A Case Study in the Lack of Federal and State Coordination
As published in the ISSA Journal, February 2018. ISSA is the Information Systems Security Association International.
Executive Summary: Federal and state laws governing notification of breach of patient medical information vary, and some of those variations are material. It is important for health care providers to understand the differences between these regulatory schemes and to comply with each. Providers located in one state and treating patients from another state may also have a regulatory burden of which they are unaware. The assistance of experienced privacy and data breach counsel should be sought when examining these issues.
The Health Information Technology for Economic and Clinical Health Act (“HITECH Act”), enacted by Congress as a part of the American Recovery and Reinvestment Act of 2009, places a duty on covered entities to notify patients, the Secretary of the Federal Department of Health and Human Services through its Office for Civil Rights (“OCR”) and, in some cases, the media, of any “breach” of unsecured “protected health information” (“PHI”).[1] Because of this obligation, it is important that health care providers develop internal systems for investigating security incidents involving unsecured PHI. Critically, although every “breach” of unsecured PHI is an impermissible disclosure under HIPAA, not every impermissible disclosure under HIPAA is a “breach.” Being able to tell the difference between the two will help covered entities avoid unnecessary, embarrassing, and potentially costly notification requirements and penalties.
Adding to this regulatory burden are the requirements of the several states governing patient information and its privacy. Although many states default to the federal HIPAA standard, many do not. In these states, covered entities may have different reporting requirements, different definitions of the data covered by the protections of state law, and differing penalties. Providers need to be aware of both and not make the mistake of assuming that HIPAA pre-empts all state privacy rules. Remember: only those state regulations that provide less protection for patients are replaced by HIPAA; in all other circumstances, the state scheme survives.[2]
The Federal Framework
For federal purposes, “unsecured PHI” is defined as PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of encryption technologies or methods of physical destruction approved by OCR.[3] Currently approved encryption technologies and destruction methodologies are outlined in the National Institute of Standards and Technology (“NIST”) Special Publications 800-111, 800-52, 800-77, 800-113, and 800-88.[4] The definition should remind us that the federal HITECH breach and notification requirements cover both paper and electronic records: this is not just an expansion of the HIPAA Security Rule covering only electronic PHI.
A “breach” of unsecured PHI under the federal regulations occurs where (1) the PHI is acquired, accessed, used, or disclosed in a manner not permitted under the HIPAA Privacy Rule;[5] and (2) that compromises the security or privacy of the protected health information. The security or privacy of the information is presumed compromised for the purpose of this analysis UNLESS an exception applies (described below) OR the covered entity “demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment” of at least the following factors:
(i) The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
(ii) The unauthorized person who used the protected health information or to whom the disclosure was made;
(iii) Whether the protected health information was actually acquired or viewed; and
(iv) The extent to which the risk to the protected health information has been mitigated.
Even if the “breach” does not pass the above analysis, it is still not a “breach” requiring notice and disclosure under the federal scheme if the information meets any one of the following three (3) criteria:
(a) It is individually identifiable health information held by the covered entity or business associate in its capacity as an employer. For example, workers’ compensation information on a hospital’s employee would contain health information, but it would not be subject to these provisions.
(b) It is PHI that does not include one of the sixteen (16) identifiers listed at 45 C.F.R. § 164.514(e)(2) or the patient’s date of birth or the patient’s zip code.
(c) It is information that has been “de-identified” in accordance with the HIPAA Privacy Rule.[6]
A Smattering of State Schemes
As one might expect, state legislators and regulators take very different approaches to privacy of their citizens’ personal health information and when notification of a security incident is required. A brief examination of three such regulatory schemes will illustrate the problem for health care businesses with a presence in more than one state.
