An RSS Feed from melniklegal.com

Telemedicine is Coming to Florida (Slowly but Surely)

Fri, 15 Nov 2013 10:58:51 EST

The Florida Boards of Medicine and Osteopathic Medicine are Moving Closer to Proposing a Rule on Standards for Telemedicine Practice.

In a joint meeting of the Florida Boards of Medicine and Osteopathic Medicine on November 14, 2013, the Telemedicine Subcommittee moved closer to proposing a rule aimed at setting the standards for telemedicine practice in Florida.

The Telemedicine Subcommittee was established during the August 2013 Board of Medicine meeting to address Florida's growing telemedicine field. The Subcommittee is comprised of six Board of Medicine members and three Board of Osteopathic Medicine members.[1]

The current telemedicine rule for each of the Florida Board of Medicine and Osteopathic Medicine is limited to Internet prescribing.[2] But, as Dr. Orr, the Chair of the Telemedicine Subcommittee, explained during the first meeting on September 9, 2013, the Subcommittee's goal is to examine current uses of telemedicine and to amend the Board's rules to address the use of telemedicine [3] in a more comprehensive manner.

The Subcommittee has proposed to define telemedicine as "the practice of medicine by a licensed Florida physician or physician assistant where patient care, treatment, or services are provided through the use of medical information exchanged from one site to another via electronic communications. Telemedicine shall not include the provision of health care services only through an audio only telephone, email messages, text messages, facsimile transmission, U.S. Mail or other parcel service, or any combination thereof." [4]

Additionally, "[t]he standard of care, as defined in s. 456.50(1)(e), F.S., shall remain the same regardless of whether a Florida licensed physician or physician assistant provides health care services in person or by telemedicine." [5]

Some members of the public expressed concern during the November 14 meeting that the proposed rule did not provide adequate clarity that use of telemedicine would be subject to compliance with HIPAA and other data privacy and security requirements similar to in-person patient encounters. But, the subcommittee expressed concerns regarding including an express reference to HIPAA because of Florida's requirements with respect to incorporating other statutes and regulations. That is, under Florida law, a Board may incorporate only the current version of a federal regulation or statute. So, when that regulation or statute changes, the Board must convene to incorporate the new version. This may be problematic if a particular regulation or statute is routine modified.

However, the Subcommittee agreed that language should be added to clarify obligations with respect to patient confidentiality and proposed language that, "[t]he practice of medicine by telemedicine does not alter any obligation of the physician or the physician assistant regarding patient confidentiality or recordkeeping."

One issue that was raised, but not yet addressed, is whether Florida will permit out of state doctors to treat Florida patients via telemedicine. That is, several other states do have limited telemedicine licenses. Texas, for example, provides that:

(a) For a person to be eligible for an out-of-state telemedicine license to practice medicine across state lines under the Medical Practice Act, �151.056, and �163.1 of this title (relating to Definitions), the person must:
(1) be 21 years of age or older;
(2) be actively licensed to practice medicine in another state which is recognized by the board for purposes of licensure, and not the recipient of a previous disciplinary action by any other state or jurisdiction;
(3) not be the subject of a pending investigation by a state medical board or another state or federal agency;
(4) be currently certified by a member board of the American Board of Medical Specialties or Bureau of Osteopathic Specialists, or by the American Board of Oral and Maxillofacial Surgery, obtained by passing, within the ten years prior to date of applying for licensure, a monitored: (A) specialty certification examination; (B) maintenance of certification examination; or (C) continuous certification examination;
(5) have passed the Texas Medical Jurisprudence Examination;
(6) complete a board-approved application for an out-of-state telemedicine license for the practice of medicine across state lines and submit the requisite initial fee; and
(7) not be determined ineligible for licensure under subsection (b) of this section.

Texas Administrative Code, 22-9-172(C) Rule �172.12.

The Subcommittee advised that it would research the licensure issue and further discuss it at a later meeting.

The Subcommittee made clear that it was eager to move quickly on developing telemedicine rule.

