Don’t Misrepresent Your U.S. – E.U. Privacy Shield Status: FTC Brings An Enforcement Action

Posted by Ryan Blaney on July 06, 2018
cybersecurity, Federal Trade Commission, FTC, Privacy, Uncategorized

As US companies continue to spend time and effort complying with and responding to all of the new privacy laws and regulations both in the United States and abroad (e.g., the GDPR and the California Consumer Privacy Act of 2018), companies cannot forget the basics. If you represent something in your Privacy Policy, it had better be accurate, up to date, and not misleading!

On July 2, 2018, the Federal Trade Commission (FTC) issued a number of press releases and a proposed settlement with California-based employee training company ReadyTech Corporation.  In announcing the settlement, FTC Chairman Joe Simons said, “Today’s settlement demonstrates the FTC’s continuing commitment to vigorous enforcement of the Privacy Shield.”  According to the FTC, this is the 4th case enforcing the Privacy Shield and 47th case enforcing international privacy frameworks such as the Safe Harbor framework and the Asia Pacific Economic Cooperation Cross Border Privacy Rules.

The ReadyTech settlement should be a warning for other companies that make representations in their Privacy Policies about the Privacy Shield, GDPR, CCPA and other data security and privacy frameworks. By way of background, the Privacy Shield framework allows companies to transfer personal data lawfully from the EU to the United States. To join the Privacy Shield framework, a company must self-certify to the U.S. Department of Commerce that it complies with the Privacy Shield Principles and related requirements that have been deemed to meet the EU’s adequacy standard. A company, like ReadyTech, that claims it has self-certified to the Privacy Shield Principles but has failed to self-certify to the U.S. Department of Commerce may be subject to an enforcement action by the FTC.


Data Security Plays a Key Role in the Adoption and Success of Precision Medicine

Posted by Ryan Blaney on June 16, 2016
Uncategorized

The White House recently released a guidance document for those in the precision medicine community to help ensure that participants’ data and resources remain secure. The document, titled “Precision Medicine Initiative: Data Security Policy Principles and Framework,” is meant to offer “security policy principles and a framework to guide decision-making by organizations conducting or participating in precision medicine activities” and is the result of a collaborative, interagency process featuring roundtable discussions with various security experts as well as a review of existing data security resources. Federal PMI agencies have already committed to integrating the framework into all PMI activities.

But the document is meant only to be a guideline – not a one-size-fits-all solution.  It notes that those in the PMI community must constantly strive to use current best practices and should conduct their own “comprehensive risk assessment to identify specific security requirements and establish processes to continuously review and make improvements.”

The guidance emphasizes some overarching principles that anyone dealing with sensitive data should bear in mind when developing and implementing a data security plan:

  • Keep pace with changing technology and new security threats.
  • Tailor your data security plan to your unique circumstances.
  • Be specific – think about your risks and put in writing how you will neutralize them.
  • Have an independent third party review your plan.
  • Without compromising security, be transparent about your plan to build trust among participants.

The document also offers specific suggestions with respect to identity proofing, user credentials and authentication, encryption and physical security, audits to detect anomalous activity, and incident response, among other topics.  The White House also emphasizes the importance of ongoing participant education, as well as role-specific training for those who use PMI data.

On balance, the White House’s message to the PMI community is clear: Think hard about data security, think often about data security, and act vigilantly.

The guidance is available here: www.whitehouse.gov/sites/whitehouse.gov/files/documents/PMI_Security_Principles_Framework_v2.pdf.

For more information you can contact Ryan P. Blaney or another member of Cozen O’Connor’s Health Law team.


The E-Cigarettes Industry Fights Back Challenging the FDA in Federal Court

Posted by Ryan Blaney on May 16, 2016
E-Cigarettes, Food and Drug Law, HHS, Regulations


Days after the publication of the Food and Drug Administration’s controversial final rule regarding e-cigarettes (and other nicotine-delivering products), a company called Nicopure Labs LLC filed a lawsuit challenging it in the U.S. District Court for the District of Columbia.  Nicopure seeks to have the rule vacated and declared unlawful, and has requested a preliminary injunction barring enforcement of the rule and prohibiting the FDA from taking any action under the rule pending resolution of the lawsuit.

