Forbes reported, on December 19, 2011, that Gwinnett Medical Center in Georgia experienced a “computer infection” on December 14, and was forced to send all non-emergency patients elsewhere. The hospital insisted that neither patient care nor confidentiality was threatened because the Patients’ “information was safe.” http://www.forbes.com/sites/mobiledia/2011/12/19/computer-virus-shuts-down-georgia-hospital/

Patient information may have been “safe” this time but computer viruses, particularly the “worm” variety suspected here, frequently obtain and send information to the malware creators. Some of the most well known viruses, for example, attack the users’ contact lists and transmit the contact information, which is then used I for phishing and other identity theft schemes.

The HIPAA Security Rule is quite explicit that Covered Entities, such as hospitals and physicians, must create, implement and document safeguards against losses of Protected Health Information (PHI). To meet these requirements, most CIO’S, Information Security personnel and Risk Managers have focused on implementation of such security measures as access control (passwords), unauthorized disclosures of PHI, and administrative safeguards against losses of portable media (most of the recently reported breaches have comprised losses of laptops, portable hard drives and USB’s). These precautions are critical but must reach beyond mere safekeeping of the devices to portable media information controls. Forbes reported that the Gwinnett virus may have been introduced by an employee’s USB drive.

The Office of Civil Rights of the U.S. Department of Health and Human Services has commenced a program of “spot audits” for compliance with the HIPAA Security Rule. In the wake of this and similar incidents, Covered Entities and counsel and consultants assisting them should focus on protection against malware that may result in mass disclosures of PHI. It should not come as a surprise if OCR asks for the documentation of such protection during its audits.

The Guidance was issued on October 13, 2011, available at http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm. Following a security breach, the SEC and/or litigants will look at the listed company’s security policies, and training on those policies, with an eye toward whether extant risks, which led to the breach, had been adequately disclosed. Security breaches at such companies as JP MorganChase, Amazon, Facebook and Zynga have raised public awareness of information security risks, and have led to class action litigation (those suits have, for the most part, been dismissed due to lack of standing because there was no concrete proof of injury). Breaches of health information have become even more highly publicized, and this Guidance will apply to those hospitals owned by listed companies. The Guidance indicates a potential for enforcement actions in the event of a breach by an entity that had not adequately disclosed its information security risks.

Regulation S-K Item 503(c) sets forth the requirements for risk disclosure generally, and the Guidance notes that cyber security risks fall squarely within the criteria for risk disclosure. Significantly, the Guidance notes that the information security risk disclosure should be a specific as possible (especially where there have been previous attacks or incidents), and should include “a discussion of aspects of the registrant’s business or operations that give rise to material cybersecurity risks,” including “risks that may remain undetected for an extended period.”

The SEC took particular note of risks for multinational corporations, noting the potential need for disclosures of the extent to which the “registrant outsources functions that have material cyber security risks.” These entities, in particular, should conduct and document a security analysis of their operations, facilitated by outside counsel and technical consultants, to evaluate the need to address costs and other material information security risks before a breach occurs.

While there are many court decisions on e-discovery that follow the same general standards, a cursory review of decisions regarding the admissibility of electronic evidence, particularly at the state level, indicates that only consistency in the application of rules of evidence is its inconsistency.  This state of affairs may be laid, to some degree, on attorneys who do not understand the technology themselves and thus cannot educate the court on the authenticity and reliability of digital evidence such as social media posts. There is among judges as with juries, a CSI effect, in which it is widely believed that all required digital information can be obtained with the click of a mouse, and just as easily altered.

So it was that a New York State Supreme Court justice went to the opposite  extreme, imbuing social media posts with perhaps evidentiary significance that trumped the hearsay rule and permitted a police officer to be cross-examined on social media posts he did not write. The defendant was being tried for possession of a gun at the West Indian Day parade.  The defendant alleged the arresting officer planted the gun.  In preparing for trial, defense counsel found that the officer was on Facebook, and belonged a group that claimed it stood for “N.Y.P.D. officers who are threatened by superiors and forced to be victims themselves of the West Indian Day massacre” (See, Glaberson, William, “Online, Police Leveled Abuse At Paradegoers,” The New York Times, December 6, 2011 at A1).  Defense counsel read to the jury such posts on the site as “Drop a bomb and wipe them all out,” and “ethnic cleansing,” and one that described the police detail at the parade as “ghetto training” and asked the officer if he agreed with them.  The objections of the Assistant District Attorney that the posts were not the officer’s statements, that they did not indicate agreement by the witness, and were hearsay were overruled.

It is not clear whether the Facebook posts were properly authenticated before being read to the jury, which reading made them evidence. In a 2010 murder trial in Queens, New York, the judge excluded MySpace photographs offered by the defense because they could have been altered by Photo Shop(though there was no indication that they were so altered).  The pendulum of inconsistency in electronic evidence rulings will, no doubt, continue to swing both ways. It is incumbent on trial counsel, assisted by his or her client’s IT and social media resources, to educate the court in order to obtain appropriate rulings.

Download this presentation in PDF format

A successful social media engagement involves an interdisciplinary team who can all arrive at “yes” together through the following six components:

• Dialogue
• Inclusiveness and Flexibility
• Interdisciplinary Protocol Drafting
• Draft Policies to Uses, Not the Technology
• Training
• Monitor Compliance

Download the full presentation by completing the form on the right.

The audits had been announced in a Press Release from OCR on November 8, 2011 at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/index.html. The audit program, authorized by the HITECH Act, is as wide as it is deep, reaching HIPAA Business Associates such as law firms and HIT consultants as well as traditional Covered Entities such as health plans and providers.

The HIT Chicken Littles need not be proven one hundred present prescient, though, because now that Covered Entities and Business Associates have been forewarned, they can take steps to prevent the digital sky from falling. First, conduct and document (or update) your HIPAA Security Risk Analysis. A current documented Analysis is required by 45 C.F.R. § 164.308(1)(ii)(A), and will be one of the first items requested by the auditors. The time to begin the Analysis is not when you have received the Audit Letter.

The HIPAA Security Risk Analysis is an interdisciplinary initiative comprising IT Health Information Management, Risk Management, Legal and Clinical Departments (front-line HIT users). It is, in our experience, best facilitated by experienced outside counsel who will also sign the Analysis documentation. Please contact us to discuss preparation of the HIPAA Security Risk Analysis before you receive an Audit Letter. If you are the subject of an Audit we can provide counsel at every step of the way.

Download this presentation in PDF format

Presentation given at the inFusion11 conference about privacy and data protection concepts beyond the U.S.

Topics covered include:

• Privacy and data protection concepts beyond the U.S.
• Recent developments in privacy and data protection
• Practical suggestions for collection, review and disclosure or discovery of offshore data

Download the full presentation by completing the form on the right.

Download the article in PDF format