Small Data Breach

Properly encrypt and protected electronic protected health information (ePHI) on laptops and in other mediums!

That’s the clear message of the Department of Health and Human Services (HHS) Office of Civil Rights (OCR) in its announcement of its first settlement under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule involving a breach of ePHI of fewer than 500 individuals by a HIPAA-covered entity, Hospice of North Idaho (HONI).

The settlement shows that the Office of Civil Rights stands ready to penalize these healthcare providers, health plans, healthcare clearinghouses and their business associates (covered entities) when their failure to properly secure and protect ePHI on laptops or in other systems results in a breach of ePHI even when the breach affects fewer than 500 individuals.

HIPAA Security & Breach Notification For ePHI
Under the originally enacted requirements of HIPAA, covered entities and their business associates are required to restrict the use, access and disclosure of protected health information and establish and administer various other policies and safeguards in relation to protected health information. Additionally, the Security Rules require specific encryption and other safeguards when covered entities collect, create, use, access, retain or disclose ePHI.

The Health Information Technology for Economic and Clinical Health (HITECH) Act amended HIPAA, among other things to tighten certain HIPAA requirements, expand its provisions to directly apply to business associates, as well as covered entities and to impose specific breach notification requirements. The HITECH Act Breach Notification Rule requires covered entities to report an impermissible use or disclosure of protected health information, or a “breach,” of 500 individuals or more (Large Breach) to the Secretary of HHS and the media within 60 days after the discovery of the breach. Smaller breaches affecting less than 500 individuals (Small Breach) must be reported to the Secretary on an annual basis.

Since the Breach Notification Rule took effect, the Office of Civil Rights’ announced policy has been to investigate all Large Breaches and such investigations have resulted in settlements or other corrective action in relation to various Large Breaches. Until now, however, the Office of Civil Rights has not made public any resolution agreements requiring settlement payments involving any Small Breaches.

Hospice Of North Idaho Settlement
On January 2, 2013, the Office of Civil Rights announced that Hospice of North Idaho will pay the Office of Civil Rights $50,000 to settle potential HIPAA violations that occurred in connection with the theft of an unencrypted laptop computer containing ePHI. The Hospice of North Idaho settlement is the first settlement involving a breach of ePHI affecting fewer than 500 individuals. Read the full HONI Resolution Agreement here.

The Office of Civil Rights opened an investigation after Hospice of North Idaho reported to the Department of Health and Human Services that an unencrypted laptop computer containing ePHI of 441 patients had been stolen in June 2010. Hospice of North Idaho team members regularly use laptops containing ePHI in their field work.

Over the course of the investigation, the Office of Civil Rights discovered that Hospice of North Idaho had not conducted a risk analysis to safeguard ePHI or have in place policies or procedures to address mobile device security as required by the HIPAA Security Rule. Since the June 2010 theft, Hospice of North Idaho has taken extensive additional steps to improve their HIPAA Privacy and Security compliance program.

Enforcement Actions Highlight Growing HIPAA Exposures For Covered Entities
While the Hospice of North Idaho settlement marks the first settlement on a small breach, this is not the first time the Office of Civil Rights has sought sanctions against a covered entity for data breaches involving the loss or theft of unencrypted data on a laptop, storage device or other computer device. In fact, the Office of Civil Rights’ first resolution agreement — reached before the enactment of the HIPAA Breach Notification Rules — stemmed from such a breach (see Providence To Pay $100000 & Implement Other Safeguards).

Breaches resulting from the loss or theft of unencrypted ePHI on mobile or other computer devices or systems has been a common basis of investigation and sanctions since that time, particularly since the Breach Notification rules took effect. See, e.g., OCR Hits Alaska Medicaid For $1.7M+ For HIPAA Security Breach. Coupled with statements by the Office of Civil Rights about its intolerance, the Hospice of North Idaho and other settlements provide a strong warning to covered entities to properly encrypt ePHI on mobile and other devices.

Furthermore, the Hospice of North Idaho settlement also adds to growing evidence of the growing exposures that health care providers, health plans, health care clearinghouses and their business associates need to carefully and appropriately manage their HIPAA encryption and other Privacy and Security responsibilities. See OCR Audit Program Kickoff Further Heats HIPAA Privacy Risks; $1.5 Million HIPAA Settlement Reached To Resolve 1st OCR Enforcement Action Prompted By HITECH Act Breach Report; and, HIPAA Heats Up: HITECH Act Changes Take Effect & OCR Begins Posting Names, Other Details Of Unsecured PHI Breach Reports On Website. Covered entities are urged to heed these warnings by strengthening their HIPAA compliance and adopting other suitable safeguards to minimize HIPAA exposures.

