Dedicated to providing the latest HIPAA compliance news

The Health Insurance Portability and Accountability Act (HIPAA) is not technology specific, so HIPAA updates are not made frequently, although regulators do issue new guidance for covered entities on specific aspects of HIPAA Rules on a relatively frequent basis.

HIPAA was signed into law by President Bill Clinton in 1996. As the name suggests, the legislation was primarily concerned with regulating the availability and breadth of health insurance policies for individuals and groups. However, in the two decades since the legislation was introduced there have been several major HIPAA updates.

The most notable HIPAA updates were the introduction of the HIPAA Privacy Rule and Security Rule in 2003, the HIPAA Enforcement Rule in 2006, the incorporation of HITECH Act requirements in 2009 and the HIPAA Omnibus Final Rule in 2013.

While compliance with HIPAA Rules was never optional, the HIPAA Enforcement Rule allowed OCR to take action against covered entities discovered to be in violation of HIPAA Rules. Even though the Enforcement Rule was enacted in 2006, it took until 2009 for the first settlement to be reached with a covered entity for non-compliance with HIPAA Rules: a $2.25 million fine for CVS Pharmacy for the improper disposal of protected health information.

The most recent HIPAA updates were introduced with the passing of the Omnibus Final Rule, which amended the Privacy Rule, Security Rule, Breach Notification Rule and incorporated HITECH Act requirements into HIPAA. The Omnibus Rule also introduced new regulations for business associates of covered entities, allowing fines to be issued directly for the failure to comply with HIPAA Rules.

These key HIPAA updates have helped to ensure healthcare organizations protect the privacy of patients and safeguard the confidentiality, integrity, and availability of PHI, while placing restrictions on how patient health information can be used and shared.

This news section also includes details of new guidance for covered entities on HIPAA Rules. Guidance is issued primarily by the Department of Health and Human Services’ Office for Civil Rights (OCR) and Office of the National Coordinator for Health Information Technology (ONC), and to a lesser extent, other regulators such as the Federal Trade Commission (FTC) and the Federal Communications Commission (FCC).

The guidance is intended to help covered entities improve their compliance programs and address specific aspects of HIPAA Rules that are causing confusion or are proving to be problematic. Guidance is usually developed after issues have been identified during investigations of HIPAA breaches and privacy complaints, through HIPAA compliance audits, and through questions submitted by HIPAA-covered entities via the HHS website.

It has now been four years since the last major HIPAA updates were issued and many healthcare professionals, privacy groups and security experts believe that further updates are long overdue. When updates to HIPAA are proposed, HIPAA requirements are changed, or when new guidance is issued, you will find the details in the posts below.

In What Year Was HIPAA Passed into Legislature?
Nov 13

The Health Insurance Portability and Accountability Act, or HIPAA, was signed into law on August 21, 1996, when Bill Clinton added his signature to the bill. Initially, the purpose of HIPAA was to improve portability and continuity of health insurance coverage, especially for employees who were between jobs. HIPAA also standardized amounts that could be saved in pre-tax medical savings accounts, prohibited tax-deduction of interest on life insurance loans, enforced group health plan requirements, simplified the administration of healthcare with standard codes and practices, and introduced measures to prevent healthcare fraud. Many of the details of the five titles of HIPAA took some time to be developed, and several years passed before HIPAA Rules became enforceable. The HIPAA Enforcement Rule, which allows the Department of Health and Human Services’ Office for Civil Rights to impose financial penalties for noncompliance with HIPAA Rules, was not passed until February 16, 2006 – a decade after HIPAA was first introduced. There have been several important dates in the past...

HHS Issues Limited Waiver of HIPAA Sanctions and Penalties in California
Oct 17

The Secretary of the U.S. Department of Health and Human Services has issued a limited waiver of HIPAA sanctions and penalties in California. The waiver was announced following the presidential declaration of a public health emergency in northern California due to the wildfires. As was the case with the waivers issued after Hurricanes Irma and Maria, the limited waiver of HIPAA sanctions and penalties only applies when healthcare providers have implemented their disaster protocol, and then only for a period of up to 72 hours following the implementation of that protocol. If the public health emergency declaration ends, healthcare organizations must then comply with all provisions of the HIPAA Privacy Rule for all patients still under their care, even if the 72-hour period has not yet ended. Whenever the HHS issues a limited waiver of HIPAA sanctions and penalties, healthcare organizations must still comply with the requirements of the HIPAA Security Rule, and the Privacy Rule is not suspended. The HHS simply exercises its authority under the Project Bioshield Act of...

Amida Care Mailing Potentially Revealed HIV Status of its Members
Oct 13

The New York not-for-profit community health plan Amida Care has reported a HIPAA breach that has potentially impacted 6,231 of its members. Amida Care specializes in providing health coverage and coordinated care to Medicaid members suffering from chronic health conditions such as HIV. On July 25, 2017, Amida Care sent a flyer to some of its members who had contracted HIV, advising them of an opportunity to take part in an HIV research project. The double-sided flyers contained details of the HIV research project on one side, and information on an Amida Care Summer Life Celebration event on the other. The decision had originally been made to send out the flyer in windowless envelopes, and those instructions were provided to the mailroom. However, due to a fault with the envelope printer, and in order to make sure individuals received the flyer in time, the decision was made to send out the flyer in windowed envelopes. Care was taken to prevent any sensitive information being visible through the clear plastic windows of the envelopes. A blank sheet of paper was included with the...

Proposed Rule for Certification of Compliance for Health Plans Withdrawn by HHS
Oct 10

In January 2014, the HHS proposed a new rule for certification of compliance for health plans. The rule would have required all controlling health plans (CHPs) to submit a range of documentation to HHS to demonstrate compliance with electronic transaction standards set by the HHS under HIPAA Rules. The main aim of the proposed rule – Administrative Simplification: Certification of Compliance for Health Plans – was to promote more consistent testing processes for CHPs. The HHS has now announced that the proposed rule has been withdrawn. Had the proposed rule made it to the final rule stage, CHPs would have been required to demonstrate compliance with HIPAA administrative simplification standards for three electronic transactions: eligibility for a health plan, health care claim status, and health care electronic funds transfers (EFT) and remittance advice. Failure to comply with the new rule would have resulted in financial penalties for CHPs. Most employers’ health plans were handled by their insurance carriers, so the proposed rule would not have affected them...

HHS Issues Partial HIPAA Privacy Rule Waiver in Hurricane Maria Disaster Zone
Sep 22

The U.S. Department of Health and Human Services has already issued two partial waivers of HIPAA sanctions and penalties in areas affected by hurricanes this year. Now a third HIPAA waiver has been issued, this time in the Hurricane Maria disaster area in Puerto Rico and the U.S. Virgin Islands. As was the case with the waivers issued in relation to Hurricane Harvey and Hurricane Irma, the waiver only applies to covered entities in areas where a public health emergency has been declared, only for 72 hours following the implementation of the hospital’s disaster protocol, and only for specific provisions of the HIPAA Privacy Rule:
The requirement to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care. See 45 CFR 164.510(b).
The requirement to honor a request to opt out of the facility directory. See 45 CFR 164.510(a).
The requirement to distribute a notice of privacy practices. See 45 CFR 164.520.
The patient’s right to request privacy restrictions. See 45 CFR 164.522(a).
The patient’s right to request confidential...

