HIPAA Authorization for Research: HHS Issues Interim Guidance on Authorization Sufficiency – Lexology
Notably, by December 2017, the US Department of Health and Human Services (“HHS” or the “Department”) was to issue guidance clarifying when an individual's authorization for a HIPAA-covered entity or others to use or disclose his or her protected ...
Privacy and Security Round-up – Colorado Data Breach Law, Guidance from OCR – The National Law Review

Is Rackspace HIPAA Compliant?

The Windcrest, TX-based managed cloud computing company Rackspace offers public cloud and email hosting services, but can they be used by HIPAA-covered entities without violating HIPAA Rules? Is Rackspace HIPAA compliant?

Will Rackspace Sign a Business Associate Agreement with HIPAA Covered Entities?

Rackspace is aware that by allowing healthcare organizations to use its services, the company is classed as a HIPAA business associate and must agree to comply with the HIPAA Privacy and Security Rules.

Rackspace has obtained HITRUST and HITRUST CSF certifications, which demonstrate that the company meets the data security and privacy standards demanded by HIPAA for managed public, private, and hybrid cloud environments. The company uses extended SSL encryption and meets PCI DSS data security requirements.

The company provides assistance to healthcare companies to help them use its services in a way that complies with HIPAA Rules and meets their business needs.

Rackspace will also sign a business associate agreement for its dedicated hosting services; the agreement is included by default for customers in the healthcare industry.

Is Rackspace HIPAA Compliant?

Rackspace is prepared to sign a business associate agreement with healthcare organizations and has implemented all the necessary safeguards to ensure that its hosting services can be used by healthcare organizations without violating HIPAA Rules.

Rackspace can therefore be considered a HIPAA compliant hosting company, provided customers use its dedicated hosting services and obtain a business associate agreement before using those services in connection with any PHI.

However, it is the responsibility of all users to ensure that the hosting services are configured correctly. Rackspace cannot determine whether its customers are using its services in a manner that complies with HIPAA Rules.

Covered entities must take full responsibility for ensuring the requirements of HIPAA are satisfied and appropriate safeguards are maintained.

The post Is Rackspace HIPAA Compliant? appeared first on HIPAA Journal.

Advisory Issued After 8 Vulnerabilities Discovered in Natus Xltek NeuroWorks Software

ICS-CERT has issued an advisory following the discovery of eight vulnerabilities in version 8 of Natus Xltek NeuroWorks software used in Natus Xltek EEG medical products.

If the vulnerabilities are successfully exploited they could allow a malicious actor to crash a vulnerable device or trigger a buffer overflow condition that would allow remote code execution.

All eight vulnerabilities have been assigned a CVSS v3 score above 7.0 and are rated high. Three of the vulnerabilities – tracked as CVE-2017-2853, CVE-2017-2868, and CVE-2017-2869 – have been assigned a CVSS v3 base score of 10, the highest possible score. CVE-2017-2867 has been assigned a base score of 9.0, with the other four vulnerabilities – CVE-2017-2852, CVE-2017-2858, CVE-2017-2860, and CVE-2017-2861 – given a rating of 7.5. The vulnerabilities are a combination of stack-based buffer overflows and out-of-bounds reads.

CVE-2017-2853 would allow an attacker to cause a buffer overflow by sending a specially crafted packet to an affected product while the product attempts to open a file requested by the client.

CVE-2017-2868 and CVE-2017-2869 relate to flaws in how the program parses data structures. Exploitation would allow an attacker to trigger a buffer overflow and execute arbitrary code, allowing the attacker to take full control of the affected system.

The vulnerabilities were discovered by security researcher Cory Duplantis from Cisco Talos who reported them to Natus. Natus took immediate action and has now released an updated version of its software which corrects all of the flaws.

To date there have been no reported instances of the vulnerabilities being exploited in the wild, and no public exploits for the vulnerabilities are known. Natus recommends that all users of the vulnerable software update to NeuroWorks/SleepWorks 8.5 GMA 3 as soon as possible.

The update is available free of charge for users of NeuroWorks/SleepWorks Version 8.0, 8.1, 8.4, or 8.5. The Natus Neuro technical support department should be contacted for further information.