Office of Civil Rights Director Leon Rodriguez, in OCR’s announcement of the Hospice of North Idaho settlement, reiterated the Office of Civil Rights’ expectation that covered entities will properly encrypt ePHI on mobile or other devices. “This action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients’ health information.” said Rodriguez. “Encryption is an easy method for making lost information unusable, unreadable and undecipherable.”

In the face of rising enforcement and fines, the Office of Civil Rights’ initiation of HIPAA audits and other recent developments, covered entities and their business associates should tighten privacy policies, breach and other monitoring, training and other practices to reduce potential HIPAA exposures in light of recently tightened requirements and new enforcement risks.

In response to these expanding exposures, all covered entities and their business associates should review critically and carefully the adequacy of their current HIPAA Privacy and Security compliance policies, monitoring, training, breach notification and other practices taking into consideration the Office of Civil Rights’ investigation and enforcement actions, emerging litigation and other enforcement data, their own and reports of other security and privacy breaches and near misses, and other developments to determine if additional steps are necessary or advisable.

New Office Of Civil Rights HIPAA Mobile Device Educational Tool
While the Office of Civil Rights’ enforcement of HIPAA has significantly increased, compliance and enforcement of the encryption and other Security Rule requirements of HIPAA are a special focus of the Office of Civil Rights.

To further promote compliance with the Breach Notification Rule as it relates to ePHI on mobile devices, the Office of Civil Rights and the HHS Office of the National Coordinator for Health Information Technology (ONC) recently kicked off a new educational initiative, Mobile Devices: Know the RISKS. Take the STEPS. PROTECT and SECURE Health Information. The program offers health care providers and organizations practical tips on ways to protect their patients’ health information when using mobile devices such as laptops, tablets, and smartphones. For more information, see here.

For more information on HIPAA compliance and risk management tips, see here.

Brace For New Disability Discrimination Claims

President Obama’s declaration on October 1, 2012 of October as National Disability Employment Awareness Month reminds business that U.S. businesses and their leaders need to tighten their disability discrimination risk management and compliance in light of the Obama Administration’s emphasis on aggressively interpreting and enforcing disability discrimination laws, rising private plaintiff lawsuits and other recent regulatory and judicial changes.

With the Administration expected to step up further its already substantial educational outreach to the disabled and their advocates, U.S. employers should brace for this month’s celebration to fuel even more disability discrimination claims and other activity by the disabled and their activists.

Since taking office, President Obama has made enforcing and expanding the rights of the disabled in employment and other areas a leading priority. In his proclamation, President Obama reaffirmed his often stated commitment to the aggressive enforcement of disability laws and other efforts to promote opportunities for disabled individuals, stating “[My Administration remains committed to helping our businesses, schools, and communities support our entire workforce. To meet this challenge,… we are striving to make it easier to get and keep those jobs by improving compliance with Section 508 of the Rehabilitation Act.”

As the administration marks the month, U.S. employers and other business leaders can expect the Obama Administration will be stepping up its already aggressive outreach to disabled Americans to promote awareness of their disability law rights and tools for asserting and enforcing these rights. See, e.g. October Is National Disability Employment Awareness Month (NDEAM).

Business Faces Growing Employment Disability Exposures
As part of his administration’s commitment, the Obama Administration has moved to aggressively enforce the disability and accommodations of the Americans With Disabilities Act (ADA), Section 508 of the Rehabilitation Act, and other federal disability discrimination laws. The reach and effectiveness of these efforts has been enhanced by statutory and regulatory changes that require employers to exercise greater efforts to meet their compliance obligations and manage their disability and other discrimination risks.

ADA Exposures Heightened
The ADA, for instance, generally prohibits disability discrimination and requires employers to make reasonable accommodations to employees’ and applicants’ disabilities as long as this does not pose an undue hardship. Violations of the ADA can expose businesses to substantial liability. Violations of the ADA may be prosecuted by the EEOC or by private lawsuits. Employees or applicants that can prove they experienced prohibited disability discrimination under the ADA generally can recover actual damages, attorneys’ fees, and up to $300,000 of exemplary damages (depending on the size of the employer).

In recent years, amendments to the original provisions of the ADA have made it easier for plaintiffs and the EEOC to prove disabled status of an individual. Businesses should exercise caution to carefully document legitimate business justification for their hiring, promotion and other employment related decisions about these and other individuals who might qualify as disabled.