Limited HIPAA Waiver Granted to Hospitals in Irma Disaster Zone
Sep 12

A public health emergency has been declared in areas of the U.S. Virgin Islands, Puerto Rico, and Florida affected by Hurricane Irma. As was the case in Texas and Louisiana after Hurricane Harvey, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) has announced a limited waiver of HIPAA Privacy Rule sanctions and penalties for hospitals affected by Irma. OCR has stressed that the HIPAA Privacy and Security Rules have not been suspended and covered entities must continue to follow HIPAA Rules; however, certain provisions of the Privacy Rule have been waived under the Project Bioshield Act of 2014 and Section 1135(b) of the Social Security Act. In the event that a hospital in the disaster zone does not comply with the following aspects of the HIPAA Privacy Rule, penalties and sanctions will be waived:
45 CFR 164.510(b) – Obtain a patient’s agreement to speak with family members or friends involved in the patient’s care.
45 CFR 164.510(a) – Honor requests to opt out of the facility directory.
45 CFR 164.520 – Distribute a notice of...

AHA Urges Congress to Reduce Regulatory Burden on Hospitals
Sep 01

In a recent letter to the House Ways and Means Health Subcommittee, the American Hospital Association (AHA) suggested several steps that Congress can take to immediately reduce the regulatory burden on hospitals and health systems. The AHA says the regulatory burden on hospitals and health systems is substantial and unsustainable and increased regulatory activity is making the situation worse. One example provided refers to the Centers for Medicare & Medicaid Services, which in 2016 released 49 rules related to hospitals and health systems that spanned almost 2,400 pages. There has also been an increase in sub-regulatory guidance such as FAQs and blogs to help hospitals and health systems understand how to implement administrative policies. In the letter, the AHA points out that “In addition to the sheer volume, the scope of changes required by the new regulations is beginning to outstrip the field’s ability to absorb them.” The AHA has suggested a number of ways that Congress can take action to immediately reduce the regulatory burden on hospitals, health systems and their...

HHS Issues Partial Waiver of Sanctions and Penalties for Privacy Rule Violations in Hurricane Harvey Disaster Zone
Aug 31

During emergencies such as natural disasters, complying with all HIPAA Privacy Rule provisions can be a challenge for hospitals and can potentially have a negative impact on patient care and disaster relief efforts. In emergency situations, HIPAA Rules still apply. The HIPAA Privacy Rule allows patient information to be shared to help with disaster relief efforts and ensure patients get the care they need. The Privacy Rule permits covered entities to share patient information for treatment purposes, for public health activities, to disclose patient information to family, friends and others involved in a patient’s care, to prevent or lessen a serious and imminent threat to the health and safety of a person or the public and, under certain circumstances, allows covered entities to share limited information with the media and other individuals not involved in a patient’s care (45 CFR 164.510(a)). In such cases, any disclosures must be limited to the minimum necessary information to accomplish the purpose for which the information is being disclosed. However, disasters often call for a...

U.S. Senate Passes Jessie’s Law to Help Prevent Drug Overdoses
Aug 09

West Virginia senators Joe Manchin and Shelley Moore Capito have announced that Jessie’s Law has been passed by the Senate. The legislation is intended to ensure doctors are provided with details of a patient’s previous substance abuse history if consent to share the information is provided by the patient. Jessie’s Law takes its name from Michigan resident Jessica Grubb, who was in recovery from opioid abuse when she underwent surgery. She had been struggling with addiction for seven years, but prior to surgery had been clean for 6 months. Her parents, who were at the hospital while their daughter underwent surgery, had repeatedly told doctors not to prescribe opioids unless their daughter was under the strictest supervision. However, her discharging physician gave her a prescription for 50 oxycodone tablets. Grubb overdosed and died the same night she was discharged from hospital. Her discharging doctor did not receive the information about her history of opioid use. The bill, which was introduced by Sen. Manchin and co-sponsored by Capito, will ensure physicians are better informed...

OCR Data Breach Portal Update Highlights Breaches Under Investigation
Jul 25

Last month, the Department of Health and Human Services confirmed it was mulling over updating its data breach portal – commonly referred to as the OCR ‘Wall of Shame’. Section 13402(e)(4) of the HITECH Act requires OCR to maintain a public list of breaches of protected health information that have impacted more than 500 individuals. All 500+ record data breaches reported to OCR since 2009 are listed on the breach portal. The data breach list contains a wide range of breaches, many of which occurred through no fault of the covered entity and involved no violations of HIPAA Rules. OCR has received some criticism for its breach portal for this very reason, most recently from Rep. Michael Burgess (R-Texas), who said the breach portal was ‘unnecessarily punitive’ in its current form. For example, burglaries will occur even with reasonable physical security in place, and even with appropriate controls in place, rogue healthcare employees will on occasion access PHI out of curiosity or with malicious intent; some consider it unfair for those breaches to remain on public display...

OCR’s Wall of Shame Under Review by HHS
Jun 16

Since 2009, the Department of Health and Human Services’ Office for Civil Rights has been publishing summaries of healthcare data breaches on its website. The data breach list is commonly referred to as OCR’s ‘Wall of Shame’. The data breach list only provides a brief summary of data breaches, including the name of the covered entity, the state in which the covered entity is based, covered entity type, date of notification, type of breach, location of breach information, whether a business associate was involved and the number of individuals affected. The list includes all reported data breaches, including those which occurred due to no fault of the healthcare organization. The list is not a record of HIPAA violations. Those are determined during OCR investigations of breaches. Making brief details of the data breaches available to the public is an ‘unnecessarily punitive’ measure, according to Rep. Michael Burgess (R-Texas), who recently criticized OCR about its data breach list. Burgess was informed at a cybersecurity hearing last week that HHS secretary Tom Price is currently...

Mississippi Division of Medicaid Announces Exposure of 5,220 Individuals’ PHI
Jun 09

The Mississippi Division of Medicaid (DOM) has announced that 5,220 Medicaid recipients have had some of their protected health information (PHI) exposed via email as a result of an error with an online form service. DOM discovered that the online form service was sending emails containing PHI to staff members, but those emails were not encrypted. The online service was used by staff members to create forms that were posted on its medicaid.ms.gov website. When a form was submitted via the website, emails containing the form information were sent to designated staff members. Once the emails were received they were securely stored; however, it is possible that the information contained in the emails could have been intercepted in transit and could have been accessed by unauthorized individuals. DOM stopped using the online service once the error was discovered and all forms were removed from the website. The service transmitted six different online forms. Those forms contained the following PHI elements: Names, addresses, phone numbers, dates of birth, email addresses, health insurer...

