

Focus on Healthcare Privacy

Alerts / December 13, 2011

Welcome to this special Executive Alert focusing on healthcare privacy developments. Topics covered today include:

We hope you find this information helpful. Please contact any member of Baker Hostetler's Healthcare Team with questions.


I recently presented on the topic of "Healthcare Data Breaches—A to Z," at the annual American Society for Healthcare Risk Management (ASHRM) conference in Phoenix. Attendees at any conference are always looking for practical takeaways to share with their colleagues and to help guide them even before a crisis event occurs. During my presentation, with the hope that at least one of the tenets would be helpful to tackle the constantly evolving data breach legal landscape, I gave the audience my A to Zs for healthcare organizations. Many of these will seem like common sense, but in my experience, there are a number of organizations that still do not recognize the importance of each of these. Since the ASHRM conference, I have received many requests for my list and decided to publish it here.

A - Accept that it will happen to you

B - Breach response policies are not only mandatory, they are helpful

C - Compliance with policies and procedures is critical

D - Data breach Fridays—the breach call always comes in at 6:00 p.m. on a Friday

E - Empathize with your customers/patients/employees—how are they going to react to your response?

F - Familiarize yourself with the members of your breach response team before the breach occurs

G - Government has its hands in everything when it comes to privacy


I - IT is not the only one responsible for breaches—it is a C-suite issue

J - Joint Commission may ask you about your healthcare breach

K - Kids' information is sensitive to parents no matter how low level you may think it is

L - Legal landscape is constantly changing

M - Mitigation of harm (credit monitoring, identity monitoring, reissued credit cards)

N - Notice to the media needs to be carefully considered even when required by law, and your PR firm may not be in the best position to advise you

O - Overreacting is not going to get you through the event

P - Preparedness is key

Q - Quit keeping old data

R - Risk of harm analyses should be documented

S - Social media policies should be in place

T - Transparency is expected by regulators and customers

U - Understand the laws that impact your organization

V - Vendors cause about 1/3 of the breaches

W - Wait to see what you are dealing with before you announce a breach to the world

X - X-rays are being stolen to be melted down for their silver content, but you may still need to notify the patients affected because the sleeves often contain PHI

Y - Yesterday's events can't be changed—get over it, look forward, and change your practices

Z - Zealously investigate your breach—it will help you in the end

Building these principles into your organization's philosophy as it bolsters its data security and privacy policies and procedures will help you when an event occurs. Consider updating your breach response/incident response plans, written information security plans, social media policies, portal agreements, vendor contracts and risk assessments. An increasing number of clients also are requesting tabletop exercises or workshops to help them prepare to respond to a breach. The more prepared an organization is, and the more an organization's C-suite recognizes that this is not an IT-only issue, the better equipped organizations will be to respond to customers, lawsuits and regulators.

Ted Kobus serves as National Co-Leader of the firm's Privacy, Security and Social Media Team, advising healthcare providers on privacy, data breaches, social media and intellectual property issues. For more information, please contact Theodore J. Kobus III at or 212.271.1504 or any member of the Baker Hostetler Privacy, Security and Social Media Team.



The Ponemon Institute released a recent patient privacy study and determined that healthcare data breaches increased 32 percent in 2011, costing the healthcare industry approximately $6.5 billion. Despite increased compliance with the Health Information Technology for Economic and Clinical Health Act (HITECH) by healthcare organizations, breaches are on the rise. As a result, patients are not getting the privacy that is afforded them under the Health Insurance Portability and Accountability Act (HIPAA) and HITECH. The survey indicates that the problems span the board, including people, technology and governance issues.


According to the Ponemon survey, 96 percent of all healthcare providers have had at least one data breach in the last two years. Many of these were due to employee mistakes and carelessness, with 49 percent citing lost or stolen computing devices. Another cited cause is third-party error, including by business associates, in 46 percent of cases. The perception, too, is that not all persons who handle medical and billing files understand the importance of protecting that information. In fact, 60 percent of the survey respondents agree that medical billing personnel do not appreciate the importance of patient data protection, and 58 percent say the same of IT personnel. This is alarming considering the amount of patient information that flows through a typical billing department and that most healthcare institutions rely on the IT department to secure data by technological means.

