By now, many are aware that Jones Day, a giant law firm, had some of its files stolen due to vulnerabilities in the standalone file transfer administration system by Accellion. Jones Day is one of dozens of Accellion clients that have found themselves investigating and dealing with breaches affecting their businesses and clients.
The Jones Day data dump is a good opportunity to remind people that what would be protected health information under HIPAA in one setting may — or may not — lose some of its security protection when it winds up in a law firm’s custody. It depends, in part, on what the law firm’s role is. If a law firm is providing services to a HIPAA covered entity that involves the use or disclosure of protected health information (PHI), then they may be a Business Associate under HIPAA. Software firms that access PHI, collection agencies that access or use PHI, and law firms that use or disclose PHI on behalf of a covered entity would all be examples of business associates. Business Associates are supposed to have contracts in place with the Covered Entity.
Some of the files in the Jones Day data dump that DataBreaches.net examined are spreadsheets with details on prescriptions issued by a named physician in Florida.
It took only minutes of searching on Google to learn that this physician had been the subject of a disciplinary action by the state. As a result of a complaint related to prescribing practices and the death of a patient, the state had restricted the physician’s license to practice medicine and imposed some conditions. Those conditions include a permanent restriction barring him from prescribing any Schedule I – Schedule IV controlled substances, and a requirement that he practice with indirect supervision/monitoring, presumably including access to his records and logs.
In Jones Day’s files are spreadsheets pertaining to this physician’s prescriptions. The records begin in 2013 (the year that the patient died) and the most recent pharmacy fill date was January 6, 2021. The spreadsheets list every prescription the physician wrote. Each record includes detailed information on the pharmacy, the patient, and the prescription. The patient information fields include first and last name, their date of birth, their patient ID, phone number, full postal address, and the name of their insurer. Information on the prescription included the prescription number as filled by the pharmacy, the medication tradename, the generic name, the drug strength, the date the prescription was written, when it was filled, how many refills were left, and what drug schedule the medication is on. The prescribing physician was also listed for every prescription with their DEA number.
All told, there were 182,409 records in the spreadsheets. DataBreaches.net did not attempt to deduplicate them but notes that there were often dozens of prescriptions for a single patient, and the number of unique patients will be only a fraction of the number of records.
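Counting unique patients rather than raw rows is the first step in scoping who must be notified. The following is an added example, not code from the post or from any of the parties it describes: it reads a constructed CSV export with a simplified subset of the fields listed above (column names are my assumption), drops exact duplicate rows, and keys patients on normalized name plus date of birth rather than on the pharmacy-assigned patient ID, since that ID can differ from pharmacy to pharmacy for the same person.

```python
"""Added example (not part of the DataBreaches.net post): scoping a breach
notification by counting unique patients in a prescription export.

Assumes a CSV export with the columns named below (a simplified subset of the
fields the post describes). All rows are constructed sample data.
"""
import csv
import io
import re
from collections import Counter

# Constructed sample data: one patient appears at two pharmacies with
# different patient IDs and inconsistent capitalisation/whitespace, one row
# is exported twice, and two different people share a name but not a DOB.
SAMPLE_CSV = """\
pharmacy,patient_id,last_name,first_name,dob,rx_number,generic_name,schedule,date_filled
Pharmacy A,P-100,Doe,Jane,1970-03-14,RX0001,gabapentin,5,2019-02-01
Pharmacy A,P-100,Doe,Jane,1970-03-14,RX0002,gabapentin,5,2019-03-01
Pharmacy B,B-77,DOE,JANE ,1970-03-14,RX0003,naproxen,,2020-01-09
Pharmacy A,P-101,Roe,Richard,1985-11-02,RX0004,tramadol,4,2021-01-06
Pharmacy A,P-101,Roe,Richard,1985-11-02,RX0004,tramadol,4,2021-01-06
Pharmacy C,C-5,Roe,Richard,1990-05-20,RX0005,amoxicillin,,2018-07-15
"""


def _norm(value: str) -> str:
    """Lower-case and collapse whitespace so 'DOE, JANE ' matches 'Doe, Jane'."""
    return re.sub(r"\s+", " ", value.strip().lower())


def patient_key(row: dict) -> tuple:
    """Build a pharmacy-independent identity key.

    Patient IDs are assigned per pharmacy, so the same person can carry a
    different ID at each pharmacy; name plus date of birth is a more stable
    key for deciding how many individuals need to be notified.
    """
    return (_norm(row["last_name"]), _norm(row["first_name"]), row["dob"].strip())


def scope_notification(csv_text: str) -> dict:
    """Return record counts and a per-patient prescription count."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    # Exact duplicate rows (the same fill exported twice) are dropped first
    # so they do not inflate the per-patient counts.
    unique_rows = {tuple(sorted(r.items())) for r in rows}
    per_patient = Counter(patient_key(dict(r)) for r in unique_rows)
    return {
        "total_records": len(rows),
        "distinct_records": len(unique_rows),
        "unique_patients": len(per_patient),
        "prescriptions_per_patient": dict(per_patient),
    }


if __name__ == "__main__":
    summary = scope_notification(SAMPLE_CSV)
    print(summary["total_records"], "rows,", summary["unique_patients"], "patients")
```

On the sample, six rows collapse to five distinct fills and three individuals; on a real export the name-plus-DOB key still needs a manual review pass for misspellings and name changes before the notification list is final.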
The information in these records was undoubtedly PHI when on the pharmacies’ systems. But was it PHI on Jones Day’s server? Jones Day is not a HIPAA covered entity, but is Jones Day a Business Associate to the physician? Or were they retained by the state or some other entity that would make them a Business Associate under HIPAA?
Their purpose in collecting and using the records makes a difference. If they were hired by the physician to provide a service related to complying with a state order, then that is a healthcare operation and I would think there should be a Business Associate contract in place. But were they hired by the physician for that function? And was there any Business Associate agreement in place?
DataBreaches.net reached out to Dr. Ramesh M. Patel on February 21 via his web site chat contact to ask him about the breach and whether Jones Day was a Business Associate. He never replied.
DataBreaches.net also contacted Jones Day to ask whether Jones Day had a Business Associate agreement in place with Dr. Patel, and to ask who was going to be notifying the patients about this breach. Jones Day did not respond by time of this publication (See update at bottom of story).
DataBreaches.net notes that Accellion may also have been required to have a Business Associate agreement in place with Jones Day if the data Jones Day was transmitting was covered by HIPAA.
If it turns out that Jones Day had a BAA in place with Dr. Patel and that Accellion had a BAA in place with Jones Day, who is responsible for notifying the patients?
And who would be responsible for notifying the U.S. Department of Health and Human Services of this breach?
As I understand it, under HIPAA and HITECH, the business associate has an obligation to notify the covered entity, but it is the covered entity who is responsible for notifying the patients and HHS. So if Jones Day had a BAA in place with Dr. Patel, then they must notify him, and he must notify the patients and HHS (in this case, a four-factor risk assessment does not seem to be needed as it is obvious that the PHI fell into unauthorized hands and there is a risk of misuse).
The pharmacy-related records were not the only medically related information this site spotted in the data dump by CLOP. Other files contained:
- releases to obtain medical records for a named patient. Will anyone notify that patient of this breach?
- a response to a subpoena that contained the names, medical record numbers, dates of admission and discharge for other named patients. Will anyone notify them? and
- an archive that contained 129 files with detailed information on patients, where each patient’s file might be 14 pages with their history, personal information, and medical notes and updates, lab results, etc. The hospitals involved included West Anaheim Medical Center, Huntington Beach Hospital, and Garden Grove Hospital and Medical Center, among others. Will anyone notify them?
DataBreaches.net has no information as to how or why Jones Day came into possession of the above records. Were any of them provided by the patients themselves as part of litigation where Jones Day was representing them? Or were they in response to subpoenas where there might be a protective order in place? DataBreaches.net does not know, but the answers are relevant to determining if the records are covered by HIPAA and HITECH. DataBreaches.net did not ask Jones Day about the records described above — we only asked about the spreadsheets with pharmacy records relating to Dr. Patel’s prescriptions.
As always, keep in mind that I am not a lawyer, and am just offering my understanding of how the law would apply to a speculative scenario. This site is not accusing anyone of wrongdoing or failing to comply with any obligations under HIPAA or HITECH. This site is simply raising the obvious question as to who is responsible for notifications in a situation like this one. Actual lawyers and parties with answers are welcome to contact this site with helpful information or clarification.
Update: Post-publication, Jones Day sent the following statement:
We are informed that the FBI has an active criminal investigation ongoing relating to the Accellion FTA incident. Although we will not comment about specific clients, we anticipate all appropriate regulatory filings and notifications associated with this incident will be made on a timely basis.
Well, that doesn’t really clarify whether there was a Business Associate agreement in place or who will be notifying the patients, but I do appreciate that they responded.