The move to electronic health records encouraged by the Health Information Technology for Economic and Clinical Health (HITECH) Act[1] and the 21st Century Cures Act[2] has transformed the medical record system. Couple that with the COVID-19 pandemic, which hastened the move to telehealth, and the result is that an ever-increasing amount of healthcare data is being generated and stored electronically.
Bad actors have taken notice. In 2020, healthcare data breaches of 500 or more records were reported at a rate of more than 1.76 per day, and 2020 saw 642 large data breaches reported by covered entities and business associates — a 25 percent increase from 2019.[3] Below, please find a refresher of the Health Insurance Portability and Accountability Act (HIPAA) breach notification requirements, state notification requirements, and a discussion of the latest trends in federal and state enforcement.
HIPAA Breach Notification Rule
HIPAA’s Breach Notification Rule defines a “breach” of protected health information (PHI) as an impermissible use or disclosure under the HIPAA Privacy Rule that compromises the security or privacy of the PHI.[4] Under HIPAA’s Breach Notification Rule, a covered entity must notify individuals when there has been a security incident resulting in a breach of the individuals’ unsecured PHI.[5] These individual notifications must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach. They must include, to the extent possible, a brief description of the breach, a description of the types of information that were involved in the breach, the steps affected individuals should take to protect themselves from potential harm, a brief description of what the covered entity is doing to investigate the breach, mitigate the harm, and prevent further breaches, as well as contact information for the reporting entity.[6] If the breach was experienced by the covered entity’s business associate, the covered entity may delegate the responsibility of providing individual notices to the business associate.
Under the HIPAA Breach Notification Rule, covered entities that experience a breach affecting more than 500 residents of a state must promptly notify the media serving the state.[7] The notification may be provided in the form of a press release.[8] This media notification must be provided without unreasonable delay, but in no case later than 60 calendar days after the discovery of the breach.[9]
The HIPAA Breach Notification Rule also requires covered entities to promptly notify the Department of Health and Human Services (HHS) Secretary of breaches affecting more than 500 individuals without unreasonable delay, but in no case later than 60 calendar days after the discovery of the breach.[10] Covered entities may provide this notification to the HHS Secretary by filing a breach report online on the HHS website.[11] For breaches affecting fewer than 500 individuals, covered entities must report to the HHS Secretary on an annual basis by submitting a report no later than 60 calendar days after the end of the calendar year in which the breach is discovered.[12]
Office for Civil Rights (OCR) Enforcement Trends
Resolution Agreements and Corrective Action Plans
The HIPAA Enforcement Rule establishes the compliance responsibilities of covered entities and business associates and the rules governing investigations by OCR, the agency within HHS with HIPAA enforcement authority.[13] Under the HIPAA Enforcement Rule, OCR may impose civil monetary penalties (CMPs) on covered entities and business associates that violate HIPAA.[14] Additionally, in certain circumstances, OCR may reach a resolution with the covered entity or business associate by informal means, requiring the covered entity or business associate to complete a corrective action plan (CAP) — typically, in exchange for a lesser CMP.[15] CAPs generally require the covered entity or business associate to comply with specific enumerated requirements (such as revising and distributing its HIPAA policies and procedures and providing HIPAA training to its workforce) and to report to OCR during the CAP period, which usually runs from one to three years. Accordingly, some HIPAA-governed entities have preferred to pay a CMP rather than enter into a resolution agreement with a CAP and its ongoing monitoring period.[16]
In January 2021, Excellus Health Plan agreed to a $5.1 million CMP and CAP with OCR due to a malware attack that lasted from December 2013 to May 2015.[17] The names, addresses, birth dates, email addresses, social security numbers, bank account information, and claims information of 9.3 million individuals were exposed. OCR stated that the health plan failed, among other things, to complete an enterprise-wide HIPAA security risk assessment.[18]
The other enforcement actions in 2021 have been under OCR’s Right to Access Initiative, which is focused on enforcing patients’ rights of access to their own PHI and medical records in a timely, reasonable manner.[19] As of March 26, 2021, OCR had settled its 18th enforcement action resulting from the Right to Access Initiative. While a continued focus on patient access rights is expected, OCR is also expected to continue to focus its enforcement actions on the need for HIPAA-governed entities to conduct enterprise-wide HIPAA security risk assessments.[20]
Public Law 116-321
On January 5, 2021, Congress enacted Public Law 116-321 (the Act),[21] which amends the HITECH Act. Under the Act, as part of its enforcement of the HIPAA Security Rule, OCR must now consider whether the covered entity or business associate under investigation has had “recognized security practices” in place for at least the last 12 months. The Act defines “recognized security practices” as: (1) standards, guidelines, best practices, methodologies, procedures, and processes developed by the National Institute of Standards and Technology (NIST);[22] (2) the approaches promulgated under the Cybersecurity Act of 2015;[23] and (3) other programs and processes that address cybersecurity and are developed, recognized, or promulgated through regulations under other statutory authorities.[24]
For covered entities that follow “recognized security practices,” HHS may mitigate fines and remedies resulting from enforcement actions and may even issue an early, favorable audit termination.