All healthcare workforce members should be trained and aware of organizational policies and procedures governing protected health and other personal information. Training should take place on at least an annual basis and more frequently in areas that handle a great deal of patient data to (1) reinforce the importance of personal and technological security with workforce members when using mobile devices or transporting protected health information (PHI) outside the four walls of the organization; and (2) ensure that personnel who handle large volumes of patient information and other personal information outside the traditional healthcare setting (e.g., billing, human resources, IT, and finance) understand the importance of protecting that information and the consequences should a breach occur. Healthcare organizations also should make sure their business associate agreements provide them with adequate protection should the business associate trigger a data breach.


The survey also indicates that the widespread use of mobile devices is putting patient data at risk. Eighty-one percent of the healthcare organizations surveyed for the report use mobile devices to collect, store and transmit PHI, yet 49 percent admit their organizations do nothing to protect the devices. Further, given the speed at which electronic health records (EHR) are being adopted, function and operability, not security, are the overriding concerns at many healthcare organizations.

Technological safeguards should be installed on all computing devices. Devices containing PHI, both mobile and stationary, should be encrypted to protect the information on them. The EHR should have appropriate security not only to prevent an intrusion from the outside, but also to prevent an inadvertent breach by workforce members who have no need to access the information for treatment, payment or operations. Regular audits and risk assessments of data security should be conducted to determine areas of vulnerability.


The survey indicates that prevention of unauthorized access to patient data and loss or theft of such data is a priority in only 29 percent of the organizations that participated. The survey reveals that many healthcare organizations say they have insufficient security and privacy budgets at a time when mobile devices and EHR are being demanded. Data security and breach prevention is a C-suite and board issue, and appropriate organizational governance around these issues is needed. Silos among the privacy and compliance, IT, risk management, audit and legal departments need to be broken down so each understands the importance of this enterprise-wide risk and communicates effectively with the other. Policies and procedures are the first step, with regular communication among these groups being a necessity.


This year's Ponemon survey showed the average economic impact of a data breach was $2.2 million, an increase of 10 percent from 2010. Further, 81 percent of the organizations believe they suffered loss in time and productivity as a result of a breach, followed by 78 percent who said they had brand diminishment, and 75 percent who indicated a loss of patient goodwill. Moreover, medical identity theft poses a greater risk to patients, according to the survey. Twenty-nine percent said their breaches led to cases of identity theft, up from last year. While 90 percent of healthcare organizations say that breaches cause harm to patients, 65 percent do not offer protection services for the affected patients, likely due to the belief by 72 percent that credit monitoring is ineffective and that a solution to prevent and detect medical identity theft is needed.

Baker Hostetler's Data Breach Hotline

We recognize that our healthcare clients find themselves challenged to safeguard sensitive patient and employee information in an environment that is increasingly at risk for both deliberate and accidental breaches. To that end, Baker Hostetler has developed a toll-free 24-hour hotline to respond to data breach incidents:

Toll Free 24-Hour Data Breach Hotline


The Baker Hostetler Team has handled over 200 data breaches, including some of the largest reported healthcare data breaches in recent months. If you need assistance with workforce education, risk assessments, breach response, or other data security and breach issues, please contact Lynn Sessions, or 713.646.1352, Theodore J. Kobus III at or 212.271.1504 or any member of the firm's Privacy, Security and Social Media Team.



During the past year, the healthcare privacy and security community has anxiously awaited publication of the "Final HITECH Regulations" amending certain provisions of the privacy and security standards of HIPAA that were mandated by the HITECH Act. But did you know that several components of the HITECH Act already are in effect? Business associates, in particular, need to be aware that the HITECH Act's imposition of specific technical, administrative and physical safeguards onto their operations became effective in early 2010, one year after the HITECH Act was enacted. Further, the HITECH Act Breach Notification Rule became actively enforced in February 2010. As discussed in the article that follows, both covered entities and business associates should be aware that the Office for Civil Rights (OCR) recently awarded a $9 million contract, authorized under the HITECH Act, to the auditing firm of KPMG to commence HIPAA privacy and security compliance audits starting January 1, 2012.