The final rule, which will take effect on August 8, 2016 absent an injunction, grants the FDA authority to regulate electronic cigarettes and other vaping products and imposes rules on the industry that many insiders fear will leave it decimated. These rules include banning sales to anyone younger than 18 years of age, requiring extensive warning labels on packaging and, most significantly, subjecting all products (even those currently on the market) to the FDA approval process and the FDA’s reporting and recordkeeping requirements. The price tag associated with the FDA approval process alone will likely pose an insurmountable barrier for the small vape shops, device manufacturers and e-liquid producers that currently drive most of the industry.

Nicopure, a Florida company that distributes battery-powered vaping devices and manufactures and distributes e-liquid, seeks to have the Final Rule vacated on several grounds.  First, Nicopure alleges that the deeming rule defines “tobacco product” so broadly that it constitutes an unreasonable construction of the authority granted under the Administrative Procedure Act (APA).  Additionally, Nicopure contends that the rule should be vacated as arbitrary and capricious in violation of the APA.  Finally, Nicopure brings a constitutional challenge, arguing that the rule violates the First Amendment by prohibiting manufacturers from “making truthful and nonmisleading statements regarding vaping devices, e-liquids and related products” and from “engaging in other forms of protected expression, including by distributing free samples of vaping devices or e-liquids.”

As of this writing, the FDA has not responded to Nicopure’s complaint, but the case (Nicopure Labs, LLC v. Food and Drug Administration, et al.,1:16-cv-00-878) will no doubt be closely watched by the rule’s proponents and detractors alike.

For more information you can contact Ryan Blaney or another member of Cozen O’Connor’s Health Law team.


Heads-up! HIPAA Phase Two Audits Begin – Business Associates Included!

Posted by Ryan Blaney on March 22, 2016
HHS, OCR

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) finally announced on March 21 that it is ready to begin Phase Two of its HIPAA audit program, which will include business associates. These audits, mandated by HITECH, will primarily consist of desk audits, scheduled for completion by the end of December 2016, followed by onsite audits.

OCR explained that it will immediately commence Phase Two by verifying, via email, covered entities’ and business associates’ contact information. OCR is requesting timely responses so that it can send out pre-audit questionnaires to gather data from covered entities and business associates for the creation of potential audit subject pools. The data will relate to the entities’ size, type and operations. Should covered entities and business associates fail to respond to OCR’s requests, they may still be part of OCR’s potential subject pools, because OCR plans to compile publicly available information about covered entities and business associates that do not respond to its requests.

The first round of desk audits will focus on covered entities, and the second round will focus on business associates. The third round will be onsite audits, with a greater focus on the HIPAA requirements. OCR explains that some covered entities and business associates who are subject to desk audits may also be subject to onsite audits. According to OCR, all covered entities and business associates are eligible to be audited. The audits will focus on identifying compliance with specific privacy and security requirements under HIPAA/HITECH, and OCR will notify auditees by letter, regarding the subject(s) of their specific audits. On the HHS website, OCR provides a sample letter for review. Subsequent to the audits, OCR will review and analyze information from audit final reports.

Importantly, if an audit report uncovers significant noncompliance with HIPAA, it could prompt an investigation by OCR. The areas of interest for OCR in Phase Two will become clearer as the Phase Two audit program gets underway, but for now, we know OCR will focus on assessing covered entities’ and business associates’ HIPAA compliance, identifying best practices and discovering risks and vulnerabilities.

More information about the Phase Two audits is available here, and you can also contact Greg Fliszar, Ryan Blaney, J. Nicole Martin or another member of Cozen O’Connor’s Health Law team.


Finally! CMS Publishes the 60-Day Rule for Reporting and Repaying Medicare Overpayments

Posted by Ryan Blaney on February 12, 2016
ACA, Affordable Care Act, False Claims Act, Final Rule, Fraud and Abuse

After four years and 200 comments, CMS finalized the much‑awaited “60‑Day Rule” for reporting and repaying Medicare Part A and B overpayments (CMS issued a Final Rule related to Medicare part C and D overpayments in the May 23, 2014 Federal Register, 79 FR 29844, and will address Medicaid overpayments in future rulemaking). The 60-Day Rule is part of CMS’s efforts to reduce fraud, waste, and abuse in the Medicare program.