Other Reporting Requirements
A HIPAA-governed entity reporting a breach to OCR must also consider what other reporting requirements were triggered by the breach at the state and federal level.
State Breach Notification Laws and State Attorneys General
Since California passed the first state breach notification law in 2002, every other state has also passed a breach notification law of some kind.[25] While these state laws share many similarities, the state legislatures did not adopt a uniform law. Rather, the states have tinkered with the notification requirements, each taking its own unique approach. As a result, a “patchwork” of state data breach notification laws has developed. These differences include, but are not limited to, the following:
- Covered Information: Some states have amended their data breach notification laws to include “medical information.” It is important to remember that even if a state law does not cover “medical information,” there are other kinds of data, like Social Security numbers (SSNs), that are covered and could be part of a breach.
- Notice to Attorney General: Some states require notification to the state’s attorney general when a breach occurs that affects residents of the state. The states requiring notification to the attorney general can also have different thresholds for the number of affected residents that triggers a notification requirement.
- Timing of Notification: Some states require notification to residents to occur “without unreasonable delay” and “within the most expedient time possible,” while other states include a specific timeframe for notification.
- HIPAA: Some states have exemptions for entities subject to HIPAA, while other states do not include such an exemption or provide caveats to the exemption.
When responding to a breach, it is critical for an entity to carefully review the requirements for the states where individuals were affected. State attorneys general take their responsibilities to enforce data breach notification requirements seriously and, if needed, will conduct investigations to determine whether an entity adequately notified under the state law.
If an entity suffers a data breach affecting a significant number of individuals, state attorneys general also conduct joint, “multi-state investigations” to determine whether an entity had “reasonable” data security. Following the investigation, when state attorneys general determine an entity’s security was lacking, they will seek — via settlement or lawsuit, if necessary — for the entity to agree to take corrective action to improve its security and make a monetary payment to the states.[26]
State Departments of Insurance
In 2017, the National Association of Insurance Commissioners (NAIC) approved an Insurance Data Security Model Law (NAIC Model Law)[27] that requires “Licensees” to report “Cybersecurity Events.”[28] Several states have passed laws based on the NAIC Model Law.[29] The NAIC Model Law requires notification as promptly as possible but in no event later than 72 hours from a determination that a Cybersecurity Event has occurred when certain criteria are met.
In addition to the states that adopted laws based on the NAIC Model Law, several states have adopted their own data breach incident laws that require notification to state authorities in the event of a cybersecurity event. Of these states, New York’s requirements are the most wide-ranging, including encryption and multi-factor authentication requirements in addition to cybersecurity event reporting, and are discussed below.
NYDFS Cybersecurity Regulation
The New York Department of Financial Services’ Cybersecurity Regulation, which became effective March 1, 2017, requires Covered Entities[30] to notify the superintendent of certain Cybersecurity Events[31] as promptly as possible but in no event later than 72 hours from a determination that a reportable Cybersecurity Event has occurred.[32]
There have been only two enforcement actions brought by NYDFS under the NYDFS Cybersecurity Regulation. The first enforcement action was against First American Title Insurance Company (First American), alleging that First American exposed hundreds of millions of documents containing sensitive personal information.[33] According to the Statement of Charges and Notice of Hearing, the security vulnerability resulted in the exposure of sensitive personal information (SSNs, bank account numbers and statements, mortgage and tax records, wire transaction receipts, and driver’s license images) for over four years on a public-facing website. In addition, First American allegedly waited six months to remedy the breach after it was discovered. This enforcement action is still in litigation.
