Covered entities should report cybersecurity threats, but no PHI disclosures

Cyber threats are becoming more and more common, both in general and specifically in the health sphere. The Department of Homeland Security operates the National Cybersecurity and Communications Integration Center (NCCIC), with four branches dedicated to protecting the right to privacy in the government, private sector, and international defense network communities. The US Computer Emergency Readiness Team (US-CERT) develops information on immediate threats and analyzes data gleaned from cybersecurity incidents.

As part of these efforts, health entities can report any suspicious activity or cybersecurity incidents to US-CERT. Disclosing cyber threat indicators, which includes information such as malicious reconnaissance, security vulnerabilities, methods of defeating controls or exploiting vulnerabilities, is intended to alert other entities of possible issues. This type of information sharing allows the federal government to better protect information systems, and maintain current alerts and reports on vulnerabilities on the US-CERT site.

HIPAA concerns

HHS recently clarified that entities subject to the Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191) may not disclose protected health information (PHI) for the purpose of sharing cyber threat indicators. This also applies to business associates. PHI may only be released under these circumstances if the disclosure is permitted under the Privacy Rule.

HHS noted that PHI is generally not included in cyber threat indicators, so prohibiting PHI disclosure in cyber threat reporting will typically not be an issue. Under the Privacy Rule, an entity could disclose PHI to law enforcement without the individual’s written authorization in order to comply with a court order or to alert and inform law enforcement as necessary regarding criminal activity. In some instances, an entity may report limited PHI. Entities may disclose to federal officials authorized to conduct national security activities or to protect the President. In all other circumstances that are not expressly included and permitted in the Privacy Rule, the entities must obtain authorization from the individual whose PHI is to be disclosed.

Highlight on New York: Insurers subject to first-in-nation cybersecurity regulations affecting financial institutions

The nation’s first cybersecurity regulations governing financial institutions–including insurers–take effect March 1, 2017 in New York state. Noting that  “New York is the financial capital of the world,” Governor Andrew Cuomo (D) stressed the necessity of protecting consumers and financial systems from cyberattacks. The regulations require institutions to implement a cybersecurity program that includes regular assessments of information systems and the use of effective controls, requires compliance by third party vendors, and includes more stringent governmental reporting requirements than the Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191).

The regulations apply to anyone operating under the Banking Law, Insurance Law, or Financial Services Law and specifically pertain to “nonpublic information.” Only electronic information qualifies as nonpublic information, which can be protected health information (PHI) as it is understood under HIPAA; business-related information that could materially and adversely impact the entity’s business, operations, or security; or any information concerning an individual that, when combined with specific data elements, including but not limited to Social Security and drivers’ license numbers, could identify the individual.

The regulations require covered entities to maintain a cybersecurity program based upon a required risk assessment. Risk assessments must be conducted on a “periodic” basis and “updated as reasonably necessary.” Entities must implement and maintain written cybersecurity policies, including policies governing vendor and third party service provider management and recurrent assessments and policies that allow for secure and periodic disposal of nonpublic information that is no longer necessary for business operations or other legitimate business purposes. They must also designate a chief information security officer (CISO) who is employed by the entity, an affiliate, or a third party service provider, and who will provide a written report to the covered entity’s board of directors at least annually.

While HIPAA does not require penetration testing, the New York regulations require annual testing and biannual vulnerability assessments, unless covered entities have in effect some other type of continuous monitoring or other system to detect changes in information systems that could create or suggest vulnerabilities. The regulations specifically require entities to limit user access privileges to nonpublic information and to periodically review those privileges. They also require multi-factor authentication whenever an individual accesses the entity’s internal network from an external network, unless the CISO has approved controls in writing that are at least reasonably equivalent. Encryption is required for all nonpublic information held or transmitted by the entity; if encryption is not feasible, the CISO must review and approve “alternative compensating controls” and review them at least annually.

