The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) continues to pay close attention to companies in the health care industry and how they use patient information, specifically in the context of the Health Insurance Portability and Accountability Act (HIPAA). OCR has announced its first ever enforcement action and settlement agreement related to its Right of Access Initiative. The Initiative was announced earlier in 2019 and is focused on enforcing individuals’ rights to receive copies of their medical records (or their minor children’s records) in a timely and cost-friendly manner.
The settlement arose out of an OCR investigation into a hospital after a woman complained that the hospital did not provide access to records about her unborn child. As a result of the investigation, the hospital provided the woman with the records more than nine months after her request. Under the settlement, the hospital paid OCR $85,000 and is required to develop information access policies and procedures, provide employee training on those policies and be monitored by OCR for one year. This recent settlement reflects just how seriously OCR is taking its Right of Access Initiative. Healthcare providers should become familiar with and comply with HIPAA’s right of access rules. These require providers to give individuals access to their personal health information within 30 days of the request and to make sure fees for record copies are reasonable and cost-based.
OCR also recently announced its settlement with Medical Informatics Engineering, Inc. (MIE), an Indiana company that provides medical record services to health care providers. In 2015, MIE notified OCR that hackers accessed personal health information of over 3.5 million people. OCR then investigated and discovered MIE had never conducted a comprehensive risk analysis to determine risks and vulnerabilities with respect to the company’s personal health information. As part of the settlement, MIE paid OCR $100,000 and must implement a corrective action plan to help MIE comply with HIPAA rules.
It is imperative for companies entrusted with personal health information to conduct risk assessments. HIPAA rules specifically require companies to “conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information” held by the company. Failure to do so can lead to enforcement actions and leaves businesses open to data breaches.
In May, OCR announced that Touchstone Medical Imaging (Touchstone), a company providing diagnostic medical imaging services, agreed to pay $3,000,000 and adopt a corrective action plan to settle potential HIPAA violations.
In 2014, both the FBI and OCR notified Touchstone of a data breach allowing uncontrolled access to Touchstone patients’ personal health information. While Touchstone initially denied any health information was exposed in the breach, OCR later discovered health information of over 300,000 people was exposed and available online. OCR’s investigation revealed a number of other issues, including Touchstone’s failure to seriously investigate the breach until months after notice from both the FBI and OCR, failure to notify individuals affected by the breach in a timely manner, failure to conduct a comprehensive risk assessment and a lack of HIPAA-required agreements between Touchstone and its third-party vendors.
The Touchstone incident reflects how a complete lack of preparation in the data privacy and security context can lead to disaster. As the OCR Director has stated, a failure to identify personal health information risks and vulnerabilities “opens the door to breaches and violates HIPAA.” When a data breach occurs, businesses must take it seriously, not only to minimize the risk to the affected individuals but also to minimize the risk to themselves. Failure to do so, as Touchstone has learned, can be quite costly.
Enforcement actions are not limited to health information. The Federal Trade Commission (FTC) enforces data privacy and security rules through its role to protect consumers and prevent unfair trade practices.
The FTC recently settled charges against an automotive dealer software provider, LightYear Dealer Technologies (LightYear). LightYear’s software collected large amounts of personal information (such as names, addresses, Social Security numbers, credit card numbers and bank account information) about dealership customers and employees. The FTC alleged LightYear stored this information “in clear text, without any access controls or authentication protections, such as passwords.” LightYear also used a backup storage device without taking any steps to ensure it was set up safely and securely. The failure to implement even basic security measures, the FTC alleged, led to a breach exposing the personal information of approximately 12.5 million people.
Under the settlement, unless LightYear develops and implements a comprehensive program to protect personal information, it is prohibited from sharing, collecting or maintaining personal information. Additionally, the settlement requires LightYear to have a third party assess its security program every two years and requires a LightYear senior corporate manager to certify every year that the company is complying with the FTC’s order. When collecting, storing or sharing sensitive personal information, it is imperative to take reasonable steps to secure and protect that data.
Businesses should make sure they understand the type of data they collect, store or share; how it is used; and the risks and vulnerabilities to that data. Doing so enables businesses to develop, maintain and revise policies to best protect consumers’ data. The failure to do so can lead to devastating data breaches and costly regulatory investigations and actions.
The FTC has also announced a proposed record-breaking settlement in which Google, and its subsidiary YouTube, agreed to pay $170 million to settle allegations that they violated the Children’s Online Privacy Protection Act (COPPA) by collecting children’s personal data without parental consent. The FTC alleged YouTube used tracking technology (i.e., cookies) on its child-directed channels to follow users across the internet and deliver targeted ads, without first notifying parents of such practices and obtaining their consent.
Child-directed websites and online services should familiarize themselves with COPPA requirements.
Before child-directed platforms collect personal information from children under the age of 13, they must provide notice of the business’s personal information policies and practices and obtain parental consent.
Further, third parties, such as advertisers, need to know where their data is coming from, as those with knowledge that the information they collect is from users of child-directed platforms are also subject to COPPA rules.
This summer the FTC announced its proposed settlement with Unrollme Inc., a company that helps users manage their emails. The FTC alleged that despite assuring its users it would not access or use their personal emails (instead only clearing out user inboxes, unsubscribing them from unwanted email subscriptions, etc.), Unrollme accessed personal emails containing electronic receipts and shared them with its parent company, which then used and sold the information in its market research products. The settlement requires Unrollme to notify certain users of its information collection and sharing policies, bars Unrollme from misrepresenting its data policies and requires both Unrollme and its parent company to delete the information collected from the electronic receipts unless they obtain express consent from the Unrollme users to keep the data.
Businesses must be honest about their data collection and use policies. To do so, businesses should comprehensively understand their policies and communicate them to customers in a clear, conspicuous way.
Warner Associate Alexandra Woods contributed to this article.