HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians

Province set to double health data breach fines


Following several "high profile" healthcare data breaches, the health minister of one Canadian province has promised to make patient privacy more of a priority by doubling the fines for a healthcare breach.

In a Wednesday press conference Ontario Health Minister Eric Hoskins, MD, said he will again be introducing health privacy legislation in the fall that would effectively double fines for individuals and organizations found to have violated the province’s health privacy law, CTV News reported. The fines, Hoskins said, would increase to $100,000 for individuals and $500,000 for organizations.

"Over the course of the past almost year, there have been a number of, perhaps I can call them high profile breaches, that have occurred in hospital environments of Ontarians – all of them completely unacceptable," Hoskins said to the press. "Electronic medical records, health records, are a very positive development, but we need to make sure we're providing the safeguards."

This announcement follows several Ontario health privacy breaches that have made big headlines in recent months, including the compromise of former Toronto Mayor Rob Ford's medical record, after two hospital employees inappropriately accessed his files.

Despite the province's health privacy law, Personal Health Information Protection Act, being established back in 2004, there have been no full prosecutions by the government under the law, leading to criticism over lack of action.

Currently, in the U.S., civil penalties for HIPAA privacy and security violations run up to $50,000 per violation, with an annual cap of $1.5 million for identical violations, in the top tier reserved for violations due to willful neglect that are not corrected.

Most recently, the U.S. Department of Health and Human Services' Office for Civil Rights, the division responsible for enforcing HIPAA, hit Cornell Prescription Pharmacy with a $125,000 settlement for violating HIPAA. The Denver-based pharmacy disposed of paper medical records in an unsecured public location on site, without shredding.


Coast Guard called to task for insufficient health data privacy


The U.S. Coast Guard (USCG) has made progress in developing a culture of privacy, but still faces challenges because it lacks a strong organizational approach to resolving health privacy issues, according to a report from the Department of Homeland Security's Office of Inspector General (OIG).

The report is based on an audit to determine whether the Coast Guard complies with privacy regulations, including the Health Insurance Portability and Accountability Act.

The report cites five areas of concern:

  1. Coast Guard privacy and HIPAA officials do not formally communicate to improve privacy oversight and incident reporting, which limits USCG's ability to assess and mitigate the risks of future privacy or HIPAA breaches. The OIG urges a formal mechanism be set up to ensure that communication takes place.
  2. USCG does not have consistent instructions for managing and securing health records. The report calls for consistent instructions for managing health record retention and disposal.
  3. The Coast Guard's clinics have not completed contingency planning to safeguard privacy data from loss in case of disaster. The report shows photos of rooms full of paper records in tubs and others of water damage to a ceiling. OIG says the Coast Guard should make a plan of action and milestones to ensure it is safeguarding privacy data in the event of emergency or disaster.
  4. Clinics lack processes to periodically review physical security, placing privacy data at unnecessary risk. The OIG calls for an action plan and periodic review of physical safeguards to mitigate risks to protected health information at clinics.
  5. USCG has not assessed the merchant mariner credentialing program and processes to identify and reduce risk to merchant mariners' privacy data managed throughout its geographically dispersed program operations. The report says there needs to be a plan to improve controls to better protect this data.

The Coast Guard agreed with all recommendations made by the OIG. It is the only branch of the Department of Homeland Security that has an EHR system for its workforce, FierceEMR previously reported. It adopted an Epic system in 2012.

DHS has a system for immigrant detainees, but not its own employees. The system fully implemented earlier this year at U.S. Immigration and Customs Enforcement is considered one of the largest and "most robust" EHR systems in the federal government, according to an ICE announcement. It's sure to be eclipsed in size, though, by the $11 billion contract to be let later this year to modernize the Department of Defense system.


Researchers examine balancing privacy risk, utility of de-identified health data


Researchers have shown how easy it is to re-identify patients in de-identified data, yet de-identified data can lose its value as more identifying factors are stripped out.

In a study published in the Journal of the American Medical Informatics Association, researchers from Vanderbilt University and elsewhere extended an algorithm to explore policy options that balance risk of violating a patient's privacy vs. the use of data for society.

The Safe Harbor method defined by HIPAA is one such policy; it specifies 18 categories of identifiers that must be removed, including suppression of explicit identifiers such as names, and generalization of "quasi-identifiers," such as date of birth, where all ages over 89 must be aggregated into a single "90 or older" category. This rigid rule-based policy might not be ideal for sharing every data set, such as studies on dementia patients, where collapsing the ages of most subjects into one bucket strips out much of the data's value.

So the law allows an alternative, the Expert Determination method, provided the risk of re-identification is appropriately measured and mitigated. A Centers for Medicare & Medicaid Services dataset, for instance, published on the Internet would carry a high risk because the system is completely open and the users unknown. Health data to be used by a trusted party with a data-use agreement and strong information security practices could be allowed a policy that favors utility over risk.

The researchers used the Sublattice Heuristic Search algorithm with U.S. census data from 10 states to show it can be applied to recommended rule-based de-identification policy alternatives for patient-level datasets with less risk and more utility than Safe Harbor and other models.

Harvard researchers have shown that patients can be re-identified with just their Zip code, date of birth and gender, along with other publicly available data such as voter rolls.
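As an added illustration, not code from the JAMIA study, from HHS, or from the Harvard work, the Python below applies three of the Safe Harbor generalizations described above to a small constructed patient table and measures re-identification risk before and after, using k-anonymity over the same ZIP code, date of birth and sex fields that voter rolls carry. The records, the 2015 reference date, and the omission of the 3-digit ZIP population check are assumptions of the example.

```python
"""Added example (not code from the JAMIA study or from HHS): apply three of
the HIPAA Safe Harbor generalizations to a constructed patient table and
measure re-identification risk before and after with k-anonymity over the
ZIP code / date of birth / sex quasi-identifiers."""
from collections import Counter
from datetime import date

# Constructed sample records; values are invented and not real patients.
RAW_RECORDS = [
    {"zip": "02138", "dob": date(1954, 7, 12),  "sex": "F", "dx": "dementia"},
    {"zip": "02138", "dob": date(1954, 7, 12),  "sex": "M", "dx": "asthma"},
    {"zip": "02139", "dob": date(1921, 3, 2),   "sex": "F", "dx": "dementia"},
    {"zip": "02140", "dob": date(1988, 11, 30), "sex": "M", "dx": "flu"},
    {"zip": "02141", "dob": date(1988, 1, 5),   "sex": "M", "dx": "flu"},
    {"zip": "02142", "dob": date(1922, 9, 19),  "sex": "F", "dx": "dementia"},
    {"zip": "02139", "dob": date(1954, 2, 20),  "sex": "F", "dx": "asthma"},
    {"zip": "02140", "dob": date(1954, 12, 1),  "sex": "M", "dx": "flu"},
]
QUASI_IDS = ("zip", "dob", "sex")   # fields also present in public voter rolls


def age_on(dob, as_of):
    """Whole years between dob and as_of."""
    return as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))


def safe_harbor_generalize(rec, as_of=date(2015, 1, 1)):
    """Generalize the quasi-identifiers the way Safe Harbor requires:
    - ZIP: keep only the first three digits (the rule further requires that the
      3-digit area hold more than 20,000 people, else use 000; that population
      lookup is omitted here and is an assumption of this example);
    - date of birth: year only;
    - ages over 89: drop the year too and record '90+'.
    The diagnosis column is left untouched; as_of is an assumed reference date."""
    g = dict(rec)
    g["zip"] = rec["zip"][:3]
    g["dob"] = "90+" if age_on(rec["dob"], as_of) > 89 else str(rec["dob"].year)
    return g


def equivalence_classes(records, quasi_ids=QUASI_IDS):
    """Count how many records share each combination of quasi-identifier values."""
    return Counter(tuple(r[q] for q in quasi_ids) for r in records)


def k_anonymity(records, quasi_ids=QUASI_IDS):
    """Smallest group size; k == 1 means some record is unique on the
    quasi-identifiers and can be linked to an outside list carrying them."""
    return min(equivalence_classes(records, quasi_ids).values())


def unique_fraction(records, quasi_ids=QUASI_IDS):
    """Share of records that are unique on the quasi-identifiers (risk proxy)."""
    classes = equivalence_classes(records, quasi_ids)
    return sum(1 for n in classes.values() if n == 1) / len(records)


def collapsed_age_fraction(generalized):
    """Share of records whose age was folded into '90+' (utility-loss proxy);
    this is high for a dementia cohort, the situation the article flags."""
    return sum(1 for r in generalized if r["dob"] == "90+") / len(generalized)


if __name__ == "__main__":
    generalized = [safe_harbor_generalize(r) for r in RAW_RECORDS]
    print("raw:         k =", k_anonymity(RAW_RECORDS),
          "unique =", unique_fraction(RAW_RECORDS))
    print("safe harbor: k =", k_anonymity(generalized),
          "unique =", unique_fraction(generalized),
          "ages collapsed =", collapsed_age_fraction(generalized))
```

On the raw table every record is unique on ZIP, date of birth and sex (k = 1), which is exactly the linkage the Harvard work exploited; after generalization k rises to 2, but a quarter of the records lose their age entirely. A k of 2 on eight rows is only a demonstration; real releases are judged against much larger populations and a higher k, and the Expert Determination route measures that risk for the specific recipient rather than applying the fixed rules.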

The Health Information Trust Alliance recently released a new framework for de-identification of sensitive patient information as part of a risk-management strategy.


Biggest Health Data Breaches in 2014


The five biggest 2014 health data breaches listed on the federal tally so far demonstrate that security incidents are stemming from a variety of causes, from hacker attacks to missteps by business associates.

The top breaches offer important lessons that go beyond the usual message about the importance of encrypting laptops and other computing devices to prevent breaches involving lost or stolen devices, still the most common cause of incidents. They also highlight the need to bolster protection of networks and to carefully monitor the security practices of business associates.

The Department of Health and Human Services' Office for Civil Rights adds breaches to its "wall of shame" tally of incidents affecting 500 or more individuals as it confirms the details. A snapshot of the federal tally on Dec. 22 shows that 1,186 major breaches impacting a total of nearly 41.3 million individuals have occurred since the HIPAA breach notification rule went into effect in September 2009.

According to the tally, the top five health data breaches in 2014 affected a combined total of nearly 7.4 million individuals.

The largest breach in 2014 was the hacking attack on Community Health Systems, which affected 4.5 million individuals. In that incident, forensic experts believe an advanced persistent threat group originating from China used highly sophisticated malware and technology to attack the hospital chain's systems.

The Community Health Systems incident is also the second largest health data breach since the enactment of the HIPAA data breach notification rule in 2009. The largest breach is a 2011 incident involving TRICARE, the military health program, and its contractor, Science Applications International Corp., which affected 4.9 million individuals.

Business Associate Troubles

The second largest HIPAA incident in 2014 implicated a business associate. That breach, affecting 2 million individuals, involved an ongoing legal dispute between the Texas Health and Human Services Commission and its former contractor, Xerox, which had provided administrative services for the Texas Medicaid program. The breach arose when the state ended its contract with Xerox. The vendor allegedly failed to turn over to the state computer equipment, as well as paper records, containing Medicaid and health information for 2 million individuals.

Another top five health data breach in 2014 involved both a business associate and a more familiar culprit - stolen unencrypted computing devices. That Feb. 5 incident involved a vendor that provided patient billing and collection services to the Los Angeles County departments of health services and public health. The theft of eight unencrypted desktop computers from an office of Sutherland Healthcare Services - L.A. County's vendor - affected more than 342,000 individuals, the federal tally shows. Initially, that breach was believed to have impacted about 168,000 individuals, but the figure was subsequently revised.

Unsecure Files

The fourth largest 2014 breach on the federal tally involved Touchstone Medical Imaging, a Brentwood, Tenn.-based provider of diagnostic imaging services, which became aware in May "that a seldom-used folder containing patient billing information relating to dates prior to August 2012 had inadvertently been left accessible via the Internet." The breach affected more than 307,000 patients.

The fifth largest breach of the year occurred at the Indian Health Service, an HHS agency. That incident, which affected 214,000 individuals, involved an unauthorized access or disclosure involving a laptop computer, according to the tally.

Shifting Trends

The largest health data breaches in 2014 highlight some shifting trends compared with previous years.

"In our opinion, hacker attacks are likely to increase in frequency over the next few years," says Dan Berger, CEO of security services firm Redspin. "Personal health records are high value targets for cybercriminals as they can be exploited for identity theft, insurance fraud, stolen prescriptions, and dangerous hoaxes." That trend puts a spotlight on the need to do comprehensive penetration testing, as well as taking other steps to bolster security, he says. "If I was a hospital executive ... I'd want to know the most likely means by which a hacker can break in."

Nonetheless, while incidents involving hackers in the healthcare sector appear to be on an uptick, insiders still pose the biggest threat to most entities, says Michael Bruemmer, vice president of Experian Data Breach Resolutions.

"Of all the incidents we service, regardless of the vertical [market], 80 percent of the root cause is employee negligence," he says. That includes such mistakes as losing laptops or clicking on phishing e-mails. "Employees are still the weakest link," he says in a recent interview with Information Security Media Group, calling for ramping up job-specific privacy and security training.

Meanwhile, incidents such as the Texas Medicaid/Xerox breach also highlight the need for organizations to bring more scrutiny to their business associate relationships. Business associates, as well as their subcontractors, are directly liable for HIPAA compliance under the HIPAA Omnibus Rule that went into effect in 2013.

The breach tally also illustrates the need for HIPAA covered entities and business associates alike to strengthen their security risk management programs.

"The data tells us that a HIPAA security risk analysis, while mandatory, is necessary but not sufficient. The remediation plan is even more important," Berger says.

"Too often healthcare organizations do not allocate enough resources to fix the problems identified in the risk analysis. We also see a need for more frequent vulnerability analysis, Web application assessments and social engineering testing. Stated another way, the healthcare information security programs need to mature."


Health system's data breach insurance claims get challenged


What happens when a health system with liability insurance fails to secure the protected health information of its patients and is hit with a $4.13 million class action settlement for it? The civil action brought by one insurance company suggests the claim money does not come easily if you fail to follow the minimum required security practices.

The three-hospital Cottage Health System in California back in December 2013 notified 32,755 of its patients whose protected health information had been compromised after the health system and one of its third-party vendors, inSync, stored unencrypted medical records on a system accessible from the Internet. As a result, the data may have been publicly available through search engines like Google.

The health system, which had a liability policy with Columbia Casualty Company, is now being challenged by the insurance company in court. The Chicago-based insurance company, which operates as a subsidiary of Continental Casualty Company, is challenging the claims of Cottage Health System, which thus far total nearly $4.13 million in settlements of class actions filed by patients, saying the health system "provided false responses" to a risk control self-assessment when it applied for a liability policy.

Columbia officials in a complaint filed this May point to an exclusion pertaining to failure to follow minimum required practices. This exclusion, they write, "precludes coverage for any loss based upon, directly or indirectly, arising out of, or in any way involving '(a)ny failure of an Insured to continuously implement the procedures and risk controls identified in the Insured's application.'"

The health system's data breach, as Columbia officials allege, was caused by Cottage's "failure to regularly check and maintain security patches on its systems, its failure to regularly re-assess its information security exposure and enhance risk controls, its failure to have a system in place to detect unauthorized access or attempts to access sensitive information stored on its servers and its failure to control and track all changes to its network."

In its application for the liability policy, Cottage Health System made "misrepresentations" regarding its security practices, and as such, Columbia is seeking reimbursement from the health system for the full $4.13 million that it had paid to Cottage thus far, in addition to attorney fees and related expenses.

In part of the application, Cottage answered "yes" to performing due diligence on third-party vendors to ensure their safeguards of protecting data are adequate; auditing these vendors at least once per year and requiring these third-party vendors have "sufficient liquid assets or maintain enough insurance to cover their liability arising from a breach of privacy or confidentiality." The vendor who contributed to the data breach, inSync, according to the complaint, does not have sufficient assets or insurance that covers the breach.


Criminal Attacks on Health Data Rising


Criminal attacks in the healthcare sector - including those involving hackers and malicious insiders - have more than doubled in the last five years, according to a new study.

The "Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data" by the research firm Ponemon Institute concludes that criminal attacks in healthcare are up 125 percent since 2010. Cybercriminal incidents involving external and internal actors were the leading cause of data breaches over the past two years, the study shows. In previous studies, lost or stolen computing devices had consistently been the top breach culprit.

"The root cause for health data breaches had been mistakes and incompetency, but now criminal attacks are number one," Larry Ponemon, founder and chairman of the Ponemon Institute, tells Information Security Media Group. "Year to year, it's getting worse. We've seen it in large-scale incidents like Anthem," which in February revealed a hacker attack that compromised protected health information of 78.8 million individuals, he notes.

"A lot of organizations are easy targets," he says. "The combination of highly valuable information and easy access makes the sector a huge target."

Ponemon's research, conducted in February and March, generated responses from 90 healthcare organizations and, for the first time this year, 88 business associates. Under the HIPAA Omnibus Rule that went into effect in 2013, business associates and their subcontractors are directly liable for HIPAA compliance.

Hacking Trends

In recent months, the Department of Health and Human Services' "wall of shame" website tracking health data breaches affecting 500 or more individuals has shown a growing number of hacking incidents of various sizes - far more than in previous years. And the Anthem breach alone represents nearly 60 percent of the 133.2 million breach victims listed on the tally since September 2009, when the HIPAA breach notification rule went into effect.

Among the latest hacking breaches added to the wall of shame was an incident reported to HHS on May 1 by Partners HealthCare System, which operates several large hospitals in Boston.

"Unfortunately, the rise in both hacker attacks and criminal activities involving malicious insiders comes as no surprise," says Dan Berger, CEO of the consultancy Redspin, which was recently acquired by Auxilio. "A few years ago, I remember many people being surprised at how few hacker attacks there were in healthcare. We warned our clients of the 'risk of complacency' in this regard."

With more electronic health records than ever before, there's a growing awareness of their "exploitation value," Berger says. "At the same time, healthcare spending on IT security continues to lag almost all other industries. So with a greater amount of valuable data behind lower than average defenses, it should not be a surprise that PHI has become a favorite target of hackers. It is basic economics."

Hackers are the No. 1 "emerging" cyberthreat that healthcare entities are worried about this year, according to the 2015 Healthcare Information Security Today survey of 200 security and privacy leaders at healthcare organizations, which was conducted in December 2014 and January 2015 by ISMG. Coming in at a close second as the biggest "emerging threat" is business associates taking inadequate security precautions with PHI; that's also the top threat respondents are worried about "today." Complete results of that survey, and a webinar analyzing the results, will be available soon.

The Ponemon study found that nearly 45 percent of data breaches in healthcare are a result of criminal activity. However, the researchers found that criminal-based security incidents, such as malware or distributed denial-of-service attacks, don't necessarily result in breaches reportable under HIPAA. In fact, 78 percent of healthcare organizations and 82 percent of business associates had Web-borne malware attacks.

Breach Costs

Based on its study, the Ponemon Institute estimates that the average cost of a data breach for healthcare organizations is more than $2.1 million, while the average cost of a data breach to business associates is more than $1 million.

Rick Kam, U.S. president and co-founder of security software vendor ID Experts, which sponsored the Ponemon study, tells ISMG that stolen healthcare information is currently valued at about $60 to $70 per record by ID theft criminals, while the current value of credit card information is about 50 cents to $1 per record.

"We see recognition of medical ID theft being a problem, but we don't see many healthcare providers stepping up" in addressing the issue, he says. The Ponemon study found that nearly two-thirds of healthcare organizations and business associates do not offer any medical identity theft protection services for patients whose information has been breached.

The Ponemon study found that information most often stolen in these targeted healthcare sector attacks include medical files and billing and insurance records.

Privacy and security expert Kate Borten, founder of the consulting firm The Marblehead Group, offers a dire prediction: "I believe we will continue to see the number of reported breaches rise, despite stronger efforts to protect data. Personally identifiable health data continues to have high street value, leading to more attacks."

Scopidea's curator insight, June 22, 2015 3:03 AM

Many great points in this well written article.


HIPAA Data Breaches on the Rise


CHICAGO -- The number of health data breaches has been increasing in recent years, and the most frequent type was theft, Marion Jenkins, PhD, said here at the annual meeting of the Healthcare Information and Management Systems Society.

Since 2009, there have been 1,185 data breaches as defined by the Health Insurance Portability and Accountability Act (HIPAA), said Jenkins, who is chief strategy officer at 3t Systems, a healthcare consulting firm in Denver. And the pace is accelerating, with an increase of more than 50% in the last 12 months. Breaches have so far affected 133 million patient records.

The smallest reported breach was of 441 records at the Hospice of Northern Idaho. "You don't have to be a really large organization to end up on the list," Jenkins said. The largest breach involved 80 million records at the health insurer Anthem; the latter case, which involved hacking, was "particularly disturbing" because it involved both employee and patient data, he added.

Paper, Electronic Data Covered

HIPAA requires providers to "secure all electronic protected health information against accidental or intentional causes of: unauthorized access, theft, loss or destruction, from either internal or external sources," Jenkins explained. The HIPAA Security Rule governs electronic records specifically, while the HIPAA Privacy Rule applies to protected health information in any form, paper records included.

Healthcare providers should also be aware that in addition to regulating the privacy of paper records, HIPAA also covers data from all types of electronic media -- not just EHRs and data stored on laptops and computers, but also any data that winds up on memory sticks and cards, smartphones, and even fax machines and copiers, since most of them aren't just fax machines and copiers any more but also function as scanners and printers, which means they hold electronic data, Jenkins said.

The amounts of money involved can be astronomical, according to Jenkins, who noted that two companies with large breaches -- Sutter Health and SAIC -- are both facing multibillion-dollar class action lawsuits.

In terms of the cause of the breaches, thefts were the most common, at 55%, followed by unauthorized access (19%) and "loss" (12%). The rest of the breaches -- 14% -- were listed as "other," according to Jenkins, citing data from the Department of Health and Human Services.

The largest single source of data breaches has been laptops, accounting for 25% of breaches. That fact "begs the question: why is healthcare data on a laptop?" Jenkins said. Laptop theft is a particular problem: Stanford Children's Hospital in California is a five-time data breach offender, and at least three of the breaches involved laptops being stolen from physicians' cars.

Laptops were followed by paper records (23%), other portable electronic devices (12%), computers (11%), and servers (10%). Another 19% were listed as "other."

Making It Easier to Do the Right Thing

One reason people end up having protected health information on a laptop is that, in many cases, it takes so long to get into the EHR system that people think, "'By golly, when I get into the system, I'm going to download the data and put it on my local workstation so I can get some dang work done," Jenkins said. "As IT professionals, we have to design and implement systems that make the right way the easiest way.

"It won't work to try to make longer usernames and passwords, because they'll just put in the longer usernames and passwords and download the data so they can work on it locally; that drives them even more toward the behavior we don't want them to do. We need to have the cloud services [be] the fastest way rather than downloading the data so they can get their work done."

Some organizations say they don't have anything to worry about because they use an electronic health record (EHR) that is "HIPAA-certified." However, said Jenkins, there are two problems with that assertion; first, there is no such thing as a HIPAA-certified EHR. Second, "the EHR isn't the problem ... it's the user behavior when they're pulling reports, pulling data out of the EHR and then having a breach with that," he said.

Moving healthcare data to the cloud does not necessarily solve a problem with data breaches. Although some cloud services are HIPAA-compliant, "most public cloud services [such as Gmail and Hotmail] are not," Jenkins said. "And if you have poorly designed and poorly run IT, and you simply move it to the cloud, you just shifted your local problems to the cloud; you didn't solve them."

If, on the other hand, moving records to the cloud is done properly, "it's a heckuva lot better than having [the data] on a laptop," he added.

What's Missing From HIPAA

There are some things the HIPAA regulations don't address, Jenkins said, such as how long passwords have to be or how often they should be changed. Regulations also don't address timeout or logoff intervals or the type of encryption required for use with Wi-Fi -- technically, that means WEP encryption is HIPAA compliant, even though it's easily breached, he noted.
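Because the regulation names no cipher, a practitioner has to supply the baseline themselves. As an added example, not from the talk or from the HIPAA text, the Python below parses hostapd-style key=value configuration lines and flags the settings that would satisfy HIPAA's silence on Wi-Fi encryption but not a sensible baseline: WEP, TKIP, WPA1 fallback, or a short passphrase. The directive names (wpa, wpa_key_mgmt, rsn_pairwise, wep_key0 and so on) are hostapd's own; both sample configurations are constructed, and the 20-character passphrase floor is an assumption of the example.

```python
"""Added example (not from the HIMSS talk or the HIPAA rules): lint a
hostapd-style Wi-Fi configuration against a baseline stricter than the
regulation's text, which names no cipher at all. Sample configs constructed."""

# Constructed "weak" config: WEP is technically not forbidden by HIPAA's text.
WEAK_CONFIG = """\
interface=wlan0
ssid=clinic-wifi
# 40-bit WEP key: recoverable in minutes with off-the-shelf tools
wep_default_key=0
wep_key0=0123456789
"""

# Constructed hardened config: WPA2 (RSN) with CCMP/AES only.
HARDENED_CONFIG = """\
interface=wlan0
ssid=clinic-wifi
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=correct horse battery staple clinic
"""

MIN_PASSPHRASE_LEN = 20   # assumed baseline; hostapd itself accepts 8 to 63


def parse_hostapd(text):
    """Parse key=value lines, ignoring blanks and '#' comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def wifi_findings(conf):
    """Return a list of findings; an empty list means the config meets the
    baseline: WPA2/RSN only, CCMP pairwise cipher, no WEP, no TKIP, no WPA1
    fallback, and a passphrase of at least MIN_PASSPHRASE_LEN characters."""
    findings = []
    if any(k.startswith("wep_") for k in conf):
        findings.append("WEP configured: key is trivially recoverable")
    wpa = conf.get("wpa", "0")            # hostapd: 1=WPA, 2=WPA2/RSN, 3=both
    if wpa not in ("2", "3"):
        findings.append("WPA2 (wpa=2) not enabled")
    elif wpa == "3":
        findings.append("WPA1 fallback enabled alongside WPA2 (wpa=3)")
    pairwise = conf.get("rsn_pairwise", conf.get("wpa_pairwise", "")).split()
    if "TKIP" in pairwise:
        findings.append("TKIP pairwise cipher allowed")
    if wpa in ("2", "3") and "CCMP" not in pairwise:
        findings.append("pairwise cipher list does not include CCMP")
    passphrase = conf.get("wpa_passphrase")
    if passphrase is not None and len(passphrase) < MIN_PASSPHRASE_LEN:
        findings.append("wpa_passphrase shorter than %d characters" % MIN_PASSPHRASE_LEN)
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "->", wifi_findings(parse_hostapd(text)) or "OK")
```

The same idea extends to the other gaps the talk lists: decide on a session timeout, a password length and a key rotation interval yourselves, write them down, and check configurations against them, rather than reading the rule's silence as permission.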

He said he was "shocked" that the words "laptop" and "smartphone" don't appear in the HIPAA regulations.

What are the biggest data breach threats to a healthcare organization? That depends on the amount of records being held. Those with 500,000 to 1 million records are attractive targets to hackers; but "in little organizations, the biggest threat is from an internal user," he said.

"Now that credit card companies can shut down cards quickly once they are stolen, credit card numbers aren't worth very much to hackers, maybe a dollar each on the open market," Jenkins said. "Health records are five to ten times more valuable [because] they can use them to do unauthorized or fraudulent Medicare or Medicaid billing; they set up a sweatshop where they can bill over and over again."