Certain requirements do not apply to entities with fewer than 10 employees, less than $5 million in gross annual revenue in each of the last three fiscal years from New York business operations, or less than $10 million in year-end total assets.

The regulations define a “cybersecurity event” as an act or attempt, successful or not, to gain unauthorized access to, or to disrupt or misuse an information system or the information stored in the system. Written incident response plans to cybersecurity events must detail the response process and its goals, including “the definition of clear roles, responsibilities and levels of decision-making authority.” Requirements for reporting to government entities are much stricter than those under HIPAA Breach Notification Rule, which requires entities to report breaches affecting 500 or more individuals to the HHS Secretary “without unreasonable delay,” but no more than 60 days since discovery of a breach, or, if affecting fewer than 500 individuals, within 60 days of the end of the calendar year in which the breach occurred.  The New York regulations, in contrast, require entities that are otherwise required to provide notice to the government or other self-regulatory agency or supervisory body, or who believe that a cybersecurity event is reasonably likely to materially harm the entity’s normal operations, to notify the Superintendent of the New York Department of Financial Services as soon as possible, but no more than 72 hours after determining that the event occurred.

 

Human subject research: expert discusses recent privacy and security concerns

Recent privacy and security developments in human subject research were the topic of discussion during a recent Health Care Compliance Association (HCCA) webinar. The webinar presenter, William J. Roberts, a partner in Shipman & Goodwin LLP’s Health Law Practice Group and the Chair of its Privacy and Data Protection team, discussed: (1) the disclosure of substance use disorder records for research purposes; (2) the rights of a research subject to directly access their test results; and (3) electronic informed consent of research subjects.

Disclosure for research purposes

In discussing the disclosure of substance use disorder records of patients for research purposes, Roberts focused on the revised requirements for the research exception (42 C.F.R. sec. 2.52) set forth in the January 18, 2017 Final rule (82 FR 6052) issued by the Substance Abuse and Mental Health Services Administration (SAMHSA), which are effective March 21, 2017.

First, under the revised research exception at 42 C.F.R. 2.52(a), Roberts noted that a federally-assisted program or other lawful holder of patient identifying information may disclose this information to qualified personnel for the purpose of conducting scientific research if the individual designated as director or managing director, or other individual with comparable authority determines that the researcher or recipient of the patient identifying information satisfies the following requirements:

  • has obtained and documented patient authorization or a waiver/alteration of authorization consistent with HIPAA; and
  • provides documentation that (1) the researcher is in compliance with the requirements of the HHS regulations regarding the protection of human subjects, including the informed consent/waiver of consent requirements or (2) the research qualifies for exemption under the HHS regulations or any successor regulations.

In addition, under revised 42 C.F.R 2.52(b), Roberts pointed out that the researcher who receives the information must: (1) not re-disclose patient identifying information except back to the individual or entity from whom the information was obtained; (2) maintain and destroypatient identifying information in accordance with the security policies and procedures under the Part 2 regulations; (3) retain records in compliance with applicable federal, state, and local record retention laws; and (4) if necessary, resist in judicial proceedings any efforts to obtain access to patient records containing Part 2 data.

Further, under 42 C.F.R. 2.52(c), Roberts pointed out that researchers may link to data from federal and non-federal data repositories holding patient identifying information, if the researcher: (1) has the request for data linkages reviewed and approved by an institutional review board (IRB) registered with the HHS Office for Human Research Protections; and (2) ensures that patient identifying information obtained is not provided to law enforcement agencies or officials.

Finally, under 42 C.F.R. 2.52(d), Roberts indicated that upon receipt of patient identifying information, data repositories are fully bound by Part 2 regulations and must: (1) after providing the researcher with the linked data, destroy or delete the linked data from its records (including sanitizing any associated hard copy or electronic media); and (2) ensure that patient identifying information is not provided to law enforcement agencies or officials.