DA Launches Criminal Investigation into Actions of Curious Healthcare Employee
Mar 22

Healthcare employees discovered to have improperly accessed the medical records of patients are likely to be terminated by their employers for breaching internal policies as well as HIPAA Rules. However, loss of employment is not the only punishment. Employees could also face a criminal investigation into their conduct, regardless of the reason why medical data were accessed. A criminal investigation is likely if medical records have been accessed with malicious intent, but as has been highlighted this week, even accessing medical records out of curiosity can result in police investigation. Earlier this week, St. Charles Health System announced that a caregiver had improperly accessed the medical records of around 2,500 patients over a period of 27 months. An internal investigation into the incident was conducted and the employee was confronted. St. Charles Health System was satisfied that medical records were accessed out of curiosity and the employee was appropriately disciplined. The employee in question also signed an affidavit in which she confirmed that she had not used any...

Simplified HITRUST CSF Program Helps Small Healthcare Organizations with Compliance and Risk Management
Mar 02

HITRUST has announced that it has updated the HITRUST CSF and has also launched a new CSF initiative specifically for small healthcare organizations to help them improve their resilience against cyberattacks. While the HITRUST CSF – the most widely adopted privacy and security framework – can be followed by healthcare organizations to improve their risk management and compliance efforts, for many smaller healthcare organizations following the full framework is simply not viable: they do not have the staff and expertise to do so. While the HITRUST CSF program would be beneficial for smaller healthcare organizations, they do not face the same levels of risk as larger organizations. Given that the risks are lower and that complying with HIPAA already takes up a lot of resources, HITRUST has developed a simplified, streamlined framework which is much better suited to small healthcare organizations. The new framework – called CSF Basic Assurance and Simple Institution Cybersecurity, or CSFBASICs for short – has a more...

Will HHS Secretary Tom Price Ease HIPAA Regulations?
Feb 13

Tom Price was appointed as secretary of the Department of Health and Human Services on February 10, 2017, replacing Sylvia Matthews Burwell. The change in leadership could see a major change in focus at the HHS, which may extend to the HIPAA enforcement activities of the Office for Civil Rights. The appointment of a new director for the Office for Civil Rights may not be first on Price’s to-do list, although the new HHS secretary is expected to appoint a new OCR director soon. Price’s leadership and choice of OCR director could have a major impact on how OCR enforces HIPAA Rules and how rigorous those enforcement activities are. Since taking up the position of OCR Director in July 2014, Jocelyn Samuels oversaw a major increase in HIPAA enforcement activity. Last year, Jocelyn Samuels announced 12 settlements (and one CMP) with covered entities who were discovered to have violated HIPAA Rules during investigations into data breaches – a record year of enforcement for OCR. Jocelyn Samuels also oversaw the much-delayed second phase of HIPAA compliance audits. Last...

OCR Updates HIPAA Privacy Rule Guidance for Healthcare Professionals
Jan 11

The Department of Health and Human Services’ Office for Civil Rights has updated its HIPAA Privacy Rule guidance for healthcare professionals to help clear up confusion about allowable disclosures of protected health information to spouses, relatives, and patients’ loved ones. The majority of healthcare professionals are aware that the HIPAA Privacy Rule permits them to share the protected health information of a patient with a relative or loved one. However, the 2016 Orlando nightclub shooting incident revealed that many healthcare professionals are unsure about how the HIPAA Privacy Rule – 45 CFR 164.510(b) – applies to same sex couples. OCR has confirmed that the Privacy Rule permits a covered entity to “share [PHI] with an individual’s family member, other relative, close personal friend, or any other person identified by the individual, the information directly relevant to the involvement of that person in the patient’s care or payment for health care.” OCR has also confirmed that covered entities are allowed to disclose relevant information “to notify, or assist...

Quest Diagnostics Announces 34,000-Record ePHI Breach
Dec 13

Madison, New Jersey-based clinical laboratory service provider Quest Diagnostics is alerting 34,000 patients that some of their electronic protected health information (ePHI) has been stolen. Quest Diagnostics is a business associate of many healthcare providers across the United States. Consequently, patients across the United States have been impacted by the breach. On November 26, 2016, an unknown individual gained access to the MyQuest by Care360® Internet application and successfully exfiltrated a range of patient data. The intrusion was detected two days later when staff returned to work on Monday. Upon discovery of the breach, access to the Internet application was blocked to prevent any further data from being accessed or copied, and a leading cybersecurity firm was contracted to conduct a thorough investigation of the breach. The investigation revealed that patients’ test results were copied along with names, dates of birth, and some telephone numbers, although no highly sensitive data such as Social Security numbers, health insurance information, or financial data were...

Further 4,100 Cardiac Patients Notified of Breach of ePHI
Dec 13

A further 4,100 cardiac patients have been notified that some of their protected health information was exposed due to a security breach at Wilmington, DE-based Ambucor Health Solutions (AHS). The patients had previously had cardiac devices fitted at the New Mexico Heart Institute in Albuquerque. The Heart Institute contracted Ambucor Health Solutions to provide a cardiac monitoring service for its patients. AHS had implemented appropriate technical, physical, and administrative safeguards to prevent the unauthorized disclosure of patients’ electronic protected health information in accordance with HIPAA Rules; however, a former AHS employee breached company policies and accessed and copied patients’ ePHI to two flash drives prior to leaving employment. The data copied to the devices included patients’ names, birthdates, phone numbers, addresses, medication information, testing data, information about patients’ medical devices, where the patient had the device fitted, the name of the technician who fitted the device, and the name of patients’ physicians. It is unclear why the data...

Security Cameras Could Be Your Biggest Security Weakness
Dec 09

Could a networked device that’s designed to enhance security be exploited by hackers to gain access to your network? In the case of security cameras, it is a distinct possibility. Security weaknesses in security and surveillance cameras could be exploited by hackers to gain access to the networks to which they connect. The cameras could also be used to check for physical security weaknesses or to spy on workers and patients. The past few weeks have clearly shown the need for better security controls to be incorporated into these IoT devices. Hackers have taken advantage of scant security controls to gain access to cameras (and other IoT devices) and have used them for massive Distributed Denial of Service (DDoS) attacks. Many device manufacturers are guilty of failing to incorporate adequate security controls, although not all of the blame can be placed at the door of the manufacturers. IT departments have installed the devices, yet have failed to change default passwords. Weak passwords can easily be guessed by hackers, and in many cases, the default passwords are readily available...