As signed into law on September 25, 2008, the ADAAA amended the definition of “disability” for purposes of the disability discrimination prohibitions of the ADA to make it easier for an individual seeking protection under the ADA to establish that they have a disability within the meaning of the ADA. The ADAAA retains the ADA’s basic definition of “disability” as an impairment that substantially limits one or more major life activities, a record of such an impairment, or being regarded as having such an impairment. However, provisions of the ADAAA that took effect January 1, 2009 change the way that these statutory terms should be interpreted in several ways. Most significantly, the Act:

  • Directs the EEOC to revise that part of its regulations defining the term “substantially limits;”
  • Expands the definition of “major life activities” by including two non-exhaustive lists: (1) The first list includes many activities that the EEOC has recognized (e.g., walking) as well as activities that EEOC has not specifically recognized (e.g., reading, bending, and communicating); and (2) The second list includes major bodily functions (e.g., “functions of the immune system, normal cell growth, digestive, bowel, bladder, neurological, brain, respiratory, circulatory, endocrine, and reproductive functions”);
  • States that mitigating measures other than “ordinary eyeglasses or contact lenses” shall not be considered in assessing whether an individual has a disability;
  • Clarifies that an impairment that is episodic or in remission is a disability if it would substantially limit a major life activity when active;
  • Changes the definition of “regarded as” so that it no longer requires a showing that the employer perceived the individual to be substantially limited in a major life activity, and instead says that an applicant or employee is “regarded as” disabled if he or she is subject to an action prohibited by the ADA (e.g., failure to hire or termination) based on an impairment that is not transitory and minor; and
  • Provides that individuals covered only under the “regarded as” prong are not entitled to reasonable accommodation.

The ADAAA also emphasizes that the definition of disability should be construed in favor of broad coverage of individuals to the maximum extent permitted by the terms of the ADA and generally shall not require extensive analysis. In adopting these changes, Congress expressly sought to overrule existing employer-friendly judicial precedent construing the current provisions of the ADA and to require the EEOC to update its existing guidance to confirm with the ADAAA Amendments. Under the leadership of the Obama Administration, the EEOC and other federal agencies have embraced this charge and have significantly stepped up enforcement of the ADA and other federal discrimination laws.

Recent enforcement, regulatory and other activities by the EEOC show that the EEOC is enthusiastically moving forward to exercise its regulatory and enforcement powers under these enhanced ADA provisions to tighten requirements for employers and to enforce its rules. See e.g.,

Rising Rehabilitation Act Risks For Government Contractors
Beyond the generally applicable risks to all employers of more than 15 employees under the ADA, federal and state government contractors face more responsibilities and risks.

Subject to limited exceptions, government contractors providing services or supplies on ARRA or other government-funded contracts or projects must comply both with generally applicable employment discrimination requirements and special statutory and contractual nondiscrimination, affirmative action, and recordkeeping requirements applicable to government contractors. For instance, federal law generally requires government contractors to comply with the special equal employment opportunity requirements of Executive Order 11246 (EO 11246), Section 503 of the Rehabilitation Act of 1973 (Section 503), and the Vietnam Veterans’ Readjustment Assistance Act of 1974 (VEVRAA).

Pursuant to these laws, business with the federal government, both contractors and subcontractors, generally must follow a number of statutory and contractual requirements to follow the fair and reasonable standard that they not discriminate in employment on the basis of sex, race, color, religion, national origin, disability or status as a protected veteran. OFCCP generally audits and enforces these requirements. See Memo to Funding Recipients: Compliance with Applicable Nondiscrimination and Equal Opportunity Statutes, Regulations, and Executive Orders.

OFCCP has made clear that it will conduct compliance evaluations and host compliance assistance events to ensure that federal contractors comply and are aware of their responsibilities under EO 11246, Section 503 and VEVRAA.

While many government contractors may be tempted to become complacent about OFCCP exposures based on reports of the OFCCP’s relatively low enforcement in the past, see Report Says OFCCP Enforcement Data Show Infrequent Veteran, Disability Bias Findings. Recent enforcement data documents that OFCCP is getting much more serious and aggressive about auditing and enforcing compliance with its affirmative action and other requirements against government contractors under the Obama Administration. See also OFCCP Enforcement Data is Available on a New DOL Website and Affirmative Action Update: OFCCP Enforcement Statistics Show Increase in Violations.