Roberts believes that the key take-aways from the revised Part 2 regulations are that: (1) we can expect a more simplified process for obtaining patient information from Part 2 subject facilities and providers, which may open more doors to research collaborations and projects: (2) population health studies will benefit from linkages; and (3) future revisions to the regulations may be possible because SAMHSA has been soliciting additional comments and has expressed openness to future changes.

Rights of research subjects

In discussing the right of research subjects to directly access their test results, Roberts focused on some problems with the February 6, 2014 joint CMS and Office of Civil Rights (OCR) Final rule designed to harmonize the requirements of the Clinical Laboratory Improvement Amendments of 1988 (CLIA) and Health Insurance Portability and Accountability Act (HIPAA) rules (see Amended CLIA, HIPAA regulations provide patients direct access to lab test results, Health Law Daily, February 6, 2014).

According to Roberts, while the joint Final rule amended the CLIA requirements to permit laboratories to give completed test results directly to a patient or patient’s representative upon request, and the HIPAA rule to require HIPAA covered laboratories to provide access rights to patients, it also created a conflict. For example, CLIA prohibits non-CLIA certified research laboratories from returning results to individuals for the “diagnosis, prevention or treatment of any disease or impairment of, or the assessment of the health of individual patients,” while HIPAA-covered laboratories have a legal responsibility to provide research results to research subjects upon request if the information is in the “designated record set.”

Roberts explained that the Secretary’s Advisory Committee on Human Research Protections (SACHRP) has made three recommendations to resolve the CLIA/HIPAA conflict:

  • HHS (including OCR, FDA, CMS) should clarify and ratify necessary regulatory interpretations or amendments so that researchers in a non-CLIA-certified laboratory are able to refer, without penalty, a research subject to a CLIA-certified laboratory for additional testing after identifying clinically actionable information.
  • HHS should clarify the duties of HIPAA covered entities to provide results to individuals, upon their request, from non-CLIA-certified laboratories.
  • OCR should provide guidance on how to interpret the “designated record set” in the context of access to test results from non-CLIA research laboratories.

Until there is closure on these recommendations, Roberts recommended that covered entities: (1) review existing practices of researchers with respect to participants’ access to test results; (2) review the standard for determining what test results are part of the “designated record set”; and (3) consult the IRB or counsel about responding to requests.

Electronic informed consent

Roberts’ discussion of electronic informed consent (eIC) included the examination of: (1) a joint FDA/Office for Human Research Protections (OHRP) frequently asked questions guidance; (2) paper v. eIC; (3) electronic signatures; and (4) verification of the research subject’s identity.

The upshot of the joint guidance, according to Roberts, is that: (1) if the research is conducted or supported by HHS and involves a FDA-regulated product, it is subject to both the FDA and HHS regulations; and (2) in the event the regulations differ, the regulations that offer the greater protection to human subjects should be followed.

Roberts explained that both OHRP and FDA regulations allow for the use of eIC and paper informed consent, independently or in combination with each other, and for electronic signatures to be used in lieu of traditional signatures.

Roberts suggested that an eIC should: (1) be easy to navigate, (2) allow the user to proceed forward and backward and to stop and continue at a later time, (3) use hyperlinks where helpful, (4) give patients options to use paper or electronic; and (5) ask: Do research subjects need assistance in completing the eIC? Roberts also suggested that research subjects be given a copy of the written informed consent form, preferably with the subject’s signature and the date the form was executed.

Finally, Roberts cautioned that before an organization establishes, assigns, certifies, or otherwise sanctions an individual’s electronic signature, or any element of such electronic signature, the organization must verify the identity of the individual.

Overall, with regard to eIC, Roberts recommends checking with the IRB about the use of eIC to ensure that the IRB agrees that the format may be used for the particular research. Examples of possible formats include: encrypted digital signature, electronic signature pad, voice print, and digital fingerprint.

