Just because a story isn’t about healthcare and HIPAA doesn’t mean they don’t offer some important news for healthcare to note. Marriott and Zoom cybersecurity cases were just in the news. We all need to take note of them and pay close attention to what happens next.
In this episode:
Vendors included in breach lawsuits – Ep 281
Share Help Me With HIPAA with one person this week!
Thanks to our donors. We appreciate your support!
If you would like to donate to the cause you can do that at HelpMeWithHIPAA.com.
Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA
HIPAA Say What!?![05:42] Dr. Rajendra Bhayani, who is an otolaryngology or ENT doctor in Regal Park, New York, agreed to a CAP plus pay $15,000 to settle a complaint with OCR on a patient right of access issue.
In September 2018, OCR received a complaint alleging that Dr. Bhayani failed to provide a patient with access to her medical records following her request in July 2018. OCR responded by providing Dr. Bhayani with technical assistance on complying with HIPAA’s Right of Access requirements and closed the complaint. In July 2019, however, OCR received a second complaint alleging that Dr. Bhayani still had not provided the complainant with access to her records. OCR determined that Dr. Bhayani’s failure to provide the requested medical records was a potential violation of the HIPAA right of access standard. As a result of OCR’s investigation, the complainant received a complete copy of her medical records in September 2020.
On July 9, 2019, OCR received a complaint alleging that Dr. Bhayani, had not provided the patient with their medical records. That is after OCR sent a letter dated October 30, 2018 advising Dr. Bhayani of his obligation to provide the patient access to her PHI. Turns out,Dr. Bhayani failed to provide the medical records and failed to respond to OCR’s August 2, 2019 and October 22, 2019 letters requesting that it happen. Uh oh! Never ignore them.
HHS’ investigation indicated that the following conduct occurred (“Covered Conduct”):
a. Dr. Bhayani failed to provide timely access to protected health information. See 45 C.F.R. § 164.524; and
b. Dr. Bhayani failed to cooperate with OCR’s complaint investigation. See 45 C.F.R. §160.310(b);
Vendors included in breach lawsuits – Ep 281
Now, let’s get into the legal actions that have gotten our attention recently. If you aren’t paying attention to these cases and you are a vendor, it is time to get educated.
The Zoom and Marriott cases have a lot of information that will later impact others. At least, that is what we think. Let’s review them and you tell us if you think they matter.
Zoom Settlement Sounds Like HIPAA Security[14:05] The FTC settlement describes the steps Zoom must take, including:
- Assess and document on an annual basis any potential internal and external security risks and develop ways to safeguard against such risks;
- Implement a vulnerability management program;
- Deploy safeguards such as multifactor authentication to protect against unauthorized access to its network, institute data deletion controls and take steps to prevent the use of known compromised user credentials;
- Require Zoom personnel to review any software updates for security flaws and ensure the updates will not hamper third-party security features.
There was no financial hit on this one but the FTC says any future violations could cost Zoom up to $43,280 for each.
Note that New York State already hit them and got the same types of commitments from them earlier this year. Zoom’s New York Settlement Spells Out Security Moves
Marriott case is the big news[25:38] Marriott suffered one of the worst data breaches in history. The worst part is they didn’t find it until 2018, four years after it began. By then, an estimated 339 million individuals’ personal details had been exposed. This is what happens when you acquire or merge with a company and no one does a deep dive into their network security.
There are so many things to learn in this case because it came when Marriott acquired Starwood. Starwood had a breach at that time that had started 2 years before. No one there had detected it and dealt with it. Marriott didn’t find it for 2 years after the acquisition. There is a 4 year breach.
I can not stress enough the importance of checking out the privacy and security programs organizations you are going to merge or acquire. That happens a lot in healthcare and I expect it will pick up next year with the impacts of 2020 finally settling in on us. If you can’t do a full scan and SRA before the deal do it ASAP after the deal.
Cyber Consulting Vendor Sued[31:25] Now we get to the part that made David sort of stop breathing for a few seconds. The Marriott class action cases now include Accenture.
Accenture was accused of negligence as cybersecurity consultant to Marriott after the breach which we now know exposed data on up to 500 million. Accenture must be one of the defendants in the case according to a judge in the U.S. District Court for the District of Maryland ruling.
The consumers sufficiently made their case that harms from the hack, such as fraudulent credit card charges, were “traceable” to Accenture, according to the judge’s decision. The consulting firm was responsible for outlining and implementing Starwood’s cyber policies before the breach.
Capital One has a similar problem with their breach where consumers are suing the bank and asked for a copy of a post-incident report by Mandiant. Capital One’s lawyers tried to shield the official report by claiming an attorney work product privilege. That didn’t work out either when a judge in the U.S. District Court for the Eastern District of Virginia granted access to the report. According to the official ruling because there had been a long-standing consulting relationship between Capital One and Mandiant it couldn’t be considered a work product.
Healthcare vendors are more intertwined with clients[40:05] To make sure we point out that healthcare vendors are getting caught up in these cases too, check out a class action filed recently: Class Actions Emerge under the HIPAA and HITECH Right of Access Initiative
The Plaintiff claims that the hospital (Healthalliance) and its medical records management provider (Ciox) engaged in a pattern of information blocking by refusing to provide medical records to the Plaintiff widow who sought the records for the purpose of a potential wrongful death / malpractice claim. These actions included: refusing to provide any electronic health records; charging an excessive amount for paper records they were willing to provide; and for being intentionally unresponsive and obstructionist in their dealings with the Plaintiff. On top of these direct claims, the plaintiff seeks certification of a class action for similarly situated individuals—a group alleged to include thousands of potential members.
The impact on healthcare entities is no longer going to be the stopping point when these cases run deeper down the supply chain. That is becoming more clear with every breach of data and privacy.
That last bit brings us to the next big topic in healthcare IT. Information blocking. This is part of the 21st Century Cures Act forcing interoperability in healthcare. Vendors have created a huge problem trying to lock you into their systems. It is also clear even though HIPAA requires patient right of access providers are not doing a good job making sure they get them. Information blocking rules are rolling out. The enforcement of them will take a while but the law is there now. A topic for an episode very soon!
Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!