The readiness of OFCCP to enforce its rules is illustrated by the settlement of an OFCCP action filed against federal contractor Nash Finch Co. (Nash Finch) announced recently. Under the settlement, Nash Finch agreed to pay $188,500 in back wages and interest and offer jobs to certain women applicants who OFCCP charged Nash rejected for the entry-level position of order selector at the company’s distribution facility in Lumberton, Minnesota. See Settlement of OFCCP Employment Discrimination Charge Reminder To ARRA, Other Government Contractors Of Heightened Enforcement Risks.

These government contractor disability discrimination risks are particularly acute where the government contractor works on or provides supplies on contacts or projects funded in whole or in part by monies provided under ARRA. When the contract or project in question receives any funding out of the $787 billion of stimulus funding provided by ARRA, special OFCCP rules applicable to ARRA funded projects necessitates that federal contractors exercise special care to understand and meet their responsibilities and manage associated exposures. See, e.g. Settlement of OFCCP Employment Discrimination Charge Reminder To ARRA, Other Government Contractors Of Heightened Enforcement Risks.

GINA & Other Medical Information Nondiscrimination & Privacy Risks
Employers also need to use care to ensure that their hiring and other employment practices, as well as their employee benefits, workers’ compensation and wellness practices are up to date and properly managed to mitigate exposures under laws like the Genetic Information and Nondiscrimination Act (GINA), the ADA’s medical information privacy requirements, as well as the privacy and nondiscrimination rules of the Health Insurance Portability & Accountability Act and other relevant federal and state laws.

Signed into law by President Bush on May 21, 2008 and in effect since November 21, 2009, for instance, Title VII of GINA amended the Civil Rights Act to prohibit employment discrimination based on genetic information and to restrict the ability of employers and their health plans to require, collect or retain certain genetic information. Under GINA, employers, employment agencies, labor organizations and joint labor-management committees face significant liability for violating the sweeping nondiscrimination and confidentiality requirements of GINA concerning their use, maintenance and disclosure of genetic information. Employees can sue for damages and other relief like now available under Title VII of the Civil Rights Act of 1964 and other nondiscrimination laws. For instance, GINA’s employment related provisions include rules that:

  • Prohibit employers and employment agencies from discriminating based on genetic information in hiring, termination or referral decisions or in other decisions regarding compensation, terms, conditions or privileges of employment;
  • Prohibit employers and employment agencies from limiting, segregating or classifying employees so as to deny employment opportunities to an employee based on genetic information;
  • Bar labor organizations from excluding, expelling or otherwise discriminating against individuals based on genetic information;
  • Prohibit employers, employment agencies and labor organizations from requesting, requiring or purchasing genetic information of an employee or an employee’s family member except as allowed by GINA to satisfy certification requirements of family and medical leave laws, to monitor the biological effects of toxic substances in the workplace or other conditions specifically allowed by GINA;
  • Prohibit employers, labor organizations and joint labor-management committees from discriminating in any decisions related to admission or employment in training or retraining programs, including apprenticeships based on genetic information;
  • Mandate that in the narrow situations where genetic information is obtained by a covered entity, it maintain the information on separate forms in separate medical files, treat the information as a confidential medical record, and not disclose the genetic information except in those situations specifically allowed by GINA;
  • Prohibit any person from retaliating against an individual for opposing an act or practice made unlawful by GINA; and
  • Regulate the collection, use, access and disclosure of genetic information by employer sponsored and certain other health plans.

These employment provisions of GINA are in addition to amendments to HIPAA, the Employee Retirement Income Security Act of 1974 (ERISA), the Public Health Service Act, the Internal Revenue Code of 1986, and Title XVIII (Medicare) of the Social Security Act that are effective for group health plan for plan years beginning after May 20, 2009.

Under these HIPAA and GINA rules, health plans generally may not make certain medical inquiries or discriminate against employees or their family members based on family or individual medical history or genetic information. In addition, health plans and others are required to safeguard personal medical information and may only share that information under very limited circumstances requiring specific documentation be in place and that the parties can prove that the access and use of that information is appropriately restricted. Violation of these and other rules can have significant civil and in some cases even criminal liabilities for companies, plans, plan fiduciaries and company officials that take part in violations of these rules.

Businesses Should Act To Manage Risks
The ADAAA amendments, the Rehabilitation Act’s expanded reach, and the Obama Administration’s emphasis on enforcement make it likely that businesses generally will face more disability claims from a broader range of employees and will have fewer legal shields to defend themselves against these claims. These changes will make it easier for certain employees to qualify and claim protection as disabled under the ADA, the Rehabilitation Act, and other disability discrimination laws.