When budgeting and setting objectives for privacy and security compliance during the 2012 calendar year, healthcare providers, health plans and business associates subject to HIPAA would do well to review the compliance deadlines currently in effect, along with reviewing their policies and making plans to fulfill the new HITECH Act final regulations, which government insiders predict may be published by year end. The following are key dates that may impact how your organization sets its IT and compliance priorities for privacy and security in the coming year:

Privacy and Security Compliance Deadlines Currently In Effect

Requirement | Compliance Date (Enforcement Date)
HIPAA Privacy Regulations: Healthcare Providers, Health Plans and Healthcare Clearinghouses | April 14, 2003
HIPAA Privacy Regulations: Small Health Plans | April 14, 2004
HIPAA Security Standards: Healthcare Providers, Health Plans and Healthcare Clearinghouses | April 20, 2005
HIPAA Security Standards: Small Health Plans | April 20, 2005
HITECH Act: Increase in Civil Penalties for Violations | February 17, 2009
HITECH Act: HIPAA Enforcement Through State Attorneys General | February 17, 2009
HITECH Act: Guidance Specifying the Technologies and Methodologies for Rendering PHI Unusable, Unreadable or Indecipherable to Unauthorized Individuals | August 24, 2009
HITECH Act: Breach Notification Rule (Interim) | September 23, 2009 (February 22, 2010)
HITECH Act: Personal Health Records: FTC Breach Notification Rule (Interim) | September 24, 2009 (February 22, 2010)
HITECH Act: Interim Final Rule—Increased Enforcement/Tiered Penalties | November 30, 2009
HITECH Act: Application of Security Rule to Business Associates | February 17, 2010
HITECH Act: Final Regulations Amending HIPAA Privacy Regulations | (no later than 2013)
HITECH Act: Proposed Revision to Accounting Rule | (published May 31, 2011)

For more information, please contact John S. Mulhollan, or 216.861.7484.



In an effort to comply with Section 13411 of the HITECH Act, the OCR recently announced the implementation of a pilot program to audit covered entities and business associates to ensure they are complying with the HIPAA Privacy and Security Rules and Breach Notification standards. OCR anticipates performing up to 150 audits during the pilot phase, which began in November 2011 and should conclude by December 2012. OCR will use the audits and associated site visits to assess HIPAA compliance efforts, examine mechanisms for compliance, identify best practices and discover risks and vulnerabilities that may not have come to light through OCR's complaint investigations and compliance reviews.

Every covered entity is eligible for an audit, and OCR anticipates including business associates in future audits. When a covered entity is selected for an audit, OCR will notify the covered entity in writing. The notification letter will provide an introduction to the auditor contractor—KPMG won OCR's $9.2 million contract for the HITECH-required HIPAA audits—explain the audit process and describe the initial document and information requests. OCR expects entities selected for audit to provide the requested information within ten business days of the request for information.

During the pilot phase, every audit will be accompanied by a site visit in which auditors will interview key personnel and observe processes and operations to help determine compliance. Covered entities should be notified of a site visit between 30 and 90 days prior to the anticipated visit, which itself may take between 3 and 10 business days. Auditors then will develop a draft report describing the findings and what actions the covered entity is taking in response to those findings. Before finalizing the report, the covered entity will have the opportunity to discuss concerns and describe corrective actions implemented to address concerns identified.

OCR maintains that the audits are primarily a compliance improvement activity. However, should an audit report indicate a serious compliance issue, OCR may initiate a compliance review to address the problem. Unlike its practice with breaches, OCR will not post a listing of audited entities or otherwise identify the audited entity when sharing findings. Covered entities should begin preparing for these new audits by reviewing and updating their policies, procedures and training. Entities should ensure compliance protocols are being followed and that they are positioned to identify audit notification letters and respond within the short timeframes for producing requested information.

For more information, please contact Lynn Sessions, or 713.646.1352, or Ameena N. Ashfaq, or 713.646.1329.



By now, most healthcare providers, health plans and their business associates are aware of the growth of "cloud computing" in the information technology (IT) industry. Moving an organization's applications, data and IT support to a cloud-based platform can significantly reduce the costs of information technology, through greater availability and access (due to its web-based network infrastructure), economies of scale, flexibility/scalability and a higher level of real-time reliability (less system downtime). There are, however, significant risks to cloud computing, especially regarding the placement of sensitive, individually identifiable patient information on the cloud. Under the privacy and security standards of HIPAA, covered entities and business associates are under a heightened duty to ensure that the computing resources they employ to handle PHI are adequately protected from security threats such as hackers, misuse by employees, data destruction and downtime caused by system outages or disasters (i.e., disruptions that may threaten patient safety).

Therefore, in order to take advantage of the benefits of cloud computing, healthcare organizations must be prepared to focus on risk identification and risk management before, during and after implementation of a cloud-based information system. Fortunately, there is a growing expanse of literature being published to assist covered entities and business associates with managing the risks associated with cloud computing. One such resource, published earlier this year, is the NIST (National Institute for Standards and Technology) proposed guidance, "Guidelines on Security and Privacy in Public Cloud Computing," Draft Special Publication 900-144 (January 2011). The following paragraphs highlight some key considerations that healthcare providers, health plans and their business associates should follow when moving IT to the cloud.