Roberts also recommended: (1) reviewing and revising privacy policies and procedures with respect to any eIC data stored in “the cloud” to ensure compliance with applicable laws; (2) ensuring that eIC materials are easy for the research subject to navigate; and (3) ensuring eIC technology allows an easy way for subjects to ask questions and get answers.

Protecting personal data beyond HIPAA

Safeguarding protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191) is important, but what responsibilities do hospitals have to protect other types of personally identifiable information (PII)? What concrete steps can hospitals take to follow through on these responsibilities? Meg Grimaldi, Director of Compliance at Martin Luther King, Jr. Community Hospital in Los Angeles, and Sarah Bruno, Matthew Mills, and Jade Kelly, Partners at Arent Fox LLP, answered these questions in a Health Care Compliance Association (HCCA) webinar titled, “Navigating the Rest of the Iceberg: Privacy and Security Compliance Beyond HIPAA.”

Grimaldi began by reminding hospitals of the different types of information they encounter and the manner in which they encounter them. Aside from PHI gleaned through medical records, for example, hospitals may take in data used in accessing patient portals or submitted through event registrations and surveys. When gathering such information, hospitals must weigh the benefits of detriments of easy to use portals with the need to verity identity. User IDs, passwords, and personal questions are no longer sufficient to protect data; instead, hospitals should implement two-factor authentication—something a person knows, such as a User ID and password, with something a person has, such as a card or mobile device. Some hospitals may even consider utilizing biometrics. Hospitals should carefully consider the need to use cookies, which store data. If using cookies, session cookies are less risky because they do not save personal information beyond a single session. The use of long-term cookies must be carefully safeguarded.

The hospitals, themselves, may handle payment information or employee information submitted through secure portals, or may farm these duties out to third parties, but they remain no less responsible for the protection of the PII. Hospitals must ensure that business associate agreements (BAAs) or other contracts hold third parties accountable for handling types of data.

In general, hospitals should implement safeguards such as network segmentation, security scans, penetration testing, and encryption. In addition, they should routinely review software patching solutions, implement active alerts in intrusion detection systems, and periodically perform test backups. When data is no longer needed, hospitals should destroy it.

Bruno noted a need to categorize data as falling into the purview of specific laws, including HIPAA, the Children’s Online Privacy Protection Act of 1998 (COPPA) (P.L. 105-277), and various other federal and state laws, as well as industry standards. In addition, hospitals should take note that European countries accept a much broader definition of PII than the U.S., and that care should be taken the handling of information from European nationals. The hospital’s website should disclose its privacy practices. Mills discussed laws and industry standards that govern debtor data, including the Gramm-Leach-Bliley Act (GLBA), which requires financial institutions to provide their customers with notice of the institutions’ privacy practices and to safeguard sensitive data.

Kelly discussed hospitals responsibilities with respect to employee data, including noting in many cases that employee medical information should be kept separate from personnel files and accessed only by certain authorized individuals. Employer must also be sure to comply with the Fair Credit Reporting Act (15 USC § 1681 et seq.) and any applicable state laws.

Grimaldi discussed the need to inform employees of the location of PII policies and procedures and make sure they are easily accessible to employees. Hospitals should diversify training materials to discuss types of data beyond PHI so that they understand what must be protected. It is crucial for hospitals to use plain language, skipping jargon, abbreviations, and acronyms, to ensure that each employee understands what is being discussed. For example, many employees may understand the importance of not clicking on strange emails, but may not know that the tactic is referred to as “phishing” and may thus not understand directions about responses to phishing campaigns. It has been suggested that information needs to be communicated seven times before it is truly understood, so it is important to deliver information in various modes, including training, newsletters, and staff huddles. Hospitals should train employees in various social engineering techniques that are relevant to the particular organization.

Bruno noted that hospitals must create a culture in which employees feel comfortable letting the organization know about potential and actual breaches, which are inevitable, whether through a malicious hack or a lost laptop. Once a breach is identified, a number of individuals should be involved in the response, including the privacy officer, the head of marketing, and the chief information security officer (CISO).