Nonetheless, for now, reimbursement for telemedicine (or telehealth) services in Florida remains an issue because it is limited to a very narrow set of circumstances under the Medicaid program and no state law requires reimbursement by private insurers.

References and Resources

[1] Florida Board of Medicine, Newsletter: Updates on Telemedicine, Sept. 25, 2013. (PDF)

[2] For Florida Board of Medicine, see Rule 64B8-9.014. Standards for Telemedicine Prescribing Practice. For Florida Board of Osteopathic Medicine, see Rule 64B15-14.008 Standards for Telemedicine Practice.

[3] Florida Board of Medicine, Joint Meeting of the Florida Boards of Medicine & Osteopathic
Medicine Telemedicine Subcommittee Meeting Report, Sept. 9, 2013 (opening comments by Dr. Orr). (PDF)

[4] For a full record of the materials, see the Public Book for the Nov. 14, 2013 Telemedicine Subcommittee Meeting. (PDF). The Rules as proposed are Rule 64B8-9.0141 (Medicine) and Rule 64B15-14.0081 (Osteopathic Medicine) and are available here. See also Telemedicine Subcommittee, Public Book, Sept. 9, 2013 for the full materials and click here for the rules as proposed on Sept. 9. (PDF)

[5] Telemedicine Subcommittee, Public Book, Nov. 14, 2013. (PDF)

Indiana Court of Appeals Upholds $1.44 Million Jury Verdict Against Walgreen Co. in a Privacy Breach Case; Denies Rehearing

Sun, 25 Jan 2015 18:54:23 EST

On November 14, 2014, the Court of Appeals of Indiana issued a decision in the Hinchy v. Walgreen Co. case, upholding the jury verdict in favor of Ms. Hinchy. After a four-day jury trial that began in July 23, 2013, the jury found that Ms. Hinchy suffered damages in the amount of $1.8 million, with $1.4 million of that (80%) to be borne jointly by Walgreens and Ms. Withers, a Walgreen's pharmacist. The rest (20%) was to be borne by Mr. Peterson, Ms. Hinchy's ex-boyfriend and the father of her child and Ms. Withers's husband.

In upholding the jury verdict, which courts are "loathe to disturb," the Appellate Court began its decision as follows: "In this case, a pharmacist breached one of her most sacred duties by viewing the prescription records of a customer and divulging the information she learned from those records to the client's ex-boyfriend."[1] Walgreens vowed to appeal the decision to the Indiana Supreme Court, but first petitioned the Appellate Court for a rehearing. On January 15, 2015, the Court of Appeals of Indiana ruled on Walgreen Co.'s petition for a rehearing and declined to disturb its original decision.[2] As such, the Court of Appeals of Indiana's decision to uphold the jury verdict stands. Walgreen may yet appeal to the Indiana Supreme Court.

A few preliminary comments....The Hinchy case has garnered a good amount of attention in the media, among attorneys, and more importantly, businesses that handle protected health information. While this case does arise under Indiana law, as Mr. Eggeson, the attorney that tried this case on behalf of Ms. Hinchy noted to me in an interview I conducted with him in December 2014, "[this case] has now created a precedent which will make life MUCH easier for privacy victims across the country--showing those victims how to bring their claims, how to structure and argue their claims so as to make corporate employers liable for the acts of their employees, and how to earn large damages awards from the jury." (The full interview is to be published in an upcoming article for the Journal of Health Care Compliance.)

Covered entities, business associates, and subcontractors should pay careful attention to the circumstances in this case because this can very easily be them. Here is a company that, arguably, has a strong HIPAA training program, where employees are educated on how they can and cannot access and use protected health information. Yet, a jury still found Walgreen liable under respondeat superior. That is, the jury determined that the pharmacist's actions were within the scope of employment because they were of the same general nature as those authorized, or incidental to the actions that were authorized, by Walgreen. Importantly, the jury found Walgreen's failure to terminate the pharmacist after it learned of the actions as problematic and, as counsel for Walgreen stated during the oral arguments, one juror specifically noted that Walgreen should have fired the pharmacist. As Mr. Eggeson succinctly explained it to me, "From a plaintiff's perspective, the 'good' privacy case is the one where a compliance officer or defense attorney mistakenly believes that corporate policies will be more persuasive to a jury than a tearful privacy victim."