Section 6402(d) of the Affordable Care Act (ACA) created section 1128J(d) of the Social Security Act (codified at 42 U.S.C. 1320a-7k(d)), requiring a person or entity who has received an overpayment to report and return the overpayment to the appropriate entity by the later of: (1) 60 days after the date on which the overpayment was “identified”; or (2) the date any corresponding cost report is due (if applicable). Importantly, the ACA also made reporting and repaying overpayments within 60 days an “obligation” under the False Claims Act (FCA), and therefore subject to FCA liability. Proof of specific intent to defraud the government is not required for a person or entity to be liable under the 60-Day Rule.

The Final Rule slightly relaxes some of the onerous requirements in the 2012 Proposed Rule:

Six-Year Lookback Period: CMS responded to numerous comments and concerns that the proposed 10-year lookback period for identifying overpayments was too long. The 60-Day Rule changed the lookback period to 6 years, consistent with the statute of limitations for the FCA.

Definition of Identify: CMS acknowledged the numerous comments submitted on what it means to “identify” an overpayment and said, “We agree and have revised the language … to clarify that part of identification is quantifying the amount, which requires a reasonably diligent investigation.” According to CMS, “[t]he Final Rule clarifies that a person has identified an overpayment when the person has or should have, through the exercise of reasonable diligence, determined that the person has received an overpayment and quantified the amount of the overpayment.” CMS warned Medicare providers and suppliers not to use the “ostrich defense”; reasonable diligence includes both proactive compliance activities conducted in good faith by qualified individuals, and good faith investigation of credible information conducted in a timely manner by qualified individuals. Quantification of the amount of the overpayment may be determined using statistical sampling and extrapolation methodologies.

How to Report and Return Overpayments: The Final Rule states that providers and suppliers must use an applicable claims adjustment, credit balance, self-reported refund, or another appropriate process to satisfy the obligation to report and return overpayments.

The Final 60-Day Rule is available at: https://federalregister.gov/a/2016-02789. By way of comparison, the February 16, 2012 Proposed Rule is available at: https://www.gpo.gov/fdsys/pkg/FR-2012-02-16/pdf/2012-3642.pdf

To learn more about reporting or making repayments under the Final Rule, please contact Ryan Blaney, Dana Petrillo or any member of Cozen O’Connor’s Health Law team.


The “Other” Safe Harbor: OIG Warns Healthcare Providers and Vendors Against Information Blocking and Federal Anti-Kickback Violations


For those of us who work in the privacy and security space, this past week has been a whirlwind, with focus on the ramifications of the European Court of Justice (ECJ) decision invalidating the EU-U.S. Safe Harbor Agreement. Much has been written on the EU-U.S. Safe Harbor Agreement and much more will be written in the coming weeks. See Cozen O’Connor’s Cyber Law Monitor recent blog post, The End of Safe Harbor – What Does it Mean? However, the ECJ decision was not the only news on safe harbor last week. The U.S. Department of Health and Human Services, Office of Inspector General (“OIG”) issued its thoughts on data arrangements and safe harbor, albeit a much different safe harbor than the EU-U.S. Safe Harbor Agreement. Healthcare providers and health IT vendors should pay close attention to OIG’s Alert. See October 6, 2015 OIG Alert.

OIG issued the Alert during National Health IT Week and described it as a “Policy Reminder” on Information Blocking and the Federal Anti-Kickback Statute (42 U.S.C. 1320a-7b(b)). The Federal Anti-Kickback Statute prohibits individuals and entities from knowingly and willfully offering, paying, soliciting, or receiving remuneration to induce or reward referrals of business reimbursable under any Federal health care program (“FHCP”). The Alert addresses a growing trend in the industry: arrangements involving the provision of software or information technology to a referral source. Although there is a safe harbor for electronic health records (“EHR”) arrangements, an arrangement “must fit squarely in all safe harbor conditions to be protected.” 42 CFR § 1001.952(y).

In its alert, OIG focused on the parameters of the safe harbor exception that allows donors to enter into a wide variety of arrangements involving EHR software, IT, and training services, provided there are no restrictions to the use, compatibility, or interoperability of donated items or services.  42 CFR § 1001.952(y)(3).  OIG provided guidance on this issue in 2013, explicitly stating that if the interoperability of an item or service is restricted by the donor or anyone acting on the donor’s behalf, including the recipient, then the donation violates the exemption and thus will be actionable under the Federal anti-kickback statute.

OIG’s Alert highlights practices outlined in its 2013 guidance that would be actionable under the Federal Anti-Kickback Statute. For example, an agreement between a donor and a recipient to limit a competitor from interfacing with the donated items or services would be actionable. Even an agreement between a donor and an EHR technology vendor to charge non-recipient providers, non-recipient suppliers, or competitors high fees may be actionable.