Public or Private Cloud?

Most, if not all, healthcare organizations subject to HIPAA privacy and security will be required to limit their use of cloud computing to "private" cloud services. The security risks and lack of negotiability of the terms of public cloud services typically will foreclose the possibility of subscribing to an off-the-shelf public cloud provider. Public cloud providers, such as consumer- or small business-oriented web hosting and storage companies, typically offer a standardized product with uniform terms of service available to the general public, usually at a very reasonable fee due to the large economies of scale and standardized product or service. Public cloud computing is typically web-based, residing entirely on a platform external to the subscriber's organization.

Private cloud computing, on the other hand, consists of an exclusive system of access and computing resources, usually with terms of service, or a "Service Level Agreement," that are negotiated to meet the unique needs of the customer. Private cloud computing resources may still be web-based, but the data and applications may reside on dedicated servers; and, for privacy and security reasons, the system may be walled off using firewalls and other security appliances to protect the customer's system and data from outside intrusion and access. Private cloud computing solutions also may contain hybrid elements, such as location of some devices within the customer's facility with remote management by the cloud provider. As this description reveals, it is through private cloud computing that HIPAA-covered entities and their business associates may pursue the exclusive, tailored approach to managing the PHI security and privacy requirements needed for HIPAA compliance. Although the cost of private cloud computing may be higher than public cloud computing, covered entities and business associates may nevertheless achieve significant reductions in computing costs by outsourcing key information systems, thus converting previously fixed, substantial capital outlays to periodic, variable and customizable operating expenses with respect to healthcare IT.

Considerations Prior to Adopting a Cloud-Based Solution

As can be seen from the distinction between private and public cloud computing, one of the primary considerations before entering into a cloud-based IT solution is the evaluation and adoption of clearly defined security and privacy requirements. Covered entities and business associates should conduct a reasonable, yet thorough, risk assessment to identify the necessary controls and potential gaps in security associated with the cloud solutions being considered. Other considerations prior to purchasing cloud services include a thorough vetting of the cloud service provider's reputation, including checking references, capacity commitments, backup systems, management tenure and IT expertise. Ensuring open and clear communications also will be key, as the customer will need to have direct lines of communication with the cloud provider in the event of a security incident or Breach of Unsecured Protected Health Information triggering reporting obligations under the HITECH Act.

Contracting and Operational Considerations

One of the biggest red flags when evaluating a potential cloud computing services provider will be the unwillingness to discuss or negotiate terms of security and privacy protections in a service level agreement (SLA). A cloud provider's reluctance to share the basic details of its security infrastructure capabilities may raise questions concerning the provider's knowledge of and ability to tailor a system meeting HIPAA requirements. This is why the negotiation of a cloud computing services agreement should involve a legal advisor trained in HIPAA and information security requirements, as well as general IT licensing and intellectual property issues.

When negotiating a cloud computing solution, the three areas of (1) vendor due diligence; (2) careful drafting of the SLA; and (3) an effective business associate agreement, are critical to ensuring HIPAA compliance and avoiding future liability exposure. A practical approach may include creating a "HIPAA checklist" of key standards, safeguards and system components that are required by the customer, with an ongoing evaluation of the cloud provider's specific measures adopted to meet HIPAA's stringent privacy and security requirements. The checklist should include key considerations such as (1) breach reporting; (2) encryption of e-mail and stored data; (3) training of personnel; and (4) physical, technical and administrative security safeguards, as well as appropriate controls on downstream uses or disclosures of PHI, such as when an IT provider delegates or outsources services to subcontractors or other downstream vendors. Covered entities should check with their legal advisors for any legal prohibition on downstream contracting that may apply to their business and ensure appropriate legal language in the SLA. The parties also should ensure that the SLA covers any other applicable regulatory requirements, such as reporting any computerized data breaches under state law.

Further essential steps include, during and after the negotiation of the SLA, the use of a detailed IT work plan itemizing the specific cloud products and service components and their delivery dates for "going live." This is especially important for mission-critical areas such as EHR, where a hospital or medical group's ability to qualify for federal financial incentives under HITECH's EHR Meaningful Use program may be at stake. Finally, ongoing monitoring, through appointed liaisons between the cloud service provider and the customer, will be needed to oversee and ensure that the terms of the SLA are being performed. The SLA should contain rights of access and auditing by the customer to ensure that the cloud provider is doing what it represented it would do.