Section 1280.15 of the California Health & Safety Code requires certain medical providers to “report any unlawful or unauthorized access to, or use or disclosure of, a patient’s medical information to the [California Department of Public Health] no later than 15 business days after the unlawful or unauthorized access, use, or disclosure has been detected” by the provider, and to make the same report to “the affected patient or the patient’s representative.”[7]
“Medical information” means any individually identifiable information, in electronic or physical form, in possession of or derived from a provider of health care, health care service plan, pharmaceutical company, or contractor regarding a patient’s medical history, mental or physical condition, or treatment. “Individually identifiable” means that the medical information includes or contains any element of personal identifying information sufficient to allow identification of the individual, such as the patient’s name, address, electronic mail address, telephone number, or social security number, or other information that, alone or in combination with other publicly available information, reveals the individual’s identity.[8] A “breach” in this context means any “unlawful or unauthorized access to, [or] use [or] disclosure of” medical information.[9] “Unauthorized” in this context means “access, review, or viewing of patient medical information without a direct need for medical diagnosis, treatment, or other lawful use as permitted by the Confidentiality of Medical Information Act or any other statute or regulation governing the lawful access, use, or disclosure of medical information.”[10]
One can see immediately that the California statute is remarkably similar to the current HIPAA/HITECH statute in both the breadth of information covered and the circumstances under which that information is compromised. And both the California statute and HIPAA/HITECH exempt from the breach notification requirements incidents involving any information that is encrypted. However, the California statute does not contain any exemption from breach notification if there is a “low probability that the [PHI] has been compromised” as the federal scheme does: any breach meeting the California definition (and therefore, arguably, the HIPAA/HITECH definition) would require patient notification.[11]
But, and importantly for our comparison, California does provide a “safe harbor” for health care entities involved in a breach that would qualify under both California law and HIPAA. Entities that are “covered entities” under HIPAA need only comply with the patient notification requirements articulated in HITECH in order to comply with the patient notice provisions of California law; however, those entities will still have to notify the California attorney general if required to do so.
The Florida Information Protection Act of 2014 (FIPA)[12] requires “covered entities”[13] to notify persons if a “breach of security” occurs with respect to a person’s “personal information.” FIPA defines “personal information” as one of two types of information: (1) an individual’s first name or first initial and last name in combination with at least one of (a) a social security number; (b) a “driver license or identification card number, passport number, military identification number, or other similar number issued on a government document used to verify identity”; (c) a financial account number or credit or debit card number, in combination with any required security code, access code, or password that is necessary to permit access to an individual’s financial account; (d) any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional; or (e) an individual’s health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the individual; OR (2) a user name or e-mail address, in combination with a password or security question and answer that would permit access to an online account.[14] A “breach of security” occurs when there is “unauthorized access of data in electronic form containing personal information.”[15] However, a breach is not a breach requiring notice if “after an appropriate investigation and consultation with relevant federal, state, or local law enforcement agencies, the covered entity reasonably determines that the breach has not and will not likely result in identity theft or any other financial harm to the individuals whose personal information has been accessed.”[16]
Several things are apparent when comparing FIPA with HIPAA. First, there are fewer exceptions to the notification standard if a breach has occurred in FIPA; however, the risk protected against in FIPA (identity theft and financial harm) is arguably more narrow than the risk framework contemplated by HIPAA, which would include reputational and other non-financial risks, and could therefore more easily result in a “no notice” breach. Second, the exception available under FIPA requires active collaboration with law enforcement, whereas there is no such requirement in HIPAA. Third, although HIPAA could consider a breach to occur when any of the information listed in FIPA is used, accessed, acquired, or disclosed, FIPA requires those data elements to be accessed “in combination with” the patient’s name; thus, a release of just a patient’s name would not cause a breach under FIPA when it would under HIPAA. Fourth, FIPA requires the release of both the person’s email account AND password or access credential, whereas HIPAA requires only one of the two to be involved in a “breach.” Finally, and most importantly, FIPA only covers electronic information, whereas HIPAA applies to all PHI, regardless of the format in which it is maintained.
North Carolina’s Identity Theft Protection Act of 2005[17] requires businesses[18] and state and local government to notify people when there is a “security breach” involving their “personal information.”[19] For the purposes of this statute, a “security breach” is “an incident of unauthorized access to and acquisition of unencrypted[20] and unredacted records or data containing personal information where illegal use of the personal information has occurred or is reasonably likely to occur or that creates a material risk of harm to a consumer.”[21]
In the healthcare context, the North Carolina act may have limited application, as the types of data covered generally are only those relating to financial resources. However, a patient’s name, Social Security number, email addresses, biometric identifiers, fingerprints, and “any other numbers or information that can be used to access a person’s financial resources,”[22] which could include “health plan beneficiary numbers” and “account numbers,”[23] are protected under the North Carolina act and under HIPAA as well.