All companies that handle protected health information (or any sensitive information, including credit card numbers, social security numbers, and driver's licenses) should take the time to review their data breach insurance coverage. Healthcare providers in particular should work with counsel to review the extent of their coverage. Many malpractice carriers now include at least some basic coverage for data breach liability in malpractice policies. But, generally, this coverage is insufficient. You may learn more about cyberliability coverage in a three part series that I wrote for the Mature Market Experts blog: Part One (A Few Things to Consider When Purchasing Cyberliability Insurance), Part Two (How Much Coverage Do Organizations Need?) and Part Three (How Much Do Policies Cost?).

The oral argument before the Court of Appeals of Indiana is available online - https://mycourts.in.gov/arguments/default.aspx?&id=1724&view=detail. The argument is about an hour and is worth watching to see the issues that the judges picked out and found important as well as the facts the attorneys cited in defense of their specific position(s). There was a rather lengthy discussion regarding the respondeat superior issue as well as the need to track employee access.

How this Case Arose

This privacy breach case arose as these cases typically arise - there was a love triangle of sorts and someone disclosed information they should not have. Sometime between fall 2006 and spring 2010, Ms. Hinchy was involved in a relationship with Mr. David Peterson.[3] As the Appellate Court recited:

During this [2006 - 2010] period, Hinchy filled all of her prescriptions, including oral birth control pills, at a Walgreen pharmacy. At some point in 2009, Peterson began dating Walgreen pharmacist Audra Withers. In August 2009, Hinchy became pregnant with Peterson's child. On an unknown date, Peterson learned that he had contracted genital herpes. Hinchy gave birth to a son on May 22, 2010.

At some point during the week of May 26, 2010, Peterson mailed a letter to Withers informing her about the baby and about the possibility that he may have exposed her to genital herpes. Withers became terrified about the possibility of contracting a sexually transmitted disease. Consequently, during her shift and while at work, Withers looked up Hinchy's prescription profile in the Walgreen computer system to see if she could find any information about Hinchy's sexually transmitted disease. The next day, Withers again looked up Hinchy's profile to confirm that she had spelled it correctly the day before.[4]

Subsequently on May 29, 2010, Mr. Peterson sent Ms. Hinchy a number of accusatory text messages and disclosed to her that he had a copy of her prescription records. Ms. Hinchy tried to determine how Mr. Peterson obtained a copy of her records and was told by an employee at Walgreens "that there was no way to track whether her records had been accessed."[5] Ms. Hinchy let the matter go at that time because she did not know how to proceed. But, in March 2011, Ms. Hinchy learned that Mr. Peterson was married to Ms. Withers and that Ms. Withers was a pharmacist at the local Walgreens where Ms. Withers fills her prescriptions. Ms. Hinchy reported the matter to the local Walgreens, which investigated the matter:

When Withers was confronted about the situation, she admitted that she had accessed Hinchy's prescription profile for personal reasons. On April 15, 2011, Loss Prevention Detective Michael Bryant confirmed to Hinchy that (1) a HIPAA/privacy violation had occurred, (2) Withers had viewed Hinchy's prescription information without consent and for personal purposes, and (3) Walgreen could not confirm that Withers had revealed that information to a third party. As a result of Walgreen's investigation, Withers received a written warning and was required to retake a computer training program regarding HIPAA.[6]

Ms. Hinchy filed suit against both Walgreens and Ms. Withers on August 1, 2011. Against Ms. Withers, Ms. Hinchy filed claims of:

(1) negligence/professional malpractice,
(2) invasion of privacy/public disclosure of private facts, and
(3) invasion of privacy/intrusion.