In addition to updating to the latest version of the software, organizations can take further steps to limit the potential for zero-day vulnerabilities to be exploited.

The National Cybersecurity & Communications Integration Center (NCCIC) recommends minimizing network exposure for all control systems and devices and ensuring they are not accessible over the Internet. Control systems and remote devices should be located behind firewalls and should be isolated from the business network. If remote access is necessary, secure methods should be used to connect, such as Virtual Private Networks (VPNs), which should be kept up to date.


Washington Health System Suspends Several Employees for Inappropriate PHI Access

Following the alleged inappropriate accessing of patient health records by employees, Washington Health System has taken the decision to suspend several employees while the privacy breach is investigated.

While the exact number of suspended employees has not been confirmed, Washington Health System VP of strategy and clinical services, Larry Pantuso, told the Observer Reporter that around a dozen employees have been suspended. At this stage, no employees have been fired for inappropriate medical record access.

The privacy breaches are believed to relate to the death of an employee of the WHS Neighbor Health Center. Kimberly Dollard, 57, was killed when an out-of-control car driven by Chad Spence, 43, rammed into the building where she worked. Spence and one other individual were admitted to the hospital after sustaining injuries in the accident.

Pantuso did not confirm that this was the incident that prompted the employees to access patients’ medical records, although he did confirm that the alleged inappropriate access related to a “high profile case.”

The accessing of medical records without any legitimate work reason for doing so is a violation of the Health Insurance Portability and Accountability Act (HIPAA). HIPAA only permits the accessing of PHI by employees for treatment, payment, or healthcare operations.

Any healthcare employee discovered to have violated HIPAA Rules faces disciplinary action which can involve suspension, termination, loss of license and, potentially, criminal charges.

There have been several recent cases in which employees have been fired for snooping on the medical records of high profile patients.

In February 2018, 13 employees of the Medical University of South Carolina were fired for HIPAA violations after they accessed patients' medical records without authorization; many of them had accessed the records of high profile patients.

One of the most recent actions taken against a healthcare employee for a HIPAA violation was taken by the New York nursing board’s Office for Professional Discipline. Martha Smith-Lightfoot was provided with a list of patients prior to leaving her employment at University of Rochester Medical Center (URMC) to take up a new position at Greater Rochester Neurology. Smith-Lightfoot provided that list to her new employer and patients were contacted in an attempt to solicit business.

Smith-Lightfoot signed a consent order with the nursing board admitting the violation and had her license to practice suspended for one year, received a stayed suspension for another year, and three years of probation when she returns to practice.

Snooping on medical records is likely to be discovered, as access logs are created whenever health records are accessed. Those logs are periodically reviewed, and if inappropriate PHI access is discovered it is likely to result in termination and will make it hard to obtain future employment in healthcare.


What are the GDPR Rules for Recording Calls?

Many companies record telephone calls for ‘quality and training purposes’ and to help resolve customer disputes, but since May 25, 2018 GDPR Rules for recording calls must be followed.

GDPR Rules for Recording Calls

Any company, regardless of its location, must comply with GDPR Rules for recording calls if the company has dealings with EU residents.

Call recording can continue under GDPR, as recording telephone conversations is not prohibited, but there are now additional requirements to protect the rights and freedoms of data subjects under GDPR. As with the use of cookies on websites and other forms of data collection, it can only take place if the data subject gives their consent (GDPR Article 7).

Previously, in order to comply with existing regulations, companies would advise people that the calls may be recorded for a particular purpose and consent was obtained when the customer continued with the telephone call. The customer’s silence or lack of action was taken to mean that consent was being provided. However, GDPR Rules for recording telephone calls require consent to be provided by an affirmative action. Silence or inactivity is no longer sufficient.

An unambiguous action is now required, such as pressing a specific key on the telephone or providing verbal consent. A recording of consent should be retained by the company.

GDPR Rules for recording calls involve more than consent. The recording of telephone conversations is only possible if there is a valid and legal reason for that information to be collected.