ONC Issues Fact Sheet Explaining Exchange of Health Information for Public Health Activities
Dec 09

The U.S. Department of Health and Human Services’ Office of the National Coordinator for Health Information Technology (ONC) and Office for Civil Rights (OCR) have published a new fact sheet explaining some of the circumstances under which the sharing of electronic healthcare information without patients’ written consent is permitted by Health Insurance Portability and Accountability Act (HIPAA) Rules. The HIPAA Privacy Rule came into effect in April 2003 and set new standards to protect individuals’ personal health information. The HIPAA Privacy Rule sets limits and conditions on when personal health information can be used or disclosed without prior consent being obtained from patients. For example, the HIPAA Privacy Rule allows HIPAA-covered entities (healthcare providers, health plans, healthcare clearinghouses, and business associates of covered entities) to share the personal health information of patients for treatment purposes and healthcare operations. Health information may need to be shared between two healthcare providers involved in the treatment of a patient and...

Malvertising Campaign Highlights Importance of Patching Browsers
Dec 09

The importance of ensuring browsers and plugins are kept up to date has been highlighted by the discovery of a malvertising campaign that is targeting readers of popular news websites such as Yahoo and MSN. In the past two months, millions of individuals have been exposed to malicious adverts which automatically redirect users to websites where malware is downloaded. The campaign – termed Stegano – is being used to distribute a range of malware and spyware including keystroke loggers and Trojans. The aim of the attackers is to capture email login credentials and other sensitive information that can be used for further attacks. The campaign uses a technique called steganography – the hiding of messages (or code) inside images. In this case, malicious scripts are embedded in the code that controls the transparency of images displayed by third party advertising networks on popular websites. The inclusion of the code changes the appearance of the banner images, making them appear slightly pixelated, although the change is hardly noticeable to an untrained eye. Unlike other malvertising...

OCR Warns Covered Entities of Risk of DDoS Attacks
Dec 08

There has been a surge in Distributed Denial of Service (DDoS) and Denial of Service (DoS) attacks over the past few weeks. The attacks involve flooding systems with information and requests to cause those systems to crash. The attacks have resulted in large sections of the Internet being taken offline, email systems crashing, and other computer equipment being taken out of action. DDoS attacks on healthcare organizations could prevent patients from accessing web services such as patient portals during an attack, but they can also prevent healthcare employees from accessing systems that are critical for healthcare operations. EHRs, payroll systems, or even software-based medical equipment such as drug infusion pumps and MRIs can potentially be taken out of action. Not only do DDoS attacks prevent these systems from being accessed, they can also result in substantial hardware damage, and the cost of repair can be considerable. The scale of the recent attacks has been astonishing. Whereas last year DDoS attacks of the order of 300 Gbps were something of a rarity, this year we have seen...

Lost CD Contained Social Security Numbers of 18,854 Health Plan Members
Dec 08

18,854 health plan members have been notified of a potential breach of their protected health information following the loss of a compact disc in the mail. An employee at Aetna Signature Administrators (ASA), a provider of network and management services to group health plans, mailed a CD containing sensitive health plan members’ information to another ASA employee. The CD was mailed on September 6 and the envelope was delivered on September 9; however, the CD was missing from the envelope. The CD contained reports that had been provided to ASA by health plans or health plan administrators. The reports were used by ASA to evaluate and select programs and services for health plan members. The reports contained the dates of birth of health plan members along with their Social Security numbers, and in some instances, names and addresses. Individuals impacted by the incident were notified of the potential ePHI breach last month. Since Social Security numbers were exposed, ASA has offered all affected individuals a year of identity theft protection services through Equifax (Equifax...

Ransomware Attack Reported by East Valley Community Health Center
Dec08

West Covina, CA-based East Valley Community Health Center (EVCHC) has started notifying patients that some of their electronic protected health information was compromised when ransomware was installed on one of its servers. The ransomware attack occurred on October 18, 2016 and involved a ransomware variant called Troldesh/Shade. As with other forms of ransomware, Troldesh scans its local environment and encrypts a wide range of file types with an asymmetric encryption algorithm, preventing the files from being accessed. Troldesh is supplied by the ransomware author as a development kit, which allows affiliates to run their own ransomware campaigns. The ransomware is usually distributed via spam email campaigns, using file attachments containing malicious JavaScript code. However, in this case, an unauthorized individual logged onto an EVCHC server and installed the ransomware. Many different files were encrypted, one of which contained the electronic health information of EVCHC patients. The file was used by EVCHC for logging claims that had been submitted to health...

21st Century Cures Bill Sails Through Senate
Dec08

Last week, the House of Representatives unanimously voted in favor of the 21st Century Cures Act. Yesterday, the bill sailed through the Senate with a vote of 94-5. All that remains is for President Obama to add his signature to the bill, which is expected to happen in the next few days. President Obama has already said he is happy to sign the new bill. The bill will provide funding for a number of initiatives that are intended to hasten the development of new cures and medical devices to treat cancer and other diseases. The bill makes more funds available for mental health treatment as well as for programs to tackle the growing problem of opioid abuse in the United States. $500 million per year will be made available for the latter to prevent new cases of opioid abuse and to fund treatment programs for addicts. The bill had originally called for changes to be made to the Health Insurance Portability and Accountability Act to improve data sharing for research purposes. By classifying research under healthcare operations, it would have been possible for the identifiable protected...

Tampa General Hospital Settles Class Action Data Breach Lawsuit
Dec07

According to figures from the Federal Trade Commission, Florida is one of the top three states for fraud and identity theft. Criminals in the state use stolen consumer data to steal identities and file fraudulent tax returns, with the data often coming from healthcare organizations. Fraudsters often target the lowest paid healthcare workers and pay them to steal patients’ personal information and Social Security numbers. Many Florida hospitals have fired employees who have been discovered to have abused their access to patient health information and passed stolen information on to identity thieves. Victims of fraud can suffer considerable losses which can prove difficult to recover. Legal action can be taken against the healthcare organizations that experience internal data breaches, although the lawsuits very rarely succeed. One such lawsuit was filed against Tampa General Hospital. The class action lawsuit – John Doe v. Florida Health Sciences Center Inc. d/b/a Tampa General Hospital – alleged the hospital had been negligent for failing to protect patient data;...

Half of IT Pros Most Concerned About Insider Threats
Dec06

A considerable proportion of IT security budgets are directed to securing the network perimeter and with good reason. Hackers are breaking through security defenses with increasing frequency and this year has seen some of the biggest cyberattacks ever reported. However, internal threats should not be ignored. According to a recent Dimensional Research/Preempt study, most IT security professionals believe internal threats have increased over the past few years to the point that they are now of greater concern than cyberattacks by hackers. For the study, 317 independently verified IT security professionals from organizations that employed more than 1,000 staff members were asked a range of questions about insider threats, including the barriers preventing organizations from mitigating risk and the measures employed to deal with the threat. When asked about whether they were concerned about internal threats, only one respondent out of 317 said they had no concerns and 49% of survey respondents said they were more concerned about internal threats than they are about external attacks....