Against Walgreens, Ms. Hinchy filed claims:

(1) seeking liability for the counts she filed against Withers by way of respondeat superior,
(2) direct claims for:
(a) negligent training,
(b) negligent supervision,
(c) negligent retention, and
(d) negligence/professional malpractice.

Walgreens appealed the jury verdict on a number of grounds, but this discussion will only focus on the Appellate Court's discussion of the underlying liability, the respondeat superior claim, and the amount of damages.

Underlying Liability

The Appellate Court first looked at "the tort of negligence by virtue of professional malpractice of a pharmacist. Negligence is comprised of three elements: (1) a duty on the part of the defendant to the plaintiff; (2) a breach of that duty; and (3) an injury to the plaintiff resulting from the breach."[7] The Court found that Ms. Withers had a duty under Indiana law to keep the medical information she learned confidential. Ms. Withers breached that duty when she disclosed the information to Mr. Peterson. Ms. Hinchy further testified that, among other things, she suffered a number of emotional damages which impacted her ability to care for her child, she was humiliated, that she had a general distrust of healthcare providers, and that she was now taking a stronger anti-depressant.[8] As such, the Appellate Court found that Ms. Withers was negligent by virtue of professional malpractice.

Respondeat Superior and Having the Ability to Track Access

The doctrine of respondeat superior allows for vicarious liability to be imposed on an employer "where the employee has inflicted harm while acting within the scope of employment."[9] As the Appellate Court explained:

To fall within the scope of employment, the injurious act must be incidental to the conduct authorized or it must, to an appreciable extent, further the employer's business. An act is incidental to authorized conduct when it is subordinate to or pertinent to an act which the servant is employed to perform, or when it is done to an appreciable extent, to further his employer's business. . . . An employer is not held liable under the doctrine of respondeat superior because it did anything wrong, but rather because of the employer's relationship to the wrongdoer. . . . Furthermore, conduct is within the scope of employment when it is of the same general nature as that authorized, or incidental to the conduct authorized.[10]

In this case, the jury determined that Ms. Wither's actions were within the scope of employment because they "were of the same general nature as those authorized, or incidental to the actions that were authorized, by Walgreen. Specifically, Withers was authorized to use the Walgreen computer system and printer, handle prescriptions for Walgreen customers, look up customer information on the Walgreen computer system, review patient prescription histories, and make prescription-related printouts. Withers was at work, on the job, and using Walgreen equipment when the actions at issue occurred."[11] This issue of whether the actions were within the scope of employment is for the jury to determine and the Appellate Court declined to disturb the jury's decision.

Another important issue in this case is Walgreen's ability to track who accessed a patient's record and the actions that Walgreen took after it learned from Ms. Hinchy that someone had improperly accessed her record. The issue was raised during oral arguments before the Indiana Court of Appeals when the Court and counsel were discussing the issue of respondeat superior, how it relates to other claims (e.g., negligent training) as well as the disciplinary actions Walgreen took after it found out what happened.[12]

Ms. Maggie Smith, counsel for Walgreen noted that prior to this issue, Ms. Wither's had not violated Walgreen's policies. But, the Court challenged this assertion because Walgreen had acknowledged that the Company did not have any way of knowing since the Company had no means to track access. Ms. Smith specifically asserted that other pharmacies did not have the means to track access and therefore Walgreen could not be negligent for failing to do something that is not done in the community. Ms. Smith noted that, "the jury found that the discipline imposed by Walgreen was inadequate. But, there is nothing in negligent retention or supervision jurisprudence that says that the action that you take after learning an employee has acted incorrectly is to fire that employee. Instead what happened here is [that Walgreen took certain disciplinary actions against Ms. Withers.] They took steps to make sure this didn't happen again. They didn't fire her and one of the jurors felt that that's what they should have done."[13]

