Last week, news broke that the Metro Public Health Department in Nashville, Tennessee, accidentally stored a database full of compromising and sensitive medical information concerning Tennesseans living with HIV or AIDS on an internal* server. Unbeknownst to Metro Health, the database remained on the internal server for nine months. Upon realizing this had occurred, Metro Public Health conducted an internal investigation that allegedly produced no findings that the information was ever made public. As a result, Metro Public Health determined the incident did not rise to the level of a breach under the Health Insurance Portability and Accountability Act (HIPAA) and therefore did not require notification to the thousands of people whose medical information resided on the database. I was contacted by News Channel 5 to offer my thoughts on the legal ramifications of the incident (the video can be found embedded in a tweet below). I wanted to expand upon my comments with additional information for those who may be interested in what I believe to be the key questions. To be more specific, questions like whether the Health Department correctly determined this incident did not represent a reportable breach under HIPAA law and what legal options, if any, are available to those impacted.
Breach or No Breach?
The short answer: Maybe. At the very least, I think there’s a strong argument to be made that the lack of information surrounding the incident suggests Metro Public Health should have preemptively notified people of the incident. Let me explain.
Under HIPAA, there is a presumption that a breach occurs any time an unauthorized acquisition, use or disclosure of protected health information (known as PHI) takes place. The burden is on the covered entity (the organization that possessed the information in the first place) to prove whether or not the information was ultimately compromised. In order to make this determination, HIPAA instructs covered entities to perform a risk assessment. HIPAA lists a variety of factors covered entities should take into account when performing a risk assessment surrounding a possible breach, such as: (1) the nature and extent of the PHI involved; (2) the unauthorized person who used the PHI; (3) whether the PHI was actually acquired or viewed; and (4) the extent to which the risk to the PHI was mitigated.
Applying these factors to the incident in question, the facts more strongly support a breach categorization than a harmless incident. The information at issue was about as sensitive and invasive as you could find. Whether a person has HIV or AIDS more than meets the criteria of protected health information, and moreover gets to the very heart of what HIPAA requires organizations to do: protect and secure the most sensitive of medical information. As Bradley Dale Morris noted in the Tennessean’s article, the ramifications of this information becoming public are huge. “They could lose their jobs. They could lose their insurance. They could lose their homes. They could be kicked out of their church . . . being HIV positive goes into every nook and cranny of our existence.” As for whether the information was actually acquired or viewed, no one, not even Metro Public Health, appears to know. Why? Because the auditing mechanism by which the Department could monitor whether or not a user actually accessed the public database was never turned on in the first place. According to Public Health Director Bill Paul, “[Metro] know[s] of no employees that opened the file and the private information remained, and remains, private and protected.” Without knowing the exact findings of Metro’s internal investigation, I am skeptical that such a determination could be made in the absence of safeguards like server auditing. With seemingly no way of knowing if anyone accessed the database, no argument can be made that the Department mitigated the inordinate amount of risk surrounding the possible exposure of this information.
Because more questions seem to exist than answers, I’m of the opinion that treating the incident as a breach would have been Metro’s most conservative (and likely appropriate) course of action.
If a HIPAA Breach Occurred, What Should Have Happened?
HIPAA requires a covered entity that suffers a data breach to notify both the affected individuals and the Department of Health and Human Services (HHS). HIPAA treats a breach as discovered when the covered entity knows of it or should have known of it by exercising reasonable diligence. Upon discovery, the covered entity must notify the affected individuals without “unreasonable delay” but no later than sixty days after the discovery was made. As for notification to HHS, the timeline depends upon how many individuals were affected. For 500 or more affected individuals, a covered entity must notify HHS immediately; for fewer than 500 individuals, a covered entity can wait to notify HHS no later than sixty days after the end of the calendar year in which the breach occurred. As an example, a breach that occurred in 2017 with fewer than 500 affected individuals would mean a covered entity could wait until the end of February 2018 before reporting to HHS.
Operating under the premise that Metro’s incident was indeed a breach, Metro should have notified individuals in the database within sixty days from the discovery date. According to the Tennessean, Metro made this discovery in April. Had Metro notified individuals, notification would have had to occur by the end of June. Furthermore, Metro would have had to notify HHS immediately upon the discovery in April because the database featured (according to the Tennessean) “thousands” of people. Metro could have done so by way of an online submission form through HHS’ Office of Civil Rights breach portal.
Do Those Listed in the Database Have Any Legal Remedies?
Because I’ve covered this topic in a separate blog post, I’ll be short and to the point. HIPAA does not explicitly provide affected individuals with a right to sue. As such, lawsuits concerning a breach of PHI almost always rest on state common-law claims like invasion of privacy or negligence. Unfortunately, these are tough cases for plaintiffs to prevail in because of the difficulty in proving certain elements of the case, like harm and damages.
In the present instance, an individual who knows his/her information was on the HIV and/or AIDS database will likely have a difficult time proving (i) that the information was actually accessed; (ii) that the Plaintiff suffered harm from it; and (iii) that the harm resulted in quantifiable damages.
A less than satisfying alternative to a lawsuit would be for an affected individual to file a complaint with the HHS Office of Civil Rights (OCR). An individual who believes his/her information was the subject of a HIPAA violation can follow OCR’s online complaint process. Upon doing so, OCR might open an investigation of the incident. These investigations may result in the enforcement of corrective actions or monetary penalties. In the last few years alone, OCR has fined organizations in violation of HIPAA many millions of dollars.
With increasing public interest and outrage surrounding high-profile data breaches, particularly one with such contentious and controversial ramifications, I believe Metro Public Health should have taken the “better safe than sorry” approach. By staying silent until the press got hold of the story, Metro has invited speculation about a perceived cover-up. Even more, Metro has its work cut out to restore the trust and confidence of those in the HIV and AIDS community.
*This post was amended on July 20, 2018 after a call from Metro’s legal representative, requesting clarification on my previous characterization that the server was “publicly accessible.” Per Metro, the server could only be accessed by someone within the Department.
Members of the gay community are concerned a breach of confidential HIV data may deter others from getting tested. pic.twitter.com/9pz7wccglZ
— Chris Conte (@chrisconte) July 18, 2018