Medical Devices Can Be Hacked Using Black Box Approach
Dec05

Researchers in the UK and Belgium have discovered it is possible to hack certain medical devices even without any prior knowledge of how the devices work. Cyberattacks could be conducted to gain access to sensitive patient data or to cause patients to be harmed. The research team discovered that malicious messages could be sent to the devices and signals sent to prematurely drain batteries. The study was conducted by researchers at the University of Birmingham in the UK and the University of Leuven / University Hospital Gasthuisberg Leuven in Belgium. The researchers discovered at least 10 different commonly used medical devices were vulnerable to these attacks, including pacemakers and the latest generation of implantable cardioverter defibrillators (ICDs). The researchers were able to extract medical records from the devices – including patients’ names – and claim these attacks could be pulled off by a relatively weak adversary. By repeatedly sending signals to the devices they were able to prematurely drain batteries by preventing the devices from going into sleep mode. It...

Glendale Adventist Medical Center Fires Nurse for Inappropriately Accessing ePHI
Dec05

A nurse employed by Glendale Adventist Medical Center in Glendale, CA has been fired for inappropriately accessing the medical records of 528 patients of the medical center and White Memorial Medical Center in Boyle Heights, CA. The privacy breach was discovered in June 2016, although it is unclear when the nurse first started inappropriately accessing patient data. Glendale Adventist Medical Center discovered patient data were being accessed during a routine security review. An investigation into the privacy violations was launched after access logs showed that the employee had been abusing data access privileges. The nurse had been provided with access to ePHI in order to perform work duties. The former employee worked as a per-diem nurse, according to a report in the Los Angeles Times. The investigation into the privacy breaches is ongoing, and as such, only a limited amount of information has been released. A spokesperson for Glendale Adventist Medical Center did confirm with the L.A. Times that sensitive patient information that was potentially accessed included names,...

Sagewood Retirement Community Attacked with Ransomware
Dec02

Sagewood, a retirement community in Phoenix, AZ, has notified 800 current and former residents about a ransomware attack that has potentially resulted in some of their electronic protected health information (ePHI) being accessed by the attackers. Sagewood enlisted the services of a computer forensics firm to investigate the attack. According to the substitute breach notice on the Sagewood website, the attack was short-lived. It was possible to isolate and contain the infection within an hour of it being discovered. Since it is possible that access to ePHI was gained, the incident has been reported to the Department of Health and Human Services’ Office for Civil Rights in accordance with HIPAA Rules. Patients have also been notified of the incident by mail if they have been affected. Ransomware locks files with powerful encryption which prevents the victims from gaining access to their data. After files are locked, the victims are presented with a ransom demand. Payment must be made in order to receive the key to unlock the encryption. Ransomware could also potentially give the...

OptumHealth New Mexico Announces 2000-Record Data Breach
Dec02

OptumHealth New Mexico has notified 2,006 patients of a privacy breach that was caused by one of its vendors. The vendor had downloaded some electronic protected health information to a flash drive, which was then sent to an undisclosed recipient by mail using the U.S. Postal Service. The flash drive did not arrive at its destination. Upon discovery of the loss, the U.S. Postal Service was notified, but attempts to locate the device have so far failed, although according to the substitute breach notice issued by OptumHealth, the matter is still being investigated. It is unclear why, with many secure methods of sending sensitive data available, the vendor chose to post the flash drive, or why the contents of the drive were not encrypted. OptumHealth was notified of the potential privacy breach on September 26, 2016 and breach notification letters were mailed to all affected individuals on November 17. A substitute breach notice was recently uploaded to the OptumHealth website as it was not possible to contact all affected individuals by mail. Patients have been informed that the data stored on...

21st Century Cures Act Unanimously Passed by House
Dec01

The 21st Century Cures Act has been passed by the House of Representatives with a vote of 392-26. One Democrat and twenty Republicans voted against the bill. The legislation will now go to the Senate for the vote, which will take place early next week. The legislation was passed by the House last year, although the bill failed in the Senate in July 2015. Numerous revisions have been made since last summer and this time around the 21st Century Cures Act is expected to be passed by the Senate. However, not unanimously. Some senators are certain to vote against the legislation, including Senators Bernie Sanders (I-Vt.) and Elizabeth Warren (D-Mass.). Both strongly oppose the changes that have been made to the legislation to appease the pharmaceutical industry. The main purpose of the $6.3 billion bill is to advance medical innovation. A sizable chunk of cash will be given to a number of programs introduced by the Obama administration. NIH will receive $4.8 billion in funding over the next 10 years which will go towards programs such as the cancer moonshot research project, the...

OCR Warns Healthcare Organizations of Fake HIPAA Audit Emails
Dec01

The Department of Health and Human Services’ Office for Civil Rights (OCR) has issued a warning to healthcare organizations about a new phishing email campaign that uses an official-looking OCR letterhead and the signature of OCR Director Jocelyn Samuels. Phishing emails usually encourage the recipients to click on malicious links that direct them to websites where malware is downloaded, to open infected email attachments, or to reveal sensitive information. In this case, the emails contain a link to the website of a cybersecurity firm. The website does not appear to be malicious in nature; instead, the email appears to be a marketing ploy to get healthcare organizations to sign up for the firm’s services. The firm uses the HIPAA compliance audits to lure email recipients into clicking on the link. The emails claim to be official communications about the current round of HIPAA compliance audits and the possible inclusion of the recipient’s organization in the audit program. Samuels says in the OCR’s official email about the scam, “In no way is this firm associated with the...

Healthcare Organizations Main Target for Hackers in 2017
Nov30

Experian’s Data Breach Resolution team has released its annual data breach industry forecast for 2017. Experian has evaluated current cybersecurity trends and has made a number of predictions for the coming year. One of the key predictions is that hackers will continue to be laser-focused on attacking healthcare organizations. New attack methods will be used and cyberattacks are likely to become much more sophisticated as healthcare organizations improve their security defenses. The primary target will continue to be the electronic protected health information of patients. The volume of healthcare data stolen in the past two years has been extraordinary. Figures from the Department of Health and Human Services’ Office for Civil Rights show more than 113 million healthcare records were exposed or stolen in 2015. 270 breaches of PHI were reported by healthcare providers, health plans, and business associates of HIPAA-covered entities in 2015. 2016 has seen fewer records stolen or exposed, although the number of reported data security incidents has already surpassed last year’s total. With...

1,745 Berkshire Medical Center Patients Impacted by Ambucor Health Solutions Breach
Nov30

Berkshire Medical Center (BMC) in Pittsfield, Massachusetts has been informed that 1,745 patients of its cardiology department have been impacted by the security breach at Ambucor Health Solutions (AHS). The Wilmington, DE-based business associate provides a remote monitoring service for BMC patients that have been fitted with cardiac devices. In July, AHS discovered an employee had emailed the protected health information of 41 patients to a personal email account prior to leaving the company. However, an investigation into the incident revealed that more patients had been affected than was initially thought. The employee had also copied some protected health information onto two thumb drives. Those devices were recovered via law enforcement and were found to contain the sensitive data of thousands of patients. AHS has now contacted all healthcare providers whose patients have been impacted by the breach and is notifying all affected individuals by mail, although it is the responsibility of each impacted healthcare provider to notify the Department of Health and Human Services’...