Mr. Neal Eggeson, counsel for Ms. Hinchy, noted that whether access tracking systems were in place at pharmacies was a dispute between the experts. Mr. Eggeson specifically note that, Curtis Baldwin, the expert that he presented, "said not only is tracking systems something that he's been using at Kroger for 30 years, this is something that he does everyday. The expert that [Walgreen] hired from Perdue, on the other hand, suggests that, to his knowledge, even though he has not worked in any pharmacies, he does not know of any tracking system by any pharmacy. That was a disputed fact and the jury came down on [Ms. Hinchy's] side on that issue."[14]

Amount of Damages

The amount of damages has garnered a significant amount of attention. In its appeal, Walgreen argued "that the damages award was excessive and based on improper factors."[15] Appellate Courts do have the power to set aside jury verdicts if they are excessive. "Where a damage award is so outrageous as to indicate the jury was motivated by passion, prejudice, partiality, or the consideration of improper evidence, [Courts will] find the award excessive."[16] To support that the award was excessive, Walgreen argued that, "(1) Hinchy does not have a physical injury or condition resulting from the breach, (2) Hinchy has had no lost wages as a result of the breach, and (3) Hinchy did not offer any testimony from a medical professional or counselor supporting her claim of emotional distress."[17] Interestingly, some of these damages types have been cited by courts in other jurisdictions as grounds for dismissing data breach class actions, arguing that, because plaintiffs failed to demonstrate 'damages,' they lacked standing to bring their claim(s).

But, as the Court here explained, Walgreen's argument amounted to "a request that [the Court] reweigh the evidence, a practice in which we do not engage when evaluating a damages award. We find that the evidence in the record supporting the award is sufficient to affirm it."[18] The Appellate Court identified the following evidence in support of the damages award:

Withers gained information about Hinchy's private health information, including her social security number, and then shared that information with Peterson, who then shared the information with at least three other people
Hinchy's father learned about Hinchy's use of birth control, that Hinchy had herpes, and that Hinchy had stopped taking birth control shortly before becoming pregnant.
Hinchy testified that she experienced mental distress, humiliation, and anguish as a result of the breach. She stated that she was upset, crying, and feeling "completely freaked out . . . ." She felt "violated," "shocked," and "confused."
The disclosure led to Peterson berating Hinchy for "getting pregnant on purpose" and eventually extorting Hinchy by threatening to release the details of her prescription usage to her family unless she abandoned her paternity lawsuit.
Hinchy testified that she experienced uncontrollable crying that affected her ability to care for her child, going to a counselor to address the emotional toll of the privacy breach, experiencing a general distrust of all healthcare providers, and feeling a persistent and continuous loss of "peace of mind."
Hinchy also testified that she now takes Celexa, an anti-depressant, which costs $75 per month. Before the breach, she had taken a weaker anti-depressant intermittently, and had not taken it for more than one year before the breach.[19]

The Appellate Court declined to disturb the awarded damages.

Walgreen's Petition for Rehearing

Subsequent to the first decision from the Appellate Court, Walgreen petitioned for a rehearing from the Court of Appeals of Indiana. On January 15, 2015, the Court denied the petition. As a result, the jury's decision and that of the Appellate Court upholding the decision stands.

-------------------------------------
[1] Hinchy v. Walgreen Co., Case. No. 49A02-1311-CT-950, *2 (App. Ct. Ind., Nov. 14, 2014), available at https://www.in.gov/judiciary/opinions/pdf/11141404jgb.pdf [hereinafter the "First Appellate Decision"].

[2] Hinchy v. Walgreen Co., Case. No. 49A02-1311-CT-950, (App. Ct. Ind., Jan. 15, 2015), available at https://www.in.gov/judiciary/opinions/pdf/01151503jgb.pdf.

[3] First Appellate Decision at *2-3.

[4] Id. at *3.

[5] Id. at *4.

[6] Id. at *5.

[7] Id. at *14.

[8] Id. at *22.

[9] Id. at *8 (internal quotations and citations omitted).

[10] Id. at *8-10 (internal quotations and citations omitted).

[11] Id. at *11.