OIG also provided an open invitation to whistleblowers to report fraud by urging persons with knowledge of violations of the safe harbor to be vigilant in reporting potential violations to their office.  Violations will occur when donors engage in information blocking, which refers to practices that unreasonably block the sharing of electronic health information (EHI).  OIG provided three criteria in a 2015 report for identifying practices that qualify as information blocking:

  1. Interference with the ability of authorized people to access, exchange, or otherwise use EHI.
  2. Knowledge, actual or expected under the circumstances, that the practice will be considered information blocking.
  3. No reasonable justification for limiting sharing of EHI.

If all three criteria are met, then the practice in question is considered information blocking.

For more information on this Alert, contact Ryan P. Blaney or any member of Cozen O’Connor’s Health Care team.


Largest Criminal Health Care Fraud Takedown – 243 Charged and $712 Million in False Billings

Posted by Ryan Blaney on June 18, 2015
DOJ, FBI, Fraud and Abuse, HHS, Hospital, Medicare


On June 18, 2015, HHS Secretary Sylvia M. Burwell and DOJ Attorney General Loretta E. Lynch announced nationwide arrests in Medicare fraud schemes amounting to approximately $712 million in false billings.  Attorney General Lynch described the strike as “the largest criminal health care fraud takedown in the history of the Department of Justice, and it adds to an already remarkable record of enforcement.”

According to the Department of Justice press release, the takedown was led by the Medicare Fraud Strike Force and resulted in 243 individuals, including 46 doctors, nurses and licensed medical professionals, being charged with Medicare fraud. The Strike Force targeted false billings for the following services:

  • Home Health
  • Psychotherapy
  • Physical and Occupational Therapy
  • DME
  • Pharmacy Fraud

The nationwide sweep included Florida, Texas, California, Louisiana, New York and Michigan.  Miami was a particular focus with 73 defendants charged and $263 million of false billings for home health, mental health and pharmacy services.

This nationwide sweep involved significant coordination between multiple government enforcement agencies and illustrates the government’s joint efforts to target health care fraud.  Included in the press conference were FBI Director James B. Comey, Assistant Attorney General Leslie R. Caldwell of the Justice Department’s Criminal Division, Inspector General Daniel R. Levinson of the HHS Office of Inspector General (HHS-OIG) and Deputy Administrator and Director of CMS Center for Program Integrity Dr. Shantanu Agrawal.

Assistant Attorney General Caldwell spoke and emphasized the Criminal Division’s increased focus on Medicare fraud, stating, “Every day, the Criminal Division is more strategic in our approach to prosecuting Medicare Fraud. We obtain and analyze billing data in real-time. We target hot spots – areas of the country and the types of health care services where the billing data shows the potential for a high volume of fraud – and we are speeding up our investigations. By doing this, we are increasingly able to stop schemes at the developmental stage, and to prevent them from spreading to other parts of the country.”

For further information contact Ryan P. Blaney or any member of Cozen O’Connor’s health care team.


Not Much New … But a Good Reminder for Medical Director Relationships

Posted by Ryan Blaney on June 15, 2015
CMS, Hospital, OIG, Regulations

After a significant number of settlement agreements involving the U.S. Department of Health and Human Services Office of Inspector General (OIG), OIG decided to release a Fraud Alert reminding physicians, practices and hospitals about the significant compliance risks in medical director agreements. The June 9, 2015 Fraud Alert highlights four issues of concern in medical director agreements and relationships:

  1. Agreements providing for medical director compensation based upon a calculation taking into account the volume of a medical director’s referrals to the entity he or she is serving as medical director.
  2. Agreements providing for medical director compensation above fair market value for the services to be rendered by the medical director.
  3. Medical directors failing to actually render the services set forth in medical director agreements, yet still being compensated for such services.
  4. Agreements providing that affiliated health care entities pay for a medical director’s front office staff, thereby relieving the medical director of a financial burden such medical director would otherwise have incurred.

