Health Law Pointers
Volume XIX, No. 4
December 15, 2017
Lawrence M. Ross
Nicholas A. Pusateri
As a public service, we are pleased to present this issue of our health law newsletter addressing the legal concerns of health practitioners. The primary purpose of this newsletter is to provide timely educational information and commentary for our clients and subscribers. In some jurisdictions, newsletters such as this may be considered: Attorney Advertising.
If you know of others who may wish to subscribe to this free publication, please feel free to forward it. If you wish to subscribe or unsubscribe, please send an e-mail or call the Editor, Lawrence M. Ross, at (716) 849-8900. Special thanks to our colleagues, Larry E. Waters and Marina Barci, for their contributions to this issue.
New York Taking a Stance Against Data Breaches
Last month, New York State Attorney General Eric T. Schneiderman introduced a proposal for new legislation, titled the Stop Hacks and Improve Electronic Data Security Act (the “SHIELD Act”), aimed at increasing protection for New Yorkers’ personal information, as New York’s current data security laws are said to be outdated. The SHIELD Act, if adopted, would impose a legal responsibility on companies holding New Yorkers’ sensitive data to adopt “reasonable” administrative, technical and physical safeguards for such data, among other obligations.
The SHIELD Act was introduced in response to an increase in the number of reported data security breaches, both locally and nationally. For example, in 2016, there were over 1,300 data breaches of businesses and healthcare providers conducting business in New York, including one announced by the Capital District Physicians’ Healthcare Network, Inc., which exposed the protected health information (PHI) of over 700,000 New York residents. And earlier this year, Equifax, Inc., one of the country’s three major credit reporting agencies, announced a major security breach that affected nearly 143 million people, including 8 million residents of New York.
Currently under New York law, companies can collect and hold an individual’s sensitive and private personal data (as distinguished from PHI) without adhering to any security requirements, as long as the data doesn’t include an individual’s social security number. Furthermore, existing law requires only companies that “conduct business” in New York to notify the New York State Attorney General’s Office and an affected New York resident upon the company’s discovery that an unauthorized individual (e.g., a “hacker”) has acquired a New York resident’s “private information.” What constitutes “private information” under current law, however, is outdated; it includes only (i) a social security number, (ii) driver’s license number or non-driver identification card number, or (iii) an account, credit or debit card number, in combination with any security code or password that would permit access to such account. Therefore, a hacker’s acquisition of personal information more common to 21st century technology users, such as username-and-password combinations and biometric data like fingerprints used to unlock a smartphone, does not trigger the law’s notification requirements.
The SHIELD Act, conversely, would require companies to adopt reasonable safeguards for protecting individuals’ personal and private information, regardless of whether the data includes a social security number. The SHIELD Act would also subject all businesses holding New Yorkers’ private data to the aforementioned notification requirements, not just those companies “conducting business” in New York State. Moreover, the act would expand the types of data which, if compromised, would trigger the notification requirements, including username-and-password combinations, biometric data and HIPAA-covered health data.
Naturally, many small to medium-sized businesses, including many healthcare providers, will be concerned about any increased administrative costs associated with improving their internal data security systems to comply with the SHIELD Act’s requirements. Our analysis of the SHIELD Act, however, shows that the law would create a special “carve-out” for companies that are already regulated by, and compliant with, existing or future regulations of any federal or New York State government entity, such as HIPAA/HITECH. As a result, many healthcare providers that abide by HIPAA’s data security regulations will be considered compliant with the SHIELD Act’s security requirements by virtue of their compliance with HIPAA, and thus they will not otherwise be penalized for failure to adhere strictly to the SHIELD Act’s security requirements. In addition, the proposed SHIELD Act provides a flexible standard for small businesses (i.e., those with fewer than 50 employees and under $3 million in gross revenue, or those with less than $5 million in assets), requiring security safeguards appropriate to the small business’s size and complexity. If the SHIELD Act becomes law, Hurwitz & Fine, P.C.’s attorneys can analyze and discuss with you the law’s effect on your business or professional practices and your security safeguards.