50% of U.S. Companies Have Experienced a Ransomware Attack in the Past 12 Months
Nov29

A recent survey conducted by Vanson Bourne on behalf of endpoint protection software vendor SentinelOne has cast light on the extent to which ransomware is being used to attack organizations around the globe. 500 cybersecurity decision makers were asked questions about recent ransomware attacks experienced by their organization. 48% of respondents said they had experienced at least one ransomware attack in the past 12 months, and those organizations were attacked an average of six times in the past year. 50% of respondents in the United States said they had experienced a ransomware attack in the past 12 months. Not all attacks resulted in files being encrypted. 27% of respondents said ransomware was installed, but the attackers were not able to encrypt any data. 25% said some files were encrypted but it was possible to recover the files from backups. 45% said files were encrypted but it was possible for the company to decrypt the files. Only 3% of organizations said attacks resulted in file encryption that their organization was unable to decrypt. Ransom payments were not always...

CHI Franciscan Health Alerts Patients to ePHI Exposure
Nov28

CHI Franciscan Health has started notifying patients about the potential exposure of some of their electronic protected health information after a laptop computer was stolen from an employee. According to The News Tribune, a CHI Franciscan Health employee had a backpack stolen on October 18. The backpack contained documents that included some patient health information, a work laptop computer, and a mobile phone. The backpack also contained a day planner, in which the login credentials for the laptop were recorded. The information in the documents could potentially have been viewed and the login credentials could have been used to gain access to the electronic protected health information stored on the laptop. CHI Franciscan Health has not received any reports to suggest any information has been accessed or used inappropriately, although patients have been informed to take precautions against identity theft. All affected individuals have been offered a year of credit monitoring services without charge. The exposed ePHI/PHI includes the names, phone numbers, Social Security numbers,...

Healthcare Industry Targeted with Gatak Trojan
Nov28

The healthcare industry is coming under attack by the actors behind the Gatak Trojan. Gatak, or Stegoloader as it is otherwise known, is not new malware. The Trojan was first identified in 2011 and has since been used to attack a wide range of targets. However, according to a recent report by Symantec, the actors behind the malware have now set their sights firmly on the healthcare industry. 40% of the most affected organizations are now in the healthcare sector. This signifies a change in targeting, as previously the Trojan has been primarily used to attack insurance companies. While 40% of attacks have not been attributed to any industry sector, the next most targeted industries – which each account for 5% of attacks – are automotive, education, gambling, and construction. It is currently unclear how the attackers are using the malware to profit from infections, although it is believed that healthcare companies are being targeted due to the value of their stored data. Gatak is primarily an information stealer. There are two components of the malware. One component performs...

Vascular Surgical Associates Hacking Incident Reported
Nov25

Vascular Surgical Associates – a group of specialty-trained vascular surgeons in Atlanta – has announced that it has been the victim of a hacking incident that has potentially resulted in certain protected health information being viewed by unauthorized individuals. IT staff noticed unusual activity on one of the company’s servers on or around September 13, 2016. An investigation into the anomaly was launched, which revealed the server had been improperly accessed using login credentials supplied to some of the group’s vendors. Access to patient data was first gained on March 25, 2016 when a software application upgrade was performed. The investigation did not confirm whether patient health information had been obtained by the hackers, although for more than five months it would have been possible for the login credentials to have been used to view patient data. As soon as IT staff determined the server had been compromised, access was immediately terminated. The server is now secure and Vascular Surgical Associates is confident that no further unauthorized access is possible....

Privacy Breach Reported by Wentworth-Douglass Hospital
Nov25

Wentworth-Douglass Hospital in Dover, New Hampshire has started alerting patients to a privacy breach experienced by one of its vendors, Ambucor Health Solutions. Ambucor Health Solutions provides a remote-monitoring service for cardiac devices for hospitals throughout the United States. Earlier this month, the company started notifying its clients of a privacy breach caused by one of its former employees. Prior to leaving employment, the employee downloaded sensitive company data onto two flash drives. The data breach was discovered by Ambucor Health Solutions over the summer and an investigation was launched. The incident was reported to law enforcement, and the subsequent investigation resulted in the flash drives being recovered in July. An analysis of the contents of the drives, which was completed in September, revealed the downloaded data included a range of electronic health information of cardiac patients from a number of the company’s clients, and included the protected health information of 775 patients of Wentworth-Douglass Hospital. Social Security numbers, financial...

New Attack Vector Used to Spread Locky Ransomware
Nov24

This year, hospitals throughout the United States have been targeted by cybercriminals using ransomware. The malicious file-encrypting software is used to lock files that are critical for healthcare operations in the hope that a ransom payment will be made in order to regain access to locked data. In February, Hollywood Presbyterian was attacked and its computer systems were taken out of action for more than a week while the infection was removed. A ransom demand of $17,000 was issued and was paid by the Medical Center after attempts to recover files from backups failed. The attack is understood to have involved Locky ransomware. Locky encrypts a wide range of file types including office documents, pdf files, databases, and images. Files are renamed and new extensions are added to make it harder for victims to identify which files have been encrypted. Windows Shadow Copies are also deleted. Locky can spread laterally through a network and is capable of encrypting files on portable storage devices, such as those used for backing up data. The actors behind Locky distribute the...

UMass to Pay OCR $650K to Resolve HIPAA Violations
Nov23

The Department of Health and Human Services’ Office for Civil Rights (OCR) has agreed to a $650,000 settlement with University of Massachusetts Amherst (UMass). The settlement resolves HIPAA violations that contributed to the university experiencing a malware infection in 2013. In early 2013, malware was installed on a workstation in the Center for Language, Speech, and Hearing. The infection resulted in the impermissible disclosure of the electronic protected health information of 1,670 individuals. Those individuals had their names, addresses, social security numbers, birth dates, health insurance information, diagnoses, and procedure codes disclosed to the actors behind the malware attack. Following the discovery of the infection in 2013, UMass conducted a detailed analysis of the infected workstation. The malware was a generic remote access Trojan and infection occurred because the workstation was not protected by a firewall. UMass ascertained that access to ePHI had been gained. OCR investigates all data breaches that impact more than 500 individuals to determine whether...

Chiropractic Clinics Alert Patients to Billing Vendor Breach
Nov23

Two providers of chiropractic services in California have started notifying their patients of a security breach affecting their billing software company. Luque Chiropractic, Inc., and Watsonville Chiropractic, Inc., were alerted to a cloud storage account breach on November 18, 2016, following a data security incident that saw patient data accessed by an unauthorized individual. The breach was experienced by EMR4all, Inc., and affected clients that used the company’s associated billing service. EMR4all, Inc. provides free EMR software for physical therapy, occupational therapy, and chiropractic practices throughout the United States, while billing services are provided by Rehab Billing Solutions. In early September, security researcher Chris Vickery discovered a cloud storage account used by EMR4all/Rehab Billing Solutions could be freely accessed via the Internet. The cloud storage account contained the health records and personal information of many thousands of patients from more than 30 providers of physical therapy and chiropractic services. Vickery was able to access and...