For all companies, at least one of the following criteria must be met in addition to obtaining consent:

  • Recording is required to comply with a contract
  • Recording is required to satisfy legal requirements
  • Recording is required to protect the interests of one or more participants
  • Recording of calls is necessary for safety or is in the public interest
  • Recording is in the legitimate interests of the recorder, provided those interests are not overridden by the interests of the participants in the calls.

Other GDPR Rules for recording calls are detailed below:

Data Protection Requirements

As with all other forms of data collection, call recordings must be stored securely, and appropriate security controls must be applied to prevent stored call data from being accessed by unauthorized individuals. Organizations must conduct a risk analysis to determine the level of risk involved, and apply policies and physical and technical safeguards to reduce risk to an acceptable level.

Data Retention Rules

Article 5(e) of the GDPR explains that data can only be retained for as long as is required to fulfil the purpose for which the data were collected. Recital 30 of the GDPR requires time limits to be applied to how long data can be retained. When call recordings are no longer required, the data must be disposed of securely.

Right to Access Personal Data

Data subjects have the right to access their personal data (GDPR Article 15), which extends to recordings of telephone calls. If a request is received from a data subject to access their personal data, the request must be satisfied within 30 days. A company must therefore be able to search for call recordings and provide copies as necessary.

Right to be Forgotten

A mechanism must be implemented that allows all personal data of an EU subject to be deleted if a request to do so is received from a data subject (GDPR Article 17). When an EU resident exercises their right to be forgotten, all data – including call recordings – must also be deleted, provided that the deletion of such information does not violate state or federal laws and the data are no longer necessary for the purpose for which the information was originally collected. The right to erasure similarly doesn’t apply for the establishment, exercise or defense of legal claims, for archiving purposes in the public interest, or to exercise the right of freedom of expression and information.

If GDPR Rules for recording calls are not followed, stiff financial penalties can be issued. The maximum fine is €20 million or 4% of global annual turnover, whichever is the greater.


Florida Agency for Persons with Disabilities and Black River Medical Center Report Phishing Incidents

Two HIPAA-covered entities have recently disclosed they have been victims of phishing attacks that have potentially resulted in the exposure of patients’ protected health information (PHI).

Further Phishing Attack Reported by Florida Agency for Persons with Disabilities

The Florida Agency for Persons with Disabilities (FAPD), which provides support services for people with disabilities such as autism, cerebral palsy, spina bifida, and Down syndrome, has experienced another phishing attack.

The phishing attack occurred on April 10, 2018 and was limited to a single email account; however, that account contained the PHI of 1,951 customers or guardians.

While no evidence was uncovered to suggest any PHI was viewed or copied by the attacker, PHI access could not be ruled out with 100% certainty. The compromised email account contained information such as names, birth dates, addresses, telephone numbers, health information, and Social Security numbers.

All patients have now been notified of the breach and have been offered credit monitoring services for a year without charge.

Three days after the attack, FAPD implemented a security upgrade to prevent unauthorized individuals from accessing its email system and further training on email security protocols was provided.

This is not the first phishing attack to be reported by the agency in 2018. In February, a more extensive phishing attack occurred that resulted in multiple email accounts being compromised. That phishing attack affected more than 55,000 customers, whose names, birth dates, and Social Security numbers were potentially compromised.

Following the February attack, FAPD said it had implemented multi-factor authentication to prevent unauthorized access to its email accounts and had provided further training for employees on email security protocols.

Patients Notified of Black River Medical Center Phishing Attack

Poplar Bluff, MO-based Black River Medical Center is alerting some of its patients that their protected health information has potentially been accessed by an unauthorized individual.

On April 23, 2018, a response to a phishing email allowed a hacker to gain access to the email account of a single employee. The email account contained a limited amount of protected health information, but not financial information or Social Security numbers. The breach was limited to names, addresses, phone numbers, and in some cases, treatment information.

The investigation confirmed that the incident was limited to the email account and no other systems were affected. No evidence was uncovered to suggest any PHI was accessed, obtained, or misused by the attacker.

Patients were notified of the incident on June 13, 2018, and a notice was posted on the healthcare provider’s website. The breach has yet to appear on the Department of Health and Human Services’ Office for Civil Rights breach portal, so it is currently unclear exactly how many patients have been impacted.