The second enforcement action was brought against National Securities Corporation (National Securities) and resulted in a settlement in early April 2021.[34] The enforcement action against National Securities resulted, in part, from unauthorized access to an employee’s email account in September 2019. NYDFS’s investigation revealed that National Securities’ internal network did not have multi-factor authentication fully implemented for all users until August 2020. Under the settlement with NYDFS, National Securities must pay $3 million and complete certain remediation activities within 120 days of the settlement.
Securities and Exchange Commission (SEC) Reporting
Finally, the SEC requires companies that are publicly traded to report material events that could be important to shareholders or the SEC.[35] If a public company experiences a data breach or other cybersecurity event that rises to the level of a material event, it must report such event on Form 8-K and file the form with the SEC.
Healthcare entities need to be on the alert. Healthcare data continues to be a target for bad actors. To limit the likelihood of successful attacks, entities should conduct HIPAA security risk assessments and adopt reasonable security practices, as they continue to constitute the best front-line defense and will inevitably be the focus of federal and state regulatory investigations following a data breach.
1. The HITECH Act was signed into law on February 17, 2009 to promote the adoption and improvement of privacy and security protections for healthcare data. Subtitle D of the HITECH Act includes provisions that strengthen the civil and criminal enforcement of the HIPAA rules.
2. The 21st Century Cures Act was signed into law on December 13, 2016 to promote innovation in healthcare and the interoperability of healthcare data.
3. See 2020 Healthcare Data Breach Report: 25% Increase in Breaches in 2020, available at https://www.hipaajournal.com/2020-healthcare-data-breach-report-us/ (last accessed Apr. 29, 2021).
4. 45 C.F.R. § 164.402.
5. Id. at § 164.404(a)(1).
6. If the covered entity has insufficient or out-of-date contact information for 10 or more individuals, the covered entity must provide substitute notice by posting the notice on the home page of its website or by providing the notice in major print where the affected individuals likely reside. Id. at § 164.402(d)(2).
7. 45 C.F.R. § 164.406(a).
8. See HHS, Breach Notification Rule, available at https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html (last accessed Apr. 28, 2021).
9. 45 C.F.R. § 164.406(b).
10. Id. at § 164.408(b).
11. See HHS, Breach Notification Rule, supra n. 8.
12. 45 C.F.R. § 164.408(c).
13. 45 C.F.R. Part 160, Subparts C, D, and E. Since 2009, state attorneys general have had authority to obtain damages on behalf of state residents for HIPAA violations. See American Recovery and Reinvestment Act of 2009, Pub. L. No. 111-5, § 13410(e). Relying on this authority, in the last few years individual state attorneys general have brought a handful of HIPAA enforcement actions. The settlement amounts tend to be lower than settlements with OCR. See, e.g., New Jersey Office of the Attorney General, News Release, “Virtua Medical Group Agrees to Pay Nearly $418,000, Tighten Data Security to Settle Allegations of Privacy Lapses Concerning Medical Treatment Files of Patients,” available at https://nj.gov/oag/newsreleases18/pr20180404b.html (last accessed May 13, 2021).
14. 45 C.F.R. § 160.402(a).
15. Id. at § 160.312(a)(1).
16. For example, University of Texas M.D. Anderson Cancer Center (M.D. Anderson) took just such a path. It then litigated the $4,348,000 CMP levied by OCR. The Fifth Circuit Court of Appeals ruled in M.D. Anderson’s favor. Univ. of Tex. M.D. Anderson Cancer Center v. U.S. Dep’t of Health and Human Serv., No. 19-60226 (5th Cir. Jan. 14, 2021).
18. The HIPAA Security Rule requires a covered entity or business associate to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic PHI that is held by the covered entity or business associate. 45 C.F.R. § 164.308(a)(1)(ii)(A).
19. Under HIPAA, individuals have a right of access to inspect and obtain a copy of their PHI in a designated record set. 45 C.F.R. § 164.524(a)(1). OCR announced in early 2019 its initiative to enforce patients’ rights to access their PHI. The first settlement occurred in September 2019.
20. The OCR’s Right to Access Initiative began under the Trump Administration and focuses on the importance of patients’ right to have access to their confidential medical records. There is no indication from the Biden administration that this initiative will be discontinued. In fact, there have been two right to access settlements since President Biden took office.
21. Public Law 116-321, available at https://www.congress.gov/116/plaws/publ321/PLAW-116publ321.pdf (last accessed May 10, 2021).
22. NIST is a nonregulatory federal agency within the Department of Commerce’s Technology Administration Department that is responsible for developing standards and guidelines used by federal agencies.
