HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians

Two More Health Insurers Report Data Breach


Today, medical insurance providers LifeWise and Premera Blue Cross each reported separately that they had been the target of sophisticated cyberattacks that began on May 5, 2014. Premera will be notifying approximately 11 million affected customers; LifeWise, 250,000. Neither organization has evidence that any customer data has been used fraudulently, and neither has yet confirmed that any patient data was actually compromised.

They say attackers "may have gained unauthorized access to" members' information, including name, date of birth, Social Security number, mailing address, email address, telephone number, member identification number, bank account information, and claims information, including clinical information.

Individuals who do not have medical insurance through these companies, but do other business with them, might have had their email addresses, banking data, or Social Security numbers exposed.  

These attacks, when combined with the Anthem Healthcare breach reported last month and the Community Health Systems breach in the summer, clearly indicate that health insurance providers have become a popular new target -- and Chinese cyberespionage groups are being implicated.

Anthem first detected suspicious activity on Jan. 27 and confirmed on Jan. 29 that an attack had taken place over the course of several weeks in December 2014.

LifeWise and Premera also say they discovered their breaches Jan. 29 -- possibly as a result of Anthem sharing information about their own intrusion with HITRUST's Cyber Threat Intelligence and Incident Coordination Center. However, after investigations by Mandiant -- the same organization conducting the investigation at Anthem -- both Premera and LifeWise report that their first intrusions occurred several months earlier, in May.

Both Premera and LifeWise are providing two years of free credit monitoring and identity theft protection to affected individuals. More information is available at premeraupdate.com and lifewiseupdate.com.



HIPAA breach puts blame on business associate


A New York healthcare provider is notifying its patients that their medical data has been compromised after one of its business associates reported the theft of an employee-owned laptop and an unencrypted smartphone.

The New York-based Senior Health Partners, part of the Healthfirst health plan, has mailed breach notification letters to 2,700 of its members after discovering that a laptop and mobile phone belonging to a registered nurse employed by one of its business associates were reported stolen.

Officials say the nurse's laptop, which was stolen on Nov. 26, was encrypted, but the encryption key was in the laptop bag that was taken along with it, so the encryption offered no protection. The mobile phone was neither encrypted nor password-protected. The nurse was employed by Senior Health Partners' business associate, Premier Home Health, which notified the long-term care provider on Dec. 10. Affected patients were mailed notification letters Jan. 30.

An investigation into the theft found that the privately owned laptop included a "potentially accessible" email containing patient names, demographics, Social Security numbers, Medicaid IDs, dates of birth, clinical diagnoses and treatment information, and health insurance claim numbers.

"Senior Health Partners sincerely regrets that this incident occurred," read a Jan. 30 press statement. "It takes the privacy and security of members' health information very seriously and expects its vendors to do the same. SHP values the trust its members have placed in it as their health plan, and it is SHP's priority to reassure its members that it is taking steps to ensure its members' information is protected."

Healthcare IT News asked Senior Health Partners what its policy was on encryption and on the use of privately owned devices for work purposes, but did not receive a response before publication time.
To date, nearly 42 million individuals have had their protected health information compromised in a reportable HIPAA privacy or security breach, according to data from the Department of Health and Human Services.



Commentary: HIPAA's reach often overextended


Recently, I was told by a court official in Outagamie County that federal law prohibited the release of the name of a man I had just heard speak in open court. He was a participant in the county's Drug and Alcohol Treatment Court. He had been charged with driving while intoxicated as a fourth offense, but was offered a chance to go through a treatment program instead of serving jail time.

I attended the proceeding as a reporter for the Appleton Post-Crescent, working on a story for Gannett Wisconsin Media's statewide probe into repeat drunken drivers. The man had made a point about the costs of the program and I wanted to verify his charge history.

But when I asked for his name, the court official said it could not be released, citing the federal Health Insurance Portability and Accountability Act of 1996. That law, commonly called HIPAA, protects private health information.

It also, as this episode attests, is often misapplied.

In this case, there was no valid reason for withholding the man's name, and after a discussion with the circuit judge, I was able to obtain it. I ended up using his comment but not naming him in my story.

This was a public program, run by publicly paid officials, involving criminal defendants serving court-ordered sentences. The decision of whether to use this person's name should be up to the media, not the court official.

As the Reporters Committee for Freedom of the Press has noted, HIPAA remains a "prickly" obstacle for journalists. To help reduce conflicts and confusion, the group has sorted out just who is and who isn't impacted.

Health care organizations like hospitals, life insurers, ambulance services and public health authorities are all subject to HIPAA rules. Firefighters, police, court officials, reporters and patients themselves are not.

Neither are public officials who have nothing to do with the delivery of health care services. And yet, in one instance, a Louisiana State University representative told reporters he couldn't discuss a player's knee injury. "Due to these new medical laws, our hands are tied," the official said.

Often, the most valuable information available to reporters is found on health facility directories, which are not protected by HIPAA. Hospitals may release an individual's name, location in the facility and general condition. HIPAA also doesn't bar reporters from interviewing patients in a waiting room.

Statistical information related to hospitals, including their billing data, is not covered by HIPAA. Much of this information can be released electronically without names attached.

The Association of Health Care Journalists has produced another useful list of what HIPAA does not protect, including police and fire incident reports, court records, birth and autopsy records.

Felice Freyer, the association's treasurer and a member of its Right to Know Committee, said HIPAA overreach is widespread.

"Often times, people are unsure about the law and can't be bothered to check so it's easier to say 'no' and refer to HIPAA," said Freyer, a health care reporter for the Boston Globe. "Frequently, hospitals say they can't let you talk to a patient, but that's not true."

No one disputes that people have a right to privacy when it comes to personal medical matters. But that right should not be taken to absurd lengths, beyond what the law prescribes.




Feds Reach Settlements With Groups Over HIPAA, Consent Violations - iHealthBeat


Under a settlement with HHS' Office for Civil Rights, Alaska-based Anchorage Community Mental Health Services has agreed to pay a $150,000 fine and undertake corrective action after failing to comply with HIPAA, Health Data Management reports.

ACMHS reported a March 2012 malware data breach to HHS that affected the personal health information of 2,743 individuals (Goedert, Health Data Management, 12/9). A subsequent OCR investigation found that while the organization had adopted HIPAA policies and procedures in 2005, they were not followed by company employees from 2005 to 2012 (McCann, Healthcare IT News, 12/9). Specifically, OCR found that ACMHS did not:

  • Carry out a risk assessment or implement security measures to mitigate risk;
  • Put security measures, such as threat monitoring or firewalls, into place to prevent unauthorized access to protected data transmitted over its network;
  • Apply patches to its health IT system on a regular basis (Health Data Management, 12/9); or
  • Update its IT system software (Healthcare IT News, 12/9).

As part of its settlement, ACMHS will be required to provide OCR with updates of its security rule procedures and policies and potentially revise them if recommended by OCR. In addition, ACMHS will be required to:

  • Carry out yearly risk assessments and document the steps it is taking or plans to take to mitigate identified risks;
  • Give the updated policies and procedures to staff members and provide them with general security awareness training; and
  • Notify OCR of any compliance failures and, if applicable, steps ACMHS takes to mitigate harm from such failures and prevent their reoccurrence.

ACMHS will need to report to OCR for a two-year period and keep compliance-related documents for six years (Health Data Management, 12/9).

PaymentsMD Settlements

In related news, medical billing company PaymentsMD and its former CEO Michael Hughes have reached a proposed settlement with the Federal Trade Commission over charges that the company misled consumers by inappropriately obtaining consent to collect their personal health data, Clinical Innovation & Technology reports (Pedulli, Clinical Innovation & Technology, 12/8).

According to FTC, as part of an effort to develop a separate Patient Health Report Service, PaymentsMD changed its registration process for its patient portal to include a request to authorize the company and its affiliated partners to contact insurers, medical labs and pharmacies to obtain patient data (FTC release, 12/3). Such data included patients':

  • Diagnoses;
  • Lab tests;
  • Lab test results;
  • Prescriptions; and
  • Procedures.

FTC said that PaymentsMD asked for four separate authorizations in small windows that showed only six lines of text at a time, and gave patients the option to accept all the authorizations at once.

FTC Bureau of Consumer Protection Director Jessica Rich said, "Using deceptive tactics to gain consumers' 'permission' to collect their full health history is contrary to the most basic privacy principles."

Under the proposed settlement, PaymentsMD would:

  • Destroy any collected patient data; and
  • Obtain affirmative express consent from patients prior to collecting patients' data from third parties (Clinical Innovation & Technology, 12/8).




Lawmakers to rethink requiring encryption in HIPAA


In light of the cyberattack against Anthem, federal officials plan to review whether HIPAA should require encryption, according to the Associated Press.

The Senate Health, Education, Labor and Pensions committee on Friday said it will take up the matter as part of a bipartisan review of health information security.

"We need a whole new look at HIPAA," David Kibbe, CEO of DirectTrust, a nonprofit working to create a national framework for secure electronic exchange of personal health information, told the AP.

Information on up to 80 million consumers--including names, birth dates, addresses, email addresses, employment information and Social Security/member identification numbers--was compromised in the attack on Anthem. That information reportedly was not encrypted.

However, Anthem spokeswoman Kristin Binns told the AP that the hacker also had a system administrator's ID and password, which would have made encryption a moot point. Binns said the company normally encrypts data that it exports.

Some security experts, however, say a stolen credential by itself shouldn't be a key to the whole data kingdom, and that information should be encrypted wherever it resides: in transit, at rest in a database (where Anthem's was), or on a mobile device. Encryption at rest defeats a stolen disk or backup; against a valid administrator login it helps only if the decryption key is held somewhere that login cannot reach.
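The following Go program is an added example, not code from this article or from any of the insurers named in it. It shows the distinction the experts draw: a fictional member table in which the Social Security number is encrypted at the application layer with AES-GCM under a key the database never holds, alongside a "DBA dump" that models what a stolen database-administrator credential yields. Disk or tablespace encryption is transparent on that path, so only the application-layer ciphertext covers the field. The key, the member IDs, the SSNs and the in-memory map standing in for the database are all assumptions of the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// Row is a member record as the database stores it. Only the SSN column is
// encrypted by the application; the rest stays readable for joins and lookups.
type Row struct {
	MemberID string
	Name     string
	SSNEnc   []byte // AES-GCM ciphertext with its 12-byte nonce prepended
}

// sampleMembers is constructed data for this example; the SSNs are fictional.
var sampleMembers = []struct{ ID, Name, SSN string }{
	{"M-1001", "Jane Example", "123-45-6789"},
	{"M-1002", "John Sample", "987-65-4321"},
}

// FieldEncryptor holds the data-encryption key on the application side. In
// production it comes from a KMS or HSM and is never stored where a DBA can read it.
type FieldEncryptor struct{ aead cipher.AEAD }

// NewFieldEncryptor wraps a 16-, 24- or 32-byte AES key in AES-GCM.
func NewFieldEncryptor(key []byte) (*FieldEncryptor, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &FieldEncryptor{aead: aead}, nil
}

// Seal encrypts one field. The member ID is bound in as associated data, so a
// ciphertext copied from one row into another will not decrypt.
func (f *FieldEncryptor) Seal(memberID, plaintext string) ([]byte, error) {
	nonce := make([]byte, f.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return f.aead.Seal(nonce, nonce, []byte(plaintext), []byte(memberID)), nil
}

// Open decrypts a value produced by Seal for the same member ID. It fails on
// the wrong key, the wrong member ID or a modified ciphertext.
func (f *FieldEncryptor) Open(memberID string, blob []byte) (string, error) {
	n := f.aead.NonceSize()
	if len(blob) < n {
		return "", fmt.Errorf("ciphertext too short: %d bytes", len(blob))
	}
	pt, err := f.aead.Open(nil, blob[:n], blob[n:], []byte(memberID))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// BuildStore encrypts the sample records; the map stands in for the database.
func BuildStore(enc *FieldEncryptor) (map[string]Row, error) {
	db := make(map[string]Row, len(sampleMembers))
	for _, m := range sampleMembers {
		blob, err := enc.Seal(m.ID, m.SSN)
		if err != nil {
			return nil, err
		}
		db[m.ID] = Row{MemberID: m.ID, Name: m.Name, SSNEnc: blob}
	}
	return db, nil
}

// DumpAsDBA models what a stolen database-administrator credential yields:
// every row exactly as stored. Disk or tablespace encryption is invisible here,
// because the database decrypts it for any authenticated session; only the
// application-layer ciphertext still covers the SSN. Name and member ID are
// exposed regardless: field encryption narrows the loss, it does not stop the breach.
func DumpAsDBA(db map[string]Row) []Row {
	out := make([]Row, 0, len(db))
	for _, r := range db {
		out = append(out, r)
	}
	return out
}

func main() {
	key := make([]byte, 32) // demo only: in production the key comes from the KMS
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	enc, _ := NewFieldEncryptor(key)
	db, err := BuildStore(enc)
	if err != nil {
		panic(err)
	}
	for _, r := range DumpAsDBA(db) {
		fmt.Printf("DBA sees %s %s ssn=%s\n", r.MemberID, r.Name, hex.EncodeToString(r.SSNEnc))
	}
	ssn, err := enc.Open("M-1001", db["M-1001"].SSNEnc)
	fmt.Printf("app with key sees M-1001 ssn=%s err=%v\n", ssn, err)
}
```

The design does not make a stolen credential harmless; it changes which credential is the key to the kingdom. A database administrator's login now yields names and member IDs but not SSNs, while a credential for the application tier or the key service still yields everything, which is why those accounts need the tightest access controls and monitoring.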

When the HITECH Act promoting computerized medical records was passed in 2009, it seemed to be a reasonable balance, creating incentives for encryption without imposing a one-size-fits-all solution, Indiana University law professor Nicolas Terry told the AP. Now he's concerned that events may have shown the compromise is unworkable.

Only slightly more than half of healthcare employees (59 percent) use full-disk encryption or file-level encryption on computing devices at work, a Forrester research report published last September found.

There have been various calls to review HIPAA based on the security and privacy risks for consumers posed by the Internet of Things and for research, among other reasons.

Mac McMillan, current chair of the HIMSS Privacy and Security Policy Task Force, however, has said he doesn't see much happening before the next presidential election.



Does Walgreens Loss Set a Precedent for Employer Liability for HIPAA Violations? | AIS Health


When the Indiana Court of Appeals released its decision upholding the $1.44 million jury verdict against Walgreens for privacy violations by an employee pharmacist, the press and blogosphere started buzzing about the precedent it was setting — an employer could be held liable for the HIPAA violations of an employee. This was the view espoused by the plaintiff’s attorney, Neal F. Eggeson, in a statement to the Indianapolis Star on Friday, Nov. 14, the date of the decision.

The plaintiff, Abigail Hinchy, had sued Walgreens and its pharmacist, Audra Withers, for viewing her prescription records without authorization and then disclosing the information to Withers’ husband, a former boyfriend of Hinchy’s and the father of her child, who threatened to use the information in a paternity lawsuit. After Hinchy contacted the company, Walgreens acknowledged the HIPAA violation to her and said that it had given Withers a written warning and required her to retake a HIPAA computer training program.

Hinchy sued both Walgreens and the pharmacist. In her complaint, Hinchy alleged negligence and professional malpractice, invasion of privacy and public disclosure of private facts, and invasion of privacy/intrusion against Withers. She alleged the same causes of action against Walgreens, under the theory of “respondeat superior,” under which an employer is held responsible for the actions of employees performed within the scope of their employment. Walgreens argued that an employer should not be held liable for acts of an employee who knowingly violated company policy, in this case, HIPAA policies and procedures.

In its decision, the court of appeals cited a number of Indiana cases to explain the concept of respondeat superior. In particular, it focused on when an employee is “acting within the scope of employment when performing work assigned by the employer or engaging in a course of conduct subject to the employer’s control.” After reviewing the case law, the court concluded that “Withers’ actions were of the same general nature as those authorized, or incident to the actions that were authorized, by Walgreens.... Hinchy belonged to the same general category of individuals to whom Withers owed a duty of privacy protection by virtue of her employment as a pharmacist.”

The court also explained that for respondeat superior liability to attach “there must also be underlying liability of the acting party,” in this case, Withers. Hinchy sued Withers on two theories of direct liability — professional malpractice and public disclosure of private facts. The court did not express an opinion on whether Indiana recognized the tort of public disclosure of private facts, which could encompass a HIPAA violation, because Walgreens had not appealed the trial court’s denial of summary judgment on the claim of privacy invasion. Instead, it considered whether Withers committed “the tort of negligence by virtue of professional malpractice of a pharmacist.” It found that under Indiana law, Withers had a duty of confidentiality to Hinchy and that she had breached that duty when she examined Hinchy’s prescription records without authorization and subsequently disclosed the information. “Under these circumstances,” the court said, “we find that the jury verdict can be affirmed based upon the respondeat superior liability of Walgreens, which attaches via the liability of Withers for her negligence/professional malpractice.”

Employer Liability for Employees Is Not New

According to Jeff Drummond, a partner in the Dallas office of Jackson Walker LLP, employer liability for employee actions when acting within the scope of employment has been around forever, and to conclude that the appeal confirmed that privacy breach victims may hold employers responsible is an “overreach.” The issue in the Walgreens case was whether the employee was acting in the scope of her employment when the employee breached HIPAA and violated company policy. In this case, the jury decided that the employee was, and the appellate court declined to overturn that decision. But, according to Drummond, “in this particular case, the appellate court gave too much credence to the fact that the employee’s wrongdoing (looking at medical records she shouldn’t have looked at) was very similar to activities the employee would take in the performance of her legitimate duties (looking at medical records she should look at); if that’s the case, a waiter stealing a customer’s credit card number would be attributable to the restaurant owner, which doesn’t seem fair.”

Walgreens also argued that the $1.44 million jury verdict was excessive and based on improper factors. The court cited evidence admitted at trial regarding the damages and dismissed Walgreens’ arguments because they amounted to a request to reweigh the evidence, which, the court said, it does not do when evaluating a damages award. It found the evidence presented sufficient to support the award.

Privacy attorney Adam Greene of the law firm of Davis Wright Tremaine points out, “Even if a plaintiff can demonstrate a violation of HIPAA, a challenge has been showing damages. What remains to be seen is whether the $1.4 million verdict in the Walgreens case leads to similar findings of harm in other state cases, or whether this was a particularly unique fact pattern.”

Drummond points out that “while the pharmacist definitely ‘used’ PHI improperly by accessing PHI she should not have accessed, the plaintiff’s damages came not from that use, but from a further ‘disclosure’ of the data” to Withers’ husband, the father of Hinchy’s child. “While the pharmacist’s improper use of the PHI closely tracked the pharmacist’s proper uses of PHI, any disclosure (which would be required for the damages to occur) would not be within the pharmacist’s normal employment activities and might provide a good argument that the actions of the pharmacist were outside the scope of employment.”

Walgreens plans to appeal the court of appeals’ decision.

What Is the Impact on Other State Cases?

So how much impact will this decision have on other state cases alleging privacy violations using HIPAA as the standard of care? Are employers now more likely to be held liable for employees who violate HIPAA while on the job?

According to Drummond, “I don’t think there were too many plaintiffs sitting on the sidelines, not making legitimate state-law claims because they know there’s no private cause of action under HIPAA. I’ve thought all along that, while clearly you can’t sue for a HIPAA violation, you could still sue for a state law violation. These cases may make plaintiffs’ lawyers more interested in bringing marginal cases, where there’s no clear state law allowing a breach of confidentiality claim. But where there’s a clear state law right to sue, I don’t think HIPAA’s ‘no private cause of action’ standard has been much of an impediment,” even before the Walgreens case.

Covered entities, Drummond says, should “have strong, consistent, and enforced policies and procedures. Draft clear data use and disclosure rules and information pathways, and constantly remind your employees of their duties and obligations. Regularly audit your employees and their data access/use/disclosure activities, and encourage your employees to keep tabs on each other (to positively reinforce data rules, but also to report suspicious activities). Promptly correct errors and mistakes, and punish employees who willfully or carelessly violate policies and procedures. Covered entity employers must take visible steps to place HIPAA-violating activities outside the ‘scope of duties’ of their employees in any way they can.”


