HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians

Average Cost of Data Breach Rises to $3.8 Million


Based on a study of 350 companies in 11 countries, the average data breach costs a company an average of $3.79 million, or $154 for every lost or stolen record. The amounts represent an increase from the overall average cost of $3.52 million in 2014 and a per-record cost of $145.

Massive data breaches such as the estimated 56 million credit and debit card numbers stolen from Home Depot Inc. (NYSE: HD) in 2014 and the 40 million exposed by the Target Corp. (NYSE: TGT) in the attack against the company during the 2013 holiday shopping season cost the companies far more than that average. One estimate of the cost to Home Depot came in at $10 billion by 2020 (an average of $177 per lost record).

Over the next 24 months, companies and organizations in Brazil and France are the most likely to experience a data breach involving a minimum of 10,000 records, while organizations in Canada and Germany are the least likely to have such a breach. The somewhat good news is that any company is more likely to have a breach involving 10,000 or fewer records (22% chance) than a breach involving more than 100,000 records (less than 1% chance).

The data was released earlier this week by International Business Machines Corp. (NYSE: IBM) and the Ponemon Institute, a data security consulting and research firm. All 350 companies included in the study have experienced a data breach at some time, with the breaches ranging from a low of about 2,200 compromised records to a high of more than 101,000 breached records.

The research notes three major reasons for the higher costs in 2015:

  • Cyberattacks occur more frequently and the cost to repair the damage is higher.
  • The cost of the lost business is higher while repairs are being made.
  • Costs to detect breaches are higher.

In the United States, the cost of a data breach averages $6.5 million, the highest in the world, followed by Germany which has an average total cost of $4.9 million. The lowest costs are posted in Brazil ($1.8 million) and India ($1.5 million).

The cost of a data breach to a health care organization could be as much as $363 per record. From 2014 to 2015, the retail industry has seen its costs for a data breach rise from $105 to $165 per lost or stolen record.

Data breaches are most often the result of malicious or criminal attacks (47% of the time), with system glitches accounting for 29% of data breaches and human error accounting for the remaining 25%. More than half of all breaches are the result of a system glitch or human error in all but three locations: Canada, Germany and the combined Saudi Arabia-United Arab Emirates region. In the United States, malicious or criminal attacks account for 49% of data breaches.


Calculating The Colossal Cost of A Data Breach

Some targets have spent tens of millions just to notify customers and provide identity-theft monitoring.

In the past two years, there have been dozens of highly publicized data breaches, including recent ones at Community Health Systems, Anthem, and now Premera Blue Cross.

Just from those three, hackers stole medical information and other data of 136 million Americans, some records dating back a decade.

And that’s just in health care. Add Target, Sony, and Home Depot to the list and we’re talking tens of millions more Americans affected.

When breaches of this size become almost commonplace in the retail, health care, and movie industries, many CFOs wonder: How vulnerable is my company? The simple answer is that if you don’t know your risks, you’re extraordinarily vulnerable — and the financial costs of a data breach can be staggering.

CFOs are realizing that information risk management needs to be approached from a strategic, proactive perspective — not in an ad hoc, reactive way.

If Anthem had done that two years ago, they might have avoided the recent mega-breach. The company had a wake-up call in 2013 when it was cited by Health and Human Services’ (HHS) regulators for not having completed a risk analysis after implementing a new consumer portal. It settled the case for $1.7 million. That’s a drop in the bucket compared with the costs of their 2015 breach involving 80 million people.

According to many media reports, Anthem will soon deplete its $100 million cyber-insurance coverage just to notify the victims and provide free identity-theft and credit monitoring.

Ponemon Research conducts annual studies on the cost of a data breach, which consistently hovers around $200 per record. But that number doesn’t include the hard-to-calculate costs like reputational repercussions, business distraction, class-action lawsuits, and regulatory fines.
Here’s a more complete breakdown of the kinds of costs associated with a data breach:

Investigation. A forensics team needs to determine how the system was compromised and what data was affected — and whether anything was deleted or deliberately altered. Then that team has to ensure that malware, if the culprit, isn’t still lurking somewhere in the system.

Remediation. This is the cost of putting in the controls or safeguards that should have already been put in place to avoid the breach.

Notification. The cost of this alone is daunting. In the health-care field, any breach involving more than 500 patient records requires immediate notification to the affected individuals, federal regulators, and the media.

Notification to individuals must be by first class mail unless the individual has agreed to electronic notice. At 49 cents per stamp, that’s a $40 million price tag for Anthem and that may not be all, since more than one mailing may be required as more information becomes available.

Identity-theft repair and credit monitoring. These costs can run anywhere between $8 and $12 per month per victim, and the term length can be either one or two years. While this attempt to reduce the probability of further unauthorized disclosure may provide some solace to the victims, it’s unlikely to prevent lawsuits.

Regulatory fines. Depending on the industry, fines and penalties can be quite steep. In the health-care field, for example, the minimum fine for a Health Insurance Portability and Accountability Act violation involving willful neglect is $1.5 million — and most data breaches involve multiple HIPAA violations. Even if the civil monetary penalty system isn’t invoked, HHS has secured settlements as high as $4.8 million.

Disruptions in normal business operations. Because many resources are diverted to clean up after a data breach, a company’s operational health can be adversely affected. Most organizations set up a call center to reduce the business distraction, and some will set up a website to keep victims informed, but the messaging needs to be developed, edited, and approved. And then there’s the communications and FAQs for employees, customers, the media, and stakeholders.

Lost business. Data breaches often cause customers to flee to a competitor and it’s difficult to calculate those costs. But here are some examples:

A Ponemon study determined that the industries with the highest churn rate were pharmaceuticals, communications, and health care (all at 6%), followed by financial services (5%).
A Symantec study documented industry “abnormal churn” rates following a breach, with the financial, communications, and health-care fields leading the pack with loss rates of 5.6%, 5.2%, and 4.2%, respectively.

The Sony brand didn’t lose its luster after this year’s highly publicized hack related to its film The Interview, but it completely lost the box office revenue from that movie, which could have totaled tens of millions.

Class-action lawsuits. What’s the probability of one? Three lawsuits were filed against Anthem less than 24 hours after the breach announcement. Target recently announced a $10 million proposal to settle a class-action lawsuit, offering up to $10,000 for any of the 110 million victims able to prove they were harmed by its breach.

The asking price in health-care data breach lawsuits has typically been in the $1,000 per victim range, but few have come to fruition due to the courts’ reluctance to confer standing on the potential of future harm — until now. In the Adobe Systems breach case, the U.S. District Court recently found that such potential future harm is sufficient to allow a putative class of plaintiffs to proceed in federal court. Stay tuned.

Here’s another thing that could cause CFOs to lose sleep: hackers only account for about six percent of health-care data breaches. The other 94% are caused by employee errors and transgressions: losing laptops containing unencrypted data, snooping into celebrity files, improperly disposing paper records, and so on. Those breaches don’t always have the magnitude of the Anthem hack, but they can still carry six-figure price tags.
The main takeaway here is that information risk management is much more than a technical or compliance issue.

There needs to be a company-wide culture of information security and a formal program to assess and manage risks. That’s why it’s important to conduct annual information risk analyses and use “maturity models” to see how your organization stacks up against industry benchmarks and best practices. Just by doing so, you can reduce the chances of a breach, save your company millions of dollars, and stay out of the headlines.

Another Day…Another Healthcare Breach


We all know about the Anthem Healthcare breach of millions of patient records. That’s been followed by an announcement by Premera Blue Cross that they’ve had 11 million records breached as well. Plus, I’m sure we’re just at the start of healthcare data breaches that are going to occur.

What’s astonishing to me is that many seem to be playing this up as a new thing. I remember about 15 years ago when I was in college and a guy I knew told stories about hacking through an entire hospital system. In fact, he casually made the comment, “You don’t want to hack the government cause they’ll come after you, but hospitals and universities you can easily hack and nothing will happen.”

This story illustrates two points. First, breaches of healthcare organizations have been happening for a long time. This isn’t something new. Second, we’re just now starting to put in place the technology that will detect breaches. That’s a good thing. In fact, in some ways we should applaud the fact that we actually know these breaches are happening now. I’m certain that many of these breaches happened before and we just never knew about it because you don’t have to report a breach you don’t know about.

Now that we know about these breaches, will that spur action? I think it will in some organizations. It certainly won’t be a bad thing for security and privacy. Unless we’ve become so callous to the breaches (like the title of this post suggests) that we stop caring about breaches because “they’re bound to happen.”

I hope that this post doesn’t encourage apathy on the part of healthcare organizations security and privacy. I assure you that no hospital wants to go through a breach of healthcare data. While impossible to guarantee it won’t happen, a sincere effort to create a culture of compliance in your hospital can go a long way to preventing many breaches.

As my college hacker friend told me many years ago, “You can never make something 100% secure, but you can make it hard enough for someone to hack that it’s not worth their time.” If it’s not worth their time, they’ll usually move on to someone easier.


Premera says data breach affects up to 11M people


Premera Blue Cross said Tuesday it was a victim of a cyberattack and the personal information of 11 million customers may have been exposed.

Premera, based in Mountlake Terrace, Wash., said it discovered the attack on Jan. 29 but the initial attack occurred on May 5.

The attackers may have gained access to customers' sensitive information, including names, dates of birth, Social Security numbers and bank account information. That information dates back as far as 2002.

Premera said that while the attackers may have gained access, there is no evidence thus far that any of the data has been used illegally.

"I'm very concerned about this and other data breaches that put Washingtonians at risk," Washington Attorney General Bob Ferguson said in a statement. "My team is looking into what happened, and we will do everything we can to protect consumers."

Premera said it will provide two years of free credit monitoring and identity theft protection services to those affected. A call center is also being set up. More information can be found at its website, www.premeraupdate.com

The company said it is working with the FBI and the cybersecurity firm Mandiant to investigate the attack and fix the problem.

The attack affects Premera Blue Cross, Premera Blue Cross Blue Shield of Alaska, and its affiliate brands Vivacity and Connexion Insurance Solutions Inc.

Companies ranging from retailers Target and Home Depot to Sony Pictures Entertainment have disclosed expensive and embarrassing data breaches recently.

In February, Anthem, the second-largest health insurer in the U.S., disclosed a breach that affected about 80 million customers. Cybersecurity experts say that attack was a sign that hackers are shifting their focus away from retailers and looking at targets in health care and other fields because their systems may be more easily breached.


Montana broadens data breach notification law


Montana has amended the state’s data breach notification law to both broaden the definition of “personal information” that triggers individual notice and to require notice to the state’s attorney general. The changes become effective on October 1, 2015.

Montana has joined several other states, including California and Florida, that include medical-related information in the definition of personal information. Montana’s statute specifies that the medical information that would trigger individual notice, in combination with an individual’s full name or first initial and last name, “(a) relates to an individual’s physical or mental condition, medical history, medical claims history, or medical treatment; and (b) is obtained from a medical professional or medical care institution, from the individual, or from the individual’s spouse, parent, or legal guardian.” The revised statute also includes the individual’s full name or first initial and last name in combination with a taxpayer identification number or identity protection PIN issued by the Internal Revenue Service.

In contrast to recent updates made in California and Florida, however, Montana does not include an email address or username in combination with password to an online account in its definition of personal information.

In addition, the amended law adds notification to Montana’s attorney general once individual notice is triggered. Notice to the attorney general is required “simultaneously” with individual notices, and must include the number of individuals in the state who received notification.


69,000 Oregonians Hit by Health Data Breaches


Over 69,000 Oregonians have been affected by health data security breaches since 2010, according to data maintained by the U.S. Department of Health and Human Services' Office for Civil Rights.  

Fifteen businesses, including Oregon Health and Science University, Portland Veteran Affairs Medical Center, and Lower Umpqua Hospital, each compromised private information for over 500 of their clients. However, some breaches affected as many as 17,000 people.


Health data breaches can lead to medical identity theft, a growing problem with serious consequences for victims, according to Bob Gregg, CEO of ID Experts, a company specializing in data breach prevention and response. 

“It’s not an overstatement to say medical identity theft could kill you,” said Gregg. “It’s the fastest growing identity crime in the country.”  

When records gathered by health organizations are breached, information on medical history and insurance is compromised. Gregg said this information is used to purchase medical supplies and services, or harvested by health providers who use it to bill Medicare or Medicaid for services never rendered.

However, Gregg said the consequences for medical identity theft victims are more serious than having to cancel a credit card. 

“If you got to the ER and you’re unconscious, you can’t talk to the doctors when they pull up your record and your drug allergies or even blood type has been changed,” Gregg said. 

In 2014, 2.3 million Americans were victim to some form of medical identity theft, a 23 percent increase from the previous year, according to a study by the Ponemon Institute.
The growth is driven by the monetary value of the data: medical information is 10 to 50 times more valuable than Social Security numbers, according to Gregg.

Protecting your information
If personal information is compromised in a data breach, it is important to act quickly. Paul Stephens is the Director of Policy and Advocacy at Privacy Rights Clearinghouse, a nonprofit consumer rights and privacy advocate.  

“If it involves your Social Security number, you need to look into a credit report freeze and Social Security freeze. If it’s medical information, you want to monitor the explanation of benefits from your insurance carrier,” Stephens said. 

Of the sixteen health data breaches in Oregon since 2010, 11 resulted from thefts of papers or laptops. Stephens said these cases are generally carelessness on the company or employer’s part. 
“They’ll lose a laptop and it won’t be encrypted,” Stephens said.  

The Government’s Role
Under the federal HITECH Act, health security breaches that affect 500 people or more must be reported to the Secretary of Health and Human Services. 

In Oregon, businesses are required to notify anyone whose information may have been compromised in a breach. However, they do not have to report it to any state regulators, such as the Oregon Attorney General. 
Last December, Oregon Attorney General Ellen Rosenblum urged the Oregon Senate and House Judiciary Committee to expand the state's data breach law and require breaches be reported to her office, giving her enforcement power.

“As technology changes, so must the legal infrastructure which protects that technology. Oregonians want—and should—know who is collecting their personal information and data, how it is being used and protected, as well as to whom it is being sold,”  Rosenblum said in her testimony.

Only fifteen states have laws that require data breaches be reported to state police. 

Gregg said he has been lobbying this year in Salem, urging legislators to require medical identity monitoring in the case of a breach, along with financial monitoring.  

“90 percent of the public has no clue what medical identity theft is,” Gregg said. “They have to start understanding the biggest risk for citizens of Oregon in breaches of this kind.”


Key Factors for the HIPAA Privacy Rule in Emergencies


The HIPAA Privacy Rule was designed to help keep protected health information (PHI) from becoming exposed or easily accessible to the public. But what happens in an emergency situation? When does the public’s safety trump the privacy of one individual?

That debate is currently underway in Texas, as a nurse who worked at Texas Health Presbyterian Hospital Dallas is now suing her former employer for allegedly violating her patient privacy, as well as not properly training her for emergency situations. Specifically, Nina Pham told the Dallas Morning News that the hospital “failed her” and her colleagues when a patient diagnosed with the Ebola virus was admitted back in Oct. 2014.

In terms of patient privacy violations, though, did the hospital actually do anything that went against HIPAA guidelines? While the impending court case will make the final decision, HealthITSecurity.com will break down the finer points of the HIPAA Privacy Rule, and discuss exactly what should happen in an emergency situation.

HIPAA privacy and patient consent

According to the HIPAA Privacy Rule, a covered entity is permitted – but not required – to use and disclose PHI without the patient’s consent in certain situations:

  • To the Individual (unless required for access or accounting of disclosures);
  • Treatment, Payment, and Health Care Operations;
  • Opportunity to Agree or Object;
  • Incident to an otherwise permitted use and disclosure;
  • Public Interest and Benefit Activities;
  • Limited Data Set for the purposes of research, public health or health care operations.

Moreover, there are instances where covered entities need to obtain written consent from individuals. This is for what are referred to as “authorized uses and disclosures.” For example, a covered entity must get written consent to disclose psychotherapy notes and for marketing purposes. This includes “any communication about a product or service that encourages recipients to purchase or use the product or service.”

“A covered entity must obtain an authorization to use or disclose protected health information for marketing, except for face-to-face marketing communications between a covered entity and an individual, and for a covered entity’s provision of promotional gifts of nominal value,” according to HHS.

Additionally, it must be revealed immediately if the marketing involves a covered entity’s receipt of direct or indirect remuneration from a third-party. Essentially, for certain disclosures of information, a healthcare provider or hospital needs to have a patient’s written consent to reveal their PHI. However, there are several instances where written consent is not required. This is where emergency situations fall into play.

Extra guidance from the OCR

When Ebola was making headlines in the US last fall, partly due to what was happening at the Texas hospital, the Office for Civil Rights (OCR) released its own guidelines. These were meant to further clarify the HIPAA Privacy Rule, and ensure that the public and covered entities understood exactly what was allowed and why it was allowed.

“The HIPAA Privacy Rule protects the privacy of patients’ health information (protected health information) but is balanced to ensure that appropriate uses and disclosures of the information still may be made when necessary to treat a patient, to protect the nation’s public health, and for other critical purposes,” according to the OCR.

Moreover, it is important for public health authorities and facilities responsible for ensuring public health and safety to have access to PHI that helps them fulfill their mission to keep the public safe. For example, the Centers for Disease Control (CDC) or state health departments could be given that information. Along similar lines, a foreign government agency that is working with a public health authority can be privy to certain information.

Finally, notification can also be given to individuals who are at risk of contracting or spreading a disease. This helps prevent dangerous diseases from spreading.

Even so, it is essential that the “minimum necessary” is kept, according to the OCR. Only the minimum amount of information necessary should be disclosed.

“For example, a covered entity may rely on representations from the CDC that the protected health information requested by the CDC about all patients exposed to or suspected or confirmed to have Ebola virus disease is the minimum necessary for the public health purpose. Internally, covered entities should continue to apply their role-based access policies to limit access to protected health information to only those workforce members who need it to carry out their duties.”

A key point to the HIPAA Privacy Rule discussed by the OCR is that a covered entity can share information about a patient “as necessary to identify, locate, and notify family members, guardians, or anyone else responsible for the patient’s care, of the patient’s location, general condition, or death.” This could even include the police, the press, and the general public.

That being said, the healthcare organization must still try to obtain verbal permission from the patient. If the individual is deemed to be incapacitated, then a covered entity can disclose certain information if it decides that doing so is in the best interest of the patient.

Finding the right balance

HIPAA is meant to protect sensitive data from being public knowledge. However, covered entities also need to prevent serious or imminent threats to the health and safety of the public. It is not going to be easy to strike that perfect balance between patient privacy and public safety. Having current and comprehensive administrative, physical, and technical safeguards is key, as is having staff members fully educated on HIPAA rules. It is unlikely that a data breach or patient privacy violation will never occur, but covered entities must remain diligent in prevention.


Data Breach Reporting Requirements for Medical Practices


By now, almost everyone who watches the news or reads any major newspaper has heard about the Anthem, Inc. data breach. Anthem, the nation's second-largest health insurer, is considered a covered entity under HIPAA and, in turn, must comply with the federal laws and regulations governing such entities.

On Feb. 4, the company announced that it was the target of a cyber attack that enabled hackers to penetrate its data system and access members' identifying factors and personal information including: names, dates of birth, employers, and social security numbers. In the aftermath of this announcement, class action lawsuits were filed around the country. This means that in accordance with Rule 23 of the Federal Rules of Civil Procedure, "one or more members of a class may sue or be sued as representative parties on behalf of all members" with certain conditions such as the number of claimants, commonality among questions of law and fact, as well as defenses.

The suit filed in the U.S. District Court for the Southern District of Indiana, Meadows v. Anthem, Inc., indicated that the data breach exposed the information of up to 80 million consumers. The suit alleges that people would not have obtained health insurance and relied on the representations of Anthem had they known that their data was at risk. Hence, numerous contractual issues were raised. In light of this occurrence, physicians should evaluate their own contracts, their HIPAA compliance, and what they are indicating in their attestations and assurances to patients and business partners.

The new Office of Civil Rights HIPAA breach protocol

With the upgrade to the HHS' Breach Portal, additional information is required there, too.

45 CFR §164.408 and the alterations to the Breach Portal may impact certain entities that are planning to submit their 2014 breach notification reports for incidents impacting fewer than 500 people within 60 days of the end of the calendar year, pursuant to 45 CFR §164.408(c). So, what do these new report requirements entail?

• Disclosure of a "breach end date" and "discovery end date" are required.

• The "Safeguards in Place Prior to the Breach" now utilizes general categories (i.e., none and privacy rule safeguards) instead of specifics (i.e., strong authentication and encrypted wireless).

• "Actions Taken in Response to Breach" are much more detailed and included "adopted encryption technologies, security rule risk analysis, and revised policies and procedures."

It is important to note that in the event of an investigation, any identified area may be delved into in greater detail. The March 2, 2015 deadline (60 days after the end of the calendar year) for reporting 2014 breaches is coming shortly. These changes are a signal that close attention should be given to HIPAA, the HITECH Act, and the related rules. It can save a lot of time, money and reputational costs.


Why Anthem Was Wrong Not to Encrypt


Being provocative isn’t always helpful. Such is the case with Fred Trotter’s recent headline ‒ Why Anthem Was Right Not To Encrypt.

His argument that encryption wasn’t to blame for the largest healthcare data breach in U.S. history is technically correct, but lost in that technical argument is the fact that healthcare organizations are notably lax in their overall security profile. I found this out firsthand last year when I logged onto the network of a 300+ bed hospital about 2,000 miles away from my home office in Phoenix. I used a Chrome browser and a single malicious IP address that was provided by Norse. I wrote about the details of that here ‒ Just How Secure Are IT Network In Healthcare? Spoiler alert: the answer to that question is not very.

I encourage everyone to read Fred’s article, of course, but the gist of his argument is that technically ‒ data encryption isn’t a simple choice and it has the potential to cause data processing delays. That can be a critical decision when the accessibility of patient records is urgently needed. It’s also a valid point to argue that the Anthem breach should not be blamed on data that was unencrypted, but the headline itself is misleading ‒ at best.

I don’t disagree with Fred’s narrow technical argument, but there is definitely a larger issue that he chose to ignore. That larger issue ‒ and one I’ve written about frequently ‒ is what industry experts call a “culture of security.” The sheer volume of data breaches suggests a serious lack of that culture specifically in healthcare.  The SANS Institute report last year highlights the dire state of cybersecurity in healthcare. New Cyberthreat report by SANS Institute Delivers Chilling Warning to Healthcare Industry

Less than 6 months prior to the time Anthem publicized their breach earlier this month, Community Health Systems (CHS) announced their breach of 4.5 million patient records. Some of the top security analysts have already begun to link the two (Anthem and CHS) ‒ right down to the lethal vulnerability that was discovered last April ‒ the Heartbleed bug. There’s even speculation that the actual breaches at both Anthem and CHS may have occurred in fairly close proximity to each other (after April of last year). Again, something I covered here: Are the Data Breaches at Anthem and CHS Linked?

That “culture of security” means that there’s a technical basis ‒ and logic ‒ to use the appropriate technology (both software and hardware in tandem) to ensure that adequate data (and network) security is in place. Note the use of that word ‒ adequate.

There will never be perfect security. The attack surface is increasing ‒ exponentially with IoT ‒ and the attackers have only to find one vulnerability once. Defenders, on the other hand, need to defend against all vulnerabilities ‒ all the time. That equation gives the attackers the upper hand, and the gap between attackers and defenders is widening.

In the end ‒ we’ll likely see at least 2 outcomes from these new mega breaches.

  1. If it’s determined ‒ in court ‒ that the breach was the result of the Heartbleed bug, both Anthem and CHS will have a much harder time defending against negligence ‒ which means the damage awards will be significant.
  2. Whatever the final cost of both breaches (and those yet to come), as always, they will be passed on to each of us as patients and healthcare consumers in the form of higher premiums.

This last one is simply an extension of many other perverse incentives that exist throughout our for-profit healthcare system. Why bother paying for an expensive barn door that locks when we can simply pass the cost of all the lost animals onto someone else? Sure, there will be hits to profits and earnings for a while, and some heads may actually roll (the CIO at Sony was summarily dismissed), but will these mega breaches (and others yet to happen) be enough to change the “culture of security” inside healthcare? Probably not ‒ and certainly not if strong technical voices like Fred’s continue to defend what amounts to a cavalier attitude toward security on the basis of a narrow argument ‒ even if that argument is technically correct.

Insider Threat: Mitigating the Risk

You've screened your candidate, hired them into the position, assigned them resources and granted them access... now what? Hope they don't rob you blind? Trust them completely? The real job has just begun; now you have to:

  • Translate risk levels into appropriate levels of scrutiny, the greater the access, the greater the need for review;
  • Implement an ethical and legal approach to people security and protective monitoring;

SpectorSoft will present a practical approach to mitigating employee risk from hires to fires. Attend this webinar if you answer 'No' to the following question: Do you believe that, once a position is filled, the company should simply trust that the person in the position will not exceed or misuse that access in a way that could harm the company?

Employees are an organization's greatest asset and greatest risk. With a single click an employee can devastate a business by transferring or damaging huge amounts of data. Finding the balance between trust and scrutiny/control represents a tremendous challenge, and a huge opportunity if executed correctly. Most organizations use intense pre-hire screening and background checks to ensure they are bringing in valuable talent that will benefit the organization without the propensity to do harm. Once the employee is hired, they are given the "keys to the castle" to do great things for their new employer... or they could cause great damage.

Cyber-Insurance: How Much Is Enough?

Mega-breaches, including the recent hacking attack on Anthem Inc., always result in an uptick of interest in cyber-insurance, but determining how much coverage to buy is an ongoing challenge, says data privacy attorney Marc Voses.

"Every single industry after an event like this sees an uptick in the interest in purchasing cyber-insurance," says Voses, a partner at law firm Kaufman Dolowich & Voluck, LLP. "Over the years since cyber-insurance has been made available, the limits [for dollar value of coverage] ... are increasing at an exponential rate."

After the Target data breach, "the retail industry went streaming into the brokers wanting to find out more about the products and shift more risk onto the insurance carriers in the event of a data breach," Voses says.

Organizations considering cyber-insurance need to ponder how much is enough to offset the potential costs involved not only with breach response expenses, such as notification, but also potential lawsuits and government fines, he says in an interview with Information Security Media Group.

In the aftermath of the Anthem incident, several class action lawsuits already have been filed, including a suit seeking $5 billion that was filed in California just one day after Anthem announced the breach, he notes.

For Home Depot, breach-related expenses are estimated at about $70 million so far, while the company reportedly had cyber-insurance coverage for $100 million, Voses says. In the Target breach, expenses are estimated at about $150 million, which apparently exceeds the company's cyber-insurance coverage, which was reportedly only $40 million, he notes.

In this interview, Voses also discusses:

  • Possible regulatory investigations and other government actions that might result from the Anthem breach;
  • What the HIPAA security rule says about the use of data encryption to prevent breaches;
  • The key privacy and other lessons that are emerging from the Anthem breach so far.

Voses is a partner at the New York City office of national law firm Kaufman Dolowich & Voluck, representing domestic and international insurers and reinsurers, and their insureds, in coverage and liability disputes. He is a litigator who has been called upon to address complex coverage and liability issues involving cyber, data and privacy exposures, management and professional liabilities, environmental liabilities and commercial general liability matters.

Anthem data breach extremely dangerous

The Anthem data breach is, in my opinion, the most significant and dangerous data breach ever to occur in US history. The reason is that the criminals have obtained the most sensitive information possible, and this information can be used to 1) obtain federal and state tax refunds, 2) open credit accounts, 3) apply for government-issued identity cards, and 4) apply for government benefits (health, unemployment, social security).

The other problem is that while most data breaches end up being inconveniences, forcing the victim to monitor and report fraudulent charges for a year or two, this breach will require each victim to monitor their credit file, tax refunds, and other government benefits keyed to their SSN for the rest of their lives.

The information is out there, and it is just a question of when — not if — the identities of NH residents will be stolen. The owner of LifeLock was foolish enough to publish his SSN to launch his service. He quickly found that hundreds of people stole his identity, obtained driver's licenses in his name, and opened credit accounts in his name. The owner of this credit protection company learned a hard lesson and quickly stopped publishing his SSN, but the damage was already done.

In this case, we have 80 million of these situations!

In the State of NH, I cannot freeze my credit file without paying a $10 fee to each credit reporting agency (there are 3 of them), and then another $10 every time I want to apply for credit. There is a provision in state law to allow free freezing of credit files, but this provision only applies to individuals who can document actual identity theft via a police report. I’m telling you that due to Anthem’s negligence, my identity has already been stolen and now I am just waiting to see which criminal will be the first to steal from me.

If the breach itself is not disheartening enough, even worse is that the Attorney General of NH, Joseph Foster, has not uttered a single word or published any information on the state website regarding the most significant breach of personal information in the history of the state. I would like to hear from the NH Attorney General’s office as to what is being done, and how the chief law enforcement officer in the state intends to protect the state’s residents from the criminals who stole their most sensitive personal data. In addition, I want to know what demands he will make of Anthem.

By recent reports, at least 22% of the state’s residents will be affected by this breach (probably more). I believe that the AG’s office should facilitate protective actions and advise NH residents what they should be doing rather than waiting to respond to problems after the fact. For example, in Indiana, where Anthem has its national headquarters, Attorney General Greg Zoeller has advised his state’s residents that monitoring their credit file is not enough — instead they should freeze their credit file — and in Indiana this can be done at no charge to residents.

In most other states (including California, Connecticut, Ohio, Florida, Indiana, Massachusetts, Arkansas, Illinois, Kentucky, Maine, Mississippi, Nebraska, Nevada, Pennsylvania, Rhode Island, and North Carolina), the State Attorneys General are taking an active public role in protecting state residents via dissemination of information and through requests to Anthem. Why haven’t NH residents seen even a single public statement from our state’s chief law enforcement official regarding this breach?

Anthem isn’t the only one who has been negligent in this matter.

Getting the balance right with privacy and e-health

Recent advances in data management and analysis, such as the introduction of Electronic Health Records (EHRs), have the potential to save lives – and on a huge scale. However, it is increasingly clear that such innovations will only be realised if we can overcome a significant hurdle: the public’s concern that private medical data could fall into the wrong hands. To do that, we must convince people to play a more active role in establishing which information they want to keep private and which they are willing to share.

EHRs and the transformation of patient outcomes

Before we look at privacy, it is worth discussing just how transformative EHRs promise to be for the prevention and treatment of illnesses.

EHRs are much more than just a digital version of the paper-based health records of the past. In fact, EHRs embody a totally new approach to healthcare in which the wider ecosystem expands the centre of gravity beyond hospital borders. In this ecosystem, care becomes more distributed, with the burden shared by an extended family of health providers – GPs; physiotherapists; pharmacists; home-carers; family members; private health clinics; gyms; etc.

The patient is at the centre of a network bound together by his or her data, which in turn is shared and managed across all members of the healthcare web through the EHR. The EHR therefore is the main source of a comprehensive view of patient information.

The advantages of this approach are compelling: primary care givers are provided with an unprecedented view of the patient, allowing them to come to more accurate decisions in shorter timeframes and improving patient outcomes.

The empowered patient

Importantly, however, the same data innovations that are driving connected healthcare are also empowering patients to play a much more direct role in managing their own health. This is due in great part to the proliferation of wireless health devices and apps as well as social media platforms.

In the IDC/EMC Whitepaper ‘Taking-On the Chronic Disease Burden in the Hyper-Connected Patient Era’ the analysts Massimiliano Claps and Nino Giguashvili discuss how through smartphones and tablets, patients can monitor their daily activities, such as exercise and diet, and share results with their healthcare network. They can also, if they choose to, share their results through social networks, using gamification to drive health benefits.

It is not just through smartphones that such data can be shared; today a wide range of wearable devices such as smart watches, wristbands and even clothing can track wearers’ physical activity, calorie intake and other vital statistics. These data sources can be used by the wearer to manage their lifestyle, helping to prevent illness. Through EHRs moreover, this data can be shared with the user’s healthcare web, enabling their healthcare providers to deliver the best possible treatments over the course of the patient’s life.

As IDC puts it: 'The vast amount, wide variety, and velocity of data that is pushed to and pulled from the hyper-connected patient ecosystem represents an unprecedented opportunity to generate insights that can enhance the appropriateness of prevention and care.'

This is, of course, only if the patient is willing to share such information.

Privacy – a stumbling block to integrated healthcare?

EMC’s recent Privacy Index revealed that when it comes to privacy in the healthcare sector people have some major worries. In fact, a full 72% of people around the world are concerned about the future of the privacy of their medical data. While this figure is less than for other sectors – such as finance or retail – it is still intolerably high.

People do not, it appears, trust healthcare organisations with their data. This is largely understandable. People have a natural anxiety about organisations collecting too much data about them – it has a whiff of ‘big brother’ about it. With a news agenda that is full of stories of privacy breaches, data loss and the misuse of data by businesses it is understandable why people may wish to keep their medical data private.

The digital world is still very new and it is evolving rapidly. The evolution of what we can do with data is moving so fast that many people have been caught unprepared. Fundamentally, allowing a select group of medical professionals to access data in order to help you is a very different proposition to businesses or governments accessing/using your data without your consent. Unfortunately at present the two things are often conflated.

As we grow used to our digital world however we will soon begin to understand that we can both ensure privacy while also enjoying the full benefits that a free flow of information promises. Technologies already exist to make digital records more secure than paper – it is now our behaviours that need to change.

Taking control of digital privacy

The change will come when people take more control of their online selves and take more steps to protect their own privacy.

People are already able to protect their privacy on social media sites through privacy settings, although far too few currently choose to do so. This needs to change.

When it comes to EHRs, privacy settings can easily be enabled. Patients need to select exactly who can access what portions of their health record. To that extent they will make decisions on how much of their privacy they are willing to trade off in order to receive better treatment. They will in short be empowered to use their own data as a discretionary tool.

This has implications beyond the health sector too. For example, if I am a fitness fanatic who exercises every day and only eats the healthiest of foods, I will be able to input this information into my EHR via my smart devices. Then, if I so choose, I could allow my life insurance company access to this data in order to help lower the premiums I pay each month. The key here is that it would be my choice to do so. I would have made a conscious and positive choice to trade a small portion of privacy for a clear benefit.

The future is in our hands

The promise of EHRs is not illusory. Already today innovative projects are improving the lives of people worldwide. Take Finland where its ePrescription service allows doctors to dispense with paper prescriptions and instead communicate electronically with pharmacies. Crucially, Finland has also implemented consent management and patients are therefore able to filter exactly what information is viewed by whom.

Implementations such as these will gather in pace and as they do so patients will better understand why the controlled sharing of private information benefits them – as long as the control rests firmly with them.

Secure EHRs really do have the power to transform healthcare, but it is important patients are aware and ready to make decisions about who has access to their data. Part of these decisions will be made on how secure the systems are that hold their data. Part will be based on what benefit they can receive from allowing access to this data. Through this process patients will be empowered to take greater ownership of their data and given the chance to improve their wellbeing through a more efficient approach to healthcare. While a new concept, we would argue that this is something patients should embrace rather than be concerned about.

It’s Time to Rethink Security

I had a conversation with the CEO of a very progressive hospital recently, and as I sat in my home office afterwards reflecting on that discussion, and on the rest of that week’s events, which included near-miss security incidents at two other hospitals we work with, it occurred to me that we are addressing cyber security all wrong. And because we are coming at it all wrong, we are rewarding and punishing the wrong behaviors.

If we accept the fact that breaches are inevitable—which I believe we should due to the complexity of the environment today, the nature of the threat, the hyper-connected ecosystem we operate in, the sheer volume of transactions occurring, and the value placed on personal health information—then we should be focusing more attention on detection, both proactive and reactive, and our ability to respond. We should be rewarding CISOs who actively hunt for weaknesses in the operations, processes, controls, etc. at the organizations they support and who bring those risks to management’s attention early and work to remediate them. We should see boards and executive managers asking questions and expecting to be briefed on potential issues that could impact patient care or safety. We should see risk management programs that recognize information systems security incidents as a critical business risk that can affect hospital operations. We should see general counsels and compliance officers who view this as an important business issue that deserves independent audit just as finances and tax matters do. Information technology incidents should receive their own code (color/name) and be a part of the organization’s incident response process. The bottom line is: it’s high time that we start treating information security as what it is -- a critical business issue.

We need to attack our culture and change it. We need to provide our workforce with the knowledge and awareness that will protect our patients, information systems and data, and just as importantly the workforce themselves. All over the country we are seeing healthcare systems beginning to perform social engineering and phishing exercises and failing miserably. The positive side of this is that they are doing it and raising their organizations’ awareness, but the negative side is that we are simply not changing fast enough. Challenging someone you don’t know or don’t recognize should not be a stressful decision. It should be a customer service issue. Challenge them to identify themselves and their purpose for being there. If they are in the wrong area, help them to get to the right area and turn them over to another coworker. Explain that privacy and security are important at the institution and aid them in getting the assistance they need. It’s an opportunity to be helpful and at the same time reinforce an important cultural ethic of patient privacy and safety. We need to talk about and celebrate the things that go right, such as the incidents that are averted, or the ones that are detected and stopped before serious harm or compromise occurs. We should acknowledge the number of workforce members who identified a phishing email, not just the ones who clicked on and opened it.

As Jerry Maguire said, it's a cynical world out there, but we don’t have to, and shouldn’t, give in to that perception. Yes, incidents are inevitable, but compromise is not. Throwing in the towel and giving up is just not an option. The Ponemon Institute just recently published its 5th Annual Medical Identity Theft Study. It’s an easy read, and every healthcare executive should read it. It has some pretty illuminating things to say about what the consumer feels and expects, and it’s important to remember that consumers are your patients. Their confidence level that healthcare organizations can effectively protect their information is very low, but their expectation that we should be protecting their information is very high. That said, we should be assessing more often, testing our environment on a regular basis, running exercises and tabletops to increase readiness, providing more useful and relevant training for the workforce, as well as regularly reporting to committees, executive leadership and the board. The board should be requiring independent third-party assessment and audit of controls. In short, we should be investing in the business and our patients, in order to achieve our mission of providing quality care.

When HIPAA Applies to Patient Assistance Programs (and When It Doesn’t)

Patient Assistance Programs (PAPs) have proliferated in recent years, despite the fact that many commonly prescribed medications have lost patent protection and the Affordable Care Act (ACA) has attempted to eliminate pre-existing condition discrimination by insurance companies. Still, drug costs remain unaffordable to many patients, particularly those with high-cost, chronic conditions, even when patients have insurance coverage. An article published recently in the New England Journal of Medicine suggests that although the ACA increased insurance coverage for an estimated 10 million previously uninsured individuals in 2014, some insurers are structuring drug formularies in a manner that discriminates against (and discourages enrollment of) patients suffering from particular high-cost conditions.

Regardless of the cause, the need for and utilization of PAPs raises interesting questions related to privacy and security of protected health information (PHI). I had the opportunity to co-present a workshop session on HIPAA at CBI’s 16th Annual Patient Assistance and Access Programs Conference in Baltimore, MD this week with Paula Stannard, Esq. of Alston & Bird. The conference was well attended, and Paula and I were asked a number of questions during and after our workshop that showed interest in HIPAA compliance by PAP entities, as well as confusion regarding it.

Paula and I crafted a scenario in which a PAP’s data system is hacked, and the hacker gains access to individually identifiable health information stored on the system. Both Patient A and Patient B have insurance, but suffer from a condition requiring a medication not on their carriers’ formularies. Patient A put his own information into the PAP system after learning about the PAP from a TV ad. Patient B let his physician put her information into the PAP system, after the physician explained that the hospital at which the physician works has an arrangement with the PAP whereby the PAP will help with getting insurance coverage.

We asked the audience whether the hacker’s access to Patient A’s and Patient B’s information in the PAP was a HIPAA breach. A follow-up to this blog will discuss the factors relevant to deciding when HIPAA applies to PAPs (and the individually identifiable information they maintain) and when it doesn’t.

Seven Tips for Avoiding HIPAA Penalties in 2015

HIPAA violations may result in penalties of $100 to $50,000 per violation, depending on the conduct at issue. If the violation results from “willful neglect,” the party is subject to mandatory fines of $10,000 to $50,000 per violation.

A single data breach may result in numerous violations. For example, the loss of a laptop containing PHI of 2,000 patients may constitute 2,000 violations. Additional penalties may be assessed if the breach resulted from failure to implement required policies or practices. To make matters worse, covered entities must self-report breaches of unsecured protected health information (PHI) to the affected individuals and to HHS.

The good news is that a covered entity may avoid HIPAA penalties if it does not act with “willful neglect” and corrects the violation within 30 days.

Here are seven tips for avoiding “willful neglect” penalties, especially those arising from breaches of electronic PHI:

1. Conduct or update your security risk assessment required by the security rules. This is a first step in identifying and preventing potential security breaches. In 2014, HHS made available a risk assessment tool to help providers conduct and document their own risk analysis.

2. Implement the administrative, technical, and physical safeguards required by the HIPAA security rule. Most physician practices have policies required by the privacy rule, but comparatively few have properly addressed the safeguards required by the security rule. Implementing the required safeguards is necessary not only for regulatory compliance; it is also simply a good business practice given the potentially disastrous consequences of system failures or cybercrimes. Again, the government’s HealthIT website, HealthIT.gov, contains helpful tools and guides that practices may use to achieve compliance.

3. Execute business associate agreements (BAAs) with business associates. A good BAA is not only required by HIPAA; it will also help insulate the practice from HIPAA liability if its business associate violates HIPAA. Ensure the BAA confirms that the business associate is acting as an independent contractor, not an agent of the practice.

4. Train your employees and monitor their performance. According to HHS commentary, covered entities may avoid HIPAA penalties based on the misconduct of a rogue employee so long as the covered entity implemented appropriate policies and adequately trained the employee. Unfortunately, there is no similar guarantee that policies and training will protect a provider from liability for state privacy claims: an Indiana jury recently returned a $1.44 million verdict against Walgreens based on an employed pharmacist’s privacy violations despite Walgreens’ policies and training. Thus, physician groups need to ensure their training is effective.

5. Respond immediately to any suspected breach. This is critical for several reasons. First, HIPAA requires covered entities and business associates to investigate privacy complaints, mitigate any breach, and impose appropriate sanctions against any agent who violates HIPAA. Second, an entity may be able to prevent the data from being compromised by taking swift action, thereby avoiding the obligation to self-report HIPAA violations. Third, a covered entity or business associate may avoid HIPAA penalties altogether if it does not act with willful neglect and corrects the violation within 30 days. Corrective action may include modifying policies, implementing additional safeguards, disciplining employees, and providing additional training.

6. Report breaches in a timely manner. While the initial action resulting in the breach may not have been willful, the failure to report a reportable breach on time as required by the rules may constitute willful neglect. Under HIPAA, the unauthorized access, use, or disclosure of unsecured PHI is presumed to be reportable to the individual and HHS unless the covered entity can demonstrate there is a low probability that the data has been compromised, based on factors such as the type of PHI disclosed; the recipient of the PHI; whether the PHI was actually accessed or disclosed; and steps taken to mitigate any breach.

7. Document your actions. Documenting proper actions will help providers defend against HIPAA claims. Covered entities and business associates are required to maintain documentation required by HIPAA for six years.

Although there is no guarantee that these steps will protect against breaches, they will help physician groups mitigate resulting liability under the HIPAA rules.

Lessons Learned from the Anthem Cyber-Attack and Corresponding “HIPAA Actions”

Anthem Inc. (“Anthem”), the nation's second-largest health insurer, disclosed on Wednesday, February 4, 2015, that it was the victim of a major cyber-attack. According to Anthem, the attack exposed personal information of approximately 80 million individuals, including member names, member health ID and Social Security numbers, dates of birth, addresses, telephone numbers, email addresses and employment information. As of the date of this publication, it has not yet been determined whether the hackers obtained access to health information.

The day after Anthem’s announcement, the first of several class action lawsuits against Anthem for the data breach was filed. Approximately 40 additional cases have since been filed against Anthem. The class actions allege harm due to the disclosure and compromise of the plaintiffs’ personal, health and financial information resulting from the Anthem data breach and Anthem’s purported failure to provide timely and accurate notice. Moreover, the class actions claim that Anthem did not encrypt the data that was stolen. Amongst other causes of action, the lawsuits have alleged claims for negligence, negligence per se, breach of implied contract, and violations of various state laws.

These lawsuits demonstrate that the healthcare industry should be concerned about the privacy and security of the personal, health and financial information in their possession for reasons beyond just the Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. § 1320d, et seq. (“HIPAA”). HIPAA does not provide for a private right of action. However, as explained in more detail below, several states have recently allowed plaintiffs to sidestep HIPAA’s prohibition of a private right of action. Courts have allowed plaintiffs to use HIPAA to set the standard of care in state law claims, including negligence, invasion of privacy and state privacy claims.

State’s Highest Court Permits Claims Premised On HIPAA’s Standard of Care

Several state courts have recently permitted private claims related to HIPAA to go forward under state law. Notably, the Connecticut Supreme Court recently held that HIPAA does not preempt common-law claims for negligence and negligent infliction of emotional distress against a health care provider. In Byrne v. Avery Ctr. for Obstetrics & Gynecology, P.C., 314 Conn. 433, 102 A.3d 32 (Conn. 2014), the court found that HIPAA may be considered in determining the standard of care governing the handling of medical records in connection with negligence claims under state law. Other courts have allowed similar claims. See, e.g., R. K. v. St. Mary’s Med. Ctr., Inc., 229 W. Va. 712, 718–21 (W. Va. 2012) (using HIPAA as standard of care for breach of medical confidentiality); Acosta v. Byrum, 180 N.C. App. 562, 568 (N.C. Ct. App. 2006) (acknowledging HIPAA as setting the standard of care); I.S. v. Washington Univ., 2011 U.S. Dist. LEXIS 66043, at *16 (E.D. Mo. June 14, 2011) (recognizing claim for negligence per se despite HIPAA). However, Byrne is the first such decision by a state’s highest court.

In Byrne, the defendant medical practice produced the plaintiff’s medical records pursuant to a subpoena in the context of a paternity suit. The practice did not notify the plaintiff of the disclosure despite her directions not to release the records. Byrne, 314 Conn. at 437. The plaintiff then filed a lawsuit alleging that the defendant medical practice: (1) breached its contract with the plaintiff by violating its privacy policy and disclosing her protected health information (“PHI”) without authorization; (2) negligently failed to use proper and reasonable care in protecting her medical file; (3) negligently misrepresented that the privacy of her health information would be protected in accordance with law; and (4) engaged in conduct constituting negligent infliction of emotional distress. Id. at 438.

The Connecticut Supreme Court reversed the trial court’s dismissal of the plaintiff’s tort claims, finding that state laws relating to the privacy of PHI that are more stringent than HIPAA are exempt from HIPAA preemption. State laws are preempted only if they are contrary to HIPAA, either by making it impossible to comply with both state and federal requirements or by posing an obstacle to compliance with HIPAA. Moreover, the court pointed to the regulatory intent behind HIPAA, which expressly provides that state laws allowing individuals to file civil actions to protect privacy do not conflict with HIPAA’s penalty provisions. Id. at 454. The Byrne court concluded that HIPAA and its implementing regulations can be used to inform the standard of care applicable to state law claims arising from allegations of negligence in the disclosure of a patient’s medical records.

Ultimately, the Connecticut Supreme Court sent the case back to the trial court for further proceedings. The trial court still has to determine whether the defendant medical practice’s disclosure of the patient’s medical records was negligent, constituted negligent infliction of emotional distress, involved negligent misrepresentation of the records’ privacy protections, or was a breach of contract with the patient due to violations of privacy policies. Based on the Supreme Court’s decision, the trial court can now use HIPAA as the standard to decide these causes of action.

Court’s Failure to Consider the Distinction Between “Required” and “Addressable” Safeguards

The Byrne decision was significant as the first by a state’s highest court to hold that Covered Entities and Business Associates could be liable under common law for failing to comply with HIPAA. However, the Byrne decision is also concerning because it fails to distinguish between HIPAA’s “required” and “addressable” safeguards. As explained by the U.S. Department of Health & Human Services’ Office for Civil Rights (“OCR”), some safeguard implementation specifications are “required” and others are “addressable.”

Required implementation specifications must be implemented. http://www.hhs.gov/ocr/privacy/hipaa/faq/securityrule/2020.html (last visited February 15, 2015). “Addressable” implementation specifications, by contrast, must be implemented if doing so is a reasonable and appropriate security measure within the entity’s particular security framework. Accordingly, addressable safeguards give companies some flexibility in meeting the security standards. The decision will be based on a number of factors such as, “the entity's risk analysis, risk mitigation strategy, what security measures are already in place, and the cost of implementation.” Id.

Given that the Byrne court did not address this distinction, it is unclear whether a company that does not implement an addressable safeguard under HIPAA, such as encryption, would fall below the standard of care for state law claims. As mentioned above, the actions against Anthem assert that Anthem failed to implement appropriate encryption measures to secure its data. Whether that failure meets or falls below the standard of care may determine whether Anthem is found liable on any of the state law claims.

Due to the ambiguity in the Byrne decision, companies should consider their exposure and risks in connection with implementing both “required” and “addressable” safeguards.

First Case With Substantial Damages Premised On HIPAA’s Standard of Care

In another major case that broadened the exposure of Covered Entities and Business Associates, on November 14, 2014, the Court of Appeals of Indiana affirmed a $1.44 million judgment against Walgreen Company (“Walgreen”) based on a HIPAA violation. Walgreen Co. v. Hinchy, 21 N.E.3d 99, 2014 Ind. App. LEXIS 560 (Ind. Ct. App. Nov. 14, 2014). Equally notable is that the court held that the employer is subject to vicarious liability for state negligence claims stemming from a HIPAA violation committed by an employee.

In Walgreen, defendant Withers, a pharmacist at Walgreen, learned that her husband had been having an affair with the plaintiff, which had resulted in the birth of a child. Withers accessed the plaintiff’s patient information through Walgreen’s computer system, reviewed her prescription history for personal reasons and disclosed it to her husband. Upon learning of the incident, Walgreen gave Withers a written warning and required her to retake a computer-based HIPAA training program. The plaintiff was dissatisfied and sued Withers for negligence/professional malpractice, invasion of privacy/public disclosure of private facts, and invasion of privacy/intrusion. She also filed claims against Walgreen to hold it responsible for the actions of its employee, as well as direct claims for negligent training, negligent supervision, negligent retention, and negligence/professional malpractice. Essentially, the plaintiff claimed that Withers’ and Walgreen’s actions fell below the standard of care set by HIPAA. The jury found for the plaintiff and awarded her $1.44 million in damages, which notably included damages for emotional distress.

As demonstrated above and through the Anthem class actions, Covered Entities and Business Associates are not only at risk from OCR enforcement but must also be wary of state claims premised upon HIPAA regulations. The Byrne and Walgreen decisions allowed plaintiffs to use HIPAA to help determine the standard of care with respect to the duty to maintain confidentiality. Covered Entities and Business Associates should revisit their policies and procedures to ensure compliance with HIPAA’s privacy and security standards. Importantly, Walgreen was also found vicariously liable for its employee’s actions because the records were accessed within the scope of her employment. Accordingly, it is vital for Covered Entities, Business Associates and subcontractors to evaluate their privacy and security policies and programs to ensure compliance with HIPAA.

The lawsuits arising from the Anthem cyber-attack serve as a reminder to healthcare companies to be diligent about protecting against security and privacy risks. In particular, security compliance requires reassessment on a regular basis. Many healthcare companies have not reexamined their security practices and are ripe for such an attack and a potential breach. To prevent such injuries, it is imperative not only to establish but also to reevaluate a security infrastructure that will meet cybersecurity requirements (including HIPAA security and privacy).

Two More Health Insurers Report Data Breach

Today, medical insurance providers LifeWise and Premera Blue Cross each reported, separately, that they had been the target of sophisticated cyberattacks that began on May 5, 2014. Premera will be notifying approximately 11 million affected customers; LifeWise 250,000. Neither organization has evidence that any customer data has been used fraudulently, and neither has yet confirmed that any patient data has indeed been compromised.

They say attackers "may have gained unauthorized access to" members' information, including name, date of birth, Social Security number, mailing address, email address, telephone number, member identification number, bank account information, and claims information, including clinical information.

Individuals who do not have medical insurance through these companies, but do other business with them, might have had their email addresses, banking data, or Social Security numbers exposed.  

These attacks, when combined with the Anthem Healthcare breach reported last month and the Community Health Systems breach in the summer, clearly indicate that health insurance providers have become a popular new target -- and Chinese cyberespionage groups are being implicated.

Anthem first detected suspicious activity Jan. 27 and confirmed on Jan. 29 that an attack had occurred over the course of several weeks in December 2014.

LifeWise and Premera also say they discovered their breaches Jan. 29 -- possibly as a result of Anthem sharing information about their own intrusion with HITRUST's Cyber Threat Intelligence and Incident Coordination Center. However, after investigations by Mandiant -- the same organization conducting the investigation at Anthem -- both Premera and LifeWise report that their first intrusions occurred several months earlier, in May.

Both Premera and LifeWise are providing two years of free credit monitoring and identity theft protection to affected individuals. More information is available at premeraupdate.com and lifewiseupdate.com.

St. Mary's: Patient information compromised in Email hack

Around 4,400 people were recently sent letters by St. Mary’s Medical Center informing them of a cyber attack on several hospital employees’ email accounts that happened in January, according to Randy Capehart, St. Mary’s spokesperson.

Hackers gained access to health information contained in the emails, according to Capehart. Patient information was compromised, including name, date of birth, gender, date of service, insurance information, health information and, in some cases, Social Security numbers. Capehart said St. Mary’s immediately shut down the email accounts.

“It’s not clear if their information was shared because the shutdown was so quick,” Capehart said.

Capehart said the hospital had to figure out if there was a breach and investigate the incident before they alerted the public. Officials are not clear who is responsible for the attack. A forensic investigation is underway, according to Capehart.

St. Mary’s said no patients have reported identity theft.

According to a news release from St. Mary’s, “sophisticated” hackers gained access “through a fraudulent Email communication.”

Anthem Refuses Full IT Security Audit

A federal watchdog agency says Anthem Inc. has refused to allow it to conduct vulnerability scans of the health insurer's systems in the wake of its recent massive data breach affecting 78.8 million individuals. Anthem also refused to allow scans by the same agency in 2013.

The Office of Personnel Management's Office of Inspector General, in a statement provided to Information Security Media Group, says Anthem has refused to allow the agency to perform "standard vulnerability scans and configuration compliance tests" this summer, as requested by the OIG. The health insurer also refused to allow the OIG to conduct those vulnerability tests in 2013 as part of an IT security audit that was performed by the agency on its systems.

"What we had attempted to schedule for the summer of 2015 was a sort of 'partial audit' - what we call a 'limited scope audit' - that would have consisted only of the work we were prevented from conducting in 2013," an OIG spokeswoman explains. "So this is the second time that Anthem has refused to permit us to perform our standard vulnerability scans and configuration compliance tests."

OPM's OIG performs a variety of audits on health insurers that provide health plans to federal employees under the Federal Employee Health Benefits Program, or FEHBP. Under the standard FEHBP contract that OPM has with insurers, however, insurers are not mandated to cooperate with security audits, the OIG spokeswoman tells ISMG. Sometimes, however, amendments are made to insurers' federal contracts to specifically require the full audits, she says. In fact, the OIG is now seeking such an amendment to Anthem's FEHBP contract, she adds.

The OIG says in a statement that after the recent breach was announced by Anthem, "we attempted to schedule a new IT audit of Anthem for this summer. Anthem recently informed us that, once again, it will not permit our auditors to perform our standard vulnerability scans and configuration compliance tests. Again, the reason cited is 'corporate policy.'"

In its statement, the OIG also notes: "We have conducted vulnerability scans and configuration compliance tests at numerous health insurance carriers without incident. We do not know why Anthem refuses to cooperate with the OIG."

Anthem did not respond to ISMG's request for comment.

2013 Audit

In January 2013, when the OIG initiated an IT security audit, Anthem imposed restrictions that prevented auditors from adequately testing whether it appropriately secured its computer information systems, according to the agency's statement.

"One of our standard IT audit steps is to perform automated vulnerability scans and configuration compliance audits on a small sample of an organization's computer servers. These scans are designed to identify security vulnerabilities and misconfigurations that could be exploited in a malicious cyber-attack," the OIG says.

The agency says its objective in conducting scans "is not to identify every vulnerability that exists in a technical environment, but rather to form an opinion on the organization's overall process to securely configure its computers."

When the OIG requested to perform this test at Anthem in 2013, "we were informed that a corporate policy prohibited external entities from connecting to the Anthem network," the agency said.

"In an effort to meet our audit objective, we attempted to obtain additional information about Anthem's own internal practices for performing this type of work," the OIG says regarding the 2013 audit. "However, Anthem provided us with conflicting statements about its procedures, and ultimately was unable to provide satisfactory evidence that it has ever had a program in place to routinely monitor the configuration of its servers."

Earlier Findings

Although Anthem refused to allow OIG auditors to conduct the vulnerability testing, the insurer did allow the watchdog agency to conduct an information systems general and application control audit in 2013.

Among the findings of that more general 2013 audit, OIG found that Anthem, formerly known as WellPoint, "has established a series of IT policies and procedures to create an awareness of IT security at the plan. We also verified that WellPoint has adequate human resources policies related to the security aspects of hiring, training, transferring, and terminating employees," according to the OIG audit report released in September 2013.

That more limited audit report also said in summary: "Nothing came to our attention to indicate that WellPoint does not have an adequate security management program."

However, the OIG says in its March 4 statement, "As a result of the scope limitation on our audit work and Anthem's inability to provide additional supporting documentation, our final audit report stated that we were unable to independently attest that Anthem's computer servers maintain a secure configuration."

After the 2013 partial audit, the OIG says it contacted OPM management about its concerns regarding auditors' limited access to Anthem systems. "After discussions with our office, OPM amended the FEHBP contract to allow a certain degree of auditor access. Since that time, this provision has proven to be insufficient, and we are currently working with OPM to further amend the contract."

Anthem Breach Tally: 78.8 Million Affected

Anthem Inc. now confirms that the health insurer's recent data breach compromised a corporate database containing personal information on 78.8 million individuals. Earlier reports about the breach, which was revealed Feb. 4, estimated the total at 80 million.

Those affected include 60 million to 70 million of Anthem's current and former members, a spokesperson for Anthem confirmed in a statement provided to Information Security Media Group. The remainder include members of other Blue Cross and Blue Shield plans who used their insurance in a state where Anthem operates during the past 10 years, the insurer says.

Anthem, the nation's second-largest health insurer, estimates that tens of millions of individuals' records were actually stolen, and not just viewed, by the hackers, Reuters reports. In its statement provided to ISMG, Anthem notes that it's continuing to analyze how many members' information was stolen by the hackers. But the company says it anticipates the number affected by theft of data "to be less than the total number of consumers whose data could have been viewed."

The Hill reports that Robert Anderson, who leads the FBI's criminal, cyber, response and services branch, told reporters during a roundtable on Feb. 24 that the bureau is "close" to identifying the hackers responsible for the Anthem breach. But Anderson added that the FBI would not release the identity of the hackers until the bureau is "absolutely sure."

The records for approximately 14 million people in the database are incomplete, which has prevented the health insurer from identifying where the customers had enrolled, according to Anthem's statement. "It is important to note that there is a very low likelihood that these incomplete member records tie to current, active Anthem members," the company says.

The insurer says that information exposed in the breach did not include "credit card information, banking information or confidential health information." But the hack did expose names, dates of birth, Social Security numbers, member health ID numbers, home addresses, phone numbers, e-mail addresses and employment information, including income data, Anthem says.

On Feb. 24, attorneys general in several states issued statements confirming the number of impacted residents. For example, Connecticut Attorney General George Jepsen says the Anthem breach impacted more than 1.7 million residents. And the Minnesota Department of Commerce says the cyber-attack compromised data on more than 30,000 Minnesotans.

Should HIPAA Encryption Be Legislated?

A federal law from the 1990s says insurers aren’t required to encrypt consumer data. This law is now under review after the Anthem breach in which 80 million customers were left vulnerable.

According to Fierce Health IT, the Senate Health, Education, Labor and Pensions Committee will be overseeing the matter as a bipartisan review of health information security. “We will consider whether there are ways to strengthen current protections,” said the spokesman for Chairman Lamar Alexander, R-TN.

“We need a whole new look at HIPAA,” said David Kibbe, CEO of DirectTrust, a nonprofit working to create a national framework for secure electronic exchange of personal health information. “Any identifying information relevant to a patient ... should be encrypted,” he told the AP.

Encryption has been controversial, according to the AP article, because it adds costs and makes daily operations cumbersome. It is not foolproof protection either: if someone has the decryption key or steals it, they can access the information anyway.

Even Anthem spokeswoman Kristin Binns said encryption would not have prevented the highly publicized recent attack, because the hackers gained access with a system administrator's ID and password. “These attackers gained unauthorized access to Anthem’s system and had access to names, birthdates, medical IDs/social security numbers, street addresses, email addresses, and employment information, including income data. Based on what we know now, there is no evidence that credit card or medical information were targeted or compromised,” said Anthem President and CEO Joseph R. Swedish in a statement. Anthem does encrypt information that is exported.

“In today's environment, we should expect all health care providers to encrypt their data from end to end,” says Indiana University law professor Nicolas Terry who specializes in health information technology. “HHS should amend the security rule to make encryption mandatory,” he said.
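The caveat raised above, that encryption at rest does not help once an attacker holds a valid administrator or application credential, is easy to see in code. The following Go program is an added example for this page; it is not code from the article, from Anthem or from any of the people quoted, and the key service, the credential name svc-claims-app, the member ID M1001 and the sample SSN are all constructed for illustration. It encrypts one field with AES-GCM under a key held outside the database, then shows what a stolen copy of the table yields (nothing readable), what a caller without an authorised credential gets (an error), and what a caller presenting a valid credential gets (the plaintext), whether or not that credential was stolen.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyService stands in for a key-management component kept apart from the
// database; it will only decrypt for callers presenting an authorised credential.
type KeyService struct {
	key     []byte
	allowed map[string]bool
}

// NewKeyService generates a random 256-bit AES key and records which
// credentials (hypothetical names, e.g. an application service account) may use it.
func NewKeyService(allowed ...string) (*KeyService, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	ks := &KeyService{key: key, allowed: map[string]bool{}}
	for _, a := range allowed {
		ks.allowed[a] = true
	}
	return ks, nil
}

func (ks *KeyService) aead() (cipher.AEAD, error) {
	block, err := aes.NewCipher(ks.key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one field with AES-GCM. The member ID is bound in as associated
// data, so a ciphertext copied into another member's row will not decrypt.
func (ks *KeyService) Seal(memberID string, plaintext []byte) ([]byte, error) {
	g, err := ks.aead()
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, g.Seal(nil, nonce, plaintext, []byte(memberID))...), nil
}

// Open decrypts a field for an authorised credential. It cannot distinguish the
// legitimate holder of that credential from an attacker who has stolen it,
// which is exactly the gap encryption at rest leaves open.
func (ks *KeyService) Open(credential, memberID string, blob []byte) ([]byte, error) {
	if !ks.allowed[credential] {
		return nil, errors.New("credential not authorised to use the key")
	}
	g, err := ks.aead()
	if err != nil {
		return nil, err
	}
	if len(blob) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], []byte(memberID))
}

// Store models the member table: ciphertext only, never the key.
type Store struct{ rows map[string][]byte }

func NewStore() *Store { return &Store{rows: map[string][]byte{}} }

// DumpExposes reports whether a raw copy of the table (what an attacker who
// steals the database files obtains) contains the given plaintext.
func (s *Store) DumpExposes(secret []byte) bool {
	for _, ct := range s.rows {
		if bytes.Contains(ct, secret) {
			return true
		}
	}
	return false
}

func main() {
	ks, err := NewKeyService("svc-claims-app") // constructed credential name
	if err != nil {
		panic(err)
	}
	st := NewStore()
	ssn := []byte("000-00-0000") // constructed sample value, not a real SSN
	st.rows["M1001"], _ = ks.Seal("M1001", ssn)

	fmt.Println("plaintext visible in a stolen dump:", st.DumpExposes(ssn))
	_, err = ks.Open("no-such-credential", "M1001", st.rows["M1001"])
	fmt.Println("decrypt without a valid credential:", err)
	pt, _ := ks.Open("svc-claims-app", "M1001", st.rows["M1001"])
	fmt.Println("decrypt with a valid (possibly stolen) credential:", string(pt))
}
```

The design point is that field-level encryption with the key held outside the database raises the bar against theft of storage media or database dumps, and binding each ciphertext to its row stops records being transplanted, but it cannot compensate for weak control or monitoring of the credentials that are allowed to use the key. Access control on the key service, logging of every decrypt call, and alerting on unusual decrypt volume are what close the gap the article's quoted experts are pointing at.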

Beyond HIPAA Risk Assessments: Added Measures for Avoiding PHI Breaches

Last year, several high profile security incidents occurred at healthcare organizations where a HIPAA Risk Assessment (HSRA) had previously been conducted. This should provoke some pointed questions: Was the HSRA comprehensive enough? Was the remediation plan implemented correctly and in a timely manner? Was an ongoing process of risk management adopted? In this webinar, attendees will learn why HSRAs are a necessary but not sufficient part of maintaining the security of protected health information (PHI).

  • What qualifies as a comprehensive HIPAA risk analysis?
  • Learn why HIPAA Risk Assessments are necessary but not sufficient.
  • What are the elements of an ongoing security risk management program?
  • What else can be done to lower the risk of hacking incidents?

HIPAA Risk Assessments are a valuable component of a healthcare organization's information security program. They fulfill a mandatory requirement of the HIPAA Security Rule, Omnibus Rule, and where applicable, the EHR Meaningful Use Incentive Program. Compliance, however, is not synonymous with security.

The purpose of an HSRA is to identify threats and vulnerabilities. But without a comprehensive remediation and ongoing risk management plan, the HSRA itself is of little value. Further, many HSRAs are too limited in scope, focusing only on policies or "low-hanging fruit" while ignoring more critical and complex risks.

From 2010-2013, the vast majority of breaches of PHI resulted from lost or stolen portable devices. In 2014, the landscape changed. Hackers went on the attack, attracted by the high value of stores of PHI. Millions of health records were stolen. Hackers typically exploit vulnerabilities in the network infrastructure or in web applications. In addition, individual credentials are often compromised through "phishing" email attacks. Were these risks identified in your HSRA?

Tips for potential victims of the Anthem data breach

Consumers received more bad news last week as word spread of a massive data breach at Anthem, the country’s second-largest health insurer. At first glance, this incident may be far worse than previous breaches at Target and Home Depot, since the thieves were after personal information, like Social Security numbers, and other tools used to steal someone’s identity.

If you’re a current or former Anthem customer — even if you’re not — the Better Business Bureau has some advice for you to minimize your risk of identity theft:

• Do not take a “wait-and-see” approach as you may have done with breaches involving credit card data. You must act quickly. Breaches involving Social Security numbers have the potential to be far more detrimental to victims, and the damage can be difficult to repair.

• Consider taking a preemptive strike by freezing your credit reports. A security freeze would prevent anyone — even you — from accessing your credit report, a first step in establishing a new line of credit. This will not impact existing credit cards and financial accounts, but will create a roadblock for thieves seeking to create fraudulent accounts using your personal information. A freeze can be temporarily “thawed” by you, if necessary. In Wisconsin, freezing and thawing your credit report is free for victims of identity theft and costs $10 per credit bureau for nonvictims.

• At a minimum, if you know your Social Security number has been compromised, place a fraud alert on your credit reports. A fraud alert flags your credit reports, alerting potential lenders to verify the identity of anyone attempting to open an account in your name. Fraud alerts are free and don’t interfere with your ability to receive instant credit. However, fraud alerts rely entirely on the diligence of the person performing the credit check. Fraud alerts are also temporary, and must be reinstated every 90 days in most cases.

• Take advantage of the free credit monitoring services Anthem will be offering to breach victims. While this is not a preventive measure, it will alert you to new accounts or inquiries using your Social Security number so that you can act quickly to repair the damage.

• Vigilance is key. Regularly check your credit reports at annualcreditreport.com for unauthorized charges or other signs of fraud. (Note: This is the only free credit report option authorized by the Federal Trade Commission.)

• Expect that scammers will take advantage of this data breach to send out phishing emails and other messages that appear to be from Anthem, a credit bureau or other legitimate companies. Do not click on links from any email, text or social media messages about this or any other data breach.

Now that HIPAA has failed us, what are we to do?

My whole life I have been fortunate to own health care insurance. The HIPAA law (Health Insurance Portability & Accountability Act), enacted in August 1996, has given me a false sense of security.

The major purpose of this law was to give the individual's health information proper confidentiality status. On almost every visit to a doctor's office, HIPAA forms are offered for us to sign and initial, reminding us that our health and personal data are being protected.

The HIPAA law encourages but does not require that personal and health information be encrypted. The health insurance companies state that encryption of data incurs additional financial costs and slows the process of moving this information. Under a 2009 federal law, the HITECH Act, the public must be informed of any health data breach of 500 people or more with unencrypted information.

A class-action suit against Anthem already has been filed. But that does not help those affected for now. Once again, it falls to our personal responsibility. While we Anthem customers wait for snail mail to arrive on the status of our personal information, a few actions can be taken.

Since we cannot change our birth date or our health history, do we consider changing our email address and phone number? I believe we should always be monitoring our credit card statements. But do we put a freeze on our credit?

From what I have learned, identity monitoring services can do just so much to help us watch over our credit and any fraudulent activity. Should we call the Social Security office to see how the office can help us protect our benefits?

Will any big changes come to the HIPAA laws? This recent news event takes on the aspect of a soap opera. Stay tuned for more drama. If only we could change the channel.