23. The Cybersecurity Act of 2015 requires HHS to collaborate with governmental entities and the private sector to establish voluntary, consensus-based, and industry-led guidelines, best practices, methodologies, and procedures to manage cybersecurity risks and support improvements in cybersecurity safeguards in the healthcare industry in a cost-effective manner.
24. The Act states that covered entities and business associates may determine these practices in a manner consistent with the HIPAA Security Rule. Additional guidance may be issued regarding the Act and what programs and processes will be considered as “recognized security practices.”
25. The National Conference of State Legislatures regularly updates a website with links to state data breach notification laws that can be found at: https://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx. While this site provides helpful links, the status of any state requirement should be confirmed with legal counsel.
26. Three multi-state actions have been brought by state attorneys general. The first addressed a 2015 Medical Informatics Engineering incident that led to a $100,000 settlement with OCR and ended in a settlement for $900,000. See North Carolina Department of Justice, News Release, “Attorney General Josh Stein Reaches $900,000 Multistate Settlement with Medical Informatics Engineering Over Data Breach,” available at https://ncdoj.gov/attorney-general-josh-stein-reaches-900000-multi/ (last accessed May 13, 2021). The second addressed a breach that affected over 11 million individuals and settled for $10 million. See Ohio Office of the Attorney General, News Release, “AG Yost Announces Multistate Data Breach Settlement with Premera Blue Cross,” available at https://www.ohioattorneygeneral.gov/Media/News-Releases/July-2019/AG-Yost-Announces-Multistate-Data-Breach-Settlemen (last accessed May 13, 2021). The most recent was a multistate settlement with Anthem. See Arizona Office of the Attorney General, News Release, “Anthem to Pay $39.5 Million in Multistate Settlement over 2014 Data Breach,” available at https://www.azag.gov/press-release/anthem-pay-395-million-multistate-settlement-over-2014-data-breach (last accessed May 13, 2021).
27. See NAIC, Insurance Data Security Model Law, available at https://content.naic.org/sites/default/files/inline-files/MDL-668.pdf (last accessed Apr. 29, 2021).
28. The NAIC Model Law defines “Licensee” as any person “licensed, authorized to operate, or registered, or required to be licensed, authorized, or registered pursuant to the insurance laws of this State but shall not include a purchasing group or a risk retention group chartered and licensed in a state other than this State or a Licensee that is acting as an assuming insurer that is domiciled in another state or jurisdiction.” “Cybersecurity Event” is defined as an event resulting in unauthorized access to, disruption or misuse of, an information system or information stored on such information system.
29. States that have adopted laws based on the NAIC Model Law include, but are not limited to: Delaware (18 Del. Code Ann. §§ 8601 et seq. (2019)); Indiana (Ind. Code Ann. §§ 27-2-27-1 et seq. (2020)); Ohio (Ohio Rev. Code Ann. §§ 3965.01 et seq. (2018)); South Carolina (S.C. Code Ann. §§ 38-99-10 et seq. (2018)); and Virginia (Va. Code Ann. §§ 38.2-621 et seq. (2020)).
30. A Covered Entity is defined as “any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law.” 23 NYCRR § 500.1(c).
31. A Cybersecurity Event is defined as “any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an Information System or information stored on such Information System.” 23 NYCRR § 500.1(d).
32. See NYDFS, FAQs: 23 NYCRR Part 500 - Cybersecurity, available at https://www.dfs.ny.gov/industry_guidance/cyber_faqs#:~:text=23%20NYCRR%20500.01%20defines%20Senior,operating%20under%20or%20required%20to (last accessed Apr. 29, 2021).
33. See NYDFS, Press Release: Department of Financial Services Announces Cybersecurity Charges Against a Leading Title Insurance Provider for Exposing Millions of Documents with Consumers’ Personal Information (July 22, 2020), available at https://www.dfs.ny.gov/reports_and_publications/press_releases/pr202007221 (last accessed Apr. 20, 2021).
34. See Consent Order between NYDFS and National Securities Corporation, available at https://www.dfs.ny.gov/system/files/documents/2021/04/ea20210412_national_securities_corp.pdf (last accessed May 10, 2021).
35. See U.S. Securities and Exchange Commission, Fast Answers, available at https://www.sec.gov/fast-answers/answersform8khtm.html (last accessed Apr. 30, 2021).