Activities at the Conclusion of Cloud Services Arrangement

It is essential not to forget the importance of ensuring the privacy and security of PHI at the conclusion of a cloud computing services arrangement. As with all data, PHI tends to hang around in company systems long after the parties have moved on to other systems and objectives. The handling of residual PHI, just like the handling of toxic waste in the EPA field, has significant risks associated with it under both HIPAA and state laws. Every SLA for cloud computing should contain clearly defined triggers for terminating the agreement, with detailed steps for the resolution of open service issues and the return of PHI at the conclusion of the contract. Ensuring the following will be of utmost importance at the conclusion of a cloud services arrangement: (1) termination of all physical and electronic access rights granted by customer to cloud provider's personnel; (2) return or destruction (in a HIPAA-compliant manner) of all PHI in the possession of the cloud provider; and (3) return of any other assets and protection of any intellectual or other property rights of the parties. In order to ensure the privacy and security of PHI at the conclusion of a cloud services arrangement, the parties should detail the preceding requirements at the beginning of the arrangement, preferably in the SLA. At the conclusion of the contract, the covered entity or business associate should take steps to inform or remind the cloud services provider of its contractual obligations upon termination.

In conclusion, cloud computing continues to have a growing, widespread effect on the development and use of information systems across the country, and particularly in healthcare, where mobility, interoperability and information exchange are key to the ever-changing healthcare environment. It is likely that all businesses, large and small, will be required to evaluate the possibility of using cloud computing resources in the near future, because of the cloud's unique ability to reduce information technology costs, and to "keep up with the Joneses" in their industry. Given the heightened duty to secure and protect the privacy of PHI under HIPAA, healthcare providers, health plans and business associates should consider a managed risk-based approach to cloud computing, to avoid the dark clouds of a potential security breach and enjoy the sunshine of efficient technology through a vetted, secure cloud-based service platform.

For more information, please contact John S. Mulhollan, or 216.861.7484.



In the healthcare setting, identity theft is most often committed by an individual illegally using someone else's personal information to obtain medical services. This type of identity theft can result in harm to the victim's credit score due to unpaid medical bills. In 2009, the Federal Trade Commission (FTC) reported that medical identity theft accounts for 1.3 - 3 percent of all identity theft crimes.

In compliance with the FTC's Red Flags Rule, to combat identity theft, healthcare providers establish identity theft prevention programs to detect, prevent and mitigate risks associated with identity theft. Put simply, the programs help verify that the patient is the same person that is on file. As recommended by the FTC, such identity theft prevention programs often require that a patient arriving for a procedure present a valid form of photo identification and their insurance card. Other patient authentication methods include having a patient demonstrate knowledge of their personal information or previous services received, or having the patient provide a password.

Recently, such identity theft prevention programs have expanded to include the photographing of patients or the scanning/copying of a patient's photo IDs—attaching the patient's photo to an EHR. Often, and importantly, the patient has an option as to whether to be photographed or whether to provide a copy of a photo ID.

While healthcare providers are proactively attempting to guard against identity theft and health insurance fraud, some patients feel as if their privacy is being violated. Some opponents state that such linking of photos to EHRs increases the threat of identity theft. Accordingly, crafters of identity theft programs, interested in including photos in their patient authentication process, must balance the benefits of retaining a patient's photo with the risk of invading a patient's privacy.

For more information, please contact Kimberly M. Wong at or 212.271.2028.



A recent decision under the federal Driver's Privacy Protection Act (DPPA) may spur lawsuits against healthcare providers who collect driver's license information. Under the DPPA, a provider may not obtain or disclose personal information from a motor vehicle record except for one of the limited permissible purposes. Such data, however, can be used in the normal course of business, but only (1) to verify the accuracy of personal information submitted by the individual; and (2) if submitted information is not correct or is no longer correct, to obtain the correct information, but only for the purpose of preventing fraud by pursuing legal remedies, or recovering on a debt or security interest against the individual. A more complete overview of the DPPA is available in a recent Baker Hostetler Executive Alert.


Baker & Hostetler LLP publications are intended to inform our clients and other friends of the Firm about current legal developments of general interest. They should not be construed as legal advice, and readers should not act upon the information contained in these publications without professional counsel. The hiring of a lawyer is an important decision that should not be based solely upon advertisements. Before you decide, ask us to send you written information about our qualifications and experience. © 2011 Baker & Hostetler LLP