Briar Hill Management Notifies 2,000 Individuals of February Laptop Loss
Nov22

Briar Hill Management, a Ridgeland, MS-based provider of management services for skilled nursing facilities in Mississippi, has lost a laptop computer containing the sensitive data of 2,000 nursing facility residents. The laptop was discovered to be missing on February 26, 2016, although at the time it was not believed that the laptop contained any resident health information. However, according to the breach notice recently uploaded to the company website, an investigation into the incident revealed that the employee who had been assigned the laptop computer had breached company policies and had downloaded sensitive information onto the device. The data stored on the unencrypted laptop included residents’ names, addresses, birth dates, dates of service, Social Security numbers, prescription information, and medical records. Briar Hill Management says “the laptop did not contain all of these types of information for every affected resident.” The breach notice does not state when Briar Hill Management discovered sensitive information had been exposed. Briar Hill Management conducted...

MIFA Shares Industry Wisdom on Medical Identity Theft and Fraud
Nov03

Last year, more than 113 million healthcare records were exposed or stolen as a result of healthcare data breaches. With so much healthcare data available it is no surprise that medical identity fraud is increasing. Medical identity fraud is now the fastest-growing type of identity fraud. Each year, more than two million individuals in the United States discover their medical data have been fraudulently used by cybercriminals and the problem is getting worse. Medical identity fraud involves the use of personally identifiable information (PII) and protected health information (PHI) to fraudulently obtain medical services, healthcare devices, and prescription medications. False identities are also used for fraudulent healthcare billing. Medical identity theft can have a devastating impact on patients. Victims incur an average of $13,500 in out-of-pocket expenses after their identities have been stolen. Losses can be considerably higher. Medical identity fraud can go undetected for long periods of time and healthcare patients are not protected by the same legislation that protects...

Lack of Ransomware Protections Could Violate FTC Act
Sep19

The Department of Health and Human Services’ Office for Civil Rights has recently issued guidance for HIPAA covered entities on ransomware to help covered entities deal with the increased threat of ransomware attacks. Now the Federal Trade Commission (FTC) has warned businesses that they must do more to deal with the ransomware threat. The failure to implement appropriate defenses against ransomware could constitute a violation of the FTC Act. At a recent FTC forum that explored the current ransomware problem and the strategies that can be adopted to mitigate the threat, FTC Chair Edith Ramirez issued a stern warning to businesses, explaining more must be done to prevent ransomware attacks. Ramirez explained that ransomware is now one of the “most troubling cyber threats.” The Department of Justice has reported that there has been a 300% increase in ransomware attacks in the past year, and an average of 4,000 ransomware attacks are now occurring every day. Ramirez also pointed out that an estimated 93% of all phishing emails are now being used to deliver ransomware, and that...

Another Employee is Fired for Emailing PHI to a Personal Account
Sep06

Today, a breach notice has appeared – dated August 18 – on the Department of Health and Human Services’ Office for Civil Rights breach portal from Village of Oak Park Health Plan in Illinois. The breach involved the unauthorized accessing and disclosure of the personal information of 688 individuals. The breach in question dates back to January. On January 22, 2016, officials at Village of Oak Park discovered an employee had emailed spreadsheets containing the PHI of 688 individuals to a personal email account. The breach was discovered during a search of employees’ emails which was initiated after some employees claimed that their premiums had not been paid to their insurers. While searching for email correspondence between insurers and employees, the email containing the spreadsheets was discovered. The spreadsheets contained personal information of current and former employees of Village of Oak Park, Oak Park Library, Oak Park Township, the Park District of Oak Park, and the West Suburban Consolidated Dispatch Center. The spreadsheets included names, dates of birth,...

OCR Phase 2 HIPAA Audits: Documentation Requests Issued
Jul13

The Department of Health and Human Services’ Office for Civil Rights (OCR) has now selected covered entities from its pool of eligible organizations and has chosen 167 for a HIPAA compliance audit. Covered entities selected for a compliance audit have now been notified by email. Those organizations now have just 10 days to respond to the emails and submit the requested documentation to the OCR. The audits – which are desk based – have been split between healthcare providers, health plans, and healthcare clearinghouses. The audits are being conducted on a geographically representative sample that includes healthcare organizations of all sizes. Desk audits of HIPAA business associates will follow in the fall. The desk audits comprise a documentation check to ensure compliance with the Health Insurance Portability and Accountability Act’s Privacy, Security, and Breach Notification Rules. Earlier this year the OCR published details of the new audit protocol. The protocol contains a long list of different aspects of HIPAA Rules that could potentially be assessed by OCR...

Congressmen Call for Different HIPAA Rules for Malware and Ransomware Attacks
Jul07

Ted Lieu, D-Calif., and Will Hurd, R-Texas, have written to OCR Deputy Director for Health Information Privacy Deven McGraw raising issues related to healthcare ransomware infections ahead of the release of new OCR guidance on ransomware attacks. The bipartisan pair of Congressmen have pointed out some important differences between ransomware infections and hacking, which they believe should be reflected in the upcoming guidance. They believe that ransomware should require different rules from other malware infections and hacking incidents, although there is some debate as to whether HIPAA Rules should treat different types of malware differently. The Congressmen point out in the letter that under 45 CFR § 164.402, a breach of ePHI is defined as “the acquisition, access, use, or disclosure of protected health information in a manner not permitted.” This would mean that a ransomware attack qualifies as a data breach. In order to encrypt data, those data must be accessed. Consequently, covered entities would be required to perform a risk assessment under HIPAA Rules. While...

OCR Clears Up Confusion About the Charging of Flat Fees for Copies of PHI
May24

Earlier this year the Office for Civil Rights issued guidance for healthcare providers and health plans on the general right of patients to obtain copies of their protected health information on request. The HIPAA Privacy Rule allows patients to obtain one or more designated record sets which a covered entity holds and maintains. By obtaining copies of their PHI, patients can take control of their own healthcare and wellbeing. Providing copies of PHI to patients involves a cost to the covered entity, such as the time taken to obtain and copy records and prepare summaries, the cost of paper and printing if record sets are supplied in physical form, the cost of media devices for electronic copies of PHI, and the cost of mailing records to patients if they are not collected in person. Covered entities are permitted to charge patients for providing copies of their PHI, as the OCR guidance explained; however, based on the questions submitted by covered entities there appeared to be some confusion over allowable charges, in particular regarding the charging of flat rate fees to...