[12] Hinchy v. Walgreen Co., Case. No. 49A02-1311-CT-950, Oral Arguments, Oct. 14, 2014, available at https://mycourts.in.gov/arguments/default.aspx?&id=1724&view=detail.

[13] Id. at 14:57 - 15:49 (argument of Maggie Smith).

[14] Id. at 28:26 - 28:51 (argument of Neal Eggeson).

[15] First Appellate Decision at *21.

[16] Id. (internal quotations omitted).

[17] Id. at *22.

[18] Id. at *22-23.

[19] Id.

-------------------------------------

Posted by Tatiana Melnik on January 25, 2015

Eligible Professionals May Apply for a Hardship Exception from Meaningful Use Penalties

Sun, 15 Dec 2013 17:59:56 EST

As part of the American Recovery and Reinvestment Act of 2009 (ARRA), Congress mandated that payment adjustments be applied to Medicare eligible professionals (EPs) who are not meaningful users of Certified EHR Technology under the Medicare EHR Incentive Programs.

Medicare EPs who are not meaningful users will be subject to a payment adjustment beginning on January 1, 2015.

But, exceptions are available under certain limited circumstances.

Which practitioners are subject to MU payment adjustments and when do the payment adjustments begin?

EPs who participate in the Medicare EHR Incentive Program.
EPs who can participate in either the Medicare or Medicaid EHR Incentive Programs.
These payment adjustments will be applied beginning on January 1, 2015, for Medicare EPs.

Which practitioners are NOT subject to MU payment adjustments?

Medicaid EPs who can only participate in the Medicaid EHR Incentive Program and do not bill Medicare.

How much are the payment adjustments and how are they applied?

The payment adjustment will be applied to the Medicare physician fee schedule (PFS) amount for covered professional services furnished by the EP during the year (including the fee schedule amount for purposes of determining a payment based on the fee schedule amount).

The payment adjustment is 1% per year and is cumulative for every year that an EP is not a meaningful user. Depending on the total number of Medicare EPs who are meaningful users under the EHR Incentive Programs after 2018, the maximum cumulative payment adjustment can reach as high as 5%.

For additional details on MU payment adjustments, please see the Payment Adjustments and Hardships Exceptions Tipsheet for Eligible Professionals released by CMS.

Are there any payment adjustment exceptions available for Medicare EPs who cannot meet MU deadlines?

Yes. EPs who cannot meet MU deadlines may be eligible to receive a hardship exception from CMS. But, CMS has explained that these exceptions will be granted only under specific circumstances and only if CMS determines that providers have demonstrated that those circumstances pose a significant barrier to their achieving meaningful use.

Hardship exceptions are available in the following categories:

Infrastructure - EPs must demonstrate that they are in an area without sufficient internet access or face insurmountable barriers to obtaining infrastructure (e.g., lack of broadband).
New EPs - Newly practicing EPs who would not have had time to become meaningful users can apply for a 2-year limited exception to payment adjustments. Thus EPs who begin practice in calendar year 2015 would receive an exception to the penalties in 2015 and 2016, but would have to begin demonstrating meaningful use in calendar year 2016 to avoid payment adjustments in 2017.
Unforeseen Circumstances - Examples may include a natural disaster or other unforeseeable barrier.
Patient Interaction - Lack of face-to-face or telemedicine interaction with patients; Lack of follow-up need with patients.
Practice at Multiple Locations - Lack of control over availability of CEHRT for more than 50% of patient encounters

CMS will be providing additional details on the requirements and application process in the future.