Without even considering the definition of “personal information,” note the important distinctions between the federal HIPAA framework and the North Carolina act. First, the data must be illegally accessed and acquired for the North Carolina act to apply, whereas HIPAA requires only one or the other. Second, and similar to the rule in Florida, whereas encryption of the data provides a complete exception to the breach and notice framework under HIPAA, the acquisition of the data along with the key to the encryption still constitutes a breach requiring notice in North Carolina. Third, unless criminal activity is involved, a “security breach” is not presumed under the North Carolina act; an analysis still must be conducted to determine whether there is a “material risk of harm,” which is the approach to the HIPAA breach notification scheme before its most recent amendment.
States take a varied approach to the regulation of losses of patient health information. Some regulate only electronic information (such as Florida), others apply regulatory scrutiny only if it can be shown that the information has been both accessed and acquired by an unauthorized person (such as North Carolina), and some, such as California, provide even broader protections than those found in HIPAA/HITECH. Providers operating in states with such statutes and regulations must be mindful of the differences between the federal and the operative state schemes. In addition, some states, of which North Carolina is one, would purport to regulate providers outside of the state who hold protected information on the state’s own citizens, a situation which could prove harmful to providers holding licenses in that state even though they may not have a physical presence there. Careful review of all of the statutes, rules, and regulations applicable to patient data safety and release is ever more critical. Providers would be well advised to seek knowledgeable counsel to guide them through these requirements.
Barry S. Herrin, JD, FAHIMA, FACHE, is the founder of Herrin Health Law, P.C., in Atlanta. Herrin offers more than 25 years of experience practicing law in the areas of healthcare and hospital law and policy, privacy law and health information management, among other healthcare-specific practice areas. He is a Fellow of the American College of Healthcare Executives and a Fellow of the American Health Information Management Association. He also holds a Certificate in Cyber Security from the Georgia Institute of Technology.
[1] The combined regulations can be accessed at https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/combined/hipaa-simplification-201303.pdf
[2] 45 C.F.R. Section 160.202.
[3] 45 C.F.R. Section 164.402.
[4] 45 C.F.R. Section 164.310 requires covered entities to address the “final disposition of electronic protected health information and/or the hardware or electronic media on which it is stored” and to implement procedures for “removal of electronic protected health information from electronic media before the media are made available for re-use.” The NIST criteria for electronic data destruction are available at http://csrc.nist.gov/.
[5] 45 C.F.R. § 164.500, et seq.
[6] 45 C.F.R. Section 164.502(d) permits a covered entity or its business associate to create information that is not individually identifiable by following the de-identification standard and implementation specifications in § 164.514(a)-(b).
[7] Section 1280.15(b) of the California Health & Safety Code.
[8] Section 56.05(j) of the California Civil Code.
[9] Section 1280.15(a) of the California Health & Safety Code.
[10] Id. The Confidentiality of Medical Information Act is found at Section 56 of the California Civil Code.
[11] Section 1280.15(b) of the California Health & Safety Code.
[12] Fla. Stat. Section 501.171.
[13] The definition includes arguably only “commercial entities” and all units of state and local government that “maintain, store, or use personal information.” Fla. Stat. Section 501.171(1)(b).
[14] Fla. Stat. Section 501.171(1)(g)(1).
[15] Fla. Stat. Section 501.171(1)(a).
[16] Fla. Stat. Section 501.171(4)(c).
[17] N.C.G.S. Chapter 75-60 et seq.
[18] The business must either be located in North Carolina or the data must be that of North Carolina residents.
[19] N.C.G.S. Section 75-65(a). The term “personal information” includes the information governed by N.C.G.S. Section 14-113.20(b) regarding identity theft, and includes the following pieces of information in combination with a person’s first name or first initial and last name: (1) Social Security or employer taxpayer identification numbers; (2) driver’s license, State identification card, or passport numbers; (3) checking account numbers; (4) savings account numbers; (5) credit card numbers; (6) debit card numbers; (7) Personal Identification (PIN) Code; (8) electronic identification numbers, electronic mail names or addresses, Internet account numbers, or Internet identification names; (9) digital signatures; (10) any other numbers or information that can be used to access a person’s financial resources; (11) biometric data; (12) fingerprints; (13) passwords; and (14) parent’s legal surname prior to marriage.
[20] “Any incident of unauthorized access to and acquisition of encrypted records or data containing personal information along with the confidential process or key shall [also] constitute a security breach.” N.C.G.S. Section 75-61(14).
[21] N.C.G.S. Section 75-65(a).
[22] N.C.G.S. Section 14-113.20(b)(10).
[23] 45 C.F.R. Section 164.512(b)(2)(i)(H), (I), (P).