This Fraud Alert offers nothing new in terms of Anti-Kickback regulation and enforcement, reiterating to providers that the Anti-Kickback Statute generally prohibits a provider from being paid any form of remuneration for referring a patient for federal health care business. It appears to be a not-so-friendly reminder that “remuneration” can come in many shapes and sizes, and that physicians must continue to be vigilant in negotiating and entering into medical director agreements, as well as in their adherence to them. A physician considering entering into any business venture in the health care sector should proceed with caution, and always confer with a health care attorney before signing on the dotted line. The complete June 9, 2015 Fraud Alert can be found here: http://oig.hhs.gov/compliance/alerts/guidance/Fraud_Alert_Physician_Compensation_06092015.pdf.

For further information contact a member of Cozen O’Connor’s health care team.

Authored by Ryan Blaney (Washington, DC) and Marc Goldsand (Miami, FL).


“It’s Not Easy to Unscramble the Eggs” … Despite the FTC’s Win at the U.S. Supreme Court, the Phoebe Putney Hospital Merger Remains Intact

Posted by Ryan Blaney on April 03, 2015
Antitrust, CON Laws, Federal Trade Commission, Hospital, Merger

Nearly four years after the Federal Trade Commission (“FTC”) first challenged the combination of the only two hospitals in Albany, Georgia, the FTC, Phoebe Putney Health Systems, Inc. (“Phoebe Putney”), Hospital Authority of Albany – Dougherty County (“Hospital Authority”) and HCA, Inc. (“HCA”) agreed to enter into a Consent Agreement. The FTC’s vote finalizing the Consent Agreement was 3-0-2, with Commissioners Joshua D. Wright and Terrell McSweeny not participating. The Phoebe Putney litigation illustrates the challenges that the FTC and entities attempting to consummate a deal face in the merger process. In Phoebe Putney, the FTC lost in two lower federal courts and won at the U.S. Supreme Court, but ultimately was unable to unscramble a hospital merger that was found to be (1) anti-competitive and (2) a monopoly for inpatient general acute care.

In addition to the Consent Agreement, a Statement was issued by Chairwoman Ramirez on March 31, 2015 summarizing the extensive procedural history of the litigation, the reasons the FTC challenged the merger, why the FTC did not require a divestiture and an explanation of the obligations that Phoebe Putney must meet under the Consent Agreement.  The March 31st Statement may provide insights into the FTC’s strategies when challenging future hospital mergers.  As explained below in the practice pointers, we anticipate the FTC citing Phoebe Putney in support of their preliminary injunctions and also citing to state certificate of need [CON] laws as evidence of barriers to entry for hospital competitors.

By way of background, since 1890 federal laws have supported national policies in favor of competition. In Parker v. Brown, a 1943 U.S. Supreme Court decision, the state action doctrine provided that state governments have immunity from federal antitrust laws when they authorize economic activity that normally would be anticompetitive and illegal. In 1941, Albany, Georgia and surrounding Dougherty County set up the Hospital Authority. The Hospital Authority acquired an existing hospital, Phoebe Putney Memorial Hospital. Two miles away, Palmyra Medical Center was operated separately by HCA, Inc., one of the largest health care providers in the United States. Palmyra and Phoebe Putney merged, with the Hospital Authority as the buyer of Palmyra and the funds coming from Phoebe Putney. Palmyra hospital was leased to Phoebe Putney for $1 a year. The Hospital Authority approved the merger in December 2010 but was not involved in the merger talks or management of the hospital.

The FTC and the State of Georgia sought a preliminary injunction in federal court to block the transaction, but the federal district judge held that the state action doctrine applied and refused to stop the merger. The FTC appealed to the 11th Circuit, which also found that the merger was insulated from antitrust inquiry under state action immunity, concluding that harm to competition was the “foreseeable result” of the legislature’s establishment of the Hospital Authority.

The 11th Circuit decision dissolved the injunction pending appeal and on December 15, 2011 the merger was finalized.  The FTC appealed the 11th Circuit’s decision to the U.S. Supreme Court.  The two issues were: (1) whether the legislature had expressed its intentions clearly enough in allowing hospital proxies to operate in anti-competitive ways, and (2) whether the local hospital arrangement did not have immunity because the hospital authority had not played a large enough role in the merger.

The Supreme Court unanimously answered the first question, ruling that the state legislature had “not clearly articulated and affirmatively expressed a policy to allow hospital authorities to make acquisitions that substantially lessen competition.”  Following the Supreme Court decision, the FTC proceeded with the administrative litigation and proposed a 2013 consent agreement.  However, the 2013 consent agreement was withdrawn after a newly formed health care entity, North Albany Medical Center LLC, expressed interest in Palmyra hospital and sought clarification on Georgia’s CON laws.

