The Overdose Prevention and Patient Safety Act: What’s the Story ? – American Council on Science and Health

Health information about conditions such as diabetes and hypertension can be shared under the already applicable HIPAA rules. Cirrhosis, which may be a result of alcoholism, cannot be re-disclosed. One additional distinction is that disclosure of substance abuse records ...

Can You Make WordPress HIPAA Compliant?

WordPress is a convenient content management system that allows websites to be quickly and easily constructed. The platform is popular with businesses, but is it suitable for use in healthcare? Can you make WordPress HIPAA compliant?

Before assessing whether it is possible to make WordPress HIPAA compliant, it is worthwhile covering how HIPAA applies to websites.

HIPAA and Websites

HIPAA does not specifically address websites, so HIPAA requirements for websites are a little vague.

As with any other forms of electronic capture or transmission of ePHI, safeguards must be implemented in line with the HIPAA Security Rule to ensure the confidentiality, integrity, and availability of ePHI. Those requirements apply to all websites, including those developed from scratch or created using an off-the-shelf platform such as WordPress.

Websites must incorporate administrative, physical, and technical controls to ensure the confidentiality of any protected health information uploaded to the website or made available through the site.

  • HIPAA-covered entities must ensure there are access controls in place to prevent unauthorized individuals from gaining access to PHI or to the administration control panel
  • Audit controls must be in place that log access to the site and any activity on the site that involves ePHI
  • There must be integrity controls in place that prevent ePHI from being altered or destroyed
  • Transmission security controls must be implemented to ensure any ePHI uploaded to the site is secured (and encrypted in transit) and data must be appropriately secured at rest (encrypted on a third-party server or encrypted/otherwise secured on a covered entity’s web server)
  • Physical security controls must be implemented to prevent unauthorized access to the web server
  • Administrators and any internal users should be trained on use of the website and made aware of HIPAA Privacy and Security Rules
  • The website must be hosted with a HIPAA-compliant hosting provider (or internally)
  • If a third-party hosting company is used, a business associate agreement is required

Once all the necessary controls have been implemented to satisfy the requirements of the HIPAA Security Rule, the website (and its plugins) and all associated systems that interact with the site must be subjected to a risk analysis. All risks to the confidentiality, integrity, and availability of ePHI must be identified, and those risks addressed via risk management processes that reduce them to a reasonable and acceptable level.

WordPress and Business Associate Agreements

WordPress will not sign a business associate agreement with HIPAA-covered entities, and there is no mention of BAAs on the WordPress site. So, does that mean the platform cannot be used in healthcare?

A business associate agreement is not necessarily required. If you simply want to create a blog to communicate with patients, provided you do not upload any PHI to the site or collect PHI through the site (such as making appointments), a business associate agreement would not be required.

You would also not need a BAA with WordPress if PHI is stored separately from the website and is accessed via a plugin. If the plugin has been developed by a third party, you would need a business associate agreement with the plugin developer.

If you want to use the website in connection with PHI, there are several steps you must take to make WordPress HIPAA compliant.

How to Make WordPress HIPAA Compliant

A standard off-the-shelf WordPress installation will not be HIPAA compliant as WordPress does not offer a HIPAA-compliant service. It is possible to make WordPress HIPAA compliant, but it will be a major challenge. You will need to ensure the following before any ePHI is uploaded to or collected through the website.

  • Perform a risk analysis prior to using the site in connection with any ePHI and reduce risks to a reasonable and acceptable level
  • Use a HIPAA compliant hosting service for your website. Simply hosting the site with a HIPAA compliant hosting provider does not guarantee compliance. Ensure that all access, audit, and integrity controls are in place and safeguards implemented to secure data at rest and in transit
  • Perform a security scan of the site to check for vulnerabilities
  • Only use plugins from trustworthy sources
  • Ensure all plugins are updated and the latest version of WordPress is installed
  • Use security plugins on the website – Wordfence for example
  • Use a SaaS provider that can interface the ePHI component into your website or develop the interface internally
  • Ensure ePHI is stored outside of WordPress
  • Set strong passwords and non-default administrator account names to reduce the potential for brute force attacks. Use rate limiting to further enhance security and use two-factor authentication for administrator accounts
  • Ensure that users cannot sign up for accounts directly without first being vetted
  • Ensure any data collected via web forms is encrypted in transit
  • Obtain business associate agreements with all service providers/plugin developers who require access to ePHI or whose software touches ePHI
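As an added illustration (not code from HIPAA Journal or the WordPress project), the following must-use plugin implements three of the controls listed above: it blocks direct self-registration, forces HTTPS for every request, rate-limits failed logins per client address and logs each failure. The thresholds, the `hh_` prefix and the `wp-content/mu-plugins/` location are assumptions; two-factor authentication and the BAAs remain separate requirements.

```php
<?php
/*
Plugin Name: HIPAA Hardening Example
Description: Drop into wp-content/mu-plugins/ (assumed path). Enforces no
  self-registration, HTTPS-only access and per-IP login rate limiting.
*/

// Assumed thresholds: lock a client out after 5 failed logins within 15 minutes.
const HH_MAX_ATTEMPTS = 5;
const HH_WINDOW_SECS  = 15 * MINUTE_IN_SECONDS;

// 1. Disable direct sign-up: accounts are created by an administrator after vetting.
add_filter( 'option_users_can_register', '__return_zero' );

// 2. Encrypt in transit: send any plain-HTTP request to its HTTPS equivalent.
add_action( 'init', function () {
    if ( is_ssl() || ( defined( 'WP_CLI' ) && WP_CLI ) ) {
        return;
    }
    wp_safe_redirect( 'https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'], 301 );
    exit;
} );

// 3. Rate-limit failed logins per client IP using WordPress transients.
function hh_client_key() {
    // Key on REMOTE_ADDR only; use X-Forwarded-For only if a trusted proxy sets it.
    return 'hh_login_fail_' . md5( $_SERVER['REMOTE_ADDR'] ?? 'unknown' );
}

add_action( 'wp_login_failed', function ( $username ) {
    $count = (int) get_transient( hh_client_key() ) + 1;
    set_transient( hh_client_key(), $count, HH_WINDOW_SECS );
    // Audit control: every failure is recorded with its source address (never the password).
    error_log( sprintf( 'login failed user=%s ip=%s count=%d',
        $username, $_SERVER['REMOTE_ADDR'] ?? 'unknown', $count ) );
} );

// Priority 30 runs after WordPress's own credential checks (priority 20).
add_filter( 'authenticate', function ( $user ) {
    if ( (int) get_transient( hh_client_key() ) >= HH_MAX_ATTEMPTS ) {
        // A rejection also fires wp_login_failed, so the lockout window is renewed.
        return new WP_Error( 'hh_locked_out', 'Too many failed logins. Try again later.' );
    }
    return $user;
}, 30 );

add_action( 'wp_login', function () {
    delete_transient( hh_client_key() ); // a successful login clears the counter
} );
```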

WordPress was not developed to conform to HIPAA standards, so making WordPress HIPAA compliant is complicated. Ensuring a WordPress site remains HIPAA compliant is similarly difficult. There have also been several security issues with WordPress over the years, and vulnerabilities are frequently identified. WordPress core is not the only problem: plugins are frequently found to have vulnerabilities, and there is considerable potential for those vulnerabilities to be exploited.

While it is possible to make WordPress HIPAA compliant, the potential risks to ePHI are considerable. WordPress makes website creation simple, but not as far as HIPAA compliance is concerned.

Our recommendation is to develop your own website from scratch, which is easier to secure and maintain; host the site with a HIPAA-compliant hosting company; and, if you do not have employees with the correct skill sets, use a vendor that specializes in developing HIPAA-compliant websites and patient portals.

The post Can You Make WordPress HIPAA Compliant? appeared first on HIPAA Journal.

ATI Physical Therapy Data Breach Impacts 35,000 Patients

ATI Physical Therapy has discovered the protected health information of more than 35,000 patients has potentially been accessed after threat actors gained access to the email accounts of some of its employees.

A security breach was identified on January 18, 2018 when ATI Physical Therapy discovered the direct deposit information of some of its employees had been changed in its payroll platform. Prompt action was taken to protect its employees and external forensic investigators were called in to determine the full extent and scope of the breach.

The investigation revealed the email accounts of certain employees had been compromised and were accessed by unauthorized individuals between January 9 and January 12, 2018. An analysis of the emails in the accounts revealed they contained the protected health information of tens of thousands of patients.

The types of information potentially compromised varied per impacted individual, but may have included names, dates of birth, credit/debit card numbers, driver’s license numbers, state ID numbers, Social Security numbers, Medicare/Medicaid information, health insurance information, billing/claims information, medical record numbers, patient ID numbers, financial account numbers, disability codes, diagnoses, treatment information, prescription information, and physicians’ and therapists’ names.

ATI Physical Therapy reports that only a small number of patients had their Social Security numbers exposed.

Patients impacted by the phishing incident have now been notified by mail and have been offered credit monitoring services without charge. Patients will also be protected by a $1 million identity theft insurance policy. No evidence of misuse of information has been uncovered by ATI Physical Therapy or the forensic investigators.

ATI Physical Therapy’s investigation into the breach is ongoing. Steps have been taken to strengthen email security to prevent future breaches, and employees have been provided with training to help them identify phishing emails.

The Department of Health and Human Services’ Office for Civil Rights breach report indicates 35,136 patients have potentially had their protected health information accessed.

The post ATI Physical Therapy Data Breach Impacts 35,000 Patients appeared first on HIPAA Journal.

Banner Health Anticipates Potential Financial Penalty from OCR over 2016 Cyberattack

According to a financial report issued by Banner Health, OCR is investigating the colossal 2016 Banner Health data breach which saw the protected health information of 3.7 million patients exposed. The breach involved Banner Health facilities at 27 locations in Alaska, Arizona, California, Colorado, Nebraska, Nevada, and Wyoming and resulted in the exposure of highly sensitive protected health information including names, dates of birth, Social Security numbers, and health insurance information.

The attackers gained access to the payment processing system used in its food and beverage outlets with a view to obtaining credit card numbers. However, once access to the network was gained, they also accessed servers containing PHI.

Banner Health reports that it has cooperated with OCR’s investigation into the breach and has supplied information as requested. However, OCR was not satisfied with its response and the evidence supplied on its HIPAA compliance efforts. Specifically, OCR was not satisfied with the documentation supplied to demonstrate “past security assessment activities” with its responses rated as “inadequate”.

Banner Health has responded and provided additional evidence of its security efforts, but “negative findings” are anticipated. Banner Health suspects a financial penalty may be pursued by OCR, although it is not known how much the penalty is likely to be.

The Department of Health and Human Services’ Office for Civil Rights investigates all data breaches of more than 500 records. OCR can issue fines of up to $1.5 million per violation category, per year. HIPAA violations that have been allowed to persist over several years, and cases where there have been multiple violations of HIPAA Rules, can see multi-million-dollar financial penalties pursued. Fines as low as $25,000 have been issued, although there have also been settlements in excess of $4 million.

Based on previous HIPAA settlements, a breach of this magnitude is likely to see a fine toward the upper end of the spectrum.

In addition to a potential fine from OCR for non-compliance with HIPAA Rules, nine lawsuits were filed by plaintiffs affected by the 2016 data breach which have since been consolidated into a single class action lawsuit.

While many data breach lawsuits have been dismissed for lack of standing, this lawsuit appears to be going the distance. The plaintiffs have already demonstrated impending injury as a result of the exposure and theft of their health information.

Banner Health holds an insurance policy against cyberattacks although the extent of insurance coverage is not known. Banner Health is vigorously defending the lawsuit, but should its efforts fail, the health system believes a substantial proportion of the legal costs and any settlement will be covered by its cyber risk insurance policy.

The post Banner Health Anticipates Potential Financial Penalty from OCR over 2016 Cyberattack appeared first on HIPAA Journal.