To become law, the SHIELD Act must first receive majority approval by the Senate Rules Committee in the State Senate and the Consumer Affairs and Protection Committee in the State Assembly. Afterward, both houses of the New York Legislature must approve the bill before it is sent to Governor Cuomo, who can then sign the bill into law or veto it. We will provide you with updates on the SHIELD Act’s progress as more information is made available.
The proposed SHIELD Act demonstrates an increased emphasis on protecting New Yorkers’ private information, including their health information, and regardless of whether and when it becomes law, healthcare providers should, from time to time, review their internal security safeguards, especially those providers that have expanded in size and complexity since their last substantive review.
Use of Smart Phones and Cameras May Result in HIPAA Violations and Other Discipline
Use of personal cell phones and recording devices at work is becoming increasingly common, and in the world of health care, their use raises serious concerns related to patient privacy which may result in violations of HIPAA regulations. A problem occurring with some frequency seems to be physicians, nurses, and staff members taking, or allowing others to take, photographs and videos of patients.
In December 2016, at the University of Pittsburgh Medical Center, a man went in for surgery related to a genital injury. A crowd of UPMC doctors and nurses heard about the man’s unique injury and lined up at the door of his operating room to take photos and videos of the man’s genitals while he was under anesthesia.
Upon hearing of the events, UPMC administrators reported the incident to the Pennsylvania Department of Health and undertook an internal investigation. The hospital took action against the attending physician, as well as another doctor, who both received suspensions from work and mandatory HIPAA training; the disciplinary action will remain in the physicians’ personnel files. The DOH also launched an investigation, and found that the photos and videos, which had been shared with others uninvolved in the patient’s care, had “no clinical justification.” The DOH approved the hospital’s corrective action plan and required no further discipline.
In April 2016, New York-Presbyterian Hospital agreed to pay a $2.2 million penalty to federal regulators for allowing television crews from “NY Med” to film two patients without their consent.
One of the patients was Mark Chanko, who was hit by a garbage truck and filmed as the doctors unsuccessfully tried to save his life. Mr. Chanko’s son, Kenneth, filed a complaint with the Office for Civil Rights after Mr. Chanko’s wife recognized her husband while watching the episode. The Office for Civil Rights made clear that it is “not sufficient for a health care provider to request or require media personnel to mask the identities of patients (by blurring, pixilation or voice alteration) when no [patient] authorization has been obtained.”
The New York Court of Appeals unanimously decided that the Chanko family could proceed in suit against the hospital and its former chief surgical resident for breach of doctor-patient confidentiality related to this filming. Legislation has also been proposed to make it a crime in New York to film patients without consent, subject to certain exceptions.
In 2015 at Parkside Manor, an assisted-living facility in Kenosha, Wisconsin, a nursing assistant was fired for taking a video of a 93-year-old Alzheimer’s patient in her bra and sharing it on Snapchat because she thought it was funny. One of the nursing assistant’s Snapchat friends reported her to Parkside Manor, which resulted in her termination, as well as a criminal complaint being filed against her in which she was charged with a felony for taking a nude photo without consent.
PTSD Now a Qualifying Condition under New York State’s Medical Marijuana Program
In our September issue of Health Law Pointers, we informed you that both houses of the New York Legislature passed a bill that would add post-traumatic stress disorder (PTSD) to the list of “qualifying conditions” under New York’s medical marijuana program, meaning that qualified medical practitioners could prescribe medical marijuana to sufferers of PTSD in New York. PTSD patients in other states have used medical marijuana to successfully treat symptoms such as anxiety, insomnia, and hypervigilance, as well as to improve coping abilities. Governor Andrew Cuomo, however, had the power to veto this bill, and many in the State’s medical marijuana community were uncertain if the governor would sign the bill into law because he has taken a cautious and conservative approach to New York’s medical marijuana program. But, last month, Governor Cuomo signed the legislation and added PTSD to the list of conditions that can legally be treated with medical marijuana.
Currently, researchers are moving forward on the first federally-approved study looking at how smoked cannabis affects PTSD; smokable medical marijuana, however, is currently not permitted under New York’s program. Advocates of smokable medical marijuana in New York remain cautiously optimistic about the study, and they hope that the study’s results will promote more change to New York’s program.