Consumers are increasingly turning to health apps for a variety of medical and wellness-related purposes, and as a result greater volumes of data, including highly sensitive information, flow through these apps. These data troves can trigger significant compliance responsibilities for the app developer, along with significant legal and contractual risk. It is mission-critical to the successful development (and future viability) of a health app to consider the privacy issues up front (otherwise known as “privacy by design”), because it is far cheaper to build privacy in than to remediate after the fact.

(Note:  This was originally posted as part 6 of a 7-part series on Building a Health App? on our sister blog, Health Law & Policy Matters.)


Continue Reading HIPAA and Other Privacy Considerations at Play when Building a Health App

Last week, the HHS Office for Civil Rights (OCR) disclosed a $5.5 million settlement with Memorial Healthcare Systems (MHS) for HIPAA violations affecting the protected health information (PHI) of 115,143 individuals. The Resolution Agreement, which can be found here, also contains a detailed corrective action plan (CAP).

The Florida-based health system reported to OCR that the PHI had been impermissibly accessed by MHS employees and impermissibly disclosed to affiliated physician office staff. The PHI consisted of names, dates of birth, and social security numbers.

According to OCR, the login credentials of a former employee of an affiliated physician’s office had been used to access the ePHI maintained by MHS on a daily basis without detection from April 2011 to April 2012, affecting 80,000 individuals. Although it had workforce access policies and procedures in place, MHS failed to implement procedures with respect to reviewing, modifying and/or terminating users’ right of access, as required by HIPAA. The health system also failed to regularly review records of information system activity for its applications that maintain electronic PHI and which are accessed by workforce users and users at affiliated physician practices. To make matters worse, the health system failed to review the audit information despite having identified this risk on several risk analyses conducted by MHS from 2007 to 2012.
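The two controls the settlement faults are closely related: access that should have been terminated was not, and the audit trail that would have exposed the daily logins was never reviewed. The script below is an added example (not part of the original post, the resolution agreement, or any MHS system) of the kind of periodic log review that catches the first failure even when deprovisioning has already slipped. It reconciles a constructed application access log against a constructed workforce roster and flags every successful login by an account whose end date has passed, or that is missing from the roster entirely. The log format, the roster structure, and all users and dates are assumptions made for the example.

```python
"""Reconcile application access logs against a workforce roster.

Added example, not code from the original post or from MHS/OCR. Every
successful login by an account whose owner's access end date has passed is
flagged, as is any login by an account that does not appear in the roster.
All log lines, accounts and dates are constructed for this example.
"""
import re
from dataclasses import dataclass
from datetime import date, datetime

# Constructed roster: account -> (affiliation, access end date or None if active).
# In practice this would come from HR and from each affiliated practice.
ROSTER = {
    "jdoe":   ("hospital",         None),
    "asmith": ("physician-office", date(2011, 3, 31)),  # left the affiliated practice
    "bwong":  ("hospital",         date(2011, 6, 15)),
}

# Constructed audit log in a simple "timestamp user action" format (an assumption).
SAMPLE_LOG = """\
2011-04-04T08:02:11 jdoe LOGIN_OK
2011-04-04T08:05:47 asmith LOGIN_OK
2011-04-04T08:06:02 asmith PATIENT_VIEW
2011-06-20T09:15:00 bwong LOGIN_OK
2011-06-20T09:15:30 bwong LOGIN_FAIL
2011-07-01T10:00:00 ghost LOGIN_OK
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


@dataclass(frozen=True)
class Finding:
    when: datetime
    user: str
    reason: str


def parse_line(line):
    """Parse one log line into (timestamp, user, action); None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, user, action = m.groups()
    return datetime.fromisoformat(ts), user, action


def review_access_log(log_text, roster):
    """Return findings for successful logins the roster says should not have happened."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        when, user, action = parsed
        if action != "LOGIN_OK":          # only successful authentications matter here
            continue
        if user not in roster:
            findings.append(Finding(when, user, "account not in workforce roster"))
            continue
        _affiliation, end_date = roster[user]
        if end_date is not None and when.date() > end_date:
            findings.append(Finding(when, user,
                                    f"login after access end date {end_date.isoformat()}"))
    return findings


if __name__ == "__main__":
    for f in review_access_log(SAMPLE_LOG, ROSTER):
        print(f"{f.when.isoformat()} {f.user}: {f.reason}")
```

Run against the constructed log, the review flags the affiliated-office account that kept logging in after its end date, the hospital account used after termination, and an account that is not in the roster at all. The point of running it on a schedule is that it does not depend on the deprovisioning ticket ever having been actioned: the roster's end date alone is enough to surface the access.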

“Access to ePHI must be provided only to authorized users, including affiliated physician office staff,” said Robinsue Frohboese, Acting Director, HHS Office for Civil Rights. “Further, organizations must implement audit controls and review audit logs regularly. As this case shows, a lack of access controls and regular review of audit logs helps hackers or malevolent insiders to cover their electronic tracks, making it difficult for covered entities and business associates to not only recover from breaches, but to prevent them before they happen.”

While hacking incidents typically garner more media coverage, this case highlights the increasing threat posed by those inside a HIPAA-regulated organization. According to a Protenus report, nearly 60% of the breaches that occurred this past January involved insiders. Organizations would be well-served by reviewing recent OCR guidance on the importance of audit controls.

Originally posted in Mintz Levin’s Health Law Policy Matters

Our 2015 monthly Privacy Issues Wednesday webinar series continued this month with Jonathan Cain and Paul Pelletier’s Responding to Insider Data Theft & Disclosure presentation. Jonathan and Paul discussed how identifying an insider threat differs from the techniques used to identify and stop hackers, how to create an environment that deters insiders from stealing data, and the legal remedies, both civil and criminal, that are available to recover stolen data and compensate for its loss. Nearly 100 participants joined us for this webinar.

For those who missed the webinar, some of the key takeaways include the following:

  • Data losses due to insiders are not the most common source of loss, but they are consistently among the most damaging to the company’s finances and future.  They target customer data, intellectual property, future business plans and embarrassing skeletons.
  • Insiders are not hackers, and the traditional technology-based barriers that keep outside hackers out do not stop them, because the insider is entitled to be on the network and has authorized access to the data.
  • Detecting insiders is an ongoing exercise of analyzing the activity of nominally equivalent employees and identifying anomalous conduct.
  • Deterring insiders by shaping the workplace environment is easier and more productive than trying to identify an attacker after the fact.  Where employees are aware that indicators of insider attacks are being watched, attacks are less likely to occur.
  • The Computer Fraud and Abuse Act (CFAA), which is the most commonly employed federal statute to redress insider attacks, is interpreted inconsistently across the federal courts, and its effectiveness varies.  State computer abuse, trade secrets, and breach of fiduciary duty laws continue to provide suitable remedies, both civil and criminal.
  • Criminal prosecution of insiders under federal law based on the CFAA, wire fraud, HIPAA and other federal criminal statutes is feasible, but is likely to be available only in the largest cases.
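The detection takeaway above, comparing each user against nominally equivalent employees, is easy to state and easy to get wrong: a naive mean-and-standard-deviation baseline is dragged toward the very insider it is supposed to find. The following is an added example (not part of the webinar or the original post) of a peer-group comparison that avoids that trap. Users are grouped by role, each user is scored against a baseline built only from their peers (leave-one-out), and the baseline uses the median and median absolute deviation (MAD), which a single heavy user cannot inflate. The roles, user names and weekly record-access counts are constructed for the example, and the threshold of 3.5 sigma-equivalents is an assumed starting point, not a number from the webinar.

```python
"""Peer-group anomaly detection for insider activity.

Added example, not code from the webinar or from Mintz Levin. Each user's
activity is compared with a robust baseline (median and MAD) built from the
other members of the same role, so the suspect's own numbers never form part
of the yardstick they are measured against. All data is constructed.
"""
from statistics import median

# Constructed weekly counts of patient records opened, as (role, user, count).
ACTIVITY = [
    ("nurse",   "alice", 220),
    ("nurse",   "bob",   205),
    ("nurse",   "carol", 240),
    ("nurse",   "dave",  1950),   # opens roughly nine times what peers do
    ("nurse",   "erin",  215),
    ("billing", "frank", 60),
    ("billing", "grace", 75),
    ("billing", "heidi", 70),
    ("billing", "ivan",  68),
]


def robust_zscore(value, peers):
    """(value - median(peers)) / MAD(peers), with MAD scaled to sigma-equivalent units.

    Returns None when there are too few peers, or when the peers are identical
    (MAD of zero), because no meaningful comparison is possible in either case.
    """
    if len(peers) < 3:
        return None
    med = median(peers)
    mad = median(abs(p - med) for p in peers)
    if mad == 0:
        return None
    return (value - med) / (1.4826 * mad)   # 1.4826 makes MAD comparable to sigma


def flag_outliers(activity, threshold=3.5):
    """Return [(role, user, count, score)] for users far above their peer group.

    Only unusually high activity is flagged; unusually low activity is ignored.
    """
    by_role = {}
    for role, user, count in activity:
        by_role.setdefault(role, []).append((user, count))

    flagged = []
    for role, members in by_role.items():
        for user, count in members:
            peers = [c for u, c in members if u != user]   # leave-one-out baseline
            score = robust_zscore(count, peers)
            if score is not None and score > threshold:
                flagged.append((role, user, count, round(score, 1)))
    return flagged


if __name__ == "__main__":
    for role, user, count, score in flag_outliers(ACTIVITY):
        print(f"{role}/{user}: {count} records, {score} robust sigmas above peers")
```

On the constructed data only the nurse opening ~1,950 records is flagged; the same user's presence does not push any of the four peers over the threshold, because each peer's baseline is computed without the outlier dominating the spread. Counts are one feature; in practice the same comparison is run across several (records touched outside the user's department, after-hours access, export volume) and the findings are reviewed by a person, since a high score is a lead, not proof.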

For a recording of the webinar, click here.

The next webinar — the fourth in our Mintz Levin Privacy Series —  EU Data Protection for US Companies, will discuss the issues faced by US companies who do business in Europe or simply interact with European customers.  We will look at how to determine whether EU data protection laws apply to you, and what you need to do to comply.  We will also provide an overview of the upcoming major overhaul of EU data protection laws in the form of the draft Data Protection Regulation, which is likely to be finalized in late 2015 or 2016.  The webinar will be presented by Susan Foster, a member in our London office, who is qualified as a solicitor in England & Wales as well as an attorney in California.

Sign up here to attend.


By now (unless you have been under a snow drift), you have likely heard about the apparent intrusion into a database at the nation’s largest health insurer, Anthem, Inc.  Rather than reiterate the facts as currently known (see Anthem’s dedicated website for updates), we’ll look at the fallout and what’s next. Continue Reading The Anthem Data Breach: The Fallout and What’s Next

Written by: Dianne Bourque, Kimberly Gold, Kate Stewart, and Stephanie D. Willis

(original post in Mintz Levin’s Health Law & Policy Matters blog)
As a service to our readers, we have distilled last week’s joint HHS Office for Civil Rights (OCR) and National Institute of Standards and Technology (NIST) conference, “Safeguarding Health Information: Building Assurance through HIPAA Security,” into three phrases: (i) risk assessment, (ii) workforce training, and (iii) adequate encryption. For those of you willing to read on, we elaborate on them below and provide our view on the important takeaways from the conference. Continue Reading Notes from the Joint OCR/NIST HIPAA Security Conference

Written by:  Stephanie D. Willis 

As the world recovers from the excitement leading up to Tuesday’s Apple Live Event announcement of the new iPhone 6 and Apple Watch, mobile app developers are chomping at the bit to create software that leverages the new operating system and Apple’s widely anticipated “HealthKit,” a purportedly secure platform that allows mHealth apps to share users’ health and fitness data with the new Health app and with each other. In fact, over 300 apps were created per day in recent years, according to some reports. But because the mobile app market is supersaturated, the quantity of available mobile apps says nothing about the number of high-quality, secure apps that would be appropriate for use at an organization with a high privacy and security risk profile. The draft Technical Considerations for Vetting 3rd Party Mobile Applications (the Vetting Report), issued by the National Institute of Standards and Technology (NIST) in August 2014, is an essential document for any organization to use to help weed out the mobile apps that may create unnecessary IT risks.

Continue Reading NIST Issues Draft Report Enumerating Risks and Protections to Consider When Evaluating Mobile Apps for Your Enterprise

In the largest Health Insurance Portability and Accountability Act (HIPAA) settlement to date, two New York hospitals have agreed to pay $4.8 million to settle allegations that they failed to secure thousands of patients’ electronic protected health information (ePHI) held on their shared network.  Our sister blog, Health Law Policy Matters, provides an analysis of the incidents and settlement here.



Haul out the holly, fill up the stockings, even though it’s just one week past Thanksgiving day…..


Rather than look back at 2013, next week the Privacy & Security blog will count down The 12 Days of Privacy, looking ahead to what we might expect in 2014.    The editor’s muse for this series came from our friend and partner, Len Weiser-Varon, who riffed on yesterday’s post regarding the latest password hack:


  • 318,000 Facebook accounts
  • 70,000 Gmail, Google+ and YouTube accounts
  • 60,000 Yahoo accounts
  • 22,000 Twitter accounts
  • 8,000 ADP accounts (ADP says it counted 2,400)
  • 8,000 LinkedIn accounts
  • Three French hens
  • Two turtle doves
  • And a password in a pear tree.

In Len’s words: This year, a brand new password in an unhacked stocking is a holiday must.

Don’t miss our series starting on Monday. Continue Reading Coming Next Week: The 12 Days of Privacy

If you haven’t yet caught up with the new HIPAA Omnibus Rule and its consequences for businesses that are not themselves healthcare providers but are service providers to healthcare entities (and even further downstream than that), you can listen to our recent webinar highlighting the most important changes and issues.

A recent settlement announced by the Massachusetts Attorney General calls attention to the fact that improper disposal of medical records and personal information can cost you. The owners of a medical billing practice and four pathology groups, whose patient information was all improperly disposed of, will collectively pay $140,000 to settle the claims.

In July 2010 a Boston Globe photographer discovered a knoll of medical records at the Georgetown Transfer Station.  Goldthwait Associates, a medical billing practice, tossed the records of more than 67,000 Massachusetts residents at the public dump when they closed shop in May 2010.  The records included names, Social Security numbers, health insurance information and medical diagnoses.

The AG alleged that the owners of Goldthwait Associates improperly disposed of medical records and in doing so violated the Massachusetts Consumer Protection Act, the Massachusetts Data Disposal and Destruction Act, and the Massachusetts Security Breach Act (including 201 CMR 17.00). The pathology groups were charged with “failing to have appropriate safeguards in place to protect the personal information they provided to Goldthwait Associates” and with not taking reasonable steps to retain a service provider that had appropriate security measures in place to protect personal information (PI) and protected health information (PHI). The groups were alleged to be in violation of the Massachusetts Security Breach Act and the HIPAA Privacy and Security Rules.

The complaint outlines steps that the groups did not take during their relationship with Goldthwait, which can serve as a to-do list when onboarding new vendors:

  1.  inquire about the vendor’s methods for ensuring adequate safeguards for protecting PI and PHI;
  2.  inquire about the vendor’s methods for disposing of PI and PHI;
  3.  inspect the vendor’s facilities;
  4.  request a copy of the vendor’s policies and procedures or contracts that detail the vendor’s method for disposing of PI and PHI;
  5.  verify that employees of the vendor who come into contact with PI or PHI are adequately trained regarding the appropriate methods for handling or disposing of such information.

The settlement agreement requires each pathology group to vet all business associates, ensuring they have a written information security plan and the practices described are sufficient to comply with the groups’ obligations to protect personal information and PHI.  The groups must also execute business associate agreements before disclosing any PI or PHI to service providers.  AG Coakley said, “Personal health information must be safeguarded as it passes from patients to doctors to medical billers and third-party contractors.”

Gagnon, the owner of Goldthwait Associates, told news sources that some of the groups were his clients for over 25 years, which may explain why they failed to have formal agreements in place.  This settlement underscores the importance of reviewing the practices of your vendors (even if your best friend owns the company) and signing agreements with them that cover the protection of PI and PHI.  If you handle PHI you should also take a look at the data security tips for health care organizations for helpful ways to update your data security practices.