HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians

Did Doctor Violate HIPAA for Political Campaign?


Federal regulators are reportedly investigating whether a physician in Richmond, Va., violated HIPAA privacy regulations by using patient information to help her campaign for the state senate.

The Philadelphia office of the Department of Health and Human Services' Office for Civil Rights is investigating potential HIPAA violations by Siobhan Dunnavant, M.D., a Republican state senate candidate, after a complaint alleged the obstetrician-gynecologist used her patients' protected health information - including names and addresses - to solicit contributions, volunteers and votes, according to an NBC news report.

Conservative blogger Thomas White tells Information Security Media Group that he reported to HHS earlier this year that letters and emails about Dunnavant's candidacy were sent to her patients prior to the June primary race in the state's 12th district, which includes western Hanover County. White says he notified HHS after receiving a copy of a letter from a Dunnavant patient who was annoyed at receiving the campaign-related communications from her doctor.

"I would love for you to be involved," Dunnavant wrote to patients, also reassuring them that their care would not be impacted if she's elected, according to a copy of a campaign letter posted on the NBC website. "You can connect and get information on my website. There you can sign up to get information, a bumper sticker or yard sign and volunteer," the posted letter states. Other campaign-related material included emails sent to patients that were signed by "Friends of Siobhan Dunnavant," NBC reports and White confirmed, citing reports from patients.

The physician is one of three candidates seeking the state senate seat in the Nov. 3 election.

Patient Confidentiality

A spokeswoman for Dunnavant's medical practice declined to confirm to Information Security Media Group whether OCR is investigating Dunnavant for alleged HIPAA privacy violations. However, in a statement, the spokeswoman said, "We are aware of concerns regarding patient communication, and we are reviewing the issue with the highest rigor and diligence. Please be assured we hold confidentiality of patient information of paramount importance, and thank patients for entrusting us with their care."

A spokeswoman in OCR's Washington headquarters also declined to comment on the situation. "As a matter of policy, the Office for Civil Rights does not release information about current or potential investigations, nor can we opine on this case," she says.

White, editor of varight.com, says he first received a copy of one of Dunnavant's campaign letters in May, and that he was the first to report on the issues raised by the letters. He tells ISMG he filed a complaint with the federal government after he confirmed that the use of patient information for campaign purposes was a potential violation of privacy laws.

Nearly four months later, an investigator in OCR's regional office in Philadelphia, which is responsible for Virginia, on Sept. 29 responded to White's complaint, indicating the doctor's actions would be examined. White says he also confirmed again in a call to OCR on Oct. 28 that the case is still under investigation.

"You allege that Dr. Dunnavant impermissibly used the protected health information of her patients. We have carefully reviewed your allegation and are initiating an investigation to determine if there has been a failure to comply with the requirements of the applicable regulation," OCR wrote to White, according to a copy of the OCR letter that appears on White's website.

HIPAA Regulations

Privacy attorney Adam Greene of the law firm Davis Wright Tremaine says Dunnavant's alleged use of patient information raises several HIPAA compliance concerns.

"HHS interprets HIPAA to cover demographic information held by a HIPAA-covered healthcare provider if it is in a context that indicates that the individuals are patients of the provider," he notes. "Healthcare providers must be careful when using patient contact information to mail anything to the patient - even if no specific diagnostic or payment information is used. If a patient's address is used to send marketing communications or other communications unrelated to treatment, payment, or healthcare operations without the patient's authorization, then this may be an impermissible use of protected health information under HIPAA."

If patient contact information is shared with someone else, such as a political campaign, that also could be a HIPAA violation, Greene adds. "The same information that can be found in a phone book - to the extent anyone uses phone books - may be restricted in the hands of healthcare providers."

Privacy attorney David Holtzman, vice president of compliance at the security consulting firm CynergisTek, notes that the HIPAA Privacy Rule has "a blanket prohibition" on a HIPAA covered entity disclosing the protected health information of their patients without first seeking authorization of the individual - except where specifically permitted or required by the rule.

"There is no provision in the privacy rule where a healthcare provider who is a HIPAA covered entity can disclose patient information to a political campaign," he points out.

Because of those restrictions, federal regulators will carefully scrutinize the case, Holtzman predicts. "It is likely that OCR will look closely at the doctor's correspondence for its communication about her candidacy for political office, how to contact the campaign or obtain campaign products as well as the statement that the letter was paid for and authorized by the campaign organization."

An OCR investigation into the alleged violations of the HIPAA Privacy Rule could result in HHS imposing a civil monetary penalty, Holtzman notes. "There are criminal penalties under the HIPAA statute for 'knowingly obtaining or disclosing identifiable health information in violation of the HIPAA statute,'" he adds.

Potential Penalties

Offenses committed with the intent to view, transfer or use individually identifiable health information for commercial advantage, personal gain or malicious harm are punishable by a fine of up to $250,000 and imprisonment for up to 10 years, Holtzman notes.

"The Department of Justice is responsible for investigating and prosecuting criminal violations of the HIPAA statute," he says. "And changes in the HITECH Act clarified that a covered entity can face both civil penalties for violations of the privacy rule and criminal prosecution for the same incident involving the prohibited disclosure of patient health information."

The U.S. Department of Justice did not respond to ISMG's request for comment on whether it's planning to investigate the Dunnavant case.


HIPAA Compliance and EHR Access


In light of the recent massive security breaches at UCLA Medical Center and Anthem Blue Cross, keeping your EHR secure has become all the more important. However, as organizations work to prevent data breaches, it can be difficult to find a balance between improving security and maintaining accessibility. To that end, HIPAA Chat host Steve Spearman addresses digital access controls, common authentication problems, and how authentication meets HIPAA compliance and helps ensure the integrity of your EHR, even after multiple revisions.

Q: What are access controls?

A: Access controls are mechanisms that appropriately limit access to resources. This includes both physical controls in a building, such as security guards, and digital controls in information systems, such as firewalls. Having and maintaining access controls is a critical and required aspect of HIPAA compliance, and is the first technical HIPAA Security Standard.

Q: What’s the most common form of digital access control we see in healthcare?

A: The username and password is the most common form of access control by far. The Access Control Standard requires covered entities to give each user a distinct and unique user ID and password in order to access protected information. These unique credentials for each employee enable covered entities to confirm (“authenticate”) the identity of users and to track and audit information access.

Q: What are the most common problems with access controls and use of passwords in healthcare?

A: The most common problem is that covered entities often use multiple systems which each may require its own set of usernames and passwords along with varying requirements for these credentials, such as minimum character length or use of capital letters. Memorizing multiple sets of passwords and usernames for multiple systems is difficult for most people. In addition, there is a conundrum between password complexity and memorization. Complex passwords (longer with multiple required character types) are better for security but much harder to memorize. This is the conundrum.

Q: Are stricter password policies always more secure?

A: No, if password requirements are too strict, users then use coping mechanisms such as writing them down or re-using the same password over and over and across multiple systems. This compromises security rather than enhancing it. For example, a policy that required 14 digit passwords and required lower-case, upper-case, numbers and symbols and expired every 30 days would create huge problems for most organizations. With these policies, staff would simply write down their passwords. But this compromises security. If a bad person gets a hold of a written list of passwords they have the “keys to the kingdom”, the ability to access the accounts on that written list. So passwords should not be written down.

In addition, overly strict password policies tend to overwhelm technical support staff with password reset requests.

So passwords should be sufficiently complex to make them hard to crack which also makes them hard to memorize.

Q: This sounds like a big problem. Do you have any suggestions to make things better?

A: At a minimum, organizations need to provide training to staff on straightforward techniques to create memorable but complex passwords. I have an exquisitely terrible memory. But I have great passwords using one particular technique. Just google “create good memorable passwords” and you can find dozens of videos demonstrating how to do it. But, of course, our favorite is the video featuring our very own, Gypsy, the InfoSec Wonderdog.

Enterprises should seriously consider additional technical solutions such as two factor authentication with single sign on (2FA/SSO).

Q: What is a good, reasonable password policy?

A: I recommend a policy that:

  • Requires a minimum of 8 characters
  • Requires two or three of the options of lower-case, upper-case, numbers and symbols
  • Expires passwords every 3 to 6 months
  • Limits use of historical passwords so that the previous two cannot be used.

Q: You mentioned authentication before. What is that? What is two-factor or multi-factor authentication?

A: Authentication is the process of confirming the identity of a person before granting access to a resource. Computer geeks refer to the three factors of authentication:

  • What a user has (an ID badge or phone).
  • What a user knows (a PIN number).
  • Who a user is (biometrics).

For example, ATMs use two-factor authentication:

  1. What the user has: an ATM card and
  2. What they know: a PIN.

One of my favorite tools for two factor authentication is Google Authenticator which runs as an app on my mobile phone. Another common form of two factor authentication is text codes. With this method, the website or app, after entering a correct username and password, sends a text with a numeric code that expires after a few minutes to your phone that is entered into another field in the website before access is granted.

Everyone should enable two factor authentication on their most essential systems, such as online banking and email accounts such as Gmail.

In healthcare, there is a growing trend toward biometric authentication, the use of fingerprint readers or palm readers, etc. to authenticate into systems. Biometric authentication is generally very secure and is also very easy to use since there is nothing to memorize.

Q: What is SSO?

A: Single sign-on (SSO) lets users access multiple applications through one authentication event. In other words, one password allows access to multiple systems. It enhances security because users only have to remember one password. And because it is just one, it is commonly a good complex password. Once entered, it will allow access to all the core systems (if enabled) without having to re-authenticate.

Single sign-on combined with two factor authentication or biometrics work great together in tandem and are often sold together by vendors. The leading SSO/2FA vendor in healthcare is Imprivata, but there are other vendors making great in-roads into healthcare such as Duo Security, 2FA.com and Secureauth.com.

Q: What do you mean by “integrity” and what does it have to do with access control and authentication?

A: Integrity in System Standards is the practices used to track and verify all changes made to a health record. It is a condition that allows us to prevent editing or deleting of records without proper authorization.

Authentication and access controls are the primary means we use to preserve integrity of a record. If the information system is programmed to track its users’ activity, then it’s possible to track who made changes to a record and how they changed it.

This is why users should never share usernames and passwords with other users. Integrity becomes impossible if a username does not signify the same user every time it appears.

Q: Any final thoughts?

A: Finding that balance between HIPAA compliance, security and accessibility can be tricky. We recommend reducing digital access controls to a single multi-factor authentication or biometrics event. This single, secure method of authentication could be the balance between security and efficiency needed to keep your EHR secure and yet accessible. In addition to improving accessibility to your system, an MFA or biometrics sign-in method could help improve your organization’s EHR integrity.
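The password policy recommended in the interview above (8 characters minimum, two or three character classes, expiry every 3 to 6 months, no reuse of the previous two passwords), written as a checker. This is an added example, not code from the interview or from any vendor it names. The `Account` record, the salted PBKDF2 storage, the sample passwords and the specific values picked inside the stated ranges are assumptions.

```python
import hashlib
import hmac
import os
import string
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Policy values from the interview; where it gives a range, the pick is an assumption.
MIN_LENGTH = 8                  # "minimum of 8 characters"
MIN_CLASSES = 2                 # "two or three" of lower/upper/number/symbol; 2 picked
MAX_AGE = timedelta(days=180)   # "every 3 to 6 months"; 6 months picked
HISTORY_DEPTH = 2               # "the previous two cannot be used"
PBKDF2_ROUNDS = 200_000         # assumption: work factor, tune to your hardware


@dataclass
class Account:
    """Hypothetical credential record. Only salted hashes are kept, newest first."""
    history: list = field(default_factory=list)   # [(salt, digest), ...]
    changed_at: Optional[datetime] = None


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def character_classes(password: str) -> int:
    """Count how many of the four classes appear at least once."""
    checks = (str.islower, str.isupper, str.isdigit,
              lambda c: c in string.punctuation)
    return sum(any(check(c) for c in password) for check in checks)


def policy_violations(account: Account, candidate: str) -> list[str]:
    """Return the rules the candidate breaks; an empty list means it is acceptable."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("too_short")
    if character_classes(candidate) < MIN_CLASSES:
        problems.append("too_few_classes")
    # Reuse check: the stored values are salted hashes, so the candidate has to be
    # re-hashed with each old salt and compared in constant time.
    for salt, digest in account.history[:HISTORY_DEPTH]:
        if hmac.compare_digest(_hash(candidate, salt), digest):
            problems.append("reused")
            break
    return problems


def set_password(account: Account, candidate: str, now: datetime) -> list[str]:
    """Apply the policy; store the new hash only when nothing is violated."""
    problems = policy_violations(account, candidate)
    if problems:
        return problems
    salt = os.urandom(16)
    account.history.insert(0, (salt, _hash(candidate, salt)))
    del account.history[HISTORY_DEPTH:]      # keep only what the reuse rule needs
    account.changed_at = now
    return []


def is_expired(account: Account, now: datetime) -> bool:
    """True when the password was never set or is older than MAX_AGE."""
    return account.changed_at is None or now - account.changed_at > MAX_AGE


if __name__ == "__main__":
    # Constructed sample passwords and dates, for illustration only.
    acct = Account()
    start = datetime(2015, 1, 1, tzinfo=timezone.utc)
    for pw in ("short1A", "alllowercase", "Tr1cky-horse", "Tr1cky-horse"):
        print(pw, "->", set_password(acct, pw, start) or "accepted")
    print("expired after 181 days:", is_expired(acct, start + timedelta(days=181)))
```

Keeping only the last two salted hashes is enough for the reuse rule as stated, and avoids retaining a longer trail of old credentials than the policy needs.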


Suits pile up after U.S. reveals data breach affected millions


On Friday, Labaton Sucharow filed a class action on behalf of about 21.5 million (!) federal employees, contractors and job applicants whose personal information was exposed in an epic breach of security at the U.S. Office of Personnel Management, which screens applicants for federal government jobs and conducts security clearance on employees and contractors. Labaton’s complaint is at least the seventh class action against OPM and its private contractor, KeyPoint Government Solutions, including two suits by government employee unions and one with a federal administrative law judge as the lead plaintiff.

Although there is some variation in the alleged causes of action, the suits mostly assert violations of the Privacy Act and the Administrative Procedures Act, as well as negligence against KeyPoint. Late last month, the Justice Department asked the Judicial Panel on Multidistrict Litigation to consolidate the cases and transfer all of them to U.S. District Judge Amy Jackson of Washington, D.C., who is already presiding over the American Federation of Government Employees’ class action against OPM and KeyPoint.

The JPML said Friday that it would hear oral arguments on Oct. 1 on the government’s motion. Briefs are due before Sept. 14.

It certainly seems likely that the JPML will consolidate the suits, but where they end up transferring them could make a big difference in how this case turns out. The threshold question in data breach suits, as I’ve written many times, is constitutional standing: Can plaintiffs whose personal information has been stolen allege an actual or “certainly impending” threat of injury? That is the standard the U.S. Supreme Court set out in its 2013 decision in Clapper v. Amnesty International, and data breach defendants have since used the Clapper definition to knock out at least 10 class actions by plaintiffs who claimed – like the plaintiffs in the OPM suits – that they have been injured by the increased risk their personal information will be misused.

One of the cases that foundered under Clapper was In re Science Applications International Corp (SAIC) Backup Tape Data Theft Litigation, an MDL consolidated for pretrial proceedings in federal district court in the District of Columbia. The case involved the theft of SAIC data tapes containing personal information, including Social Security numbers, on about 4.7 million members of the U.S. military and their families. U.S. District Judge James Boasberg of Washington concluded in May 2014 that under the Supreme Court’s ruling in Clapper, plaintiffs do not meet constitutional standing requirements when their only alleged injury is the loss of their data and the risk it will be misused.

He did hold plaintiffs had standing when they could plausibly allege their personal information was stolen and misused – one plaintiff, for instance, asserted he had received letters from a credit card company thanking him for a loan application he said he never filed – but Judge Boasberg’s dismissal opinion gutted the case. Plaintiffs ended up voluntarily dismissing what remained.

Plaintiffs’ lawyers have gotten savvier about pleading data breach cases after the initial wave of Clapper dismissals, framing complaints around class members who can show that their information has been misused or that their bank accounts or credit ratings have been impacted by the data theft. But cases redrawn to satisfy standing requirements present cramped damages theories, as we’ve seen in the Target and Sony data breach cases, if the only plaintiffs who can recover are those whose injury is more concrete than the mere loss of personal data and risk that it will be exploited. You can see why the Justice Department wants the OPM case litigated in a district skeptical of standing based on the risk of data misuse.

In one jurisdiction, however, all 21.5 million alleged victims of the OPM data breach may have standing. Last month, a three-judge panel of the 7th Circuit ruled in a data breach case against Neiman Marcus that plaintiffs have standing if they can show they incurred reasonable costs or spent considerable time to mitigate a “substantial risk” of harm. Under the 7th Circuit’s decision, just about anyone whose data has been stolen by hackers can sue because their information may be misappropriated.

Neiman Marcus’ lawyers at Sidley Austin filed a petition for rehearing earlier this month, but unless and until the 7th Circuit grants its motion, the panel’s ruling is the only post-Clapper federal appellate decision on standing in a data breach class action. It’s binding on trial judges in Illinois, Wisconsin and Indiana.

So far, none of the OPM class actions have been filed in those states. Two were brought in Washington, D.C., which, as the Justice Department pointed out in its request for consolidation in that court, is the district of universal venue for the Privacy Act claim at the heart of the OPM suits. Two other plaintiffs filed in California. Others sued in Idaho, Colorado and Kansas. It’s going to be very interesting to see which court plaintiffs ask the JPML to send the OPM litigation to.


Data Breaches Expose Nearly 140 Million Records


The latest report from the Identity Theft Resource Center (ITRC) reveals that there has been a total of 472 data breaches recorded through August 11, 2015, and more than 139 million records have been exposed. The annual total includes 21.5 million records exposed in the attack on the U.S. Office of Personnel Management in June and 78.8 million health care customer records exposed at Anthem in February.

A June report by cybersecurity firm Trustwave said that of the 574 hacking incidents and data breaches the company was asked to investigate in 2014, 43% came in the retail industry, 13% came from the food and beverage industry and 12% from the hospitality industry. More striking, perhaps: 81% of victims did not discover on their own that they had been hacked. In cases where a company discovers the attack on its own, it takes about two weeks to stop it. When companies do not run their own security programs, it takes more than five months to contain the breach.

E-commerce sites were compromised in 42% of attacks and point-of-sales systems were hit in 40%. The totals were up 7% and 13%, respectively, from 2013.

The total number of data breaches increased by six in the week, according to the ITRC. The business sector accounts for about 645,000 exposed records in 184 incidents so far in 2015. That represents 39% of the incidents, but just 0.5% of the exposed records.

The medical/health care sector posted the second-largest percentage of the total breaches so far this year, 35.6% (168) out of the total of 472. The number of records exposed in these breaches totaled 109.5 million, or 78.6% of the total so far in 2015.

The number of banking/credit/financial breaches totals 45 for the year to date and involves more than 411,000 records, some 9.7% of the total number of breaches and 0.3% of the records exposed. These numbers are unchanged from the prior week.

The government/military sector has suffered 36 data breaches so far this year, just 7.7% of the total, but about 20% of the total number of records exposed. These numbers were also unchanged from the prior week.

The educational sector has seen 39 data breaches in 2015, accounting for 8.3% of all breaches for the year. Nearly 740,000 records have been exposed, about 0.5% of the total so far in 2015.

In all of 2014, ITRC tracked an annual record number of 783 data breaches, up 27.5% year over year. The previous high was 662 breaches in 2010. Since beginning to track data breaches in 2005, ITRC had counted 5,497 breaches through August 11, 2015, involving more than 818 million records. Compared with 2014, the number of data breaches is about 2.3% lower to date in 2015.


Reminders for HIPAA Compliance with Business Associates


Maintaining HIPAA compliance is clearly a top priority for covered entities. With technology evolving, third-party partnerships are also becoming more common, which means that more healthcare organizations are likely working with business associates.

Whether a covered entity is working with a cloud services provider, or a company to assist in handling their financials, it is critical that HIPAA compliance stays a top priority. The HIPAA Omnibus Rule even changed how business associates can be held liable for potential HIPAA violations. All parties should have a thorough understanding of their relationship, and how they are expected to maintain patient data security.

This week, HealthITSecurity.com will discuss the intricacies of the relationship between a covered entity and a business associate. Moreover, the importance of a comprehensive business associate agreement will be explained, and examples will be given of what the consequences could be should either entity violate HIPAA.

What is a business associate?

A business associate could be any organization that works on behalf of, or for, a covered entity. For example, if a hospital employs a company to assist with its claims processing, then that third-party becomes a business associate. Or, an attorney who is working for a healthcare provider and has access to patients’ PHI, would also be considered a business associate.

“Covered entities may disclose protected health information to an entity in its role as a business associate only to help the covered entity carry out its health care functions – not for the business associate’s independent use or purposes, except as needed for the proper management and administration of the business associate,” according to the Department of Health and Human Services (HHS).

The business associate agreement must also include the following information, according to HHS:

  • Describe the permitted and required PHI uses by the business associate;
  • Provide that the business associate will not use or further disclose PHI other than as permitted or required by the contract or as required by law;
  • Require the business associate to use appropriate safeguards to prevent inappropriate PHI use or disclosure.

Essentially, business associates are also responsible for the protection of PHI. As previously mentioned, the HIPAA Omnibus Rule made this a federal requirement. Let’s go back to the example of a claims processing firm. The business associate agreement between that firm and a hospital should outline requirements for how the claims processing firm is expected to keep PHI secure while it is working with the hospital. Should a health data breach occur, the claims processing firm could face serious consequences if it is determined that it violated the business associate agreement.

Not only does the business associate agreement dictate how and when PHI could be disclosed, it also outlines the potential consequences should sensitive information be exposed:

“A business associate may use or disclose protected health information only as permitted or required by its business associate contract or as required by law. A business associate is directly liable under the HIPAA Rules and subject to civil and, in some cases, criminal penalties for making uses and disclosures of protected health information that are not authorized by its contract or required by law. A business associate also is directly liable and subject to civil penalties for failing to safeguard electronic protected health information in accordance with the HIPAA Security Rule.”

The contract between a covered entity and business associate can also have a termination date. For example, perhaps a medical transcriptionist was hired for six months. At the end of that six-month period, the business associate agreement can require that any PHI received in that time be destroyed.

Moreover, the covered entity can require that medical transcriptionist to make “internal practices, books, and records relating to the use and disclosure” of received PHI available to HHS to ensure that the covered entity is HIPAA compliant. It is also important to note that any contract can be terminated if the business associate is found to have violated “a material term.”

What happens if a business associate exposes PHI?

When a covered entity experiences a health data breach, it will likely have to deal with a federal and state investigation, as well as potential public backlash. There may even be potential fines due to possible HIPAA violations. Business associates will go through the same process should they suffer from their own data breach that potentially puts patients’ PHI at risk.

For example, in June 2015, Medical Informatics Engineering (MIE) announced that it had been the victim of a “sophisticated cyber attack,” and some of its clients may be affected. Affected clients included Concentra, Fort Wayne Neurological Center, Franciscan St. Francis Health Indianapolis, Gynecology Center, Inc. Fort Wayne, and Rochester Medical Group.

Possibly exposed information included patient names, mailing addresses, email addresses, and dates of birth. Some patients may have also had Social Security numbers, lab results, dictated reports, and medical conditions exposed.

Not long after, a class action lawsuit was filed against MIE, alleging that MIE failed “to take adequate and reasonable measures to ensure its data systems were protected,” and also failed “to take available steps to prevent and stop the breach from ever happening.”

Similarly, third party facility Medical Management LLC reported that approximately 2,200 patients at one of its healthcare providers may have had their records exposed by a Medical Management employee. Medical Management handles the billing for numerous healthcare providers across the country, and organizations in several states notified patients of the incident.

The data breach occurred when a now former Medical Management employee copied individuals’ personal information from the billing system over the past two years. That former employee then illegally disclosed that information to a third party.

“MML takes this matter very seriously and terminated this employee after being informed of this criminal investigation,” Medical Management said in a statement. “MML is cooperating with federal law enforcement authorities in their criminal investigation.”

Covered entities and business associates must be able to work together when it comes to patient PHI security. Health data breaches can happen at any organization, regardless of size. By keeping health data security policies current, and regularly reviewing them, both types of facilities have a better chance of detecting potential weaknesses. Having comprehensive business associate agreements in place will also ensure that all parties understand how they are required to keep PHI secure.


Ex-Hospital Worker Sentenced in $24 Million Fraud Case


A former military hospital worker has been sentenced to 13-plus years of federal prison time for her involvement in a $24 million identity theft and tax fraud scheme, which also involved a former Alabama health department employee and several other co-conspirators.

On Aug. 10 in the U.S. District Court for the Middle District of Alabama, Tracy Mitchell, a former worker at a military hospital at Fort Benning, Georgia, was sentenced to serve 159 months in federal prison for crimes including one count of conspiracy to file false tax claims, one count of wire fraud and one count of aggravated identity theft, to which she pleaded guilty in April.

Eight others were also sentenced on Aug. 10 for their roles in the same fraud ring, which federal prosecutors say involved the theft of 9,000 identities stolen from the U.S. Army, various Alabama state agencies, an unidentified Georgia call center, and an unidentified Columbus, Georgia company.

Case Details

The U.S. Department of Justice in a statement says that while Mitchell worked at the military hospital, she had access to the identification data of military personnel, including soldiers who were deployed to Afghanistan. Mitchell stole personal information of soldiers and used them to file false tax returns. Court documents do not specify the job Mitchell held at the hospital.

Prosecutors say that between January 2011 and December 2013, Mitchell and a co-conspirator, Keisha Lanier, led the large-scale identity theft ring in which they and their co-defendants filed over 9,000 false tax returns that claimed in excess of $24 million in fraudulent claims. The IRS paid out close to $10 million in fraudulent refunds, the justice department says. Sentencing for Lanier is scheduled for Aug. 24.

Other members of the fraud ring who were sentenced on Aug. 10 included Sharondra Johnson, who worked at a Walmart money center in Columbus, Georgia. As part of her employment, Johnson cashed checks for customers of the money center. Prosecutors say Johnson cashed tax refund checks issued in the names of other individuals whose identities were stolen by the fraud ring. For her crimes, Johnson received a 24-month prison sentence.

Also, in another related case linked to the same fraud ring, Tamika Floyd, a former worker of the Alabama Department of Public Health from 2006 to May 2013, and the Alabama Department of Human Resources from May 2013 to July 2014, was sentenced in May to serve 87 months in federal prison after pleading guilty to fraud conspiracy and ID theft crimes. While working in her state jobs, Floyd had access to databases that contained identification information of individuals, which she stole and provided to the crime ring's co-conspirators for the filing of false tax returns, prosecutors say.

Of those sentenced so far, Mitchell received the stiffest penalty. Sentences for the other defendants in the case so far range from 60 months of prison time to two years of probation. Restitution will be determined at a later date, the DOJ says.

Preventing Insider Crimes

There are steps that healthcare organizations can take to deter insiders from committing fraud-related crimes using patient data, say privacy and security experts.

Mac McMillan, CEO of security consulting firm CynergisTek, suggests that entities enhance personnel screening, improve authorization practices, eliminate excess access, invest in monitoring technologies and diligently and proactively monitor users. Also, "we need to change our monitoring and audit practices and focus more on behavioral analysis," he adds.

Indeed, some healthcare CISOs say their organizations are putting those types of efforts in place to help safeguard patient data from being used in identity crimes.

"We are in close partnership with all the three-letter [law enforcement] agencies, and are constantly reviewing the crimes, such as identity theft, which continues to be on the FBI's top list of crimes throughout the nation in general," says Connie Barrera, CISO of Jackson Health System in Miami.

Unfortunately, "South Florida is a big repository of different kinds of issues, and crimes" involving identity fraud, including tax refund fraud, she says. "It's not only about educating our population [of workers] but having the right monitoring in place."

For instance, "with our medical records, we have various ways to monitor that [access], and we let our workforce and constituents know that we are monitoring, and we do that on a regular basis," she says. "Employees are made aware, and word spreads."

Also, the organization provides access to data only "on a need to know basis, and we review that on a periodic basis." Still, "ensuring that the people who do have [authorized] access to data are only using it appropriately, that's a huge challenge."

On top of those efforts, law enforcement, prosecutors and the justice system pursuing fraud cases involving patient identities are also an important deterrent, McMillan says.

"These sentences should send the message that the government is serious about punishing those that abuse their trust and take advantage of others," he says. "If you do the crime and get caught, you can get serious time."


Reminders on HIPAA Enforcement: Breaking Down HIPAA Rules


HIPAA enforcement is an important aspect of the HIPAA Privacy Rule, and also one that no covered entity actually wants to be a part of. However, it is essential that healthcare organizations of all sizes understand the implications of an audit from the Office for Civil Rights (OCR), and how they can best prepare.

This week, HealthITSecurity.com is breaking down the major aspects of OCR HIPAA enforcement, and what healthcare organizations and their business associates need to understand to guarantee that they keep patient data secure. Additionally, we’ll review some recent cases where the OCR fined organizations because of HIPAA violations.

What is the enforcement process?

OCR enforces HIPAA compliance by investigating any filed complaints and will conduct compliance reviews to determine if covered entities are in compliance. Additionally, OCR performs education and outreach to further underline the importance of HIPAA compliance. The Department of Justice (DOJ) also works with OCR in criminal HIPAA violation cases.

“If OCR accepts a complaint for investigation, OCR will notify the person who filed the complaint and the covered entity named in it,” according to HHS’ website. “Then the complainant and the covered entity are asked to present information about the incident or problem described in the complaint. OCR may request specific information from each to get an understanding of the facts. Covered entities are required by law to cooperate with complaint investigations.”

Sometimes OCR determines that HIPAA Privacy or Security requirements were not violated. However, when violations are found, OCR will need to obtain voluntary compliance, corrective action, and/or a resolution agreement with the covered entity:

“If the covered entity does not take action to resolve the matter in a way that is satisfactory, OCR may decide to impose civil money penalties (CMPs) on the covered entity. If CMPs are imposed, the covered entity may request a hearing in which an HHS administrative law judge decides if the penalties are supported by the evidence in the case. Complainants do not receive a portion of CMPs collected from covered entities; the penalties are deposited in the U.S. Treasury.”

During the intake and review process, OCR considers several conditions. For example, the alleged action must have taken place after the dates the Rules took effect. In the case of the Privacy Rule, the alleged incident will need to have taken place after April 14, 2003, whereas compliance with the Security Rule was not required until April 20, 2005.

The complaint must also be filed against a covered entity, and a complaint must allege an activity that, if proven true, would violate the Privacy or Security Rule. Finally, complaints must be filed within 180 days of “when the person submitting the complaint knew or should have known about the alleged violation.”

Recent cases of OCR HIPAA fines

One of the more recent examples of HIPAA enforcement took place in Massachusetts, when the OCR fined St. Elizabeth’s Medical Center (SEMC) $218,400 after potential HIPAA violations stemming from 2012.

The original complaint alleged that SEMC employees had used an internet-based document sharing application to store documents containing ePHI of nearly 500 individuals. OCR claimed that this was done without having analyzed the risks associated with the practice.

“OCR’s investigation determined that SEMC failed to timely identify and respond to the known security incident, mitigate the harmful effects of the security incident, and document the security incident and its outcome,” OCR explained in its report. “Separately, on August 25, 2014, SEMC submitted notification to HHS OCR regarding a breach of unsecured ePHI stored on a former SEMC workforce member’s personal laptop and USB flash drive, affecting 595 individuals.”

OCR Director Jocelyn Samuels reiterated the importance of all employees ensuring that they maintain HIPAA compliance, regardless of the types of applications they use. Staff at all levels “must follow all policies and procedures, and entities must ensure that incidents are reported and mitigated in a timely manner,” she stated.

In April of 2015, the OCR also agreed to a $125,000 settlement fine with Cornell Prescription Pharmacy (Cornell) after allegations that also took place in 2012. In that case, Cornell was accused of improperly disposing of PHI documents. Papers with information on approximately 1,600 individuals were found in an unlocked, open container on Cornell’s property.

“Regardless of size, organizations cannot abandon protected health information or dispose of it in dumpsters or other containers that are accessible by the public or other unauthorized persons,” OCR Director Samuels said in a statement, referring to the fact that Cornell is a small, single-location pharmacy in Colorado. “Even in our increasingly electronic world, it is critical that policies and procedures be in place for secure disposal of patient information, whether that information is in electronic form or on paper.”

However, not all OCR HIPAA settlements stay in the thousand dollar range. In 2014, OCR fined New York and Presbyterian Hospital (NYP) and Columbia University (CU) $4.8 million stemming from a joint breach report that was filed in September 2010.

NYP and CU were found to have violated HIPAA by exposing 6,800 patients’ ePHI when an application developer for the organizations tried to deactivate a personally-owned computer server on the network that held NYP patient ePHI. Once the server was deactivated, ePHI became accessible on internet search engines.

“In addition to the impermissible disclosure of ePHI on the internet, OCR’s investigation found that neither NYP nor CU made efforts prior to the breach to assure that the server was secure and that it contained appropriate software protections,” OCR explained in its statement. “Moreover, OCR determined that neither entity had conducted an accurate and thorough risk analysis that identified all systems that access NYP ePHI.”

Regardless of an organization’s size, HIPAA compliance is essential. Regular risk analysis and comprehensive employee training are critical to keeping covered entities up to date and patient data secure. By reviewing federal, state and local laws, healthcare organizations can work on taking the necessary steps to make changes and improve their data security measures.


Data Breaches, Lawsuits Inescapable, but Liability Can Be Mitigated


If your organization experiences a data breach—an increasingly likely scenario—and PHI is exposed, chances are you will be hit with a lawsuit in short order.

There's not much you can do about that, just like it's impossible to prevent every criminal attack. What you can do, though, is take steps to minimize the likelihood of being found liable for damages in court, says Reece Hirsch, Esq., a partner and regulatory attorney at Morgan Lewis in San Francisco, and a BOH editorial advisory board member.

Hirsch says companies should have two things in place as part of standard policy and procedure: an evolving breach response plan and an incident response team that meets on a regular basis. While class-action suits haven't gained much traction with judges yet—except in cases of clear financial damage to consumers—most of the claims boil down to some form of alleged negligence, he says.

"Given the increasingly sophisticated cyberthreats that companies face … you cannot have perfect security and you cannot completely insulate yourself from these types of events, but what you can do is show you acted reasonably and took reasonable measures to prevent a breach and not make yourself a target," Hirsch says.

Organizations demonstrate this with a good breach response plan to show they've identified the problem, mitigated damage, notified victims, and taken further action as necessary, he says. The team should represent each department that might be affected by a breach or that has to be mobilized to interact with the public, including legal, human resources, privacy, security, IT, communications, and investor relations. Part of the team's role is to analyze risks to data, data flow, and worst-case scenarios.

"Everything needs to be encrypted, data at rest as well as data in transit, which is something HIPAA specifically points out," says Jan McDavid, Esq., the compliance officer and general legal counsel at HealthPort, an Atlanta-based healthcare services firm. McDavid, who is a regular speaker on this subject, agrees that it's essential to have proper security policies as well as dedicated staff to regularly review systems and respond to incidents.

Comprehensive risk analyses, which HIPAA requires, should not just be done after a breach to assess the extent of damages after private data is "let out the door," she says, but up front as well to identify the risks. Inevitably, though, healthcare organizations with large electronic databases will likely experience a data breach.

"Once [companies] are put on notice that something has happened, they need to immediately stop the bleeding," McDavid says. Even though public breach notification may not be required on day one, the company should immediately shut off or fix whatever happened so it can't occur again, she says.

One of the issues she sees often is that as healthcare organizations struggle to keep pace with technology, security is affected too. In the rush to automation and interoperability with limited funds available, parts of older systems and databases may get upgraded and replaced, but in the process, new vulnerabilities may be created, McDavid says. It seems organizations don't always realize how their systems interact, leading them to overlook peripheral connections that may allow access to protected systems, she adds.

Federal legislation that called for providers to implement EHRs didn't contain the funding to help facilities make the switch—those incentives came later. Many of the hospitals McDavid works with have a hodgepodge of computer systems that were installed piecemeal as the hospitals received technology funding, and that may inadvertently lead to vulnerabilities.

Taking proactive measures to have strong security policies, plans, and personnel in place goes a long way toward mitigating company liability in a class-action suit, Hirsch and McDavid say.

Lawsuits may be unavoidable

"If people are going to sue you, they're going to sue you," Hirsch says. "But [proactive preparation] will position the company much better to defend the lawsuit." And even more importantly, he adds, it may deflect some of the greatest damage to a company's reputation and image, which occurs in the "court of public opinion" and in news media reports.

McDavid agrees. "Their name becomes mud when the news is out that they've had a major breach," she says, although she believes the public has become oversaturated with the plethora of recent breaches in the news to the point that such incidents are no longer viewed as alarming or unusual.

Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, Oregon, and a BOH editorial advisory board member, says the breach announced by Anthem, Inc., in February 2015 actually offers a good example of how to take the right approach to a data breach.

Apgar doesn't believe the health insurer took a big hit to its reputation because it acted relatively quickly to put security experts on the case and notify consumers and law enforcement authorities about the breach as required by HIPAA security regulations. In addition, he says, Anthem had relatively good security protections; however, those protections could only slow down a sufficiently skilled hacker, not stop the breach from occurring.

By comparison, Apgar says the class-action suits against Community Health Systems, Inc., are for actual negligence in responding to a known security vulnerability. The Franklin, Tennessee-based company announced hackers accessed data of 4.5 million individuals who were referred to or received care from physicians affiliated with its system over the last five years, according to an August 18, 2015, filing with the U.S. Securities and Exchange Commission.

Anthem disclosed on February 4 that it uncovered a massive breach affecting 80 million people that had occurred two months earlier. Less than 12 hours later, an Indianapolis attorney was already filing a class-action suit against the health insurer for failure to secure customers' data, negligence, breach of contract, and failure to notify victims in a timely manner.

In the days and weeks that followed, the class-action suits started to pile up across the country—dozens of complaints argued Anthem was lax in securing members' personal data, which wasn't encrypted. Plaintiffs argued Anthem only implemented reasonable security measures after it discovered the breach January 29—more than a month after the incident occurred.

Even if it were eventually proven in court that Anthem didn't follow industry best practices to secure data or that the breach was due to negligence, the bigger question is whether the plaintiffs can demonstrate harm as a result, Apgar says.

Building up case law

Currently, legal precedent favors the defendants, but that's an evolving process too.

McDavid explains there is no established federal law that stipulates companies are liable for damages just because they experienced a data breach that exposed clients' or patients' personal information.

That's where class-action attorneys enter the picture, she says. They're trying to make case law by obtaining favorable court opinions to set a legal precedent, but it's an uphill battle, she says. Under many federal and state laws, victims have to prove they were harmed in order to win damages.

"In the majority of cases now, the courts are ruling that you cannot certify a class unless you can prove the class has damages," McDavid says. "What that means is that even if you've breached 2 million records, if you don't have any notice that any of that [data] has been misused, then in most courts right now you have no damages."

In April, a federal judge dismissed a class-action suit against Horizon Blue Cross Blue Shield of New Jersey, ruling the plaintiffs didn't demonstrate they suffered financial harm. Two company laptop computers were stolen in 2013 from the health insurer's Newark headquarters, and nearly 840,000 customers' personal information was potentially exposed.

McDavid also points to a May Pennsylvania case where a county judge dismissed a suit from 62,000 employees of the University of Pittsburgh Medical Center following a criminal breach of the hospital's payroll database. Several hundred employees were victims of tax fraud, but the judge ruled the plaintiffs didn't prove that they were all financially harmed, that the medical center was negligent in its actions, or that there was any contract holding the university liable for security breaches.

What usually happens, Hirsch explains, is that the parties reach a settlement outside of court, and that's where many of the large payouts to affected consumers or patients happen.

Finding other ways in

It's becoming increasingly common, however, for class-action attorneys to file suit for violations of state privacy and security laws or various other federal statutes, which may contain stronger protections than HIPAA, McDavid says. Arguments under those laws have been more successful at convincing courts that the victims still have legal standing to sue even if they haven't experienced actual harm.

Apgar notes that 2010 contained an early example of this, when the Connecticut Attorney General's office sued Health Net of Connecticut in federal court for violations of HIPAA and state privacy protections regarding personal data. The attorney general's office alleged the health insurer failed to secure PHI and financial information prior to a 2009 data breach in which a computer disk drive was lost that contained unencrypted records on more than 500,000 Connecticut residents and 1.5 million consumers nationwide. Health Net also allegedly delayed notifying plan members and law enforcement authorities until several months after it discovered the breach.

Ultimately, the company agreed to a settlement that included the following:

  • Extended credit monitoring for affected plan members
  • Increased identity theft insurance and reimbursement for security freezes
  • An internal corrective action plan for stronger security measures
  • A $250,000 state fine
  • A $500,000 contingent payment to the state if it was established that affected individuals later became victims of identity theft or fraud

This was the first legal action taken by an attorney general since the HITECH Act in 2009 authorized state attorneys general to enforce violations of HIPAA.

Federal laws, such as the Fair Credit Reporting Act (FCRA), are also becoming an avenue for class-action attorneys. Hirsch says although it's not related to healthcare, one case winding its way through the U.S. Supreme Court—Spokeo, Inc. v. Robins—could change the legal landscape if the nation's highest court issues an opinion against the online company.

In February 2014, federal appellate judges for the 9th Circuit reversed a district court ruling that had originally dismissed plaintiff Thomas Robins' class-action suit alleging willful violations of the FCRA. He claimed Spokeo, an online information gathering service, published and marketed inaccurate personal information about him on its website, which he had no control over. While not claiming actual financial damages, he argued that since he was unsuccessful in securing employment, he was concerned the inaccurate report was affecting his ability to obtain employment, insurance, credit, etc.

The appellate panel found Robins did have constitutional standing to sue under the FCRA. This speaks to the same issues that are raised by victims of healthcare data breaches, who worry they will suffer financial harm from the exposure of their PHI, Hirsch says. Large technology companies urged the Supreme Court to take up an appeal of the 2014 decision, fearing it could cripple the industry by paving the way for billions of dollars in damages to consumers, he says.

In addition, there's another federal healthcare data breach suit—Smith, et al. v. Triad of Alabama—making a case for violations under the FCRA that will have big implications if the court finds the plaintiffs have legal standing for a class-action suit, McDavid says.

"They can keep it in court if the judge buys into their theory that they don't have to have damages in order to sue," she says.


Three Steps to Preventing Data Breaches in Your Practice


Every few weeks, there’s a headline about a healthcare organization that’s been victimized by a hacker or a disgruntled employee. What is your practice doing to protect its data against theft? It can be a balancing act for physician practices that want to provide access to patient information in the EHR and elsewhere, while preventing data breaches. Here are a few steps that can help practices avoid those unfortunate headlines:

Know where your data is

First, you have to know where your data is, said Jim Kelton, managing principal at Costa Mesa, Calif.-based Altius Information Technologies. If you don’t know where your data is transmitted or where it’s stored, you can’t provide the layers of protection that are needed.

“You have to know where [your data is] transmitted and where it’s stored,” he said. Part of this exercise includes determining the practice’s EHR and other clinical information systems—and whether that software is hosted on the cloud. It can also be as mundane as making sure that printed e-mails from patients aren’t sitting around the office.

“There are 18 forms of protected health information, even an e-mail address can identify someone and needs to be protected,” he said.

Know what assets provide access to your data

Once this is done, you need to determine the assets that provide access to the practice’s data. This could be in the doctor’s office, within computer systems, on a server, or in the EHR and other clinical applications themselves. There are often multiple threats to consider, said Kelton. For example, the threat with a laptop is it’s portable and it’s vulnerable because it contains protected patient information.

Having a BYODT – or Bring Your Own Device and Technology – policy is very important, he said. This requires surveying your staff and doing an inventory of the types of technology you’re using to run the practice. It’s during this step that you should determine whether your employees are using smart phones and tablets, cloud storage, flash drives, or external hard drives. It’s also important to keep in mind any data sharing with external contractors doing software development for the practice. “For smaller practices that outsource a lot of services, they need to make sure their business agreements [with vendors and consultants] are solid,” said Kelton.

Identify threats to those assets and build in controls

Those threats could be physical, such as someone entering the practice and stealing a laptop. They could also mean your practice is the intended victim of hackers or viruses, which can infiltrate the EHR and other clinical systems. Some practices even need to be prepared for the actions of a disgruntled employee who sends your client list to their future employer, an action that puts your practice at risk, Kelton said.

Password protection for laptops is a pretty simple solution that works. Another option to consider is encrypting the laptop’s hard drive. This action will mean that the hacker won’t be able to access protected patient data on the EHR and other information about your practice, Kelton said.

HIPAA requires that each practice identify a security official to develop and implement security policies, implement procedures, and oversee and protect protected health information. According to Kelton, putting together a plan in advance is the most cost-effective way to ensure that data breaches don’t occur.


The UCLA Health System Data Breach: How Bad Could It Be…?


Just hours ago, a Los Angeles Times report broke the news that hackers had broken into the UCLA Health System, creating a data breach that may affect 4.5 million people. This may turn out to be one of the biggest breaches of its kind in a single patient care organization to date, in the U.S. healthcare system. And it follows by only a few months the enormous data breach at Anthem, one of the nation’s largest commercial health insurers, a breach that has potentially compromised the data of 4.5 million Americans.

The L.A. Times report, by Chad Terhune, noted that “The university said there was no evidence yet that patient data were taken, but it can't rule out that possibility while the investigation continues.” And it quoted Dr. James Atkinson, interim president of the UCLA Hospital System, as saying, “We take this attack on our systems extremely seriously. For patients that entrust us with their care, their privacy is our highest priority. We deeply regret this has happened.”

But Terhune also was able to report a truly damning fact. He writes, “The revelation that UCLA hadn't taken the basic step of encrypting this patient data drew swift criticism from security experts and patient advocates, particularly at a time when cybercriminals are targeting so many big players in healthcare, retail and government.” And he quotes Dr. Deborah Peel, founder of Patient Privacy Rights in Austin, Texas, as saying, “These breaches will keep happening because the healthcare industry has built so many systems with thousands of weak links.”

What’s startling is that the breach at the Indianapolis-based Anthem, revealed on Feb. 5, and which compromised the data of up to 80 million health plan members, shared two very important characteristics with the UCLA Health breach, so far as we know at this moment, hours after the UCLA breach. Both were created by hackers; and both involved unencrypted data. That’s right—according to the L.A. Times report, UCLA Health’s data was also unencrypted.

Unencrypted? Yes, really. And the reality is that, even though the majority of patient care organizations do not yet encrypt their core, identifiable, protected health information (PHI) within their electronic health records (EHRs) when not being clinically exchanged, this breach speaks to a transition that patient care organizations should consider making soon. That is particularly so in light of the Anthem case. Indeed, as I noted in a Feb. 9 blog on the subject, “[A]s presented in one of the class action lawsuits just recently filed against it,” the language of that suit “contains the seeds of what could evolve into a functional legal standard on what will be required for health plans—and providers—to avoid being hit with multi-million-dollar judgments in breach cases.”

As I further stated in that blog, “I think one of the key causes in the above complaint [lawsuits were filed against Anthem within a few days of the breach] is this one: ‘the imminent and certainly impending injury flowing from potential fraud and identity theft posed by their personal and financial information being placed in the hands of hackers; damages to and diminution in value of their personal and financial information entrusted to Anthem for the sole purpose of obtaining health insurance from Anthem and with the mutual understanding that Anthem would safeguard Plaintiff’s and Class members’ data against theft and not allow access and misuse of their data by others.’ In other words, simply by signing up, or being signed up by their employers, with Anthem, for health insurance, health plan members are relying on Anthem to fully safeguard their data, and a significant data breach is essentially what is known in the law as a tort.”

Now, I am not a torts or personal injury lawyer, and I don’t even play one on TV. But I can see where, soon, the failure to encrypt core PHI within EHRs may soon become a legal liability.

Per that, just consider a March 20 op-ed column in The Washington Post by Andrea Peterson, with the quite-compelling headline, “2015 is already the year of the health-care hack—and it’s going to get worse.” In it, Peterson, who, according to her authoring information at the close of the column, “covers technology policy for The Washington Post, with an emphasis on cybersecurity, consumer privacy, transparency, surveillance and open government,” notes that “Last year, the fallout from a string of breaches at major retailers like Target and Home Depot had consumers on edge. But 2015 is shaping up to be the year consumers should be taking a closer look at who is guarding their health information.” Indeed, she notes, “Data about more than 120 million people has been compromised in more than 1,100 separate breaches at organizations handling protected health data since 2009, according to Department of Health and Human Services data reviewed by The Washington Post.” Well, at this point, that figure would now be about 124.5 million, if the UCLA Health breach turns out to be as bad as one imagines it might be.

Indeed, Peterson writes, “Most breaches of data from health organizations are small and don't involve hackers breaking into a company's computer system. Some involve a stolen laptop or the inappropriate disposal of paper records, for example -- and not all necessarily involve medical information. But hacking-related incidents disclosed this year have dramatically driven up the number of people exposed by breaches in this sector. When Anthem, the nation's second-largest health insurer, announced in February that hackers broke into a database containing the personal information of nearly 80 million records related to consumers, that one incident more than doubled the number of people affected by breaches in the health industry since the agency started publicly reporting on the issue in 2009.”

And she quotes Rachel Seeger, a spokesperson for the Office for Civil Rights in the Department of Health and Human Services, as saying in a statement, following the Anthem breach, “These incidents have the potential to affect very large numbers of health care consumers, as evidenced by the recent Anthem and Premera breaches.”

So this latest breach is big, and it is scary. And it might be easy (and lazy blogging and journalism) to describe this UCLA Health data breach as a “wake-up call”; but honestly, we’ve already had a series of wake-up calls in the U.S. healthcare industry over the past year or so. How many “wake-up calls” do we need before hospitals and other patient care organizations move to impose strong encryption regimens on their core sensitive data? The mind boggles at the prospects for the next 12 months in healthcare—truly.


Before a Medical Data Breach, Begin Your Response Plan


In the last 18 months, there have been three massive data breaches involving the healthcare industry, scores of smaller breaches, and a growing trend of insider threats posed by employees who have sold protected health information (PHI) for their own personal gain. Unlike stolen credit card numbers that can be deactivated, the personal identifying information needed to commit identity-theft type crimes, such as name, address, Social Security number, and date of birth, cannot be changed easily, if at all. Because of the permanent nature of the information that they contain, health records are approximately 10 times more valuable than stolen credit card numbers on Internet black markets where they can be bought and sold in bulk.

Now more than ever, because of new threats posed by such cybercriminals, any organization that collects, uses, discloses, or stores PHI is a potential breach victim. Covered Entities and their Business Associates subject to HIPAA who suffer a data breach must act quickly and correctly in assessing the situation. They must thoroughly investigate and mitigate risks caused by the breach, attempt recovery of the lost information, and provide required notifications to affected individuals and others. Throughout this process, organizations experiencing a breach should strive to demonstrate publicly that the data loss is being handled responsibly and appropriately.

Defining a "Breach"

HIPAA defines a breach as the acquisition, access, use, or disclosure of PHI in a manner inconsistent with the Privacy Rule that compromises its security or privacy.  In most cases, a breach is presumed to have occurred unless it can be demonstrated that there is a "low probability" that the PHI has been compromised. When performing this initial inquiry, an organization must consider:

1. The nature and extent of the PHI involved, including the types of identifiers and likelihood of re-identification;

2. The unauthorized person who used the PHI or to whom the disclosure was made;

3. Whether the PHI was actually acquired or viewed; and

4. The extent to which the risk to the PHI has been mitigated.

Plan Ahead for Breach Notification

Leonardo M. Tamburello
Every Covered Entity and Business Associate that handles PHI should develop its own unique breach response plan, built upon its most recent Security Risk Assessment (SRA), itself a fundamental step in the development of a comprehensive HIPAA security program. This security program should include a complete inventory of all devices containing sensitive data and policies and procedures requiring the immediate reporting of any lost, stolen, or compromised devices or media.

Using the most critical vulnerabilities identified in the SRA as a blueprint, the "worst case" scenario should be used to develop a detailed response plan. This discussion and handling of the "crisis" in a benign environment should be memorialized and refined into a formal breach response plan that identifies clear lines of communication and responsibility, including what gets done, who does it, and when they are supposed to do it.  

Merely having a breach response plan on paper is not enough. Individuals who are expected to implement the plan must understand and be equipped to execute their responsibilities.  

Whether through a medical practice's in-house counsel or an outside law firm, there are important reasons to integrate counsel into a breach response plan. Privacy counsel with breach response experience can bring valuable insight and steadying presence to an unfamiliar and sometimes chaotic situation. In the event of a follow-up investigation by HHS' Office for Civil Rights (OCR) (which is mandated in breaches affecting 500 or more individuals) or civil litigation, an organization's deliberative processes and internal communications and/or actions involving their counsel regarding breach response may be kept confidential through these doctrines. Without the involvement of counsel, the entirety of an organization's actions and communications would be potentially discoverable in the now familiar class-action lawsuits that inevitably follow data breaches.

Activating the Breach Response Plan

If it is determined that a breach has occurred, an organization should immediately take all possible steps to minimize or limit the impact of the breach while documenting its efforts to do so. Mitigation often occurs in parallel with an investigation into the cause of the breach, which has its own document trail. In some cases, such as when a device is physically lost or stolen, mitigation may be impossible unless there is a way to remotely wipe the data contained on it. If the breach involves media or paper that can be tracked or retrieved, every effort should be made to recover it. Law enforcement should be contacted if criminal activity such as theft or intrusion is suspected.

Like other aspects of breach response, a medical practice's internal investigation into a breach should be thoroughly documented. The Privacy Officer, in consultation with privacy counsel for the organization, should collect and preserve evidence in accordance with established policies and procedures. This information may include interviews, e-mails, chat logs, voicemails, cellular calling records, computer logs, and any other information regarding the data loss.

If the breach involves cyber intrusion, the Privacy Officer will likely require the assistance of IT vendors or others such as specially-trained law enforcement divisions. Expert forensic assistance from these individuals can be invaluable when investigating a possible breach or determining the scope of a known breach.

Formal Notification to Individuals, HHS, and Others

Once a breach has been internally confirmed, HIPAA requires official notification to all affected individuals and the OCR. If the breach involves 500 or more individuals, media organizations in the area where the affected individuals live must also be notified. Most times, these notifications must occur within 60 days of when the breach actually was, or should have been, discovered.

This does not necessarily mean that the breach will remain private until further disclosure. In many instances, breaches become public knowledge long before formal notification is made. To prevent such situations from spiraling out of control, it is imperative that an organization's breach response team be prepared to make public limited information in which there is a high degree of confidence, while stressing that the investigation is ongoing and this information may evolve. Scrambling to figure out a breach response strategy while trying to investigate and mitigate the possible harm can easily lead to inaccurate and/or harmful information being disseminated. Responding with silence will only intensify the scrutiny in such situations. A breach response plan will help a practice follow a "script" through an otherwise unfamiliar and potentially high-stakes crisis.

Poor breach notifications can take many shapes. Some fail to acknowledge the seriousness of the situation. Others provide incomplete or incorrect information. Another poor "response strategy" is complete silence or other tone-deaf actions which demonstrate organizational discord or a misunderstanding of the severity of the situation. Any of these missteps can be severely damaging, not only from a reputational point of view, but also during later phases if there is a formal investigation by OCR.  

After the required notifications have been made, the organization should update its current risk management plan to reflect lessons learned and vulnerabilities addressed as a result of the breach.


Most cyber intrusions are not brutish acts of virtual "smash and grab" thuggery, but well-planned and strategic, with the hallmarks of stealth and patience. As data collection and information sharing among healthcare providers and their affiliates grows in the future, the threats to the security and integrity of this information will continue to increase.

Failing to prepare for a breach is the same as preparing to fail at responding to one. As electronic health information continues to multiply along with data sharing among multiple providers and affiliates, preparing for this threat must become an organizational priority for everyone.


21.5M Data Breach Victims Left Clueless


In the two months since discovering that the sensitive personal information of 21.5 million Americans was compromised by a hack of U.S. federal computer networks, the government has yet to officially notify any of the victims, Reuters reported Tuesday (July 14).

Officials from multiple agencies told Reuters the Office of Personnel Management (OPM), which oversaw the stolen data, is working to set up a system to alert those affected, but the mechanism will most likely still take weeks to complete.

While OPM recently claimed to impede 10 million intrusion attempts in an average month, the fact that such a massive breach in security was able to take place has cast a dark shadow over the office and its management. Just last week, OPM Director Katherine Archuleta resigned shortly after the office released the actual number of those left exposed by the considerable personnel data breach.

While it may have been understandable for OPM to take time confirming the full scope of the cyberattacks, as it needed time to perform its own forensic investigation, it remains unclear why there has been such a delay in reaching out to those impacted by the attacks.

An OPM official, who requested not to be identified, told Reuters the complicated nature of the data, coupled with the fact that government employees and contractors frequently move among various agencies, means it may be some time before all of the victims are notified. The government is attempting to establish a centralized system for notification rather than relying on separate agencies, the official said, also noting there is an expectation OPM may hire an outside contractor to perform the work.

Considering the nature of the data exposed, along with reports of the data breach going undetected for a full year, it seems there would be a higher priority placed on protecting those who have been impacted by first providing them with official notification.

In a recent agency release outlining the details of its internal investigation into the attacks, OPM said: “Following the conclusion of the forensics investigation, OPM has determined that the types of information in these records include identification details such as Social Security Numbers; residency and educational history; employment history; information about immediate family and other personal and business acquaintances; health, criminal and financial history; and other details.”

“Some records also include findings from interviews conducted by background investigators and fingerprints. Usernames and passwords that background investigation applicants used to fill out their background investigation forms were also stolen,” the statement continued.

While no official communication may be sent to victims for some time, OPM has confirmed that anyone who went through a security clearance background investigation performed by the office since 2000 can likely assume their information was compromised by the data breach.


Potential HIPAA Violations Found in LA County DPH Audit


An IT security audit at the L.A. County Department of Health (DPH) revealed potential HIPAA violations and several areas for improvement at DPH.

There need to be better system access controls, IT equipment control, and computer encryption, according to a report by the County of Los Angeles Department of Auditor-Controller. The review included testing system access to five systems DPH identified as mission critical, including systems containing sensitive health information. Physical security over IT equipment was also reviewed, along with computer encryption, antivirus software, equipment disposition, and IT security awareness training.

“DPH needs to restrict unneeded access to sensitive/confidential information in their systems, and determine whether unneeded access resulted in a HIPAA/HITECH violation,” the report stated.

In terms of inappropriate systems access, the Auditor-Controller explained that DPH did not remove systems access for 13 users after they were terminated from DPH employment. One of those employee accounts was used for three years after they were terminated to view PHI and to order laboratory tests for approximately 100 DPH clients, according to the report.

DPH’s attached response indicated they determined that a current employee used the terminated employee’s account in performing her job duties. The current employee failed to obtain her own system account, which violated County policy. However, she was authorized to view PHI and no reportable HIPAA/HITECH violation occurred. DPH indicates it has reminded IT managers to promptly remove terminated employee access. DPH is also developing a procedure to notify managers of personnel changes so they can immediately update systems access.

Device encryption is another area that needs improvement, according to the audit report. DPH needs to ensure that portable computers are encrypted because it is a Board Policy requirement. However, DPH did not have encryption documentation for 18 percent of its 1,773 portable computers. DPH also did not have enough detailed documentation, the report found, as the remaining items’ tag or serial numbers could not be matched to any of the computers in inventory.

“DPH’s response indicates they will recall all portable computers to validate and document that each device is encrypted,” the audit stated. “DPH also worked with the Chief Information Office to acquire software that will allow them to monitor the encryption status of all portable and desktop computers.”

One aspect of the audit that was especially disturbing is that DPH reportedly is lacking in its computer incident response. Specifically, the report stated that DPH managers/staff failed to report 131 missing or stolen IT equipment items to the Department’s Information Security Office (DISO) between 2011 and 2013.

Not only is this another Board Policy requirement, the oversight did not allow DISO to assess the impact of any of the data or software loss. Furthermore, DISO could not make required notifications to the Chief Information Office, the Auditor-Controller HIPAA Privacy Officer or the Auditor-Controller Office of County Investigations.

DPH’s response indicates they have reminded all employees to immediately report missing or stolen IT resources to their supervisor. DPH management also told us that subsequent to our review, they investigated and accounted for 100 (76%) of the 131 missing IT equipment items. Of the 31 that remain unaccounted for, DPH indicated that three could have contained PHI, but DPH indicated they believe the risk of a breach is low.

Following this audit, and a less than ideal audit at the L.A. County Probation Department, Supervisor Mark Ridley-Thomas requested that county staff report back on how feasible it would be to conduct annual IT and security review audits on all county departments. The Board of Supervisors unanimously approved the request, according to The Los Angeles Daily News.

“We want to foster accountability and transparency in the county, that’s the move we’re making,” Ridley-Thomas told the news source. “Our security, quality, safeguards and monitoring efforts need to keep up. We need to improve what we’re doing ... We need to step up our game.”


HIPAA Compliance is a Business Risk


Medicine is Risky

The practice of medicine is a risky business. There is always the risk that a certain treatment will fail to help a patient. There is a risk of being accused of malpractice. There is a risk of being accused of incorrectly billing a patient, insurance company or government agency. There is a risk of being sued by an employee or ex-employee for HR related issues. The list of risks goes on and on.

Healthcare is not unique when it comes to risk. Lawyers, accountants, architects and engineers all have associated business risk. In fact, it can be argued that every business has associated risk. The risk of a business failing is with every business no matter what vertical that business operates in. Just ask Enron and RadioShack and Joe’s pizza.

Manage Risk

The key to business risk is how an organization manages the risk. Healthcare organizations have malpractice insurance which usually comes with a malpractice risk management program. The program identifies areas of risk, provides steps to reduce risk and defines steps to minimize the impact of losses when they occur.

Risk management refers to strategies that reduce and minimize the possibility of an adverse outcome, harm, or a loss. The systematic gathering and utilization of data are essential to loss prevention. Good risk management techniques improve the quality of patient care and reduce the probability of an adverse outcome or a medical malpractice claim. This core curriculum outlines the attitudes, knowledge, and skills currently recommended for residents in the area of risk management. The primary goal of successful risk management is to reduce untoward events to patients. Risk management programs are designed to reduce the risk to patients and resulting liability to the health care provider. Standard of care is the foundation for risk management. The main factors in risk management include the following.

Nonmedical and medical risk management is a three-step process which involves: 1) identifying risk; 2) avoiding or minimizing the risk of loss; and 3) reducing the impact of losses when they occur. Medical risk management focuses on risk reduction through improvement of patient care.

Patient Data Risk

The practice of creating, storing and accessing electronic patient data brings with it new risks to healthcare organizations. Sure, in the past there was a risk of someone breaking into an office and stealing patients’ paper charts, but the risk exponentially increases now that a majority of new patient data is electronic. All this data is spread across electronic health records (EHRs), patient portals, digital x-ray machines, email, desktops, laptops, USB drives, smartphones and tablets. There are risks of an employee mistake like losing a laptop with patient information or falling for a fake email that tricks them into giving up information that thieves can use to access and steal patient data.

Like any other business risk, the risk to patient data needs to be properly managed. Just like with a malpractice risk management program, the risk to patient data needs to be addressed with 3 steps:

  1. Identifying Risk – it is critical that organizations understand what risks are associated with electronic patient data. Where is the data stored or accessed? As mentioned previously, the data could be stored on servers in an office, in a cloud-based EHR, on laptops or mobile devices. It is critical to get a thorough inventory of all patient data that is created, stored or accessed. The next step is understanding the risk to all of this patient data. The risk to data stored on a digital ultrasound machine is much different than data stored on laptops that leave an office.
  2. Minimize Risk – once the various risks are identified to patient data, it is critical to take steps to reduce the risk. Implementing the proper safeguards such as security policies and procedures and employee training can go a long way to lower the risk to patient data.
  3. Reduce the Impact – unfortunately it is very difficult to eliminate the risk to patient data. Steps can be taken to lower the risk but the amount of patient data is increasing every day and the risk of employee mistakes or criminals stealing the data increases as well. Organizations need to have a plan in place to respond to a patient data breach. That plan may include a breach response program that defines the steps the organization will take if there is a breach, or ensuring that an organization’s IT department or company is prepared to respond and/or stop a suspected data breach. Reducing the impact of a patient data breach might include cyber insurance that will provide financial resources to help the organization in the event of a data breach.

Don’t Hate HIPAA

Many people I talk to tell me they hate HIPAA regulations. I don’t blame them. Most people don’t like forced government regulations that have the threat of audits and fines. But HIPAA regulations are really just a risk management program for patient data. HIPAA calls for organizations to take inventory of where patient information is created, stored or accessed. It requires organizations to identify and manage associated risk to patient data. And it calls for organizations to be prepared to respond and lower the impact if patient data is lost, stolen or breached. When compared to a malpractice risk management program, the HIPAA risk management program is very similar.

When I talk to people about HIPAA I make it clear that the risk of a random HIPAA audit is very low. But the risk that patient data is lost, stolen or breached is increasing every day. Patient data needs to be thought of as a business risk that needs to be properly managed.


5 keys to managing a data breach


Unfortunately, data breaches have become an extremely common occurrence. Not all of them have the high profile of a Target, Ashley Madison, Home Depot or Anthem breach, but the damage to a company and its reputation is very real.

While companies can purchase cyber insurance to help manage the risks associated with a breach, there are also steps a business can take to maximize the relationship with their breach team and minimize the fallout following the cyber event.

Here are five factors to consider when it comes to managing a company’s cyber attack or data breach.

 1. Assess the risk

So how does a company prepare for such an eventuality and what steps should be taken after a breach occurs?

“Start with what you will face if a breach occurs,” advises Anthony Roman, president of Roman & Associates, a global investigation, risk management and computer security consultation firm. “Corporations of all sizes that hold any information that can be deemed private or personal are going to face a number of very serious hurdles in a breach that will encourage them to have a breach plan.”

Roman says this includes class action suits for the “undue release or allowing the release of personal and private information. The average class action suit is settling for $2.9 to $3 million.” He estimates the legal costs to defend a company in a class action suit will range anywhere from several hundred thousand dollars to well over one million.

“You may face government sanctions for local, state, federal or legal violations, some of which are criminal in nature and some which are civil in nature,” he explains. Criminal violations can pierce the corporate veil and involve specific individuals within the corporation.

There could also be regulatory sanctions if the company violated any Federal Communications Commission (FCC) regulations or any other regulatory agency’s regulations regarding cyber security. “That should be a wonderful motivator for anyone to have a robust and compliant breach program,” he adds.

Roman recommends that companies work with their brokers to craft coverage that will reduce their risk, review the policy exclusions, and ensure that they are insured to cover the types of information that will be affected and the resulting exposures from a breach.

2. Avoid these mistakes

The saying goes, “Fail to plan and plan to fail,” and nowhere is that more true than with cyberattacks and breaches. “Not having a well thought out and documented roadmap for the ‘what, when, where, who and how’ of responding to a suspected data breach is a recipe for disaster,” says Paul Nikhinson, Esq., privacy breach response services manager for Beazley.


“Most post-incident mistakes could be avoided or mitigated by implementing appropriate pre-incident prevention and response plans,” adds Kevin Kalinich at Aon. He says that some of the major mistakes companies make include:

  • Internal company denial regarding the potential magnitude of the incident. Appropriate resources and attention must be allocated immediately to determine the magnitude of the incident. The financial impact of cyber incidents is not always directly correlated with the size of the incident, but the financial statement impact is often correlated to the effectiveness of the response.
  • Automatically characterizing an “incident” (no immediate legal liability connotations) as a “breach” (immediate legal liability connotations under various laws, regulations and insurance policies).
  • Passing the buck rather than developing a comprehensive coordinated response.
  • Defensive reaction to regulators rather than an open and frank dialogue.
  • Failure to timely notify any and all potentially applicable insurance carriers.

Overreacting or underreacting to the event can also be a problem says Nikhinson. “Where there’s smoke, there’s fire; however, not every bit of smoke necessarily means a five-alarm fire. Going too quickly to the media and clients without an adequate command of the facts often causes far more harm than good.”

He also says that a company can’t just put its “head in the sand and hope for the best. This isn’t just an ‘IT’ problem. It’s something that could result in catastrophic financial and reputational damage to the company.”

Other problems include not having a plan at all, not following the established plan, not engaging a breach coach or team, and having poor communication between breach team members.

3. Working effectively with your breach team

After a company experiences a breach is not the time to be pulling together a team to address the problem. Assuming that a company already has a highly qualified team in place involving legal, IT, security, human resources, risk management and public relations professionals, experts recommend notifying legal counsel as soon as a cyber incident is discovered. “Counsel should handle retaining outside experts to maintain privilege, which puts the company in the best defensible position possible,” counsels Bob Parisi, Marsh’s cyber product leader.


Kalinich concurs. “Legal counsel should be involved as soon as a cyber incident is identified for a variety of risk mitigation, contractual liability, privacy liability, legal compliance and financial statement impact reduction reasons. Thereafter, depending upon the nature of the incident, the chief information security officer (CISO), IT security, privacy officer and management responsible for cyber incident response should be simultaneously notified. Outside parties such as customers, partners, vendors, suppliers, etc. need not be notified until the entity understands what happened (subject to notification laws, of course).”

Roman recommends activating the company’s internal breach team as soon as a breach is revealed since most breaches occur way before they are discovered. “As you’re noticing it happened, it probably occurred earlier and they are sucking you dry of confidential information, client information, individuals’ personal information, corporate secrets and information that may be sensitive from a public relations perspective.”

There should also be a designated team leader and decision-maker says Roman, “Someone who can take all of the advice and says this is what we will do and has the authority to do it.” He also recommends that executives resist the urge to micromanage the problem. “They should assess the decisions made by the professionals and act accordingly.”

Communication between team members is critical to successfully managing the breach. “Do your best to break down internal information silos,” recommends Beazley’s Nikhinson. “Does legal know what IT/IS is investigating and how it is being documented? Does IS know that risk purchased a cyber-insurance policy and that it has certain reporting requirements? At what point do you bring in corporate communications? Coordination between all of the internal stakeholders is essential, and having someone akin to a project manager to facilitate that coordination can make all the difference in the world.”

4. Experience matters

Insurance brokers, legal counsel, public relations professionals and other vendors on the breach team should have extensive experience in cyber attacks and breaches. An experienced insurance broker can help a client find a cyber policy that best matches their needs and risks says Parisi. “The broker should have assisted the client in fully understanding coverage as well as the value-added services that are part of today’s cyber coverage. By doing that the client will be able to fully utilize the benefits of the coverage when a breach or event happens.”

Clients should report a breach to their broker or agent as soon as it occurs. According to Aon’s Kalinich, an experienced cyber broker will be able to:

  • Identify the applicable insurance policies.
  • Provide the insured with the required insurance notice requirements.
  • Detail any specific insurance policy requirements (i.e., third-party forensic experts must be selected from the insurance company panel in order to be covered by the insurance policy).
  • Arrange a call between insurance broker legal cyber incident claims specialist and the insured.
  • Determine whether, and in what manner, notice is required to insurers.
  • Describe past cyber incident best practices that reduce the total cost of risk.
  • Maintain consistent and timely communications between the insured and the insurers.

5. Practice makes perfect

Roman recommends that companies hold periodic breach rehearsals, which can be conducted by a firm outside of the business. “Surprise your team. Tell them this is a drill and there is a breach,” he advises. This gives executives an opportunity to see how quickly the breach team can be pulled together and how they will react to a real breach. It also gives them an opportunity to role play some of the critical elements of the plan.

Brokers can assist their clients by ensuring they have the right coverage for their business exposures as well as “a proactive relationship with their carrier’s breach response team so their first meeting doesn’t occur in the middle of a firefight,” adds Nikhinson.

Waiting until after a cyber breach occurs is too late to begin managing its effects, and can have dire consequences to a company’s reputation and its bottom line. Being proactive will help mitigate some of the damage and give the company a roadmap for successfully managing the breach.

Moving in Front of Healthcare’s Connectivity Curve

As a clinician, technology is a significant interest in my life. I have always felt that one way in which to stay young is to embrace technology, and to understand how technology integrates into our professional and personal lives.

This past April, I was intrigued by the announcement of ResearchKit by Apple. The first research apps developed covered five areas of study: asthma, breast cancer, cardiovascular disease, diabetes, and Parkinson’s disease. However, the number of commercial and institutional research organizations using the open-source platform of ResearchKit is expanding daily.

More than 75,000 people have enrolled in ongoing health studies using ResearchKit apps to gather health data. Smartphones and wearable technology, with their microphones, cameras, motion sensors, and GPS devices, have unique advantages for gathering health data, and, in some cases, can serve as a valuable addition to regular care from a provider.

The possibilities for benefiting the body of health knowledge are endless. However, it is important for patients to be mindful and use these tools wisely in this modern world of connectivity.

More than a few people are commenting on the possible risks of gathering data in this way. As always in our modern society, available technology is way ahead of regulations. For example, we have strong laws and regulations regarding patient confidentiality enshrined in medical tradition and HIPAA.

Recognizing this vulnerability, Apple added the following to their app store submission guidelines: “All studies conducted via ResearchKit must obtain prior approval from an independent ethics review board.” Meaning, all studies must obtain Institutional Review Board (IRB) approval. This is a good step in the right direction, but much more care is needed to gather data with the expanding number of ResearchKit apps, to ensure that personal health data is protected and that this technology is used in an ethical, and lawful, way.

Regardless of all the caveats, I remain intrigued and hopeful that leveraging technology via tools such as smartphones and software like ResearchKit will be a great boon to the understanding of disease and treatments around the world.

I would recommend the following to put us ahead of the curve with these new tools:

  1. Ethical guidelines and procedures need to be developed by the research community in the U.S. to ensure that use of technology in research data gathering is done with the greatest protection of the patients’ individual health data.
  2. Laws and regulations need to be considered to ensure the integrity of the data as well as the protection of personal health information.
  3. Companies like Apple, who are leading the roll out of this technology, should not wait for state and federal governmental entities to regulate the use of technology in research and should be leaders in the ethical, responsible use of apps to gather and use health research data.

Technology in medicine is constantly evolving. We have to try to evolve with it, however, and recognize that the law of unintended consequences is always present, and will always present challenges as the vast universe of technology expands with ever-increasing speed in medicine and every other area of life.

Millions Potentially Affected by Premera Data Breach

With so many data breach lawsuits in the news lately, a person would think that companies that have access to private consumer or patient information would take cyber security seriously. Unfortunately, every day there seems to be more news about companies that have been hit by hackers and have allowed customer information to be made vulnerable. One of the more recent data breaches is the Premera data breach, in which millions of patients had their private information compromised.

Lawsuits have followed, with plaintiffs alleging Premera Blue Cross did not properly or adequately secure customer information. The lawsuits allege negligence on Premera’s part. As of July 15, 2015, the number of lawsuits consolidated for pretrial proceedings sits at around 35, according to court documents. But the multidistrict litigation (MDL Number 2633) was only just approved, and more lawsuits could certainly be filed, given the massive number of patients affected by the cyber attack.

Reports indicate that up to 11 million customers may have had their information compromised, although some reports put the number affected at around 4.5 million. Still, for those whose information was accessed, the results can be disastrous.

That’s because information stored by companies such as Premera could be used to commit identity theft, where thieves file for credit or tax refunds under someone else’s name. That puts the victim at risk of having his or her credit negatively affected and having lenders come after the victim for bogus mortgages and lines of credit, not to mention the trouble he or she could face for a fraudulent tax return.

Even those who aren’t victims of large-scale identity theft face the time and hassle of sorting out the consequences of having credit

Premera Data Breach Lawyer: Companies Must Face Consequences for Failing to Protect Identifying Information
Premera Blue Cross Data Breach Results in Several Lawsuits, Class Actions
Patient health information is protected under the Health Insurance Portability and Accountability Act (HIPAA). HIPAA also requires timely notification of information breaches, which critics say was violated here. According to some attorneys, Premera allegedly knew about issues in its security systems from an audit, but did not adequately address those issues, leaving patient information vulnerable.

Furthermore, the data breach allegedly started back in May 2014, but Premera reportedly didn’t warn customers until March 2015. Patients were notified by a letter that their personal information might have been accessed.

What Closing the HIPAA Gaps Means for the Future of Healthcare Privacy

By now, most people have felt the effects of the HIPAA Privacy Rule (from the Health Insurance Portability and Accountability Act). HIPAA has set the primary standard for the privacy of healthcare information in the United States since the rule went into effect in 2003. It’s an important rule that creates significant baseline privacy protections for healthcare information across the country.

Yet, from the beginning, important gaps have existed in HIPAA – the most significant involving its “scope.” The rule was driven by congressional decisions having little to do with privacy, but focused more on the portability of health insurance coverage and the transmission of standardized electronic transactions.

Because of the way the HIPAA law was crafted, the U.S. Department of Health and Human Services (HHS) could only write a privacy rule focused on HIPAA “covered entities” like healthcare providers and health insurers. This left certain segments of related industries that regularly use or create healthcare information, such as life insurers or workers' compensation carriers, beyond the reach of the HIPAA rules. Therefore, HIPAA has always had a limited scope that did not provide full protection for all medical privacy.

So why do we care about this now?

While the initial gaps in HIPAA were modest, in the past decade, we’ve seen a dramatic increase in the range of entities that create, use, and disclose healthcare information and an explosion in the creation of healthcare data that falls outside HIPAA.

For example, commercial websites like WebMD and patient support groups regularly gather and distribute healthcare information. We’ve also seen a significant expansion in mobile applications directed to healthcare data or offered in connection with health information. There’s a new range of “wearable” products that gather your health data. Virtually none of this information is covered by HIPAA.

At the same time, the growing popularity of Big Data is also spreading the potential impact from this unprotected healthcare data. A recent White House report found that Big Data analytics have the potential to eclipse longstanding civil rights protections in how personal information is used in many areas including healthcare. The report also stated that the privacy frameworks that currently cover healthcare information may not be well suited to address these developments. There is no indication that this explosion is slowing down.

We’ve reached (and passed) a tipping point on this issue, creating enormous concern over how the privacy interests of individuals are being protected (if at all) for this “non-HIPAA” healthcare data. So, what can be done to address this problem?

Debating the solutions

Healthcare leaders have called for broader controls to afford some level of privacy to all health information, regardless of its source. For example, FTC commissioner Julie Brill asks whether we should be “breaking down the legal silos to better protect that same health information when it is generated elsewhere.”

These risks also intersect with the goal of “patient engagement,” which has become an important theme of healthcare reform. There’s increased concern about how patients view this use of data, and whether there are meaningful ways for patients to understand how their data is being used. The complexity of the regulatory structure (where protections depend on sources of data rather than “kinds” of data), and the task of determining data sources (which is often difficult, if not impossible), have led to an increased call for broader but simplified regulation of healthcare data overall. This likely will call into question the lines that were drawn by the HIPAA statute, and easily could lead to a re-evaluation of the overall HIPAA framework.

Three options are being discussed on how to address non-HIPAA healthcare data:

  • Establishing a specific set of principles applicable only to “non-HIPAA healthcare data” (with an obvious ambiguity about what “healthcare data” would mean)
  • Developing a set of principles (through an amendment to the scope of HIPAA or otherwise) that would apply to all healthcare data
  • Creating a broader general privacy law that would apply to all personal data (with or without a carve-out for data currently covered by the HIPAA rules).


It’s clear that the debate and policymaking “noise” on this issue will be ongoing and extensive. Affected groups will make proposals, regulators will opine, and legislative hearings will be held. Industry groups may develop guidelines or standards to forestall federal legislation. We’re a long way from any agreement on defining new rules, despite the growing consensus that something must be done.

Therefore, companies that create, gather, use, or disclose any kind of healthcare data should evaluate how this debate might affect them and how their behavior might need to change in the future. The challenge for your company is to understand these issues, think carefully and strategically about your role in the debate, and anticipate how they could affect your business going forward.

Patients suing Fort Wayne medical company over data breach

Two lawsuits have been filed in federal court in Fort Wayne seeking class action status on behalf of patients who have had their data compromised by Medical Informatics Engineering.

The Fort Wayne-based medical software company has reported that the private information of 3.9 million people nationwide was exposed when its networks were hacked earlier this year. The compromised information includes patients' names, Social Security numbers, birth dates and addresses, The (Fort Wayne) Journal Gazette (http://bit.ly/1W3PLHO) reported.

The company contacted the FBI to report the data breach in May and began issuing letters to patients, letting them know which provider's information was hacked and offering them credit monitoring services, in mid-July.

The first lawsuit was filed last week by one patient, while the second lawsuit was filed Tuesday by three other patients.

Both lawsuits are similar and accuse the company of negligence. The plaintiffs argue that the company should've realized the risks associated with collecting and storing patients' personal information, and that the company had a responsibility to protect their data, according to court documents.

The lawsuits allege that Medical Informatics Engineering failed to take steps to prevent and stop the data breach, failed to comply with industry standards for safeguarding such data, and failed to properly implement technical systems or security practices, the documents said.

"Given the risk involved and the amount of data at issue, MIE's breach of its duties was entirely unreasonable," the attorneys wrote in the lawsuit.

In addition to class action status, all four patients also are seeking damages and expenses.

Eric Jones, co-founder and CEO of Medical Informatics Engineering, confirmed to the Associated Press Thursday that the company is aware of the two pending lawsuits.

"Our primary focus at this time is on responding to requests for information to those affected and helping them to enroll in credit monitoring and identity protection services," he said.

Pentagon Data Breach Shows Growing Sophistication Of Phishing Attacks

U.S. officials confirmed this week that the Pentagon was hit by a spearphishing cyberattack last month, most likely from Russian hackers, which compromised an unclassified email system.

The attack compromised the information of around 4,000 military and civilian personnel who work for the Joint Chiefs of Staff, a U.S. official confirmed to NBC News. Officials said no classified information was taken, but didn't specify in the report how much or what kind of non-classified information was involved.

The attack occurred around July 25 and was what officials called a "sophisticated cyberattack." The suspected Russian hackers, who may or may not be connected with the Russian government, used automated social engineering tactics to gain information from employee social media accounts and then used that information to conduct a spearphishing attack, according to CNN, which first reported the attack.

The news of the breach comes on the heels of the massive Office of Personnel Management (OPM) breach that occurred earlier this year, compromising the personal information of more than 21.5 million federal employees and contractors. While this latest breach was significantly smaller in number of records compromised, it speaks to the growing sophistication of phishing attacks as an entrance to move laterally across the network, Unisys Vice President of Security Solutions Tom Patterson said.

"Phishing attacks like this one aimed at the Pentagon’s joint staff are not new. What makes them more effective is the amount of advance knowledge the attackers have in order to trick the recipient into clicking on the link," Patterson said. "With so much personal information now in the wild, attackers are able to create a ‘pattern of life’ on targets which makes phishing attacks such as this one aimed at the Pentagon’s joint staff much more effective."

Patterson said the sophistication in this attack was not the phishing itself, which is fairly common, but in the hacker's "clever exfiltration of data."

"The days of the typo-ridden silly emails are long gone. Today’s phishing attack looks as real as an authentic message, and are only going to get better," Patterson said.

While it is important for a business to focus on phishing prevention through user education, Patterson said it is becoming clear that enterprises need to put more emphasis on mitigation once the hacker enters the network, as the "standard pattern of attack" is to gain access through phishing, then escalate privileges and spread laterally. One way to do that, he said, is employing micro-segmentation of data, which divides the data center into smaller zones for easier security enforcement.

"Enterprises in both government and private sector have begun to shift their defenses inward, understanding that it only takes one of these types of phishing attacks to be successful," Patterson said. "With this new drive toward mitigation, enterprises can use micro-segmentation to survive and manage these inevitable types of attacks."

Healthcare Hacker Attacks: The Impact

The recent string of major hacker attacks in the healthcare sector, including the cyber-attack on UCLA Health, calls attention to the urgent need for organizations to step up their security programs.

Security experts say healthcare organizations need to carefully reassess their risks and then take appropriate security measures, which, in many cases, will include implementing multifactor authentication; improving breach monitoring and detection; and ramping up staff security education, among other steps.

The sophistication of cyber-attackers is making defending against threats in the healthcare sector more challenging, says John Halamka, M.D., CIO of Beth Israel Deaconess Medical Center in Boston.

"Five years ago, external attacks on healthcare were most often from single actors or curious students. Today they are from organized crime, state-sponsored cyberterrorism and hacktivism," he says.

Healthcare is becoming a bigger target for hackers and other cybercriminals for three main reasons, Halamka contends. "One, healthcare has traditionally under-invested in IT compared to other industries, leaving it more vulnerable. Two, healthcare tends to aggregate a large amount of personally identified information in one place, making it easy to breach a large number of records in a single attack. Three, medical identity theft - fraudulently receiving healthcare services - can be more profitable than financial identity theft."

Insufficient Efforts

Even some well-meaning healthcare organizations are also realizing that the diligent efforts they've been putting into information security aren't enough, notes privacy and security attorney Kirk Nahra, a partner at the law firm Wiley Rein.

"Many healthcare industry organizations thought they had pretty good information security. But these attacks have been eye-opening to many companies, that 'we really need to beef up' in terms of protection against these external risks," he says.

Christopher Paidhrin, who recently became information security manager for the city of Portland, Ore., after 15 years as an information security leader at West Coast healthcare provider PeaceHealth, offers a similar assessment. "If CISOs are not now assessing their cybersecurity posture - and exposure - they soon will," he says.

"The scope of vulnerabilities is increasing, and the 'defensive' security program model is failing to meet the challenge of the threats," he says. "Surveys over the past few years indicate that more than 90 percent of organizations sampled have already been hacked. That is a startling number that requires a national emergency-level response."

The attacks on the healthcare sector will only worsen, Paidhrin predicts. "Cybercriminals are motivated by money, easy money. Healthcare offers one of the greatest return on investment efforts with the lowest level of detection and risk. Medical information is data rich, and durable. Credit card data lasts for a month or two, before a bank disables an account. Health information is much more durable, with much of it unchangeable for the life of the affected individual."

UCLA Health Breach

In the latest headline-grabbing hack attack in the healthcare sector, UCLA Health estimates that data on as many as 4.5 million individuals potentially may have been impacted by a cyber-attack that is thought to have begun last September and is "believed to be the work of criminal hackers." UCLA Health says it is working with FBI investigators and has also hired private computer forensic experts to further secure information on network servers.

"In today's information security environment, large, high-profile organizations such as UCLA Health are under near-constant attack," the organization said. "UCLA Health identifies and blocks millions of known hacker attempts each year."

As for who was responsible for the UCLA Health breach, and how the hackers gained access to the systems, "the cyber-attack on UCLA Health is still under investigation, we are unable to discuss particulars or provide further information regarding the attack," a spokesman for UCLA Health tells Information Security Media Group.

With the exception of UCLA Health, most of the largest hacker attacks so far this year targeted insurers, including Anthem Inc., which was hit by a breach affecting nearly 80 million individuals; Premera Blue Cross; and CareFirst Blue Cross Blue Shield.

Will Spending More Help?

Some observers say all the recent headlines about hacker attacks could make it easier for CISOs and CIOs to win support from senior leaders for funding to ramp up information security efforts. But will increased spending make a difference?

"The argument for funding will be easier, because the frequency and size of healthcare sector attacks provide CISOs with mounting evidence to justify increased funding, but it will not guarantee action," Paidhrin says. "Funding generally occurs when the 'what, specifically, can be done?' question can be answered with a price tag less than the perceived cost of assuming the risk. ...Healthcare is struggling, as are all other sectors, to find affordable and effective technologies, skilled cybersecurity personnel and process maturity."

But technology investments won't necessarily stop hackers who rely on social engineering to scam users into providing their network credentials through phishing attacks. "Although spending increases on healthcare IT and cybersecurity will help, the most effective risk mitigator is education," Halamka says. "We are as vulnerable as our most gullible authorized user."

Paidhrin sees a "disturbing trend" toward advanced persistent threats and social engineering, which both largely bypass network perimeter defenses. "APTs are stealthy, very effective at exploiting under-the-radar vulnerabilities that do not trigger the alert thresholds of many security systems," he notes. "Social engineering, basically tricking an authorized user to assist an attacker into an action that exploits a vulnerability, is much simpler than a frontal assault on a network. Why break a lock when you can ask for the keys, and get them?"

Wake-Up Call

The most significant impact the recent hacker attacks will have on the healthcare sector is "information security will need to be considered as an integral part of the security and operations processes of healthcare organizations," says Mitch Parker, CISO of Temple University Health System. "They will need to become more proactive and consider risk as equally as utility."

The hacker attacks should serve as a wake-up call for some organizations that have skimped on their information security risk management practices. "Organizations are supposed to re-assess their information security programs, processes, and technologies on a regular basis to continually improve," Parker says. "That is the purpose of risk management. Incidents such as these should be used to evaluate your organization's current practices and make changes or improvements beneficial to your organization."

Paidhrin says many organizations need to take four "not-so-easy steps" to bolster their security. Those include:

  • Two-factor authentication. "Weak passwords, seldom if ever changed, are the bane of information security. Requiring a token, something other than a username and password - both things you know - is the cheapest big step up the security ladder," he says.
  • Data segmentation. "Valuable, sensitive information needs to be segmented from general user access, not all accessible from one network or one level of user account."
  • Proactive monitoring for unauthorized use. "When 90 percent or more of organizations are potentially compromised, real-time detection of threat actors is essential."
  • Rapid response. "The meme of today is 'It's not if, but when we will be breached.' If an organization cannot respond to an attack and penetration, with effective countermeasures, all of the other information security measures, funding, planning and effort will be undone."

Organizations in all sectors, not just healthcare, need to up their game, says Nahra, the attorney. "It's a real challenge. The healthcare sector isn't alone in terms of facing weaknesses and threats."

The Cloud is Good, But Know Where Data Go

A recent settlement announcement from the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) highlights the need to evaluate web-based applications and storage solutions. Web-based or cloud solutions are viable options and tools for healthcare entities to utilize, but those tools need to be evaluated for compliance with HIPAA security requirements.

Saint Elizabeth’s Medical Center (“SEMC”), located outside of Boston, MA, learned this lesson the hard way. On November 16, 2012, certain workforce members at SEMC reported suspected non-compliance with HIPAA to OCR. The report focused upon use of an internet-based document sharing and storage application. The specific site is not identified in the OCR Resolution Agreement, but Dropbox is an example of an online storage site that does not meet HIPAA security requirements. OCR notified SEMC of the results of its investigation on February 14, 2013. Fast forward a year and SEMC then reported a breach regarding a workforce member’s unsecured laptop and USB storage device. The combination of events led OCR to conclude that SEMC failed to implement sufficient security measures required by HIPAA and SEMC did not timely identify or mitigate harmful effects from identified deficiencies.

As a result of the two reported incidents, SEMC is now paying $218,400 to OCR in settlement funds. The settlement continues the trend of not being able to accurately guess the amount of a fine that will be levied. As stated in the announcement, OCR “takes into consideration the circumstances of the complaint and breach, the size of the entity, and the type of PHI disclosed.” This statement potentially gives some insight, which can be interpreted to mean that entities with bigger pockets will be hit with larger fines because such entities can absorb larger fines.

The other consideration raised by the SEMC settlement is what to do about cloud-based storage and sharing solutions. Should all such tools be locked away from use by healthcare organizations? This is not necessarily the answer because some tools do follow HIPAA security requirements. For example, some cloud storage services were built specifically for healthcare, and as such are more cognizant of applicable regulatory requirements. More general sites, such as Box, note HIPAA requirements and claim to meet required standards. As such, it is possible for organizations to utilize cloud-based options.

However, it is not necessarily the choices of an organization as a whole that are troublesome. In SEMC’s case, it is not clear whether the workforce members acted under SEMC’s direction or utilized the cloud sites without SEMC’s direct knowledge. The unsupervised actions of workforce members are what can cause an organization a lot of concern. Organizations need to train and educate workforce members, but cannot always control their actions. Despite the inability to constantly track what a workforce member is doing, certain steps could be taken to alleviate concerns. One measure would be to block access to websites that could lead to a potential breach or other non-compliance. Such a measure may not make all workforce members happy, but an organization should assess its risks and take appropriate measures. Additionally, an organization can suggest that compliant sites be used.

Regardless of the approach taken, organizations need to be cognizant of the risks posed by cloud based storage, especially on the individual level. OCR’s settlement with SEMC is only the most recent action to highlight the concern. As has been stated before, once OCR releases a settlement addressing an issue, subsequent organizations with the same issue can expect greater focus on the identified issue and less leniency when it comes to a violation.

UCLA Health Cyber-Attack Affects Millions

The FBI is investigating the latest in a string of major cyber-attacks in the healthcare sector. UCLA Health confirms that information on 4.5 million individuals may have been exposed when hackers breached its network in an attack that appears to have begun last September.

UCLA Health says in a July 17 statement that it appears that "criminal hackers" accessed parts of the organization's computer network that contain personal and medical information. "UCLA Health has no evidence at this time that the cyber-attacker actually accessed or acquired any individual's personal or medical information," the statement notes.

UCLA Health includes four hospitals on two campuses - Ronald Reagan UCLA Medical Center; UCLA Medical Center, Santa Monica; Mattel Children's Hospital UCLA; and Resnick Neuropsychiatric Hospital at UCLA - and more than 150 primary and specialty offices throughout Southern California.

Other Cyber-Attacks

The attack on UCLA Health is the latest of several massive hacker assaults on healthcare sector organizations in recent months. Most of the largest attacks so far this year have been on health insurers. Those include attacks against: Anthem Inc., which resulted in a breach impacting more than 79 million individuals; Premera Blue Cross, which affected about 11 million; and CareFirst Blue Cross Blue Shield, which impacted 1.1 million.

The largest recent hacker attack against a provider organization was last August, when Community Health Systems reported a breach affecting 4.5 million individuals. "Forensic investigators have said that an advanced persistent threat group originating from China used highly sophisticated malware and technology to attack the company's systems," according to Community Health Systems' 8-K filing to the U.S. Securities and Exchange Commission last year.

FBI Investigating

UCLA Health is working with investigators from the FBI, and has hired private computer forensic experts to further secure information on network servers, its statement says.

"We take this attack on our systems extremely seriously," says James Atkinson, the interim associate vice chancellor and president of the UCLA Hospital System. "We have taken significant steps to further protect data and strengthen our network against another cyber-attack."

UCLA Health says it detected suspicious activity in its network in October 2014, and began an investigation with assistance from the FBI. At that time, it did not appear that the attackers had gained access to the parts of the network that contain personal and medical information. "As part of that ongoing investigation, on May 5, 2015, UCLA Health determined that the attackers had accessed parts of the network that contain personal information such as names, addresses, dates of birth, Social Security numbers, medical record numbers, Medicare or health plan ID numbers and some medical information.

"Based on the continuing investigation, it appears that the attackers may have had access to these parts of the network as early as September 2014. We continue to investigate this matter."

The organization says there is no evidence yet that the hackers actually accessed or acquired individuals' personal or medical information. But because the organization cannot conclusively rule out the possibility that the attackers may have accessed the information, UCLA Health is offering all potentially affected individuals 12 months of free identity theft recovery and restoration services as well as additional healthcare identity protection tools.

In addition, individuals whose Social Security number or Medicare identification number was stored on the affected parts of the network will receive 12 months of free credit monitoring.

Healthcare as a Target

Privacy and security attorney Kirk Nahra of the law firm Wiley Rein says this latest breach affecting UCLA Health is just another sign "that clearly, the healthcare sector is under cyber-attack."

"People can no longer say, 'this won't happen to me.' It will happen to you," he says. Organizations not only need to beef up their security controls, but they also need to be on the lookout for fraud that involves stolen IDs, he says. "If UCLA Health's patients' records are stolen, then other healthcare providers down the street should be watching out" for fraudsters using the compromised data to obtain medical services or to commit other fraud, he warns.

Privacy and security attorney Ron Raether of the law firm Faruki Ireland & Cox P.L.L. says healthcare organizations are following financial institutions, data aggregators and retailers in becoming prime targets for hackers in search of valuable data that can be used to commit fraud.

"Hackers look for the most data for the least effort. Hospitals have a lot of information both current and historical without any real limits," he says. "The character of the data is of high value - not just treatment and the usual identifiers but also payment information and family history and other data which could be used in security questions."

Hospitals need to learn from lessons of other business sectors and invest in sound data governance practices, he adds.

Hospital to pay $218,400 for HIPAA violations

St. Elizabeth's Medical Center must pay $218,400 for HIPAA violations through an agreement with the Department of Health and Human Services' Office for Civil Rights.

In 2012, the OCR received a complaint alleging that the Brighton, Massachusetts-based health center did not analyze the risks of an Internet-based document sharing app, which stored protected health information for almost 500 individuals, according to an announcement from OCR.

During its investigation, OCR found that the health center "failed to timely identify and respond to the known security incident, mitigate the harmful effects of the security incident, and document the security incident and its outcome." In addition, St. Elizabeth's in 2014 submitted notification to OCR that a laptop and USB drive had been breached, putting unsecured protected health information for 595 consumers at risk.

OCR also is requiring that St. Elizabeth's adopt a corrective action plan to correct deficiencies in its HIPAA compliance program.

"Organizations must pay particular attention to HIPAA's requirements when using Internet-based document sharing applications," OCR Director Jocelyn Samuels said in an announcement. "In order to reduce potential risks and vulnerabilities, all workforce members must follow all policies and procedures, and entities must ensure that incidents are reported and mitigated in a timely manner."

A recent report from application security vendor Veracode found that the healthcare industry fares poorly compared to other industries in reducing application security risk.

Healthcare also is near the bottom of the pack when it comes to addressing remediation, with only 43 percent of known vulnerabilities being remediated.

While Phase II of the federal HIPAA audit program remains "under development," Samuels reiterated in March that OCR is "committed to implementing a robust audit program," FierceHealthIT previously reported.

Avoid this little-known but costly HIPAA trap

Healthcare providers who call patients or send automated calls or text messages may be running afoul of federal law.

The law in question, the Telephone Consumer Protection Act (TCPA), was enacted in the 1990s to protect consumers against unwanted automated calls sent to residences or cellphones. The Federal Communications Commission recently established an exemption for healthcare messages that are regulated through HIPAA.

The problem? According to Christine Reilly, co-chair of the TCPA Compliance and Class Action Defense group at the law firm of Manatt, Phelps & Philips, HIPAA doesn't specifically define a "healthcare message."

"There really is not a lot there about those requirements," she told mHealth News. "It is not exactly a model of clarity."

The TCPA, Reilly says, was designed primarily to eliminate unwanted solicitations, and gave birth to the more-well-known Do Not Call Registry in 2003. But how does that translate to a healthcare message that may or may not be selling the provider's services – such as reminders for screenings or appointments, prescription refills and general health and wellness information?

"Those are a little bit more hybrid," Reilly said. "TCPA might consider it marketing, but with a healthcare message it likely falls under HIPAA."

Healthcare providers risk falling into the "TCPA trap," Reilly says, if they enable these types of messages without examining the legal implications. And those are costly – fines of between $500 and $1,500 per message.

Reilly, who will be presenting a webinar on July 30 on the TCPA, suggests healthcare providers check with legal counsel on whether their messaging protocols conform to TCPA or fall under HIPAA.

"Providers want to know what, in fact, qualifies as a healthcare message and what qualifies as an exemption," Reilly says. "A lot of the questions we're getting are about how this works in practical terms."

Gerard Dab's curator insight, July 16, 2015 8:03 PM

Technology still meets resistance!