According to Health Data Management, the Michigan Department of Community Health notified more than 49,000 individuals that a server of the Michigan Cancer Consortium holding their names, birth dates, Social Security numbers, cancer screening test results, and testing dates had been hacked. The Department did not notify local media or the Department of Health and Human Services (“DHHS”) Office for Civil Rights (“OCR”), which enforces the federal health care privacy, security, and breach notification rules, because it concluded that the data was not protected health information (“PHI”). Responding to questions from Health Data Management, a Michigan Department of Community Health spokesperson said that the compromised data “were not medical records and therefore, no notification under HIPAA was sent to individuals.” The Department did, however, notify the individuals under Michigan’s Identity Theft Protection Act.
Although the Department of Community Health itself may not be a covered entity, its conclusion that HIPAA did not apply is too simplistic. First, whether individually identifiable health information is kept in a medical record is, quite simply, irrelevant. The breach notification rule at HITECH Act § 13402, as implemented in subpart D of part 164 of title 45 C.F.R. and amended by the Omnibus Rule, contains no exemption for PHI that is not in a medical record. HIPAA § 1171(6), 42 U.S.C. § 1320d(6), defines “individually identifiable health information” as
[a]ny information, including demographic information collected from an individual, that . . . (A) is created or received by a health care provider, health plan, employer, or health care clearinghouse; and (B) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and . . . (i) identifies the individual; or (ii) with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.
Nothing in that definition turns on where the information is stored. Under 45 C.F.R. § 160.103, PHI is individually identifiable health information—
(1) Except as provided in paragraph (2) of this definition, that is:
(i) Transmitted by electronic media;
(ii) Maintained in electronic media; or
(iii) Transmitted or maintained in any other form or medium.
(2) Protected health information excludes individually identifiable health information:
(i) In education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g;
(ii) In records described at 20 U.S.C. 1232g(a)(4)(B)(iv) (certain education records);
(iii) In employment records held by a covered entity in its role as employer; and
(iv) Regarding a person who has been deceased for more than 50 years.
45 C.F.R. § 164.514(b)(2) lists 18 identifiers that must be removed before health information is deemed de-identified under the “safe harbor” method; information that still contains any of them does not qualify as de-identified, so it remains PHI if the rest of the definition is met. The information breached on the Consortium’s server includes several of those identifiers, including patient names, birth dates, Social Security numbers, and testing dates (dates directly related to an individual).
Second, why ask whether the breached data is PHI at all unless one might be a covered entity or a business associate? Moreover, the Michigan Cancer Consortium’s membership includes many covered entities along with some organizations that are not covered entities. A review of its website indicates that the following member categories are highly likely to include covered entities:
- Networks, cooperatives, or health care delivery systems with cancer programs recognized by the American College of Surgeons.
- Health care/primary care delivery systems or practices.
- Health care insurance plans.
- Health care purchasers.
- Public health organizations (local public health agencies, and so forth).
So even assuming that the Consortium itself does not qualify as a covered entity, a hybrid entity, or an organized health care arrangement, it could still qualify as a business associate, that is, an entity that performs a function or service for or on behalf of a covered entity that involves PHI. Among the possible uses of PHI in serving the membership and its consumers is the development and implementation of the Comprehensive Cancer Control Plan for Michigan, 2009-2015, which, among other processes, reviewed cancer burden data, evidence-based reviews, and capacity assessment results to confirm the goals of the plan. Sounds like using PHI to me. In fact, the Consortium may qualify as a health information exchange, an organization that oversees and governs the exchange of health-related information among organizations according to nationally recognized standards. See Department of Health and Human Services, Office for Civil Rights, “The HIPAA Privacy Rule and Electronic Health Information Exchange in a Networked Environment.” Covered entities participating in such an exchange must have a business associate agreement with it, either a single common agreement that all participating covered entities sign or individual agreements between each covered entity and the exchange.
And now, under the HITECH Act and the Omnibus Rule, business associates, including subcontractors, must comply with the Security Rule and with the breach notification requirements. See my February 11, 2013, blog post, Compliance Hit: Expanded Liability for Business Associates’ Breaches. From the Consortium’s website, one cannot determine whether it is a covered entity or, more likely, a business associate of the Consortium members that are covered entities. Considering, however, the penalties for failing to report when so required, which would seem to constitute willful neglect, the category that carries the highest penalty tier ($50,000 per violation, and each individual’s PHI is a separate violation), one ought to do a more thorough analysis of whether one is a covered entity or a business associate that may be required to report a breach. Also, because covered entities may be liable under the federal common law of agency (see the blog post above) for their business associates’ breaches, the Consortium members are hardly well served by this cavalier analysis of the issue.
No, a far more in-depth analysis of the Consortium’s status was required. Perhaps, had the Consortium determined that it had to comply with HIPAA, even if only as a business associate, it would have conducted a risk analysis and might have prevented this breach. The breached information qualifies as electronic protected health information (“EPHI”), which is regulated by the Security Rule, with which business associates must comply if they maintain or transmit EPHI. EPHI is PHI that is transmitted by or maintained in electronic media, subject to the exceptions to the definition of PHI discussed above. 45 C.F.R. § 160.103. Because the HITECH Act and the Omnibus Rule, as discussed above, require business associates to comply with the Security Rule, which requires a risk analysis of EPHI (45 C.F.R. § 164.308(a)(1)(ii)(A)), a proper analysis of the Consortium’s status should have led it to conduct such an analysis.
And the Consortium would not now have to worry about whether it should have reported the breach to DHHS, whether it faces civil money penalties for not having done so in a timely manner, or whether it may end up facing legal liability from, say, lawsuits by the victims of the breach.
No, merely assuming that HIPAA did not apply because the information was not in a medical record may have severe consequences for the Consortium, its members, and its members’ patients.
For guidance on how to handle a breach, see Jonathan P. Tomes, How to Handle HIPAA and HITECH Act Breaches, Complaints, and Investigations: Everything You Need to Know, Overland Park, KS: Veterans Press (2011).
Thanks to Steve Spearman of Health Security Solutions for suggesting this blog post and offering his insights. Steve and I have worked together on getting organizations HIPAA compliant.