“I would like to tell you about something, but could you keep my name out of it?” That’s how so many of my investigations begin these days – with a request to protect the identity of independent researchers who want to be helpful but are afraid that they will wind up getting raided or hassled like Justin Shafer has been. I agreed to try to keep this researcher’s name out of it all, and they told me how a newborn photography service, Mom365, seemed to have babies’ photos too easily accessible from their server.
If you just input random 6-digit “guest access codes,” the researcher told me, you might retrieve web pages with a baby’s first name, the parents’ first names, the baby’s date of birth, the hospital where the baby was born, and their height and weight. And oh yes, you could see some adorable newborn pictures, although some of the web pages no longer had the newborn pictures available.
The information might not be enough by itself to commit identity theft, the researcher told me, but it was enough to start socially engineering either the hospital or the parents for more information. And that was the researcher’s main concern: there was enough information too readily available that could be used to support social engineering schemes.
A quick check/test confirmed the claims about how easy it was to retrieve pages with personal information. I was finding pages from more than 10 years ago, and some pages still had the babies’ pictures available with their names, parents’ names, date of birth, name of hospital, and height and weight.
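To make the researcher’s point concrete, here is an added example (not Mom365’s code and not anything from the original post) of the arithmetic behind guessing a six-digit code, followed by what “changing authentication requirements” normally means in practice: a long random token instead of a short number, hashed at rest, with a failed-attempt limiter. The figure of 1,000 live records, the lockout parameters, and the `GuestAccess` class are assumptions for the demonstration, not facts about Mom365’s system.

```python
"""Added example, not code from Mom365 or from the original post.

Part 1: the arithmetic of guessing a 6-digit "guest access code".
Part 2: a hardened replacement (long random token, hashed at rest,
        failed-attempt limiter). The GuestAccess class, the limiter
        parameters and the record contents are assumptions for the demo.
"""
import hashlib
import math
import secrets
import time
from typing import Dict, List, Optional

CODE_SPACE = 10 ** 6  # a 6-digit numeric code has exactly one million values


def expected_guesses_to_first_hit(active_codes: int, code_space: int = CODE_SPACE) -> float:
    """Expected number of uniformly random guesses before the first one lands on a
    live record. Each guess hits with probability K/N, so the expected wait is N/K."""
    if active_codes <= 0:
        return math.inf
    return code_space / active_codes


def hit_probability(guesses: int, active_codes: int, code_space: int = CODE_SPACE) -> float:
    """Probability that at least one of `guesses` independent random guesses
    (with replacement) hits a live record: 1 - (1 - K/N) ** guesses."""
    return 1.0 - (1.0 - active_codes / code_space) ** guesses


def new_access_token(nbytes: int = 16) -> str:
    """128-bit CSPRNG token, URL-safe. The space is 2**128, so random guessing is
    hopeless even without a rate limit; the limiter below is defence in depth."""
    return secrets.token_urlsafe(nbytes)


def _digest(token: str) -> str:
    # Store only a hash, so a leaked table does not hand out usable bearer tokens.
    return hashlib.sha256(token.encode()).hexdigest()


class GuestAccess:
    """Token store with a per-client failed-attempt limiter (assumed design)."""

    def __init__(self, max_failures: int = 5, window_s: float = 900.0) -> None:
        self._records: Dict[str, dict] = {}          # sha256(token) -> record
        self._failures: Dict[str, List[float]] = {}  # client_id -> failure times
        self.max_failures = max_failures
        self.window_s = window_s

    def issue(self, record: dict) -> str:
        token = new_access_token()
        self._records[_digest(token)] = record
        return token

    def lookup(self, client_id: str, token: str, now: Optional[float] = None) -> Optional[dict]:
        """Return the record for `token`, or None on a miss or while the client is
        locked out. A locked-out client gets None even for a valid token, so the
        lockout itself does not leak whether a token exists."""
        now = time.monotonic() if now is None else now
        recent = [t for t in self._failures.get(client_id, []) if now - t < self.window_s]
        self._failures[client_id] = recent
        if len(recent) >= self.max_failures:
            return None
        record = self._records.get(_digest(token))
        if record is None:
            recent.append(now)
        return record


if __name__ == "__main__":
    # Constructed figures: 1,000 live records among 1,000,000 possible codes.
    print(f"expected guesses to first hit: {expected_guesses_to_first_hit(1000):.0f}")
    print(f"P(hit within 1,000 guesses): {hit_probability(1000, 1000):.3f}")
    store = GuestAccess()
    tok = store.issue({"record_id": 1})
    print("valid token accepted:", store.lookup("203.0.113.7", tok) is not None)
```

With 1,000 live records the expected wait is about a thousand guesses and the chance of at least one hit within a thousand guesses is roughly 63 percent, which is why a six-digit code with no limiter is effectively public. The second half of the block shows the two controls that actually change that picture: an unguessable token, and a limiter that counts failures per client rather than relying on the code length alone.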
So I started looking at Mom365’s web site, and the first thing that struck me was that I had absolutely no firm sense of whether they would be a business associate (BA) under HIPAA or not. My non-lawyerly impression was that they were likely a vendor and not a BA, but if the hospital provided them with the mother’s name and the fact that she just had a baby, didn’t that put them in possession of protected health information (PHI)? And if so, didn’t they need to be a BA to receive that information? So maybe they were a business associate? I was definitely confused.
At that point, I reached out to one of the hospitals whose name had turned up as using Mom365 (Kaiser Baldwin Park) to see what they would say about whether Mom365 was a vendor or a BA to them. And of course I also reached out to Mom365 to alert them to the concern.
Adam Greene of Davis Wright Tremaine, external counsel for Mom365, responded to my notification and inquiry to the photography service. Let’s start with his explanation of Mom365’s business arrangements with hospitals.
According to Greene, Mom365 enters into one of two types of business models with hospitals. In the first model, the hospital obtains a HIPAA authorization before disclosing limited information to Mom365. The limited information (e.g., mother’s name, room number, and the fact that the mother delivered a child) is provided to Mom365 so that Mom365 can offer newborn photography services. The hospital only provides that information to Mom365 if the mother first signs a HIPAA authorization. In this model, all of the information that Mom365 collects would then be outside of HIPAA.
The second model is that Mom365 is a business associate of the hospital for the limited purpose of obtaining the initial HIPAA authorization. This is analogous to guidance in the research setting, Greene explained, where a researcher can be a business associate for the limited purpose of obtaining authorizations for disclosure of protected health information for the research. In this model, the hospital provides the limited information about new mothers to Mom365 for the sole purpose of Mom365 seeking authorizations. Mom365’s policy is that the Mom365 employee would contact the new mother and ask if she would like to sign a HIPAA authorization authorizing the Mom365 employee to provide information about the newborn photography services. If the mother signs the HIPAA authorization, then the Mom365 employee provides information about the newborn photography services. If the mother chooses not to sign the authorization, then the Mom365 employee leaves without providing information about the newborn photography services. Under this model, then, Mom365 is acting as a business associate solely for purposes of offering a HIPAA authorization, and is not a business associate or subject to HIPAA after execution of the HIPAA authorization, when Mom365 is providing information about its newborn photography services or delivering the service on its own.
No wonder I was having trouble figuring out whether Mom365 would be a business associate or not under HIPAA. There was more than one model. Thankfully, though, I had also reached out to two HIPAA lawyers who helpfully offered their opinions.
Three Professionals, Four Opinions
Prior to my conversation with Adam Greene, I had sent some information to Jeff Drummond of Jackson Walker that was based on Mom365’s web pages and site. I had asked Jeff whether he thought that this would be a BA situation or not. Jeff had initially opined that he saw it as an open issue as to whether there would be a BA relationship or not. But when I asked him about any liability for photos and information that was not rigorously secured despite the service’s claims, he replied:
The photography company seemed to say all the right things, so I think it’d be hard to blame a hospital for not knowing they weren’t providing appropriate protections. But once the hospital has reason to know something is up, they have responsibility to make sure the photo company fixes things, or they must terminate the relationship. The hospitals also need to consider whether they have a reporting obligation, either under HIPAA or state law; even if they don’t, they probably want to report it anyway. The photo company may have a state-law obligation to report a data breach, unless they can audit access and determine that your tipster was the first and only person to discover the password taxonomy. They certainly need to fix the problem, though.
Keep in mind that Jeff offered that statement before we had any response from Mom365’s counsel, but it still is food for thought. If you accept Greene’s explanation of the models, are there any reporting requirements for this type of situation and what responsibility(ies) do the hospitals have?
Matthew Fisher of Mirick, O’Connell, DeMallie & Lougee also shared his thoughts about the business associate question after reviewing what Greene told DataBreaches.net about the two models. In an emailed statement to DataBreaches.net, Matt wrote, in part:
Under either model, it looks like the argument is being made that a HIPAA authorization is needed for purposes of marketing a service. In model 1, the hospital needs the authorization, which ostensibly would be an authorization to allow marketing, although it would really be an authorization to allow immediate transmittal of information to the outside company that would then directly market its services. It is nearly similar in model 2, where the hospital is just not acting as the middleman, but enabling Mom365 to come in directly and seek the authorization to then in turn market the services.
I think the argument is running a fine line and question if the authorization contemplated is really one covering marketing, whether the financial benefit that could accrue to Mom365 is disclosed, and how/when the new mothers are approached.
Going with the idea that the authorization is for marketing purposes, I can see how Mom365 falls outside of HIPAA. It may not be readily apparent to the new mothers though. If there is confusion, that could come back on the hospital as a hit to its reputation.
Leaving aside the potential HIPAA implications, it just seems like a bad business practice to make information about newborns along with a picture easily obtainable. Having weak security in such a scenario given all of the attention on maintaining privacy does not seem like a good idea.
Matt has also written his own blog post about how some hospitals’ legacy nursery pictures are still online, and how that is Not a Good Idea At All. You can read his post here.
In response to Matt’s analysis of Mom365, Jeff wrote a lengthy analysis that gives us even more food for thought as he suggests that a marketing analysis overshoots the mark:
“Marketing means to make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.” 45 CFR 164.501. Does the hospital letting the mothers know that the service is available “encourage” them to purchase or use? Maybe, maybe not. If not, then it’s not an issue. It’s also not marketing if it’s a service the hospital itself provides (presumably either directly or through a subcontractor [“under arrangements,” if you will]), which would seem to make scenario 2 entirely non-marketing.
I’m omitting Jeff’s analysis of Scenario 1 for now, even though it’s fascinating, to focus on Scenario/Model 2:
In Scenario 2, we start the same: the hospital uses mom’s PHI (“hey, you just had a baby”) to let her know about Mom365; it may or may not be marketing, but we don’t need an authorization anyway, so we’re good to go. So far. We told mom, she’s interested. However, now, instead of getting mom’s authorization to provide her PHI to Mom365, the hospital gives a little bit of mom’s PHI to Mom365, so that Mom365 can contact mom and get an authorization. Here, you’ve got the hospital disclosing mom’s PHI to Mom365. The hospital does not have mom’s authorization. But, according to Adam, Mom365 is a “business associate” of the hospital. So, presumably, Mom365 is providing a service to or on behalf of the hospital. OK, I guess the hospital could have its own photography department, and instead it’s hired out Mom365 to do the work. Fair enough, but the hospital needs a BAA with Mom365 that covers this disclosure and correlates to Mom365 providing a service to the hospital, as opposed to providing the service directly to mom. If there’s a BAA in place, this is probably OK; however, I bet there isn’t one. I don’t know why Adam [Greene] would analogize to the research situation here: in the research situation, the researcher is definitely not working for the hospital, but rather for an outside research entity, but is still allowed to access the hospital’s PHI files to find potential research candidates. I see how the theory works here (researchers are looking for patients who would be good in their clinical study, photographers are looking for proud parents who want baby pix), but research and baby photos are not the same thing (social utility arguments notwithstanding), and research gets special protections while baby photos don’t.
And NONE OF THIS IMPACTS THE REQUIREMENTS THAT MOM365 HAVE REASONABLE ADMINISTRATIVE, PHYSICAL AND TECHNICAL SAFEGUARDS TO PROTECT THE CONFIDENTIALITY, INTEGRITY, AND AVAILABILITY OF THE PHI. The hospital may be in the clear if it had the BAA in place in scenario 2, and seems generally in the clear in scenario 1, but Mom365 is not if it failed to protect confidentiality and data security.
There’s a lot to process there. And it’s clear that Jeff Drummond isn’t persuaded by Adam Greene’s rationale and argument.
DataBreaches.net is extremely grateful to both Jeff Drummond and Matt Fisher for sharing their insights into these issues. This would have made for a great panel at some conference to figure out whether HIPAA applies and if so, how. But of course, my original concern was whether these babies’ and families’ information is being adequately secured. It seemed to me that it wasn’t, so I asked Adam Greene for a follow-up as to what Mom365 was doing now that they had been made aware of the issue. Mom365 sent the following statement:
Mom365 is very appreciative that this website issue was brought to our attention. We have changed authentication requirements on the website to address this, and in the coming weeks will delete certain older web pages of our users. At Mom365, we strive to best balance information security with the best user experience for the new mothers and their family and friends. We are going to continue to do our best to ensure that information is secure, while also easily accessible to authorized family and friends.
They did not answer my question as to whether this would be reported to any federal or state regulators, but if I find out more, I will update this post.
Kaiser Baldwin Park and Kaiser Permanente’s national media coordinator did not respond to this site’s inquiries about what they were doing after having been made aware of the issue. Nor did Baldwin Park ever provide a response to the question of whether they had a BAA in place with Mom365 or not. While Kaiser Permanente and Kaiser Baldwin Park are obviously not the only hospitals that made some arrangement with Mom365, I am somewhat surprised that they have not responded more transparently to this site’s questions, as I have found KP to be very forthcoming in response to breach or privacy-related inquiries in past incidents.
Great thanks to the independent researcher who contacted me with this issue. This may not be the most serious or worrisome breach that I’ve covered this year, but it’s a great reminder that hospitals need to pay attention to what their vendors or business associates are doing.