HIPAA Security Requirements Aren't Cloudy, Especially to Whistleblowers


Earlier this month, the U.S. Department of Health and Human Services Office for Civil Rights (HHS OCR) announced that it had entered into a settlement agreement with St. Elizabeth's Medical Center (SEMC) in Brighton, Massachusetts. Pursuant to the non-admission settlement, SEMC agreed to pay $218,400 and enter into a one-year Corrective Action Plan (CAP) to settle allegations that its employees violated the HIPAA Security Rule by, among other things, storing electronic protected health information (ePHI) in a cloud document sharing application. Covered entities and business associates that increasingly leverage cloud services for storing and managing Electronic Health Records (EHR), and ePHI more generally, should take notice of this development for a number of reasons. First, it underscores the importance of conducting security assessments on, and evaluations of, cloud services before allowing employees to use them to manage ePHI and EHR. Second, it demonstrates the need to create and enforce clear policies prohibiting use of unapproved and untested cloud services. Finally, the settlement appears to have stemmed from an employee whistleblower and highlights how such whistleblowers will become more prominent considerations in cyber and data security investigations and enforcement actions.

The HIPAA Security Rule establishes a federal standard for protecting individuals' ePHI that is created, received, used, or maintained by a covered entity. These standards require appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of ePHI. HHS OCR is responsible for the administration and enforcement of the Security Rule. It performs compliance audits and investigations and has the authority to impose civil penalties for violations. The Department of Justice is empowered to bring a criminal prosecution against an individual who knowingly obtains or discloses protected health information (PHI), or uses unique health identifiers, maintained by a covered entity without authorization.

In November 2012, HHS OCR initiated an investigation into a complaint alleging that SEMC workforce members used an internet-based document file-sharing service to store documents that contained ePHI of approximately 500 individuals without first conducting a risk-based assessment and analysis of that practice. In August 2014, while that investigation was still ongoing, SEMC notified HHS OCR of an unrelated data breach that resulted from the loss of a laptop and flash drive with ePHI for approximately 600 more individuals. Ultimately, HHS OCR concluded that SEMC's conduct violated the Security Rule because it had: (1) "disclosed the PHI" of almost 1,100 individuals, (2) failed to implement sufficient security measures on the use of the internet-based document sharing platform to reduce risks to a reasonable level, and (3) failed to timely identify and respond to a known security incident.

As a result, HHS OCR and SEMC entered into a settlement agreement under which SEMC agreed to pay $218,400 and enter into a one-year CAP. Although the settlement is not explicit, careful review of the CAP suggests that HHS OCR's concern was not necessarily only that the cloud service was insecure, but rather that SEMC had not reviewed and approved the use of the service or trained its employees to understand the risks involved in storing ePHI in the cloud. Thus, the resolution highlights not only the risks inherent in using cloud services, but also covered entities' obligation to conduct these risk assessments, and to implement and to enforce use restrictions on employees. Both considerations are important given that the government has been encouraging covered entities to leverage cloud services to increase the efficiency and quality with which they provide patient care and related services.

The CAP imposed by HHS OCR carries a number of strict compliance requirements. Specifically, SEMC must conduct a self-assessment of its workforce that focuses on compliance with policies and procedures for, among other things, transmission and storage of ePHI on information systems, removal of ePHI, prohibition on sharing accounts and passwords that can be used to access ePHI, use of mobile devices that access or store ePHI, and the reporting of security incidents.

Finally, unlike many data breaches that are either discovered by law enforcement or an organization's internal security team, SEMC's alleged failure to comply with the HIPAA Security Rule came to light because of a complaint that apparently may have been submitted by SEMC workforce members alleging that employees were using an internet-based document-sharing application to store data containing ePHI. Whistleblowers are not new. Indeed, the HIPAA regime encourages self-reporting of ePHI disclosures to the government or private counsel if the "workforce member or business associate employee" believes in good faith that the covered entity has violated the HIPAA Security Rule. What is new is that employees are becoming more aware more and sophisticated about the existence and meaning of cyber and data security requirements.  Whistleblowers—who are often in the best position to observe lax security—add new dimensions of complexity to traditional data security investigations, and represent a new challenge to managing reputation in, and confidentiality of, an investigation. Moreover, they increase the litigation risk in a breach, especially against the background of potentially strong financial incentives to whistleblowers who contemporaneously pursue qui tam litigation.

In short, the enforcement proceeding against SEMC underscores the need for covered entities to create, implement and audit compliance with security policies and procedures, and the interest of HHS OCR in data and cybersecurity in the cloud. Moreover, the proceeding raises an emerging new "insider threat" that goes beyond the well-documented vector of employee errors and even malfeasance that can lead to breaches, and instead presents an employee-as-whistleblower consideration that raises the spotlight significantly on corporate cybersecurity programs and compliance.

Orrick's Cybersecurity and Data Privacy Group is an interdisciplinary team with members in the U.S., Europe and Asia. We craft practical solutions across a host of risk management, consumer protection, brand protection, investigatory and litigation contexts. We leverage our relationships with leading privacy and security consultants, domestic and international law enforcement, government, academia and policy groups, so that our clients benefit from multi-angle solutions.