Deven McGraw Offers Advice on the Upcoming HIPAA Compliance Audits
May20

Deven McGraw – deputy director of health information privacy at the Office for Civil Rights (OCR) – has offered some advice to covered entities ahead of the HIPAA compliance audits which are scheduled to take place later this year. The second round of HIPAA compliance audits will be conducted on covered entities first, followed by business associates. OCR contacted covered entities earlier this year to verify contact information. That process is almost complete and a pool of healthcare providers, health plans, and healthcare clearinghouses will soon be finalized. OCR will select approximately 200 organizations from that pool for a desk audit. Covered entities selected for audit will be notified and given 10 days to submit the requested documentation to OCR. This does not give covered entities much time, so it is important that preparations are made early. In an interview with the Information Security Media Group, McGraw suggested that covered entities should start preparing now in case they are selected for a desk audit. Last month, OCR released the updated audit protocol which...

OCR Publishes New HIPAA Audit Protocol
Apr05

The Department of Health and Human Services Office for Civil Rights (OCR) has published a new HIPAA audit protocol for the second round of compliance audits. The audit protocol has been updated to incorporate 2013 Omnibus Final Rule changes, and OCR is encouraging covered entities to read the new protocol and submit comments. The 2016 HIPAA audits have a much narrower focus than the first round and will be conducted in modules. The modules will assess separate elements of the Privacy Rule, Security Rule, and Breach Notification Rule. OCR may decide to audit a covered entity on one or more modules, depending on the type of organization. If selected for audit, covered entities will be required to submit a range of documents to OCR via a dedicated web portal. The most current versions of documents must be submitted in PDF, Word, or Excel formats. Documentation will need to include evidence of implementation of each aspect of HIPAA. If no documentation is held, the covered entity will be required to submit a statement to that effect. Auditors will then be provided with a selection of...

Phase 2 HIPAA Compliance Audits Commence
Mar21

The Department of Health and Human Services’ Office for Civil Rights has announced that the phase 2 HIPAA compliance audits have officially started. According to the recent OCR announcement, “Audits are an important compliance tool for OCR that supplements OCR’s other enforcement tools, such as complaint investigations and compliance reviews.” The announcement goes on to explain that the process of auditing covered entities allows OCR to “proactively uncover and address risks and vulnerabilities to protected health information.”

Start Date for the Second Phase of HIPAA Compliance Audits

While the audit process has now officially started, covered entities still have some time to get their policies and procedures in order. It will still be some time before the document checks for the 2016 compliance audits actually begin. The OCR announcement does not give a start date for the 2016 HIPAA compliance audits, but indicates that the first stage of desk audits will be completed by December 2016. The date when the first desk audits will actually be conducted was not detailed in the...

Deven McGraw Gives Update on OCR HIPAA Compliance Audits
Mar03

Office for Civil Rights deputy director of health information privacy, Deven McGraw, has provided an update on OCR’s planned HIPAA compliance audits, saying the revised protocol for the long awaited second round of compliance audits will be published next month. Late last year, OCR Director Jocelyn Samuels announced that the next round of audits would be taking place in early 2016. With the audit protocol due for publication in April, the next round of audits could start in Q2, although this seems unlikely. Once the audit protocol has been published there will be a period allowed for public comments. Those comments will need to be assessed, and may require changes to be made to the audit protocol. According to McGraw, the new protocol will be based on that used for the 2011/2012 round of audits, with amendments made to account for the changes to HIPAA following the introduction of the Omnibus Rule in 2013. Previously, OCR indicated the next round of compliance audits would be conducted in modules. A module would be developed to assess Privacy Rule...

OCR Clarifies Patients’ Access Rights to PHI and Allowable Charges
Mar02

The Health Insurance Portability and Accountability Act’s Privacy Rule gives patients the right to obtain a copy of their personal health information from their healthcare providers (45 CFR § 164.524). While HIPAA-covered entities should be aware of this aspect of the Privacy Rule, many patients have experienced difficulty obtaining a copy of their records. In some cases, patients have obtained a copy of their records but felt that they have not been provided with all the information contained in their records. Some feel they have been unfairly charged for exercising their access rights. To address these and other issues, the Department of Health and Human Services’ Office for Civil Rights produced a fact sheet in January to clarify the responsibilities of HIPAA-covered entities to comply with this aspect of the Privacy Rule. The new guidance explained the general right of patients to obtain a copy of their health records, to inspect their records, or to have a copy of those records sent to a nominated individual of their choosing. Provided that the healthcare provider...

OCR Website Receives Long Awaited Upgrade
Jan07

The Department of Health and Human Services’ Office for Civil Rights website has been redesigned and upgraded, and features a responsive design and a more user-friendly interface. The redesign was part of the Reimagined HHS.gov initiative. The aim was to create a website that is faster, easier to use, and makes content sharing and syndication much more straightforward. The HHS site-wide overhaul has taken well over a year so far, with OCR the first HHS department to receive its site upgrade. The upgrade and redesign was conducted in phases, with phase 1 of the project completed in May 2015. OCR’s overhaul was finished on schedule and was made live this week in time for the January 6 launch. The new crisp, clean, and simple design presents information clearly, while a fast and powerful search function has been incorporated to ensure visitors can quickly and easily gain access to the information they need. Typing in a search term will offer numerous suggestions based on the most common searches of the site, ensuring the most relevant information can be quickly retrieved. In...

HIPAA Privacy Rule Updated to Permit NICS Reports
Jan05

The Department of Health and Human Services has issued a final rule permitting certain covered entities to disclose specific elements of Protected Health Information (PHI) to the National Instant Criminal Background Check System (NICS), changing the HIPAA Privacy Rule. At the time of writing, HIPAA prevents healthcare providers from disclosing PHI without first having obtained permission from the patient, except in a very limited number of circumstances. The rule change, which will become effective 30 days after publication in the Federal Register, will allow certain information about individuals to be divulged and entered into NICS by some HIPAA-covered entities. NICS is maintained by the FBI and is used by Federal Firearms Licensees (FFLs) to determine whether an individual is permitted to purchase a firearm. When an FFL starts a NICS background check on an individual, the system will search three separate databases: the Interstate Identification Index (III), the National Crime Information Center (NCIC), and the NICS Index. NCIC and III contain information on individuals who have...

Repeat HIPAA Violators Revealed: Database of Offenders Created
Dec30

ProPublica has created a database of healthcare organizations that have violated patient privacy to make it easier for consumers to find repeat HIPAA violators. The biggest offenders have now been exposed. Since late 2009, the Department of Health and Human Services’ Office for Civil Rights (OCR) has been publishing self-reported data breaches suffered by HIPAA-covered entities. The list of data breaches, often referred to as OCR’s “Wall of Shame”, currently lists 1,425 data breaches dating from October 21, 2009. Some healthcare organizations have suffered a single data breach, while others have suffered more. However, it is difficult to quickly ascertain how many breaches have been suffered by a particular entity, because not all data breaches are listed under the same company name. A search for a particular healthcare provider may reveal that just one breach has been suffered, when in actual fact a great many more have occurred. CVS Health is a case in point; a search for that name would produce one result: a 12,914-record breach suffered this year. A search for CVS Caremark would...