Throwing Medical Records into a Recycling Container is Not Proper Disposal

Tue, 14 Jan 2014 11:41:25 EST

Oregon Fines a Medical Clinic for Violating the State's ID Theft Law - The Oregon Department of Consumer and Business Services announced on November 1, 2013 that it fined Samaritan Health Services, Inc., a regional health system, $5,000 (reduced to $1,000) for violating Oregon's identity theft law by improperly discarding business records and patient files with patient names and social security numbers. A patient discovered approximately 1,222 patient files in an unlocked recycling container outside of Samaritan's Family Medicine Clinic in Corvallis, Oregon in July 2013. Of the 1,222 about 20 files included patient names and unredacted social security numbers. [1] The Oregon Department learned of the incident from the press. [2]

[Jump to Take-a-Ways]

Samaritan "operates a non-profit network of hospitals, physician clinics, health plans, and senior care facilities in Albany, Corvallis, Lebanon, Lincoln City, Newport, and Sweet Home, Oregon." [3]

The action was based on the Oregon Consumer Identity Theft Protection Act (ORS 646A.600) ("ID Theft Law"), which, among other things, requires companies to notify consumers in the event of a data breach, permits impacted consumers to put a security freeze on their credit report, prohibits companies from printing and otherwise displaying social security numbers, and requires companies to develop, implement and maintain reasonable safeguards to protect personally identifiable information. The Act also provides that violators may be subject to a civil penalty of not more than $1,000 for every violation.

Samaritan was charged with violating several sections of the ID Theft Law for improper disposal of the records and ordered to pay a civil penalty of $5,000 "for publicly posting, displaying or otherwise making available to the public, files bearing consumer names and unredacted Social Security numbers in violation of ORS 646A.620 (1)(c)." [4]

But, Patrick M. Allen, Director of the Department, agreed to suspend $4,000 of the $5,000 penalty provided that Samaritan "complies with all terms and conditions set out in this Consent Order and commits no new violations of the Identity Theft law, ORS chapter 646A, or Oregon Administrative Rules chapter 441, division 646" for five years.

Take-a-Ways...

The Oregon action serves to remind healthcare providers and those that manage protected health information (PHI) that, when disposing of records containing patient data, they must comply with both HIPAA and state data disposal laws. As of December 2013, at least 30 states have enacted laws setting forth disposal requirements for business records that contain personally identifying information. [5]

The Oregon Consumer Identity Theft Protection Act may be changing. Oregon House Bill 3411 proposed changes to a number of the sections including section 646A.622, which addresses the requirement to develop safeguards for personal information. But, entities subject to HIPAA and the Gramm-Leach-Bliley Act are deemed to comply with section 646A.622 of the Oregon Act if they comply with the respective federal regulations. [6]

Identity theft continues to be of great concern to both state and federal regulators and this concern tends to drive enforcement activity. Healthcare providers and group practices are particularly attractive targets to thieves and fraudsters because these companies have access to a lot of personally identifying information (e.g., names, phone numbers, social security numbers, credit card numbers, etc.) and may not have the proper security measures in place. Providers should be particularly cognizant of these concerns and take appropriate steps to minimize risks to their patients. Proof of identity theft often fulfills the damages requirement in a data breach class action.

Training workforce members on the proper handling and disposal of patient records must be an ongoing effort. As of December 31, 2013, two of the top complaints received by the Office of Civil Rights, the federal enforcer of HIPAA, is impermissible uses and disclosures of PHI and lack of PHI safeguards. [7]

For many people, a report to the press is the first stop. Negative publicity can cause great damage the goodwill and the bottom line of an organization. Moreover, as clear from this incident, state regulators are paying attention to press reports. The Office of Civil Rights pays attention as well. For example, OCR entered into a settlement agreement with Shasta Regional Medical Center for $275,000 after OCR learned from media reports that senior leaders at the company met with members of the press to discuss medical services provided to a patient. "When senior level executives intentionally and repeatedly violate HIPAA by disclosing identifiable patient information, OCR will respond quickly and decisively to stop such behavior," said OCR Director Leon Rodriguez. [8]

------------------
[1] In re Samaritan Health Services, Oregon Department of Consumer and Business, Division of Finance and Corporate Securities, Consent Order No. 13-0570 (11/1/13) [hereinafter Consent Order].

[2] Bloomberg BNA Health Law Resource Center, Oregon Regulator Fines Health System
After Records Discovered in Recycling Bin, 22 HLR 1674 (Nov. 5, 2013) ("Diane Childs, a spokeswoman for the Division of Finance and Corporate Securities, told Bloomberg BNA Nov. 5 that the agency found out about the breach through an article in a local newspaper.")