In October 2014, the Georgia Department of Community Health (“DCH”) Hearing Officer issued a written finding that the CON laws would preclude Phoebe North from purchasing Palmyra since the Albany region was deemed “over-bedded.”  Given the DCH’s decision, the FTC determined that divestiture of Palmyra – Phoebe Putney was impossible.

The March 31st Settlement is very similar to the one proposed in 2013.  The Settlement requires:

  • Phoebe Putney and the Hospital Authority to notify the FTC in advance of acquiring any part of a hospital or a controlling interest in other health care providers in Albany for the next 10 years.
  • Phoebe Putney and the Hospital Authority cannot object to regulatory applications made by potential new hospital providers in the same region for 5 years.
  • Phoebe Putney and the Hospital Authority stipulate that the transaction was anti-competitive.

Practice Points:

  • The FTC’s March 31st Statement by Chairwoman Ramirez emphasizes the importance of the FTC and private plaintiffs in obtaining preliminary injunctive relief prior to a transaction closing. The health care industry should anticipate the FTC citing the Phoebe Putney case as supporting authority for why there will be irremediable harm if a hospital transaction closes before all appeals are exhausted.
  • We also anticipate that the FTC will use the Phoebe Putney case in support of arguments that state CON laws are additional barriers to entry for potential competitors and should be a significant factor when analyzing proposed mergers.

For further information contact the author Ryan P. Blaney (Washington, DC) or other members of Cozen O’Connor’s healthcare antitrust team, R. Christopher Raphaely (Philadelphia, PA), Melissa H. Maxman (Washington, DC) and Jonathan Grossman (Washington, DC).


Another Health Plan Hit By Massive CyberAttack and Class Actions Follow

Coming fresh off the heels of the Anthem data breach, Premera Blue Cross announced on March 17th that it was the victim of a “sophisticated” cyberattack that may have exposed the personal information of approximately 11 million of its members. Premera has approximately 6 million members residing in the State of Washington, 250,000 members residing in Oregon and 80,000 members residing in Alaska. Premera stated that the cyberattack began sometime in May of 2014 but was not discovered until the end of January 2015. According to Premera, the information exposed may include social security numbers, bank account information, and medical and financial information, including clinical information.

Three state insurance commissioners (Washington, Oregon and Alaska) have already launched a joint investigation and a market conduct examination of Premera related to the breach. The joint investigation will include on-site reviews of Premera’s financial books, records, transactions, and Premera’s cybersecurity. The Washington Insurance Commissioner has expressed concern over the length of time (approximately six weeks) it took for Premera to notify his office of the attack. Alaska’s governor ordered all state agencies to review their online security safeguards as well as those put in place by their business associates. Premera is also conducting an internal forensic investigation through a cybersecurity firm and is cooperating with the FBI in a criminal investigation.

Combined with the cyberattacks on Community Health Systems and Anthem, this is the third large attack on a member of the health care industry announced in the last seven months, and these three breaches may have collectively impacted approximately 95.5 million people. As these attacks illustrate, health information is now a high-priority target for cybercriminals. Currently, a complete health record may be worth at least ten times more than credit card information on the black market, as health records often include a wealth of personal information that can be used for identity theft and to file false health insurance claims. Further, the data security protections currently in place in the health care industry tend to lag behind those in the banking and financial sector, which makes the information vulnerable to attack by those who view the valuable information as “low-hanging fruit.”

Similar to the Anthem and the Community Health Systems breaches, Premera was immediately hit by a proposed class action accusing Premera of negligence and inadequate security.  The March 26, 2015 Complaint alleges that Premera breached its duty of care by failing to secure and safeguard the personal and health information of its members and negligently maintaining a system that it knew was vulnerable to a security breach.  The Complaint further alleges that Premera has a duty to secure and safeguard the personal health information of its members under HIPAA and its failure to implement security and privacy safeguards was a violation of HIPAA.  The Complaint also alleges violations of state consumer protection laws and data disclosure laws.

As evidenced by the Anthem and Premera breaches, a single security incident resulting in a data breach can have significant consequences for health care companies and business associates, including government investigations, class action lawsuits, and a hit to the organization’s reputation. To manage this risk, we encourage all companies handling health information to conduct comprehensive risk assessments and to create, review and update their data security policies and procedures to ensure that they are doing enough to adequately protect the health information maintained on their IT systems and elsewhere in their organization.