All U.S. businesses should review and tighten the adequacy of their existing compliance and risk management practices to promote and document compliance. These efforts should focus on all relevant hiring, recruitment, promotion, compensation, recordkeeping and reporting policies and practices internally, as well as those of any recruiting agencies, subcontractors or other business partners whose actions might impact on compliance.

In light of these and other developments and risks, businesses generally should act cautiously when dealing with applicants or employees with actual, perceived, or claimed physical or mental impairments to minimize exposures under the ADA, the Rehabilitation Act and other laws. Management should exercise caution to carefully and appropriately assess and identify the potential legal significance of physical or mental impairments or conditions that might be less significant in severity or scope, correctable through the use of eyeglasses, hearing aids, daily medications or other adaptive devices, or that management might be tempted to assume fall outside the ADA’s scope.

Likewise, businesses should be ready for the EEOC, OFCCP and the courts to treat a broader range of disabilities, including those much more limited in severity and life activity restriction, to qualify as disabling for purposes of the Act. Businesses should assume that a greater number of employees with such conditions are likely to seek to use the ADA as a basis for challenging hiring, promotion and other employment decisions. For this reason, businesses generally should tighten job performance and other employment recordkeeping to enhance their ability to demonstrate nondiscriminatory business justifications for the employment decisions made by the businesses.

Businesses also should consider tightening their documentation regarding their procedures and processes governing the collection and handling records and communications that may contain information regarding an applicant’s physical or mental impairment, such as medical absences, worker’s compensation claims, emergency information, or other records containing health status or condition related information. The ADA generally requires that these records be maintained in separate confidential files and disclosed only to individuals with a need to know under circumstances allowed by the ADA.

As part of this process, businesses also should carefully review their employment records, group health plan, family leave, disability accommodation, and other existing policies and practices to comply with, and manage exposure under the genetic information nondiscrimination and privacy rules enacted as part of GINA, the health care privacy rules of the HIPAA, and the medical record privacy rules of the ADA. Particular care should be used when planning wellness, health risk assessment, work-related injury, family or other medical leave or related programs, all of which raise particular risks and concerns.

In the face of the rising emphasis of OFCCP, the EEOC and other federal and state agencies on these audit and enforcement activities, government contractors should exercise additional compliance and risk management efforts beyond these generally recommended steps. Among other things, these steps should include the following:

  • Government contractors and subcontractors should specifically review their existing or proposed contracts and involvements to identify projects or contracts which may involve federal or state contracts or funding that could trigger responsibility. In this respect, businesses should conduct well-documented inquiries when proposing and accepting contracts to ensure that potential obligations as a government contractor are not overlooked because of inadequate intake procedures. Businesses also should keep in mind that ARRA and other federal program funds often may be filtered through a complex maze of federal grants or program funding to states or other organizations, which may pass along government contractor status and liability when subcontracting for services as part of the implementation of broader programs. Since the existence of these obligations often is signaled by contractual representations in the contracts with these parties, careful review of contractual or bid specifications and commitments is essential. However, it also generally is advisable also to inquire about whether the requested products or services are provided pursuant to programs or contracts subject to these requirements early in the process.
  • In addition to working to identify contracts and arrangements that are covered by OFCCP or other requirements, government contractors and other businesses also should reconfirm and continuously monitor the specific reporting, affirmative action, and other requirements that apply to any programs that may be subject to OFCCP requirements to ensure that they fully understand and implement appropriate procedures to comply with these conditions as well as pass along the obligation to make similarly necessary arrangements to any subcontractors or suppliers that the government contractor involves as a subcontractor.
  • Throughout the course of the contract, the government contractor also should take steps to maintain and file all required reports and monitor and audit operational compliance with these and other requirements.
  • The organization should develop and administer appropriate procedures for monitoring and investigating potential compliance concerns and maintaining documentation of that activity. Any known potential deficiencies or complaints should be promptly investigated and redressed with the assistance of qualified counsel in a prompt manner to mitigate potential risks.
  • Documentation should be carefully retained and organized on a real time and continuous basis to faciliate efficiency and effectiveness in completing required reports, monitoring compliance indicators and responding to OFCCP, EEOC or private plaintiff charges as well as other compliance inquiries.
  • Any audit inquiries or charges should be promptly referred to qualified legal counsel for timely evaluation and response.
  • When available and affordable, management should consider securing appropriate employment practices liability coverage, indemnification from business partners and other liability protection and assurance to help mitigate investigagtion and defense costs.
  • Board members or other senior management should include periodic review of compliance in their agenda.