[3] Consent Order at para. 1.

[4] Id. at para. 10.

[5] A list may be obtained from the National Conference of State Legislatures, https://www.ncsl.org/research/telecommunications-and-information-technology/data-disposal-laws.aspx (last visited Jan. 14, 2014).

[6] 77th Oregon Legislative Assembly, 2013 Regular Session, House Bill 3411 (Sponsored by Representative Gomberg, Representatives Boone, Gallegos, Lovely, and Senator Roblan.

[7] Office of Civil Rights, https://www.hhs.gov/ocr/privacy/hipaa/enforcement/highlights/ (last visited Jan. 14, 2014).

[8] Press Release, Office of Civil Rights, HHS Requires California Medical Center to Protect Patients� Right to Privacy, June 13, 2013, https://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/shasta-agreement-press-release.html.

Interest in Cyber Security of Financial Services Firms Continues to Increase

Fri, 08 Aug 2014 10:29:28 EST

As news of data breaches continue to mount, federal and state regulators are becoming increasingly interested in the steps companies are taking to secure the information entrusted to them by consumers as well as other companies. This year we have seen an increased focus on the financial services sector, which suffered large losses in the wake of the data breach at Target. This was then followed by data breaches at Neiman Marcus, Michaels, PF Changs, among many many others.

Some of the recent examples include:

FFIEC - The Federal Financial Institutions Examination Council has launched a pilot program to assess the cyber security preparedness of 500 community banks. This announcement coincides with the launching of a web page on June 24, 2014 on cyber security, which is meant to serve as "a central repository for current and future FFIEC-related materials on cyber security." As the FFIEC explains, "Regulators are particularly focusing on risk management and oversight, threat intelligence and collaboration, cyber security controls, service provider and vendor risk management, and cyber incident management and resilience."[1]

New York Department of Financial Services - In May 2014, the New York Department of Financial Services (NYDFS) issued a "Report on Cyber Security in the Banking Sector." The Report notes that, "Although large-scale denial-of-services attacks against major financial institutions generate the most headlines, community and regional banks, credit unions, money transmitters, and third-party service providers (such as credit card and payment processors) have experienced attempted breaches in recent years."[3] After conducting a preliminary survey of 154 financial services institutions in 2013, the Department now "plans to expand its IT examination procedures to focus more fully on cyber security." These "revised examination procedures will include additional questions in the areas of IT management and governance, incident response and event management, access controls, network security, vendor management, and disaster recovery." Those providing services to these entities should also expect to see more questions regarding cyber security now that regulators are becoming more interested in vendor practices.

SEC - Cyber security has been a focal point at the Securities and Exchange Commission for a few years. But, the SEC's Office of Compliance Inspections and Examinations announced in a Risk Alert on April 15, 2014 that it is undertaking cyber security examinations of more than 50 registered broker-dealers and registered investment advisers.[2] The OCIE will be focusing on the entity�s cyber security governance, identification and assessment of cyber security risks, protection of networks and information, risks associated with remote customer access and funds transfer requests, risks associated with vendors and other third parties, detection of unauthorized activity, and experiences with certain cyber security threats.

---------------------------------------
[1] Press Release, FFEIC, FFIEC Launches Cybersecurity Web Page, Promotes Awareness of Cybersecurity Activities, June 24, 2014, https://www.ffiec.gov/press/pr062414.htm.

[2] SEC, National Exam Program Risk Alert, Vol. IV, Iss. 2 (April 15, 2014), https://www.sec.gov/ocie/announcement/Cybersecurity+Risk+Alert++%2526+Appendix+-+4.15.14.pdf.

[3] NY State Department of Financial Services, Report on Cyber Security in the Banking Sector (May 2014), https://www.dfs.ny.gov/about/press2014/pr140505_cyber_security.pdf.
---------------------------------------

Posted by Tatiana Melnik on August 8, 2014