Editorial: HIPAA Enforcement Trends and Outlook

Considering the Health Insurance Portability and Accountability Act (HIPAA) is now in its third decade, the Privacy Rule took effect 20 years ago, and compliance with the HIPAA Security Rule has been mandatory for 18 years, there have been relatively few financial penalties over the years, with just 130 imposed by OCR to resolve HIPAA violations. There have been changing HIPAA enforcement trends over the years and a shifting of enforcement priorities at OCR. Today, OCR is having to pick and choose the cases where financial penalties are pursued, and while more financial penalties are now being imposed, the penalty amounts are a fraction of the level that they were just a few years ago.

A Brief History of HIPAA Enforcement

The HIPAA Enforcement Rule – Final Rule was issued on February 16, 2006, and took effect on March 16, 2026. The Enforcement Rule gave the U.S. Department of Health and Human Services the authority to investigate HIPAA-regulated entities to determine whether they are in compliance with the HIPAA Rules and impose financial penalties if noncompliance is discovered. The HITECH Act, which took effect on February 18, 2009, established four categories of HIPAA violations based on the level of culpability and set minimum/maximum penalty amounts and penalty caps in each of the four penalty tiers, increasing the maximum penalty amount to $1.5 million for violations of an identical provision in a calendar year.

Then in FY 2020, the HHS reassessed the language of the HITECH Act and determined that the penalty amounts stipulated in the HITECH Act had been misinterpreted, and reduced the penalty amounts in three of the four tiers, only keeping the maximum penalty of $1.5 million for the most serious violations when there is determined to have been willful neglect of the HIPAA Rules with no attempt to correct violations.

Since the effective date of the HIPAA Enforcement Rule (up to and including February 2023), the HHS’ Office for Civil Rights has imposed 130 penalties for HIPAA violations, ranging from violations of a single provision of the HIPAA Privacy Rule, such as the failure to provide individuals with timely access to their medical records, to egregious violations and widespread noncompliance with the HIPAA Rules. The penalties imposed so far range from $3,500 to $16,000,000.

Financial Penalties for HIPAA Violations are Relatively Rare

While OCR has the authority to impose financial penalties for HIPAA violations, the vast majority of investigations have not resulted in financial penalties. OCR investigates all large data breaches of 500 or more records and more than 5,000 such breaches have been reported since 2009, yet only 130 financial penalties have been imposed. OCR has stated that in the majority of cases, HIPAA violations are resolved through voluntary compliance and technical assistance, where OCR helps regulated entities address the violation to avoid further compliance issues.

In a February 28, 2023, update on its HIPAA enforcement actions, OCR explained that it has received more than 322,579 complaints about potential HIPAA violations. 14,355 cases were investigated and no violation was identified, and OCR failed to establish a case for enforcement in 215,125 cases. Technical assistance was provided in 53,661 cases.

From those cases, OCR has initiated more than 1,160 compliance reviews and said 97% of all cases have been successfully resolved. More than 30,013 cases have required changes to be made to privacy practices or corrective actions to be implemented by HIPAA-covered entities and business associates. The 130 cases that warranted financial penalties have resulted in $134,828,772 being paid to OCR in civil monetary penalties and settlements.

HIPAA Audits Identified Widespread Noncompliance

In addition to the investigations of complaints and data breaches, OCR has conducted two phases of HIPAA audits. These audits were not conducted from a HIPAA enforcement perspective, rather the primary goal was to identify the areas where HIPAA-regulated entities were struggling with compliance. The audits have helped OCR to develop pertinent guidance to address the most common HIPAA violations. The first round of audits identified widespread HIPAA violations as covered entities struggled to get to grips with what was required, but more than a decade after the HIPAA Privacy and Security Rules were enacted, noncompliance was still common.

In the second round of compliance audits, the most common violations identified were related to Notices of Privacy Practices, a lack of information in breach notifications, HIPAA Right of Access failures, business associate breach notifications to covered entities, and risk analysis and risk management failures, with the latter common with covered entities and business associates.

According to OCR, the same areas of noncompliance are identified frequently in its investigations, along with impermissible uses and disclosures of protected health information, a lack of safeguards for protected health information, a lack of patient access to their protected health information, a lack of administrative safeguards for electronic protected health information, and the use or disclosure of more than the minimum necessary protected health information.

HIPAA Enforcement Trends

In the early years after the HIPAA Enforcement Rule was enacted, OCR showed a reluctance to resort to financial penalties for HIPAA violations, typically only pursuing financial penalties in the most egregious cases when widespread noncompliance was identified and for the most serious compliance failures. In the 29 enforcement actions from 2008 to 2015, 9 penalties were imposed for risk analysis/risk management failures, 9 for the failure to safeguard PHI, 6 for widespread non-compliance with the HIPAA Rules, and one each for denying access to medical records, disclosing PHI without consent, the failure to encrypt PHI, improper disposal of PHI, and the failure to permanently erase PHI.

There was an uptick in HIPAA penalties in 2016, 10 years after the Enforcement Rule was published. Since then, the enforcement actions have addressed a much broader range of HIPAA violations. Risk analysis and risk management failures are still one of the most common HIPAA failures cited in its enforcement actions, along with other HIPAA Security Rule violations and impermissible disclosures of PHI.

In the fall of 2019, OCR launched a new enforcement initiative targeting organizations that were not compliant with the HIPAA Right of Access, with the penalties arising from complaints rather than data breaches. Since then, 65 penalties have been imposed to resolve HIPAA violations, 43 of which have been for HIPAA Right of Access violations. The main reason for this HIPAA enforcement trend has been a massive increase in OCR’s workload and extremely limited resources for HIPAA investigations.

Lack of Funding Hampering HIPAA Enforcement

OCR has been struggling with a lack of funding for several years as its budget has remained flat despite a significant increase in its workload. OCR has made multiple requests to Congress for additional funds, but those requests have been denied. Since fiscal year 2017, complaints about potential HIPAA violations have increased by 28% and reports of large data breaches – more than 500 records – have increased by 100%. All complaints must be assessed and when the allegations are substantiated, the violations must be investigated. OCR also investigates all large healthcare data breaches to determine if they are the result of non-compliance with the HIPAA Rules. As such, OCR’s limited budget and resources have been squeezed and that is limiting the ability of OCR to enforce compliance. OCR also has an increasing workload in other areas – OCR enforces 55 statutory authorities including civil rights and non-discrimination statutes in addition to HIPAA and for several years the small HHS department has not been given adequate resources to do its job.

To help address the budgetary shortfall, the HHS has undertaken a restructuring of OCR which has seen the creation of three new divisions to get more from its limited budget and resources, including a new enforcement division. The HHS hopes the restructuring will improve efficiency, which will help OCR deal with its increased caseload and reduce its backlog of investigations. It is worth noting that OCR’s enforcement staff has been reduced by 45% due to flat budgets and inflation increases, so while the restructuring will help, restructuring alone is unlikely to solve the problem.

OCR could use funds from its enforcement actions to address the budgetary shortfall; however, civil monetary collections have declined since 2019, despite an increase in enforcement actions. This is due to the reinterpretation of the language of the HITECH Act and the reduction in minimum and maximum penalty amounts and the annual penalty caps. In 2019, OCR raised almost $23 million in fines and settlements, but following the reassessment, the total fell to just over $2 million in 2022, even though a new record was set that year for the number of financial penalties imposed. The number of penalties has increased, but there has been a notable shift from imposing penalties on large HIPAA-covered entities for egregious violations of the HIPAA Rules to enforcement actions against small healthcare providers for HIPAA Right of Access violations.

This year, the HHS requested an additional $78 million in funding for FY 2024, which almost doubles its FY 2023 budget, with a requested increase of $38 million from the $40 million received in 2023. OCR Director, Melanie Fontes Rainer, said OCR now has to pick and choose its battles carefully, as it is forced to operate under incredible resource constraints and its staff is incredibly overworked. Data from 2020 indicates OCR has just 77 investigators, and they are not all investigating HIPAA violations. Some are investigating violations of other statutes such as anti-discrimination and civil rights violations. For FY 2023, the HHS requested a 58% increase to its budget to $60 million, which would have allowed OCR to hire a further 37 investigators. The HHS was unable to get a budget increase when Democrats had a majority in the House and Senate, so it seems even more unlikely now.

This year, in addition to the sizeable budget increase, OCR has submitted a proposal to get the authority to work with the Department of Justice and seek injunctive relief, which will improve OCR’s ability to prevent additional or future harm to individuals from non-compliance. OCR is also seeking help from Congress to increase the caps for financial penalties for HIPAA violations to provide additional funding for its enforcement activities.

The Future of HIPAA Enforcement

OCR is continuing with its enforcement initiative targeting HIPAA Right of Access violations and has already announced one settlement this year due to untimely breach notifications. These enforcement actions are relatively cut and dried. A patient complains that they have not been provided with their records and can provide proof that the request was sent, and the healthcare provider must provide proof that the requested records have been provided, along with evidence of staff training. It is difficult for covered entities to contest the findings when records have not been provided within the set time frame, so legal disputes are unlikely, especially considering the penalties imposed are relatively small. These enforcement actions are therefore a good use of OCR’s limited resources.

What is needed, however, is investigations of hacking incidents, which are behind the massive increase in large data breaches. OCR needs additional funding for these investigations to determine if they have been caused by noncompliance with the HIPAA Security Rule. These investigations are, however, much more complex, time-consuming, and resource-intensive. OCR also faces a potential problem: the approach taken in its past enforcement actions was called into question when the $4.3 million penalty for University of Texas MD Anderson Cancer Center was overturned on appeal.

OCR’s enforcement actions were deemed to be “arbitrary, capricious, an abuse of discretion, or otherwise not in accordance with law,” and the penalty was reduced by a factor of 10. That case could embolden other HIPAA-regulated entities to challenge penalties, further draining OCR’s resources and its ability to enforce HIPAA. While it is unclear exactly how much impact the overturning of the MD Anderson Cancer Center penalty has had, OCR has only fined four entities for Security Rule failures related to data breaches since that decision, out of 37 enforcement actions: Excellus Health Plan, AEON Clinical Laboratories (Peachstate), Oklahoma State University – Center for Health Sciences (OSU-CHS), and Banner Health.

OCR also needs to start sharing a percentage of the settlements and civil monetary penalties it collects with victims of HIPAA violations, which is likely to further reduce the funds OCR can use from those enforcement actions. Without an increase in its budget, which appears to be the likely scenario, the future of HIPAA enforcement is likely to depend in large part on an increase to the penalty caps and improvements in efficiency from its restructuring.

A reduction in data breaches would certainly help ease OCR’s caseload, but with a relative lack of enforcement of noncompliance and extensive targeting of the healthcare industry by malicious actors, that seems somewhat unlikely. OCR is now considering the recognized security practices that have been implemented when making determinations about fines and penalties which could encourage healthcare organizations to improve security, but for many smaller healthcare organizations, budgets are already limited and there is a global shortage of skilled cybersecurity professionals. Regulatory moves by the government could help to address this by providing incentives for healthcare organizations to make further investments in security and to deal with the staff shortage by introducing incentives for cybersecurity professionals to take on roles in healthcare.

The HHS has also increased the guidance issued to help healthcare organizations improve their defenses. The Health Sector Cybersecurity Coordination Center (HC3) is now issuing more threat advisories specific to the healthcare sector, along with recommendations and resources to help healthcare organizations improve their defenses by focusing their efforts on the most pertinent threats. That help has been welcomed, and while more healthcare-specific threat intelligence would be of great help to the sector, HC3 also has considerable budget constraints and requires additional funding to increase its output.

Steve Alder, Editor-in-Chief, HIPAA Journal

Editorial: Time to Stop Blocking a National Patient Identifier System

In 1996, the Health Insurance Portability and Accountability Act (HIPAA) was signed into law, and one of its requirements was for the Department of Health and Human Services (HHS) to develop a national patient identifier system. Under such a system, every person in the United States would be provided with a unique permanent ID number that would allow them to be tracked across the entire U.S. health system, not for any form of control, government interference in healthcare, or any other nefarious purpose, but to address a pressing public health and safety issue: to ensure patients can be reliably and accurately connected with their health information. 27 years later, we are no closer to a national patient identifier than we were in 1996.

The reason for the lack of action goes back to 1998, when Representative Ron Paul (R-TX) introduced a ban on the HHS developing a national patient identifier system by ensuring no funding was provided by Congress for that purpose. Language has been included in every appropriation bill since then that prevents any funding from being given to the HHS to use for that purpose. In 2019, Senator Rand Paul (R-KY), son of Rep. Ron Paul, tried to take this a step further by introducing a bill that sought to remove the national patient identifier provision from HIPAA entirely, although the effort did not succeed. Then in 2021, House and Senate appropriators removed the language from the appropriations bill – a move widely applauded by many healthcare stakeholder groups – to allow this long-standing issue to be addressed and permit the HHS to start exploring potential methodologies for introducing a national patient identifier.

Later that year, Sen. Rand Paul wrote to Senate appropriators requesting the reintroduction of the language into the appropriations bill, then – along with Senator Marsha Blackburn (R-TN) – introduced the National Patient ID Repeal Act; standalone legislation calling once again for the provision to be stripped from HIPAA. The bill was not passed, but Sen. Rand Paul’s advocacy helped ensure that the funding ban was reintroduced.

The Mismatching of Patient Records is a Common and Serious Patient Safety Issue

The primary reason for introducing a national patient identifier system was to ensure patients could be accurately matched with their healthcare information, no matter where in the country they sought healthcare. Such a system would ensure an individual’s healthcare data could not be mismatched with another individual’s, which was a problem in 1996 and remains a serious patient safety issue today. Each year, the Joint Commission publishes a list of National Patient Safety Goals, and top of the list for 2023, as has been the case for several years, is the correct identification of patients. A national patient identifier could solve this important patient safety issue.

The lack of a universal patient identifier results in duplicated medical records. If a patient visits a healthcare provider and their records cannot be found, a new medical record is created, resulting in the patient’s information being split between two different records. Important information about the patient will be missing from their records, which could include information vital to ensuring that patient’s safety. Patient mismatching often results in repeated medical tests, which can delay care and cause patients to incur unnecessary costs. There can, of course, be far more serious consequences from the mismatching of patient records, such as medication mix-ups, transplant errors, and catastrophic delays to care resulting in loss of life. These are not uncommon events and occur repeatedly throughout the healthcare system.

The problem of incorrectly identifying patients and mismatching records was exacerbated during the pandemic when thousands of duplicate records were created in the rush to get the population vaccinated. There were many cases of patients being unable to get COVID vaccines as their medical records stated – through mismatching with similarly named patients – that they had already received the vaccine. Misidentification and duplicate health records also caused disruptions to the registration process and vaccine availability at provider sites, hampering efforts to ensure rapid vaccination of the population. When the next pandemic hits, the same problems will likely be experienced again.

In 2020, the Patient ID Now Coalition was founded, an advocacy group whose founding members include the American College of Surgeons, AHIMA, CHIME, HIMSS, Intermountain Healthcare, and Premier Healthcare Alliance. Patient ID Now is attempting to build bipartisan momentum to support accurate patient identification by removing the legislative barriers that are preventing the development of a national patient identifier system. Patient ID Now believes the creation of a national patient identifier is one of the most important patient safety issues to address.

Patient ID Now provided an example of the devastating consequences of mismatching patient records. A woman visited her physician, who arranged for her to have a mammogram; however, she never received the results. She mistakenly assumed that she was not contacted about the results because nothing bad was found, when the reality was that the mammogram results had been mismatched with a patient who shared the same name. The mismatching was only identified when she mentioned the mammogram to her physician during an annual check-up. The mammogram showed she had cancer, and the one-year delay in receiving treatment had allowed the cancer to progress to the point where it was terminal.

This is far from an isolated example. A January 2019 Government Accountability Office Report found that matching patients with the right records was an incredibly common problem. 45% of large hospitals reported experiencing difficulty with accurately identifying patients. CHIME estimates that matching records within hospitals can be as low as 80%, which means 1 in 5 patients may not be matched with their entire medical records. Further, the matching rate may be even lower between organizations that share the same EHR vendor, dropping to just 50%. AHIMA reports that inaccurate patient identification results in $1,950 in duplicative medical care costs per inpatient and causes $1.5 million in denied claims each year.

Why Does the Funding Ban Continue?

A national patient identifier can help to prevent medical errors, save lives, and cut costs, and also has other benefits. A national patient identifier would support clinical and public health research and population health initiatives, which would help with the transition from fee-for-service to value-based care, and that would benefit patients, providers, payers, and the country as a whole. So, what are the main reasons why the funding ban continues?

One of the most commonly cited arguments against the introduction of a National Patient Identifier, and one that has been often stated by Sen. Rand Paul, is to stop government involvement in an individual’s healthcare. “As a physician, I know firsthand how much the doctor-patient relationship relies on trust and privacy, which would be undermined by a National Patient ID,” said Sen. Rand Paul when introducing the National Patient ID Repeal Act in 2021. He explained that the move to strip this provision from HIPAA was to “prevent the government from centralizing patients’ personal health records or interfering with their medical decisions,” and warned that removing the ban “would open the floodgates for a government-issued ID to be linked with the private medical history of every man, woman, and child in America.”

Sen. Blackburn, who supported the bill, said, “The federal government has no right to dictate individual medical decisions or gain access to your private medical records. The existing National Patient ID sets a dangerous precedent for Big Brother to exert even more control over your life, and it is paramount that we prevent the Biden administration from creating it.” It has also been suggested that creating a “cradle-to-grave medical record” would allow individuals’ entire medical records to be used to conduct medical research without consent, although the HIPAA Privacy Rule prevents such uses and disclosures without consent, and there is no reason why additional safeguards could not be introduced with a National Patient Identifier system.

Another argument often put forward is a national patient identifier would make it easier for nation-state actors to steal patient data. “Now, more than ever, it is crucial to protect Americans’ genetic information from theft by foreign actors like China,” said Sen. Rand Paul when introducing the National Patient ID Repeal Act. While these are valid concerns, it is worth bearing in mind that big tech companies and data brokers are already compiling huge amounts of incredibly personal data on individuals, including health information, and are using and selling that information without restriction. Companies such as AncestryDNA and 23andMe (and many others) provide hugely popular services to the public that involve sequencing DNA, and these companies are not even bound by the protections of HIPAA.

It is also important to point out that healthcare data theft is a problem without a national patient identifier. As of January 31, 2023, more than 383 million healthcare records have already been stolen along with identifiers such as Social Security numbers. If a healthcare-only identifier was introduced, patients would not have to disclose their Social Security numbers to their healthcare providers, thus helping them to protect themselves against identity theft and fraud. While it has been suggested that patient trust could be lost due to a national patient identifier, a system could be set up akin to the credit monitoring system, and patients would be able to monitor access to their healthcare data and see exactly who accesses it and for what reason.

National Patient Identifiers Have Been Successfully Introduced in Many Developed Countries

A national patient identifier has been introduced in many developed countries with great success and has helped to eliminate patient misidentification. For instance, in the United Kingdom, all patients are issued with a unique National Health Service (NHS) number, which allows patients to be matched with their medical records no matter where they receive healthcare through the NHS system. Sure, if the NHS is hacked, then entire medical records could be stolen, but in the UK, it is seen as far more important to ensure patient safety by correctly matching patients with their entire medical records than to avoid any potential risks or worries about government control.

While there are clear benefits to a national patient identifier – which I feel far outweigh any negatives – introducing such a system is not without problems, one of the biggest being the cost, which has been estimated to be in the region of $1.5 billion to $11.1 billion, and there will undoubtedly be challenges in implementing any such system.

Removing the appropriations bill language will at least allow the HHS to start exploring how a national standards-based system could be introduced to ensure patients can be accurately matched with their medical records and start obtaining feedback from stakeholders on potential methodologies. Surely, it would be better to actively address the pressing public health and safety issue of mismatched patient records, than to keep rejecting the idea due to outdated fears about the government controlling individuals’ healthcare decisions.

Steve Alder, Editor-in-Chief, HIPAA Journal

Editorial: The Three Pillars of HIPAA Compliance

Achieving compliance with the Rules of the Health Insurance Portability and Accountability Act (HIPAA) can be a challenge for healthcare organizations and their business associates. The HIPAA Rules were developed to cover healthcare organizations of different types and sizes, so the Rules needed to be flexible to accommodate this diversity. They also needed to be capable of standing the test of time without requiring regular updates in response to changing technology and operating practices.

While HIPAA sets standards for privacy, security, and administrative processes, the Rules can seem complex and often lack important details and they do not include an easy-to-follow HIPAA compliance checklist, so it’s no surprise that achieving and maintaining HIPAA compliance can be a daunting prospect. One of the biggest challenges for compliance professionals is interpreting the HIPAA Rules and applying those requirements to their organization. For smaller healthcare organizations with limited resources, achieving and maintaining compliance can be harder still.

If HIPAA compliance is causing you headaches or keeping you up at night, it is worthwhile considering partnering with a compliance company and getting advice on how to achieve and maintain compliance for peace of mind. For those considering going it alone, there are three pillars of HIPAA compliance that you need to get right.

Pillar 1: Implement a HIPAA Compliance Program

HIPAA-regulated entities need to implement an effective HIPAA compliance program, covering all standards and implementation specifications of the HIPAA Rules. HIPAA-compliant policies and procedures must be developed and implemented, and staff trained on those policies. While compliance responsibilities can be split between multiple individuals – such as a Privacy Officer and a Security Officer – one individual should have overall responsibility for compliance throughout the entire organization. You should also consider forming a compliance committee that meets regularly to discuss the state of compliance with HIPAA and other federal and state regulations.

One of the first things the Department of Health and Human Services’ Office for Civil Rights (OCR) will seek to establish when investigating complaints and data breaches is whether the entity has implemented a formal HIPAA compliance program and is taking its HIPAA compliance obligations seriously. Proving your organization takes HIPAA compliance seriously and has not ignored its obligations means compliance efforts must be thoroughly documented.

The first stage of an OCR investigation involves a document request. OCR will contact a covered entity and ask for specific documentation relative to the complaint or data breach, and that information needs to be provided promptly. If a HIPAA-regulated entity is unable to prove it has a HIPAA compliance program in place, then a financial penalty is all but guaranteed. If you have invested time and effort into complying with the HIPAA Rules and can provide documentation demonstrating your good faith effort, the HHS is more likely to provide technical assistance than impose a financial penalty. OCR says the vast majority of investigations are resolved through voluntary compliance or technical assistance, and financial penalties will be avoided if entities can demonstrate satisfactory compliance.

When investigating data breaches, organizations will be asked to provide evidence that comprehensive, accurate risk analyses have been conducted. You may be asked to provide evidence of risk analyses for the past 5 or 6 years. If you can’t provide that documentation, it doesn’t matter whether those risk analyses were actually conducted: from OCR’s perspective, at best they were incomplete and at worst they were not conducted at all. Both are likely to result in a fine.

If a complaint is investigated about an alleged employee HIPAA violation, OCR will want to see evidence that a HIPAA training program is in place and proof that employees have received appropriate training. The sanctions policy may be requested, along with evidence of any ongoing corrective actions and sanctions, further training that has been provided to the workforce in response to discovered violations, and samples of breach notifications.

It is therefore imperative that you maintain accurate, detailed records of all of your compliance efforts and store that documentation in a central data repository with your policies and procedures. That will ensure that you can respond quickly to any request and provide evidence of compliance. The failure to provide the requested documentation could trigger a much more extensive review of your compliance program.

Pillar 2: Develop a Security Awareness and HIPAA Training Program

Policies and procedures must be developed on all aspects of HIPAA but not just to allow boxes to be ticked in a HIPAA compliance checklist. That may be sufficient to pass a very basic document review, but policies alone will not make an organization HIPAA compliant. All members of the workforce must be provided with the policies and must receive training relevant to their role. Every individual in a healthcare organization has a role to play in making their organization HIPAA compliant and must be trained to allow them to perform their duties in a HIPAA-compliant way.

Employees should not have to guess how HIPAA applies. In addition to training, employees must be made aware of the sanctions policy and the repercussions of HIPAA violations, and the sanctions policy must be enforced.

HIPAA calls for training to be provided during the onboarding process, regardless of whether a new hire is a seasoned healthcare professional or is new to the industry. It is the responsibility of the compliance officer to ensure that appropriate training programs are developed and that all members of the workforce receive adequate training. While HIPAA violations can take many different forms, most HIPAA violations are due to mistakes by employees and a lack of appropriate training is often the cause.

It is unreasonable to expect employees to gain the knowledge of a compliance professional from HIPAA training provided during the onboarding process. The goal is to ensure that everyone is aware of how HIPAA applies to their role, the rules regarding uses and disclosures, and how to protect patient data. Training needs to be an ongoing process, so refresher training should be provided annually to ensure standards do not slip. HIPAA calls for the staff to be trained on internal policies relative to their role and for all members of the workforce to receive security awareness training.

The importance of the latter was highlighted in the 2022 Verizon Data Breach Investigations Report, which revealed the human factor was involved in 82 percent of data breaches. Security awareness training is concerned with teaching security best practices, making the workforce aware of security threats, and training employees on how to recognize and report those threats. Through training, organizations can eradicate risky practices and significantly reduce the risk of a successful cyberattack and data breach.

Training programs should be tailored to each role and include the specific threats those individuals are likely to encounter. Given the extent to which healthcare employees are targeted with phishing attempts and BEC attacks, there needs to be a particular focus on identifying, avoiding, and reporting these threats to the security team.

Security awareness training is a requirement of the HIPAA Security Rule but the frequency of training is left to the discretion of each regulated entity. HIPAA-regulated entities should go above and beyond the minimum requirements for training and should implement an ongoing security awareness training program, with training delivered throughout the year. The goal should be the creation of a security culture, which is unlikely to happen with infrequent training. As with all aspects of HIPAA compliance, training must be documented. One of the first things OCR will seek to establish when investigating data breaches is whether a security awareness training program is in place.

Pillar 3: Develop, Implement, and Continuously Improve an Information Technology Security Program

There are 20 standards in the HIPAA Security Rule, but within each standard are many more implementation specifications. There are more than 60 implementation specifications that must be considered and implemented, including required and addressable specifications.

HIPAA Security Rule compliance primarily involves developing and implementing a comprehensive information security program that incorporates administrative, technical, and physical safeguards to protect against reasonably anticipated threats and hazards to ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI). The information security program must incorporate access controls to protect against internal and external unauthorized access to ePHI, continuous evaluation of security controls, monitoring information systems for unauthorized activity, security awareness training, and developing and implementing contingency and incident response plans.

The risk analysis is one of the fundamental implementation specifications of the HIPAA Security Rule, and one of the main areas where mistakes are made. Risk analyses must be accurate, comprehensive, and organization-wide, and should identify all potential risks and vulnerabilities to ePHI. Those risks must then be subjected to a risk management process and be reduced to a low and acceptable level. Risks must be documented, assessed for criticality, prioritized, and managed, and the process must be fully documented, including how the risks were addressed, when they were resolved, ongoing unresolved issues, and the time frames and steps for addressing any unresolved issues. Risk analyses should be conducted annually and in response to any material change in policies, procedures, or new technology.

When investigating data breaches, OCR seeks to establish the underlying cause of a data breach and will require evidence of risk analyses and risk management. OCR will look for the mitigations in response to a data breach, the actions taken to prevent further incidents, and the entity’s compliance prior to the breach. Recognized security practices will also be considered as a mitigating factor, so these must be thoroughly documented.

HIPAA Security Rule compliance will ensure a baseline level of security is achieved but given the extent to which the healthcare industry is targeted, organizations should look beyond HIPAA Security Rule compliance and should continue to develop the information security program. Adopting a cybersecurity framework such as the NIST Cybersecurity Framework or HITRUST CSF will greatly improve an organization’s security posture and will be considered a mitigating factor by OCR when investigating data breaches and HIPAA Security Rule violations.

Organizations unable to take this step should consider adopting the HHS 405(d) Program, which serves as a stepping stone between HIPAA Security Rule compliance and the full implementation of a cybersecurity framework. The HHS 405(d) Program documentation outlines the main current cybersecurity threats to the sector, offers best practices for mitigating those threats, and provides technical assistance tailored to the size and capabilities of small, medium, and large-sized healthcare organizations.

HIPAA Compliance is a Continuous Process

There is much more to HIPAA compliance than developing and documenting policies, training staff, and developing an effective information security program, but if you get the basic structure in place, achieving HIPAA compliance will be much more straightforward and you will be able to demonstrate that you are taking your obligations seriously.

Adopting a methodical checklist-style approach to HIPAA compliance will help to ensure compliance with all HIPAA standards, but becoming compliant is just the start. Maintaining compliance requires regular internal audits, updates to policies and procedures to account for new HIPAA requirements and changing technology, and ensuring that safeguards remain effective in a rapidly changing threat landscape.

Signing up to receive updates from the HHS 405(d) Program is a good place to start. A plan should also be developed for adopting a cybersecurity framework to improve the maturity of your cybersecurity program, and there are advantages to be gained from using HIPAA compliance software, especially for healthcare organizations and business associates that feel a little overwhelmed by HIPAA compliance.

Steve Alder, Editor-in-Chief, HIPAA Journal

The post Editorial: The Three Pillars of HIPAA Compliance appeared first on HIPAA Journal.

Editorial: Benefits of HIPAA for Patients

This is the third article in the ‘Benefits of HIPAA’ series, this time around exploring how the Health Insurance Portability and Accountability Act (HIPAA) and its subsequent amendments have benefited patients. The first article in the series explored how HIPAA has benefited healthcare organizations and the second covered the key benefits of HIPAA for healthcare professionals.

A World of Change for Patients

It has now been 27 years since HIPAA was signed into law by President Clinton. Memories of what the healthcare industry was like before that time may be starting to fade, but it should not be forgotten just how important HIPAA was at that time and has continued to be for more than a quarter of a century since. The initial Act introduced standards in healthcare to improve efficiency and make sure that healthcare providers, health plans, and healthcare clearinghouses followed standard practices and used the same code sets.

No system can function efficiently if the different components do not speak the same language, yet this was essentially how the healthcare system operated at the time. That system worked well when healthcare was provided on a one-to-one basis between a clinician and a patient, but as the healthcare ecosystem was becoming more complex, change was desperately needed to ensure healthcare information could be easily transferred to where it was needed, without requiring time-consuming and costly manual processes to convert the data into a usable form. In addition to helping clinicians have access to the data they need, HIPAA has also helped health plans process claims more efficiently and ensures funds are rapidly transferred to pay for healthcare services.

HIPAA made it easier for healthcare providers and health plans to share data electronically and that has helped patients by improving the continuity of care. Recent rules introduced by the HHS have helped to remove some of the barriers to information sharing and ensure that healthcare organizations and electronic health record providers do not engage in practices that could block or hamper the sharing of patient data. That is helping to prevent patients from incurring unnecessary costs, such as having to redo medical tests when they change healthcare providers.

HIPAA has helped to improve the accuracy of record keeping, making it easier to match medical records with the right patients, thus preventing medical errors. HIPAA has also played an important role in reducing healthcare fraud, which was forcing health insurance providers to massively increase their premiums to cover the losses.

One of the initial aims of HIPAA was to improve the portability of health insurance and help to prevent Americans from falling into a job lock situation, where they felt unable to change jobs due to the fear of losing health insurance coverage. While HIPAA has not solved the problem of job lock, it has certainly helped. HIPAA also helped to expand health insurance coverage and prevent discrimination, by ensuring individuals could not be denied health insurance due to pre-existing medical conditions.

Privacy and Security of Healthcare Data

HIPAA called for the Secretary of the Department of Health and Human Services to adopt standards to ensure patient privacy and data security, which were added a few years later in the Privacy and Security Rules. Before the HIPAA Privacy Rule was signed into law, patients did not have a federal right to healthcare data privacy and there were no federal restrictions on disclosures of that data or how healthcare data could be used. A patient’s healthcare information could be used for marketing purposes without restriction, and before the HIPAA Privacy Rule, healthcare providers were not required by law to provide a patient with a copy of their medical records.

The HIPAA Privacy Rule introduced standards for privacy, stipulating exactly when healthcare data could be disclosed and required patients to provide their authorization before their healthcare information could be used for most purposes other than the provision of healthcare, payment for healthcare, and other essential uses necessary for healthcare organizations to provide their services. HIPAA ensured that disclosures of healthcare data were limited to the minimum necessary amount, prohibiting a patient’s entire medical records from being disclosed when the entire record was not required. HIPAA has ensured that, in general, healthcare information cannot be provided to an employer, be used for marketing or advertising purposes, or be sold without written authorization from the individual.

These privacy protections and the need to keep healthcare data secure seem like basic rights today, yet before the HIPAA Privacy and Security Rules were signed into law, there wasn’t a legal requirement to ensure the privacy and security of healthcare data, and healthcare providers and health plans were not accountable for privacy violations and security failures.

HIPAA Gave Patients New Rights

In addition to benefitting patients in these ways, HIPAA gave patients several new rights over their healthcare data. One of the most important rights is the ability to inspect healthcare data. Healthcare providers generally record patient information accurately, but errors can be made. The Privacy Rule gave patients the right to check their medical records for errors and have those errors corrected. Before the Privacy Rule was introduced, those errors would likely have remained, threatening patient safety. Patients were also given the right to obtain a copy of their healthcare data, which allows them to take it to a new healthcare provider and disclose that information to whomever they wish, be that a friend, family member, or a medical research institution. Recent changes have also allowed patients to have their healthcare information sent to the health app of their choosing.

The HIPAA Privacy Rule ensured transparency of privacy practices, ensuring patients are informed about how their healthcare data will be used – through Notices of Privacy Practices – and to whom the information has been disclosed – through an Accounting of Disclosures, a copy of which can be obtained on request. Patients were also given the right to request restrictions on disclosures of their healthcare information, putting them in control of who is provided with their sensitive healthcare information.

HIPAA does not have a private cause of action, which means a patient can’t sue for a HIPAA violation; however, patients do have the right to file a complaint about a HIPAA violation with a healthcare provider or health plan and can submit a complaint to the HHS’ Office for Civil Rights, which will investigate and take action. Further, when there is an unauthorized disclosure of healthcare information, or when that information has been exposed, patients need to be notified, which allows them to take action to protect against identity theft and fraud.

How the Pending HIPAA Privacy Rule Update Will Benefit Patients

It has been two decades since the HIPAA Privacy Rule was signed into law and a lot has changed in that time. Certain aspects of the Privacy Rule have proven to be cumbersome for HIPAA-covered entities, and there are several areas where improvements are required for patients. Fortunately, some important updates are about to be made that will deliver even more benefits for patients and will improve access to medical records.

Obtaining a copy of medical records is a fundamental right of HIPAA, but the timescale for providing those records is hardly appropriate in the digital age. The latest update will see the time shortened for providing a copy of a patient’s records from 30 days to 15 days, and if an extension is permitted, that time frame has similarly been reduced to 15 days. That means a maximum of 30 days to obtain a copy of the requested records. To further improve access, patients will also be allowed to take notes and photographs of their records, should they so wish. The burden of identity verification when requesting access to records has also been reduced and it has been made easier for patients to direct their healthcare providers to transfer their records to another healthcare provider.

Patients can be charged for copies of their medical records, and while there are restrictions on what can be charged, the update will help to prevent patients from incurring unnecessary or unexpected costs. There has been clarification on when copies of electronic medical records must be provided free of charge, and healthcare providers are required to publish how much patients will typically be charged if they want paper copies of their records.

Another important change will help to improve patient safety, as the ability of healthcare providers to disclose patient information to avert a threat to health or safety has been expanded. They will be able to disclose patient information when harm is “serious and reasonably foreseeable,” instead of a “serious and imminent” threat to health or safety. The changes will also facilitate the sharing of patient information to improve care coordination and case management for individuals, which is intended to improve family and caregiver involvement in the care individuals need when experiencing emergencies or health crises.

Moving Forward – Where HIPAA Needs to Change

The updates to the Privacy Rule will certainly benefit patients, but there is one area where HIPAA lets patients down. HIPAA only applies to healthcare data when it is collected, maintained, stored, or transmitted by a HIPAA-regulated entity. The same healthcare data could be collected, maintained, stored, or transmitted by another entity, and would not be protected by HIPAA. For instance, healthcare information could be stored in a health app, and that information would fall outside the protections of HIPAA. What is now needed is an expansion of HIPAA to cover all healthcare data or new HIPAA-like regulations to be introduced to cover healthcare data when the information is collected by an entity not covered by HIPAA.

One common criticism of HIPAA is the lack of a private cause of action, which prevents patients from suing for HIPAA violations. While this is unlikely to change, there is some good news for patients. The HHS’ Office for Civil Rights will soon be distributing a percentage of the funds raised from its enforcement actions to victims of HIPAA violations, as soon as a suitable methodology for doing so is developed. OCR recently sought information from industry stakeholders and the public on how best to implement this requirement and ensure the funds are fairly distributed.

Steve Alder, Editor-in-Chief, HIPAA Journal

The post Editorial: Benefits of HIPAA for Patients appeared first on HIPAA Journal.

Editorial: Benefits of HIPAA for Healthcare Professionals

It has been almost 27 years since the Health Insurance Portability and Accountability Act (HIPAA) was signed into law, more than two decades since the Privacy Rule was enacted, and this February will be the 20th anniversary of the HIPAA Security Rule. This article is the second in a series that explores the benefits of HIPAA, focusing on some of the ways that HIPAA has benefited healthcare professionals. The first article in the series covered the benefits of HIPAA for healthcare organizations.

HIPAA was signed into law in 1996 by President Clinton and introduced standards in healthcare to improve efficiency, eliminate waste, combat fraud, and ensure that Americans could retain health insurance coverage when they are between jobs. When penning the legislation, Congress recognized the importance of the confidentiality of healthcare data and included provisions requiring the Secretary of the Department of Health and Human Services to establish standards for patient privacy and the transmission of electronic health information. Today, HIPAA is best known for these Rules, which restrict the uses and disclosures of protected health information and require HIPAA-covered entities to keep health information secure and protected against unauthorized access. HIPAA also helped the healthcare industry move into the digital age by encouraging the adoption of electronic health records, stipulating the controls that must be implemented to secure healthcare data.

There was considerable resistance to legislation introducing standards for the entire healthcare industry, despite a clear need for change. HIPAA gave healthcare organizations the prod they needed to implement those changes, which have improved efficiency, profitability, and helped healthcare providers deliver better patient care. Before the Privacy Rule was introduced there was a cavalier attitude to patient privacy. Patient records were often left unsecured, and before access controls were a legal requirement, huge numbers of healthcare professionals could view sensitive patient data. The American Health Information Management Association determined that, on average, around 150 individuals in a hospital could access a patient’s medical records during a typical hospitalization and there were no restrictions on the amount of information those individuals could view. There were also no restrictions on disclosures of patient information, and disclosures often occurred without the knowledge of patients. Prior to HIPAA, any information disclosed to a healthcare provider by a patient essentially became the property of the healthcare provider and there was no obligation to share that information with the patient.

HIPAA Ushered in Much-Needed Change

The Administrative Simplification Regulations of HIPAA had three main aims: to protect and enhance the rights of consumers by providing them with access to their health information and preventing inappropriate uses; to improve the quality of healthcare by restoring trust in the healthcare system; and to improve the efficiency and effectiveness of healthcare delivery through a national framework of health privacy protection. HIPAA built on the privacy legislation introduced by individual states and ensured privacy protections were in place across the entire country.

Congress understood that it was not possible to achieve administrative simplification without also protecting the privacy and confidentiality of personal health information. High-quality healthcare can only be delivered if patients trust that their sensitive, private health information will be protected and kept confidential, and with healthcare delivery becoming more complex, privacy and security were becoming even more important.

The Benefits of HIPAA for Healthcare Professionals

Healthcare organizations have benefited greatly from HIPAA through the standardization of healthcare transactions, which has improved efficiency and profitability. Patients have benefited by being given rights over their personal health information and transparency over how their health information is used, and HIPAA has also delivered many benefits to healthcare professionals.

A Clear Set of Rules to Follow

One of the most important benefits of HIPAA for healthcare professionals is being provided with a clear set of rules to follow with respect to healthcare data. HIPAA is often criticized for being vague in certain areas, but the rules covering allowable uses and disclosures are clear about how to protect patient privacy. Having clear rules to follow makes it easier for healthcare professionals to work efficiently and concentrate on providing care. HIPAA has also helped improve patient safety by encouraging the adoption of electronic health records, which makes it easier to match medical records with the right patients and ensure patient information is accurately recorded and always available.

HIPAA Has Improved Trust and Helped Healthcare Professionals Deliver Better Care

HIPAA has provided all Americans with a basic level of protection for their healthcare data, giving them peace of mind about disclosing their most personal information, which is critical to ensuring their full participation in their own healthcare. The relationship between a clinician and a patient is built on trust. A clinician must trust the patient to provide honest information about their symptoms, and the patient must trust the clinician to keep sensitive information confidential; otherwise, that information will not be disclosed.

The restrictions on the uses and disclosures of health information introduced by HIPAA have helped to build trust, which in turn helps clinicians make correct diagnoses and develop effective treatment plans. Studies have shown that patients who do not believe their privacy will be protected are much less likely to fully participate in the diagnosis and treatment of medical conditions.

Keeping healthcare data private and confidential is an important part of improving patient well-being. Disclosures of private health information, whether through careless discussions in non-private settings or cyberattacks through noncompliance with the HIPAA Security Rule, can greatly affect a patient’s mental health. Invasions of privacy are a major source of stress, potentially resulting in stigma, discrimination, loss of opportunity, and an increased risk of identity theft and fraud, all of which can have a profound impact on patient well-being.

HIPAA Helps Providers Deliver Patient-Centric Care

Providing the best quality care possible is essential to the success of a healthcare organization, but healthcare providers also need to provide a quality patient experience, which involves more than delivering high-quality care. Delivering patient-centric care is key to improving the patient experience and satisfaction metrics such as HCAHPS scores, which are vital to the long-term success of a healthcare organization. The cost of healthcare is increasing, insurance premiums are rising, and so are the deductibles. If patients do not get the service they need and do not feel they are getting value for money, they will simply switch providers.

HIPAA has helped the healthcare industry transition into patient-centric care by empowering patients to participate more actively in their own healthcare. By taking a more active role in their healthcare, patients are more likely to comply with the advice their healthcare providers give them and make healthier lifestyle choices, which improves patient outcomes. Healthcare providers need to continue to find new ways to improve patient engagement, and HIPAA compliance helps them to do so while ensuring patient privacy is protected. In today’s digital world, information security is essential as cyberattacks have the potential to expose patients’ highly sensitive data. With the number of attacks now being conducted, HIPAA Security Rule compliance has never been more important and is critical to achieving patient-centric objectives. Further, when patient satisfaction improves, so does employee morale, as healthcare professionals get more job satisfaction.

HIPAA Compliance Helps Increase Profits

HIPAA has standardized healthcare, improved efficiency, and helped to eliminate waste and fraud, which has been key to improving the profitability of the healthcare industry and job security for healthcare professionals. Through HIPAA compliance, healthcare organizations can improve patient loyalty, which means fewer resources need to be invested into attracting new patients and more money can be directed into improving healthcare services and giving healthcare professionals the resources they need to deliver high-quality care.

HIPAA Compliance Makes You a Better Healthcare Professional

HIPAA is a work in progress, far from perfect, and compliance may be cumbersome at times, but the legislation has delivered many benefits to healthcare organizations, healthcare professionals, and patients. HIPAA has helped transform the healthcare industry, and through continued compliance, healthcare professionals can deliver high-quality care, improve relationships with patients, and get more job satisfaction.

Steve Alder, Editor-in-Chief, HIPAA Journal

The post Editorial: Benefits of HIPAA for Healthcare Professionals appeared first on HIPAA Journal.

Editorial: Benefits of HIPAA for Healthcare Organizations

One of the problems with developing legislation for the entire healthcare industry is rules must be written for organizations of different sizes, with vastly different business models, budgets, staffing levels, and capabilities. Rules need to be written that are sufficiently flexible to accommodate this variety and be appropriate for all organizations and their unique operating structures.

One of the challenges with developing HIPAA was to create rules that would correct inefficiencies and get the healthcare system working more harmoniously. They also needed to stand the test of time and be flexible enough to accommodate changes that could not be envisaged when the legislation was signed into law. When the Privacy and Security requirements were introduced, they needed to be specific enough to serve as a practical framework for healthcare organizations to follow yet be flexible enough to account for changes in technology and operating practices over time.

This was vital as the process of updating legislation is simply too slow to allow for regular changes to be made. The HHS needs to issue a request for information to find out what needs to change, process the feedback, then a notice of proposed rulemaking, review the comments on the proposed changes, pen the final rule, issue that rule, and provide sufficient time for healthcare organizations to comply with the changes. That process spans several years, yet working practices evolve and new technology is constantly being introduced.

The way that HIPAA needed to be written has naturally led to the legislation receiving a lot of criticism. HIPAA has been criticized for having too many requirements and also not enough in certain areas, and for being too inflexible and difficult to interpret, and challenging to comply with. Despite the challenges of compliance and the gaps in HIPAA, the legislation has provided many benefits for healthcare organizations, healthcare professionals, patients, and health plan members. The legislation is far from perfect and HIPAA is in desperate need of updating – new HIPAA regulations will soon be introduced – but in its current form, the benefits of this important legislative act far outweigh any disadvantages.

In this article – and the next two in the series – I will explain the benefits of HIPAA and how the proposed Privacy Rule changes will help to address some of the current pain points and should significantly improve HIPAA for healthcare organizations, their employees, patients, and members. The benefits of HIPAA for healthcare professionals are covered in the second article in the series.

How HIPAA has Benefited Healthcare Organizations

HIPAA was signed into law more than 25 years ago in 1996 before many current healthcare workers had even been born. For those in the industry old enough to remember, at that time there was a desperate need to improve efficiency in the healthcare industry, as a huge amount of time and effort was wasted on inefficient manual processes, the cost of which was driving up the cost of healthcare at an unsustainable level.

HIPAA improved efficiency by standardizing healthcare transactions across the industry, including requiring all healthcare organizations to use the same standard code sets and follow standard administrative practices. Not only did the standards introduced by the HIPAA Administrative Simplification Rules help to eliminate waste and reduce the administrative burden on healthcare organizations, they have also helped to improve patient safety by reducing the potential for medical errors, since they make it easier to match records with the right patients. Before the introduction of HIPAA, healthcare fraud was rife and was costing the healthcare industry around $7 billion a year. The standardization of healthcare transactions has helped to significantly reduce fraud.

The introduction of the HIPAA Privacy, Security, and Breach Notification Rules brought many benefits to healthcare organizations, but also some of the biggest pain points for HIPAA-covered entities. These updates required considerable changes to working practices and came with a significant administrative burden. HIPAA set clear – and sometimes not so clear – rules on how health information can be used and disclosed, how health information must be handled, and the policies and procedures that need to be implemented to ensure the confidentiality, integrity, and availability of protected health information. The HIPAA Privacy Rule has empowered patients to take a much more active role in their healthcare, allowing them to check their medical records for errors and get any errors corrected. That has helped to reduce the risk of medical errors and improve patient outcomes, which naturally has many benefits for healthcare organizations. By having standard rules in place, patients have the same rights no matter where they obtain care, and the safeguards to ensure the confidentiality of health information have helped to build trust between patients and their healthcare providers.

The HIPAA Security Rule set standards for all covered entities to follow to ensure the confidentiality, integrity, and availability of electronic health information. It helped healthcare providers successfully transition from paper records and charts to electronic health records and encouraged the adoption of new technologies for improving efficiency and the quality of care in a safe and secure way. The HIPAA Security Rule was not meant to be a comprehensive checklist of every security measure that should be considered or implemented; rather, it is a set of minimum standards for security that must be achieved. By adopting those standards, healthcare organizations have prevented many data breaches and avoided the considerable costs of those breaches. Many of the data breaches now being reported are due to employee errors and non-compliance with the HIPAA Security Rule.

The HIPAA Breach Notification Rule provides important benefits to patients, but there are also benefits for healthcare organizations. Compliance with this aspect of HIPAA ensures transparency about unauthorized access and disclosures of protected health information, and promptly notifying patients about data breaches – which are often out of the control of healthcare organizations – can improve trust in healthcare organizations and reduce the reputational damage caused by data breaches. Importantly, HIPAA lacks a private cause of action, which helps HIPAA-covered entities avoid the considerable legal costs of defending lawsuits from patients who believe their privacy has been violated.

How the Proposed Updates to the HIPAA Privacy Rule will Benefit Healthcare Organizations

While the HIPAA Rules lack specificity in certain areas and incorporate flexibilities to avoid the need for regular updates, updates to HIPAA are required to accommodate changes in working practices and advances in technology, and to correct the elements that are either not achieving the purpose they were intended to or are no longer important. There has also been considerable criticism over the years that HIPAA continues to place an unnecessary administrative burden on healthcare organizations. After issuing an RFI, OCR published a Notice of Proposed Rulemaking in 2021 to update the HIPAA Privacy Rule, mostly to strengthen individuals’ rights to access their own health information and to reduce the administrative burden on healthcare organizations.

These Privacy Rule changes should help to improve information sharing, which will make patient care coordination and case management easier, including the coordination and management of care through social and community services. The updates will also facilitate family and caregiver involvement in the care of individuals who are experiencing emergencies or health crises. The restrictions of HIPAA became clear throughout the opioid and COVID-19 public health emergencies. The update helps to address this by incorporating flexibilities to permit disclosures in emergencies and threatening circumstances. These updates will help healthcare providers deliver better care and improve patient outcomes.

The amount of paperwork involved in providing healthcare also needed to be addressed. Finally, some of the time-consuming tasks that healthcare organizations still need to perform manually are being eliminated, such as the requirement for a covered entity to obtain an individual’s written acknowledgment of receipt of a direct treatment provider’s Notice of Privacy Practices and retain copies of that documentation for 6 years.

Any update to HIPAA comes with a considerable workload initially but the benefits should be felt quickly. OCR believes the efficiencies introduced by the Privacy Rule changes will help to save $3.2 billion over five years, thus limiting the increase in the cost of healthcare. The Final Rule has yet to be published in the Federal Register, but that should finally happen in 2023.

Healthcare Organizations are Still Struggling with HIPAA Compliance After 26 Years

HIPAA has been in effect for 26 years, the Privacy and Security Rules for two decades, and the Omnibus Rule and Breach Notification Rules for 14 years, yet HIPAA compliance is still proving to be a challenge for many healthcare organizations.

One of the common complaints about HIPAA that makes compliance complicated is the frequent use of terms such as “reasonable”: exercise reasonable diligence, implement reasonable and appropriate policies and procedures, reduce risks and vulnerabilities to a reasonable and appropriate level. There are also ‘required’ and ‘addressable’ provisions, where addressable provisions are still required elements of compliance, in some form. These flexibilities are what make HIPAA workable for such a wide range of healthcare organizations and keep it relevant, but they can present significant challenges for healthcare organizations, especially smaller practices that lack the staff and resources to devote to compliance.

One of the ways that many smaller healthcare organizations have simplified compliance and ensured all the i’s are dotted and t’s are crossed is by using HIPAA compliance software. These software solutions guide healthcare organizations through compliance with all aspects of the HIPAA Rules, eliminating the guesswork and making sure that no provisions are overlooked. The software can be used to achieve compliance and maintain the compliance program, prompting risk analyses, updates, and training, and ensuring compliance efforts are fully documented to ensure painless audits and investigations.

Security Rule compliance can be particularly challenging, as the Security Rule does not provide specifics about technologies that should be used to protect healthcare data. Many healthcare organizations have simplified compliance and gone above and beyond the requirements of HIPAA by adopting a cybersecurity framework. Frameworks such as the NIST Framework for Improving Critical Infrastructure Cybersecurity and the HITRUST Cybersecurity Framework provide structure, transparency, and guidance for achieving compliance with HIPAA and other privacy and security regulations and provide clarity and consistency while reducing the burden of compliance.

In 2021, the HITECH Act received an update to encourage the adoption of recognized security practices such as those developed under section 405(d) of the Cybersecurity Act of 2015 and covered by these cybersecurity frameworks to improve cybersecurity across the healthcare industry. The update provides incentives in the form of reduced penalties and sanctions and shorter audits and investigations by OCR, which considers the adoption of recognized security practices as a mitigating factor when making determinations about HIPAA Security Rule violations and data breaches.

HIPAA is Only the First Step

The main benefits of HIPAA for healthcare organizations are improvements in efficiency through standardized working practices which eliminate waste, improve patient safety, and boost profits. HIPAA compliance fosters trust between providers and patients and health plans and their members and helps to improve patient outcomes, increase patient and client loyalty, and improve retention.

However, HIPAA is just a set of minimum standards for privacy and security, so HIPAA compliance can be viewed as only the first step. Adopting a cybersecurity framework and implementing recognized security practices will further strengthen an organization’s security posture, and thanks to the HITECH Act update, there is now an added incentive for doing this.

Steve Alder, Editor-in-Chief, HIPAA Journal

The post Editorial: Benefits of HIPAA for Healthcare Organizations appeared first on HIPAA Journal.

Editorial: Lessons from Biggest HIPAA Breaches of 2022

It has been another bad year for healthcare data breaches, with some of the biggest HIPAA breaches of 2022 resulting in the impermissible disclosure of well over a million records. While it does not currently look like last year’s record of 714 data breaches of 500+ records will be exceeded this year, with 674 data breaches reported up until December 22, 2022, any reduction is likely to be minimal. In addition to the high number of data breaches, 2022 stands out for the sheer number of healthcare records breached, which currently stands at 49.8 million records. That’s more than any other year to date apart from 2015 when Anthem Inc reported its 78.8 million-record data breach. In 2022, 12 data breaches were reported that exposed more than 1 million records, and a further 13 data breaches exposed between 500,000 and 1 million records.

The Biggest HIPAA Breaches of 2022

One notable observation from the biggest HIPAA breaches of 2022 is the number that occurred at business associates of HIPAA-covered entities. Many of these business associate data breaches affected dozens of healthcare clients, with one notable breach in the list below affecting 657 HIPAA-covered entities. Out of the 25 data breaches of 500,000 or more records, 52% occurred at business associates, including 60% of the 10 largest data breaches. The 12 biggest HIPAA breaches of 2022 affected almost 22.66 million patients and health plan members.

OneTouchPoint – Ransomware Attack Involving 4.11 Million Records

On July 27, the mailing and printing vendor, OneTouchPoint (OTP), reported a hacking incident to the HHS’ Office for Civil Rights that affected more than one million individuals; however, as the investigation progressed it was determined that the breach was much more extensive than first thought, and had involved the protected health information of 4,112,892 individuals. Hackers had gained access to its network and used ransomware to encrypt files, with that information also potentially stolen in the attack. The compromised data included names, contact IDs, and information provided during health assessments. More than 35 of the company’s clients were affected, many of which were health plans.

Eye Care Leaders – Hacking Incident Involving at least 3.65 Million Records

Eye Care Leaders is a North Carolina provider of an electronic health record solution (myCare Integrity) to ophthalmology practices across the country. Affected providers started to be notified in March that hackers had gained access to its databases in December 2021. The databases contained extensive patient information, such as contact information, health insurance information, medical record numbers, Social Security numbers, driver’s license numbers, and medical information. As is relatively common in business associate data breaches, each affected healthcare provider reported the breach separately. Texas Tech University Health Sciences Center was one of the worst affected healthcare providers, with 1,290,104 records exposed. HIPAA Journal has tracked the reported data breaches and at least 41 eye care providers and 3,649,470 patients were affected.

Advocate Aurora Health – Impermissible Disclosure of up to 3 Million Records

On October 14, Wisconsin-based Advocate Aurora Health notified OCR about an impermissible disclosure of the protected health information of up to 3,000,000 patients. The disclosure occurred due to the addition of third-party tracking code on its websites, patient portals, and applications. The tracking code was used to gain insights into the use of its patient-facing digital services to improve the patient experience; however, the tracking code transmitted patient information to the developers of that code, including Meta (Facebook) and Google. The information transmitted was based on each user’s interactions and may have included health information that could be tied to individuals. The transmitted information may have included names, appointment dates/times, provider names, procedure types, insurance information, and communications through the MyChart patient portal. Advocate Aurora Health was not alone. Several health systems had used the code on their websites and transferred patient data to third parties without consent or a business associate agreement in place.

Connexin Software – Hacking Incident Involving 2.2 Million Records

Connexin Software is a Wisconsin-based provider of an electronic health record solution to pediatric practices across the country, operating as Office Practicum. A breach of its network was detected in August 2022, with the investigation confirming the hackers accessed and exfiltrated an offline set of data used for data conversion and troubleshooting. That data set included names, Social Security numbers, health insurance information, billing and/or claims data, and clinical information such as treatment information, procedures, diagnoses, and prescriptions. The breach was reported to OCR on November 11, as affecting 2,216,365 individuals. 119 pediatric practices were affected by the data breach.

Shields Health Care Group – Hacking Incident Involving 2 Million Records

Shields Health Care Group is a Massachusetts-based vendor that provides MRI, PET/CT, radiation oncology, and surgical services. On May 27, Shields notified OCR about a breach that affected up to 2,000,000 patients from 60 healthcare practices. Hackers had gained access to its network, with the investigation confirming files containing patient data were exfiltrated over two weeks in March. The stolen data included names, contact information, Social Security numbers, insurance information, billing information, and clinical information such as diagnoses and treatment information.

Professional Finance Company – Ransomware Attack Involving 1.92 Million Records

Professional Finance Company is a Colorado-based vendor that provides debt recovery services. On February 26, the company detected and stopped what it described as a sophisticated ransomware attack, in which certain systems were accessed by the attackers and disabled. The forensic investigation revealed the attackers had access to files containing names, addresses, accounts receivable balances, information regarding payments made to accounts, Social Security numbers, health insurance information, and medical treatment information. The breach was reported to OCR on July 1 as affecting 1,918,941 patients at 657 of its healthcare provider clients.

Baptist Medical Center – Malware Infection Involving 1.6 Million Records

Baptist Medical Center and Resolute Health Hospital in Texas were affected by a security breach that was detected on April 20. Malicious code was detected on its network that allowed hackers to exfiltrate patient data. The investigation into the breach determined the hackers first gained access to its network in late March. The analysis of the affected files revealed they contained protected health information such as names, Social Security numbers, health insurance information, medical record numbers, diagnosis information, and billing and claims information. The breach was reported to OCR on June 15 as affecting 1,608,549 patients of Baptist Medical Center and 54,209 Resolute Health Hospital patients.

Community Health Network – Impermissible Disclosure of up to 1.5 Million Records

The Indiana-based healthcare provider, Community Health Network, notified OCR on November 18 about the impermissible disclosure of the protected health information of up to 1,500,000 individuals. Third-party tracking code from Meta and Google had been added to its websites to provide insights that would allow the improvement of access to information about critical care services and its patient-facing websites. Community Health Network was unaware that adding the code to its websites would result in identifiable health information being transmitted to Meta and Google. The data transferred included IP addresses, appointment information, patient portal communications, procedure types, and other information based on the interactions of users on its website.

Novant Health – Impermissible Disclosure of up to 1.36 Million records

The North Carolina-based healthcare provider, Novant Health, notified OCR on August 14 about an impermissible disclosure of the protected health information of 1,362,296 individuals. The notification was issued on behalf of Novant Health ACE, a contractor for NMG Services Inc. Novant Health was the first HIPAA-regulated entity to notify OCR about a HIPAA violation related to the use of third-party tracking technologies on its website. Novant Health said the tracking code had been misconfigured, which allowed patient information to be sent to Meta such as names, appointment types and dates, provider names, button/menu selection details that may have included information about health conditions, and information submitted by patients in free text boxes.

Broward Health – Hacking Incident Involving 1.35 Million Records

The Florida-based healthcare provider, Broward Health, reported a breach of the PHI of 1,351,431 patients to OCR on January 2, which was the result of hackers gaining access to its network in October 2021. The delay in reporting was at the request of the Department of Justice, so as not to interfere with the investigation. The network was breached via a connected third-party vendor and the hackers had access to the network for 4 days during which time employee and patient information was exfiltrated including names, Social Security numbers, driver’s license numbers, financial information, medical histories, and medical record numbers.

Doctors’ Center Hospital – Ransomware Attack Involving 1.2 Million Records

On November 9, Doctors’ Center Hospital in Puerto Rico reported a hacking incident to OCR involving the protected health information of 1,195,220 patients. Hackers gained access to its network and deployed ransomware on or around October 17. A ransomware group called Project Relic was behind the attack and claimed to have exfiltrated 211 GB of data prior to encrypting files, including employee data and patient information such as names, medical record numbers, and medical notes.

MCG Health – Hacking Incident Involving 1.1 Million Records

The Seattle, WA-based software company, MCG Health, which provides patient care guidelines to healthcare providers and health plans, notified OCR on June 10 about a cyberattack on its network. The investigation suggested the hackers gained access to its network as early as February 2020, but the security breach was not detected until March 2022. The hackers exfiltrated files that contained patient and plan member data such as names, addresses, phone numbers, dates of birth, medical codes, and Social Security numbers. The breach was reported to OCR by MCG Health as affecting 793,283 individuals, but some health plan and healthcare provider clients reported the breach separately. More than 10 U.S. healthcare providers and health plans were affected and 1.1 million individuals are understood to have been affected.

Lessons Learned from the Biggest HIPAA Breaches of 2022

All of these breaches are being investigated by the HHS’ Office for Civil Rights to determine if these organizations were fully compliant with HIPAA and if non-compliance with the requirements of HIPAA caused the data breach, and in some cases, state attorneys general have opened investigations. Class action lawsuits have also been filed against these entities seeking damages and reimbursement of out-of-pocket expenses and losses suffered as a result of misuse of patient and health plan member data. The investigations will uncover whether there have been any HIPAA violations or violations of state law and whether compliance with these regulations would likely have prevented these breaches. While specific information about HIPAA violations is not yet known, there are lessons to be learned by other healthcare providers, health plans, and business associates from these data breaches.

Business Associate Risks Must be Managed

What is clear from the largest HIPAA breaches of 2022 is that cyberattacks on business associates can be particularly damaging, often affecting many HIPAA-covered entities. Business associates provide important services to healthcare organizations that are difficult or too costly to perform in-house, but providing patient information to any third party increases the risk that the information will be exposed, and the more business associates that are used, the greater the risk to patient and plan member data.

Healthcare organizations cannot operate efficiently without third-party vendors, but prior to using any vendor their security measures and protocols should be assessed. HIPAA-covered entities must ensure that a signed business associate agreement (BAA) is obtained, but a BAA alone is not sufficient. The BAA should specify the responsibilities of the business associate with respect to cybersecurity, incident response, and breach reporting, and it may be necessary to enter into a service level agreement with the vendor. HIPAA-covered entities should review their relationships with vendors and their BAAs regularly, conduct annual audits of their vendors to check the cybersecurity measures they have in place, and they should stipulate that vendors must conduct annual risk assessments. It is also worth considering consolidating vendors, where possible.

Care Must be Taken with Tracking Technologies

The use of tracking technologies has come under the spotlight in 2022. These tracking technologies are usually provided by third parties such as big tech firms and are commonly used for website analytics. These tools can be incredibly useful but in healthcare, there is considerable potential for privacy violations. It should be noted that there is no problem with the tools themselves, the problem comes with how they are used and their potential to collect and transmit patient information based on the interactions of individuals.

Due to the potential for disclosures of PHI, HIPAA-compliant patient authorizations may be required and it may be necessary to enter into a business associate agreement with the developer of the code. So far, only a handful of healthcare organizations have reported data breaches associated with tracking technologies, but many hospitals and health systems have used these tracking technologies and may have violated HIPAA and patient privacy. A study by The Markup earlier this year indicated one-third of the top 100 hospitals in the United States had added tracking technologies such as Meta Pixel to their websites. These breaches have highlighted the risks associated with these tools and the importance of conducting a careful assessment of any third-party code prior to adding it to a website or application to verify that it is not transferring data to third parties. If it does, business associate agreements must be in place and patient authorizations may need to be obtained. OCR has recently issued guidance on the use of these tracking technologies and the requirements for HIPAA compliance.
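One practical form of the assessment described above is to record a browser session on the patient-facing site (a HAR export from the browser’s developer tools) and check which third-party hosts received page URLs, referrers or form data that describe what the patient was doing. The script below is an added example written for this editorial; it is not HIPAA Journal’s code, and the first-party origin, the pattern list and the sample HAR are all constructed for illustration.

```javascript
// Added example (not HIPAA Journal's code): audit a DevTools HAR export of a
// patient-portal browsing session for third-party requests that carry data
// describing the user's interactions with care services. Run with: node audit.js
//
// Assumptions (constructed for this example): the first-party origin, the
// pattern list and the sample HAR below are all hypothetical.

const FIRST_PARTY_HOSTS = new Set(['portal.example-health.org']); // hypothetical origin

// Fragments of page URLs, form fields and event payloads that would reveal what
// a patient was doing on the site. Illustrative only; extend per site.
const SENSITIVE_PATTERNS = [
  { label: 'patient-portal path', re: /\/mychart\//i },
  { label: 'appointment data',    re: /appointment/i },
  { label: 'provider name',       re: /provider=/i },
  { label: 'diagnosis/condition', re: /diagnos|condition/i },
];

// Percent-decode so that a page URL smuggled inside a query parameter
// (dl=https%3A%2F%2F...) is inspected in readable form. A malformed sequence
// is left as-is rather than aborting the whole audit.
function safeDecode(s) {
  try { return decodeURIComponent(s.replace(/\+/g, ' ')); } catch { return s; }
}

// Everything a third party could learn from one request: the URL (including
// query string), the Referer header (the first-party page URL) and any POST body.
function requestPayload(entry) {
  const req = entry.request;
  const parts = [req.url];
  for (const h of req.headers || []) {
    if (h.name.toLowerCase() === 'referer') parts.push(h.value);
  }
  if (req.postData && req.postData.text) parts.push(req.postData.text);
  const raw = parts.join('\n');
  return raw + '\n' + safeDecode(raw); // check both encoded and decoded forms
}

// One finding per third-party request whose payload matches a sensitive pattern.
function auditHar(har, firstPartyHosts) {
  const findings = [];
  for (const entry of har.log.entries) {
    const host = new URL(entry.request.url).hostname;
    if (firstPartyHosts.has(host)) continue; // first-party traffic is expected
    const payload = requestPayload(entry);
    const matched = SENSITIVE_PATTERNS.filter(p => p.re.test(payload)).map(p => p.label);
    if (matched.length > 0) {
      findings.push({ host, method: entry.request.method, url: entry.request.url, matched });
    }
  }
  return findings;
}

// Third-party hosts that received interaction data, with a request count each.
// This is the list to reconcile against signed business associate agreements.
function hostsReceivingData(findings) {
  const counts = {};
  for (const f of findings) counts[f.host] = (counts[f.host] || 0) + 1;
  return counts;
}

// Constructed sample HAR using HAR 1.2 field names; not a real capture.
const SAMPLE_HAR = { log: { entries: [
  { request: { method: 'GET', headers: [],
      url: 'https://portal.example-health.org/mychart/appointments?provider=dr-smith' } },
  { request: { method: 'GET',
      url: 'https://tracker.example-analytics.net/collect?v=1&dl=https%3A%2F%2Fportal.example-health.org%2Fmychart%2Fappointments%3Fprovider%3Ddr-smith',
      headers: [{ name: 'Referer', value: 'https://portal.example-health.org/mychart/appointments?provider=dr-smith' }] } },
  { request: { method: 'POST', url: 'https://pixel.example-adtech.com/tr', headers: [],
      postData: { mimeType: 'application/x-www-form-urlencoded', text: 'ev=PageView&cd[content_name]=Diagnosis+results' } } },
  { request: { method: 'GET', url: 'https://cdn.example-fonts.com/font.woff2',
      headers: [{ name: 'Referer', value: 'https://portal.example-health.org/' }] } },
] } };

const sampleFindings = auditHar(SAMPLE_HAR, FIRST_PARTY_HOSTS);
console.log(JSON.stringify(sampleFindings, null, 2));
console.log('third-party hosts receiving interaction data:', hostsReceivingData(sampleFindings));
```

On the constructed capture the font CDN is not flagged (it only sees the portal’s home page as a referrer), while the analytics collector and the pixel endpoint both are: the first because the full portal URL, including the provider parameter, is passed along encoded in its query string and again in the Referer header, the second because the event body names a diagnosis page. Every host that appears in the final list needs either a business associate agreement and a lawful basis for the disclosure, or removal of the tag from the pages concerned.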

Develop and Test an Incident Response Plan for Ransomware Attacks

The healthcare industry continues to be targeted by ransomware gangs, who steal sensitive data and encrypt files for extortion. Stolen records are published or sold to other cybercriminal gangs, placing victims at a very real risk of identity theft and fraud, but these attacks also put patient safety at risk. Patients often have to be redirected to other facilities, the lack of access to EHRs requires appointments to be canceled, and the attacks delay diagnosis and essential medical care. In many attacks, electronic systems are taken out of action for several weeks and studies suggest mortality rates increase following a ransomware attack and patient outcomes are affected.

Protecting against ransomware attacks can be a challenge, as ransomware gangs use multiple attack vectors to gain initial access to healthcare networks. Healthcare organizations should keep up to date on the latest threat intelligence and adopt a defense-in-depth approach covering all potential attack vectors. Regaining access to patient data quickly can help to limit the harm caused, and in this regard, it is vital to follow best practices for backups and ensure multiple copies of backups are created with at least one copy stored securely off-site. The key to a fast recovery is contingency planning and implementing a comprehensive incident response plan. Those plans must also be regularly tested with tabletop exercises involving members of all teams involved in the breach response. Some of the most damaging ransomware attacks and hacking incidents were due to contingency and incident response planning failures.

Adopting Recognized Security Practices is Strongly Advisable

An update to the HITECH Act in January 2021 required OCR to consider the recognized security practices an organization has implemented continuously for the 12 months prior to a data breach when making determinations about penalties and sanctions. While HIPAA Security Rule compliance is mandatory, HIPAA-regulated entities are not required by law to implement recognized security practices, but it is strongly advisable. Not only will following recognized security practices reduce the risk of a cyberattack and limit the harm caused, OCR will reduce the length of audits and investigations and the financial penalties imposed.

Issue Breach Notifications Promptly

Several of the biggest HIPAA breaches of 2022 involved delays in issuing breach notifications to OCR and the individuals affected. HIPAA is clear about the maximum time frame for reporting breaches of protected health information, which is 60 days from the discovery of a data breach; however, breach notifications should be issued to OCR and affected individuals without unnecessary delay. Prompt notification is important as it allows the individuals affected by the breach to take steps to protect themselves against identity theft and fraud. OCR recently issued a reminder about the requirements for responding to security incidents, in which the breach notification requirements of HIPAA were confirmed. This could indicate OCR may be looking at enforcing this aspect of HIPAA compliance more rigorously in the future, as unnecessary delays in issuing breach notifications are common.

Steve Alder 

Editor-in-Chief, HIPAA Journal

The post Editorial: Lessons from Biggest HIPAA Breaches of 2022 appeared first on HIPAA Journal.

Editorial: Will Amazon Clinic Put Patient Privacy at Risk?

Amazon has launched a new service that connects patients with doctors – Amazon Clinic. This should come as no surprise given Amazon’s recent acquisitions and the company’s stated ambitions in the healthcare market. The new service promises to deliver convenience combined with affordability, but Amazon’s latest healthcare venture sets warning bells ringing about patient privacy.

Amazon’s Journey into Healthcare

Amazon is the ultimate disruptor. The company started as an online bookseller and cornered that market, then transitioned into a portal that connects the world with every conceivable product they could want, all of which are available through an easy-to-use website that delivers everything faster than most of its competitors. Amazon products are usually cheaper than the competition and the company is well known for putting the consumer first. Order late one day and your purchases will be with you the next. It is not possible to overstate how successful the company has been. Amazon is now generating revenues of $140 billion a quarter, and that success turned its founder, Jeff Bezos, into the world’s richest man, a position he held from 2017 to 2021.

In 2006, Amazon launched its cloud computing platform, Amazon Web Services (AWS), which has helped many healthcare organizations with their digital transformations, and in recent years, Amazon has been taking greater strides into the lucrative healthcare market. In 2017, Amazon created a healthcare-focused tech lab, 1492, then in 2018 launched its cloud-based service, Amazon Comprehend Medical, which extracts healthcare data from text such as doctors’ notes and clinical trial reports.

Amazon partnered with Berkshire Hathaway and JPMorgan Chase to create the non-profit healthcare organization, Haven, which sought to improve access to primary care for those companies. Haven was later shut down and was replaced by the Amazon Care program for its staff, which provides online and face-to-face medical services. Amazon started rolling out that telemedicine service to employers around the country, although in August announced that it would be shutting down the service by the end of the year as it was not a sustainable solution for its enterprise customers.

Acquisitions of PillPack and One Medical Cement Move into Healthcare

Amazon’s move into healthcare took a major step forward with the $753 million acquisition of the online pharmacy PillPack in 2019, as the retailer looked to crack the prescription market. Amazon Pharmacy was launched in 2020, which offers Amazon Prime members free delivery for their pharmacy orders, packaged to make it easier for patients to remember when to take their medications.

This year, Amazon announced its intention to acquire the primary healthcare organization One Medical in a deal reportedly worth $3.9bn. One Medical provides a membership-based service offering in-person visits and virtual care and currently has around 815,000 members. This deal, if it completes, will cement Amazon’s place in the healthcare sphere.

Amazon’s planned acquisition of One Medical has sent alarm bells ringing throughout the healthcare industry and beyond. Privacy advocates are terrified about Amazon gaining access to large amounts of sensitive medical data and how that data will be used. There are fears that this most sensitive of data could be manipulated and exploited by Amazon in ways that may not become clear for many years to come.

In August, following the announcement about One Medical, Senator Josh Hawley (R-MO) wrote to the Federal Trade Commission (FTC) calling for the FTC to investigate the deal due to privacy and security concerns. Hawley stated that Amazon already wields too much power, and while the company would be required to comply with HIPAA and other healthcare privacy laws, some loopholes could be exploited. One of the biggest concerns with this merger, should it go ahead, is how Amazon plans to draw the line between consumer and patient data, and exactly where that line will be drawn.

Amazon Clinic Launched

The latest venture, Amazon Clinic, brings the convenience of Amazon’s retail empire direct to every home with an Internet connection and every individual with a smartphone. According to Amazon, Amazon Clinic allows everyone to “get treatment for common health concerns at your convenience—no appointments, video calls, or live chat required.” Amazon Clinic is billed as a virtual healthcare service that, like its retail business, delivers convenience and affordability.

Amazon Clinic is a message-based virtual care service, where users can select from a list of common health complaints, answer some questions, have that input reviewed by a licensed clinician, and then be provided with a personalized treatment plan. No appointments are needed, and in contrast to other healthcare services, the user knows the cost of the visit in advance. Pay a flat fee upfront and there are no surprises. Amazon says that the fee charged is less than many co-pays, plus the service offers more convenience as there are no waiting room visits and no telehealth appointments. The service is available 24/7 and prescriptions are filled by Amazon Pharmacy.

At launch, the virtual care service is being provided in 32 U.S. states for adults aged 18-64 and covers 20 common health conditions from acne to yeast infections, and the service can also be used to renew prescriptions for common medications with no visits or live chat required. The service is aimed at the uninsured market as Amazon does not accept insurance – although payment can be made and users can then try to claim back the cost from their insurer.

Amazon’s Checkered Privacy History

Anyone concerned about providing their most sensitive health data to Amazon need not be worried, as Amazon states, “Your health data is secure – All of your information is protected by our practices and by law… HIPAA and all other applicable laws and regulations.” Amazon also points out that “We have extensive experience protecting data of all kinds appropriately across a variety of businesses and remain focused on the important mission of protecting customers’ health information.”

There is, of course, the question of the extent to which consumers can trust Amazon with their health data, as while its services are much loved by consumers, the company does not have an exemplary record when it comes to data privacy. That “extensive experience” includes some questionable data practices and there have been many allegations of serious privacy violations.

Amazon was investigated for violations of the European Union’s General Data Protection Regulation (GDPR), with the Luxembourg Data Protection Authority determining that the retailer had violated several Articles of the GDPR related to its processing of user data, even though Amazon was well aware of the requirements of the GDPR. The fine imposed in 2021 was a record €746 million ($887 million). Amazon has appealed that decision and maintains there was no data breach or disclosure of personal data to any third parties. The exact nature of the alleged violations has not been disclosed publicly, although it is suspected to be related to the use of personal data internally for advertising purposes without consent.

This year, an Amazon cloud backup service was found to be inadvertently exposing RDS snapshots over the public Internet that contained corporate personally identifiable information (PII). Also this year, Amazon accidentally exposed an internal server to the public Internet that contained data about users’ Prime Video viewing habits.

One problem for Amazon comes from the sheer volume of data that it collects from many different sources, from search engine and site searches to what is said to Alexa. Amazon has had problems mapping all of that data and does not know exactly where all that data is being held, let alone how all that data is being used. That is a major concern if health information is also collected.

Then there is Amazon’s vast workforce of more than 1.6 million full and part-time employees, which creates a considerable insider privacy risk, and questions have long been asked about how customer data is protected against insider threats. A report was published by the Wall Street Journal in 2018 about how Amazon employees were being bribed to provide access to sensitive information such as buying habits, sales volume, and the on-site search terms of customers. Amazon has a history of employees sharing customer contact information with third parties, and in 2020, disgruntled employees were found to be leaking customer email addresses. An internal application that Amazon used to extract data was found to be serving as a backdoor, allowing third parties to collect customer data, notably a Chinese firm that had harvested the information of millions of customers. Questions have also been asked about the ability of the Amazon retail arm to detect security incidents.

Of course, insider threats are a problem for all businesses; however, for a company such as Amazon which has received considerable criticism from employees about working conditions, the threat is greater. Former Amazon chief information security officer Gary Gagnon said in 2018 that there was free-for-all internal access to customer information and that the systems in place made it difficult to track where all of Amazon’s data was going.

Privacy Concerns About Access to Medical Data

Amazon has access to a huge amount of data from the retail side of its business and has the goal of broadening its access to data to include healthcare information, which through Amazon Clinic will help to drive the growth of its online pharmacy business.

Amazon states that it will abide by federal regulations such as HIPAA, but while HIPAA has helped to protect the privacy of patients for two decades, there are considerable gaps. HIPAA has not adapted to changing technology, such as the massive rise in the use of health apps. The data collected through those apps is often the same data that HIPAA protects if collected by a healthcare provider, yet the apps are beyond the protection of HIPAA.

One concern is to what extent the data collected through Amazon Clinic will be used by other parts of the business. Through Amazon Clinic, patients fill out health questionnaires. That information would be valuable for the retail arm. The first health condition on the Amazon Clinic list – Acne – brings up more than 10,000 products on its retail site. Amazon may claim that Amazon Clinic data will be kept separate, but enforcers of the GDPR are likely to have their suspicions about the extent to which that will occur. Will users of the Amazon Clinic find they are offered a range of tailored products to suit their specific health needs?

As Amazon has demonstrated over the years, other players in the markets in which it operates struggle to compete, and that has been seen from the very early days when Amazon started putting booksellers out of business. There are already several players in the telehealth market that offer similar services for common health conditions but lack the reach of Amazon, and they may well struggle to compete. Coupled with its companion One Medical business – if that acquisition goes ahead – Amazon Clinic could lead to a monopoly on telehealth that would reduce consumer choice.

The Future of Healthcare?

There is no doubt that there is demand for Amazon Clinic, which seeks to bridge the gap between medical complaints that require more than a trip to the drug store but are not sufficiently severe to warrant a costly trip to the doctor. A service that plugs that gap and offers convenience and affordability is almost certain to prove popular.

Amazon Clinic could have a positive impact on the industry from a patient perspective. One of the keys to the success of Amazon is its focus on improving the customer experience. If the service proves to be successful, healthcare providers may also start looking at ways that they can do the same and make their services better and more convenient.

U.S. consumers may be comfortable with Amazon collecting vast amounts of information and building up detailed profiles of consumers in exchange for convenience and low prices, but questions remain about whether Amazon can be trusted with health data. An American Medical Association survey earlier this year suggests there is widespread mistrust in nontraditional healthcare entities. Amazon may find it difficult to earn consumer trust.

Amazon says this new service makes doctor’s visits simpler and affordable and that any privacy fears are unfounded. It remains to be seen whether making health care more convenient and affordable will come at the cost of patient privacy, and it may be some time before that becomes fully apparent.

Steve Alder 

Editor-in-Chief, HIPAA Journal

The post Editorial: Will Amazon Clinic Put Patient Privacy at Risk? appeared first on HIPAA Journal.

Editorial: Lessons for American Healthcare Providers from the Australian Medibank Health Record Breach

The U.S. healthcare industry is currently engaged in a cyber war against a widely dispersed set of adversaries, which include hordes of financially-motivated hackers and organized cybercriminal groups, hacktivists, and nation-state-sponsored threat actors. Ransomware has become an epidemic, and while there are signs that attacks are leveling off or decreasing, the healthcare industry has yet to see such a dip, now being the most targeted sector.

One trend that has emerged is an increase in extortion-only attacks. Rather than breaching networks, exfiltrating data, and then encrypting files, the attackers skip ransomware altogether. Sensitive data is stolen and demands are issued for its safe return and to prevent the sale or publication of the data, with the file encryption element of the attack abandoned as it is time-consuming and noisy. One attack that has made the headlines – the cyberattack on the Australian health insurer, Medibank Private Ltd – confirms the global nature of the current cyber war, which healthcare organizations around the world are struggling to win. The attack stands out due to the scale of the data theft and the callousness of the perpetrators.

The Medibank Cyberattack

Medibank Private Ltd. is the largest private health insurer in Australia, covering around one in six Australians. On October 13, 2022, Medibank detected suspicious activity within its network. The unauthorized access was terminated, and initially, Medibank CEO David Koczkar issued a statement saying no evidence was found that customer data was accessed. Medibank was then contacted on October 17, 2022, by the threat actor behind the attack seeking payment to prevent the release of stolen data. Threats were issued to publish the stolen data, starting with a sample of the data of some of the most prominent customers, including politicians, actors, activists, social media personalities, and people with “very interesting diagnoses.” Medibank confirmed data theft had occurred on October 20.

Access to the network was gained, sensitive data was stolen, and a ransom demand was issued to prevent the publication and sale of the stolen data of 9.7 million current and former customers. The ransom demand was $9.7m, or $1 for each of the affected individuals. The attack has been attributed to an unnamed Russian cybercriminal group, with reports suggesting REvil was behind the attack. REvil’s data leak site redirects to the site where the Medibank data is being published. REvil was one of the most prolific cybercriminal groups in operation; however, following the arrests of several alleged key members of the group, Russia’s federal security services (FSB) said REvil no longer exists. Whether this attack signals the rebirth of REvil, or if it was conducted by an affiliated group has yet to be confirmed. The Australian Federal Police (AFP) claims to know which group is behind the attack.

Medibank said the threat actor infiltrated its systems using “high-level credentials,” which had the necessary clearance to access large amounts of data, and that multi-factor authentication was protecting those accounts. How those credentials were stolen and MFA was bypassed has not been made public.

The Hackers Show No Mercy

Medibank said it received counsel from cybersecurity experts regarding paying the ransom, and the consensus was that if the ransom was paid, there was only a limited chance that the stolen data would be returned, that all copies would be deleted, and that there would be no sale or misuse of the data. The decision was then made not to pay the ransom, the implications of which were felt last week when the threat actor started to publish samples of the stolen data, initially posting two lists of data each containing around 100 records.

One was referred to as a “naughty list” which included the data of individuals who had claimed for treatment for drug addiction and mental health issues, and a “good list” that included claims for more generic hospital procedures. That was followed by the publication of another file that included details of around 300 individuals who had claimed for healthcare services related to the termination of pregnancies, then another file was published containing the details of 240 customers who had claimed for alcoholism-related treatments. The information of more than 480,000 customers has now been leaked. Medibank is standing by its initial decision not to make payment.

Medibank has reported to the Australian Stock Exchange that it is expecting a financial hit of around $25m to $35m, not including any regulatory fines or litigation. In terms of the latter, there could well be several lawsuits filed. Lawyers around the country are currently assessing the potential for suing Medibank over the data breach and are assessing the harm that has come from the exposure of highly sensitive data. The breach mitigation and legal costs will have to be covered by Medibank, as chief financial officer, Mark Rogers, confirmed that there was no cyber insurance policy in place due to the excessive cost.

Lessons US Healthcare Organizations Can Learn from the Medibank Cyberattack

The Medibank cyberattack is horrific – for Medibank and especially the 9.7 million affected individuals, and the repercussions will be felt for a long time to come. The situation is still evolving, but there are already lessons to be learned from this hugely damaging cyberattack.

Cybersecurity must be a board-level issue

Even with considerable investment in cybersecurity, defenses can be breached. The security posture of Medibank at the time of the attack is unclear, but one issue that has come to light is the lack of board involvement in cybersecurity at Medibank. Medibank chairman, Mike Wilkins, confirmed there were no cybersecurity or IT experts on the board, something that is all too common at healthcare organizations. Given the high risk of a cyberattack and its potential implications, board-level oversight of cybersecurity is essential. According to Deloitte, which has been called in to investigate the security breach, “Boards have now started looking at cyber risk as an enterprise-wide risk management issue, rather than a pure IT security issue, owing to its firmwide implications… Cybersecurity oversight has now become the most important topic for the Board after strategic planning.”

Hope for the Best, But Plan for the Worst

It is often only when a cyberattack occurs that cybersecurity gets the investment it needs, yet the high risk of an attack should come as no surprise to any healthcare organization, given the frequency with which attacks are now being reported. Koczkar has stated that Medibank had planned for such an attack and was able to immediately implement its cyber response strategy for exactly this type of event; however, while an incident response plan had been implemented, shareholders have been voicing concerns about Medibank’s level of preparedness for such an attack, not just in terms of incident response, but the measures that had been implemented to prevent such a breach. Healthcare organizations can hope for the best, but they need to assume that a cyberattack is inevitable and ensure appropriate defenses are in place. It is also vital to not just develop and implement a breach response plan, but to practice the incident response with tabletop exercises, involving all teams involved in the response.

The Importance of Transparent Communication with Customers and Shareholders

The decision of whether or not to pay the ransom is not straightforward, and while there are very good reasons for not paying a ransom, there are repercussions for any decision, as this attack has shown. Medibank clearly stated the reasons why the ransom was not paid, and it was clearly communicated that their decision was in line with the recommendations of the Australian government.

Medibank appears to have opted for a strategy of damage limitation to protect the company’s reputation by downplaying the seriousness of the breach, and that approach has backfired. The CEO first issued a statement that no evidence of data theft had been found, then issued another statement that the attack appeared to be a precursor to a ransomware attack, before finally admitting that data theft had occurred.

Shareholders have been demanding answers with share prices falling sharply, forcing three halts on trading. Many are furious about the management of the breach and the level of transparency of Medibank post-breach, with little information or reassurances provided. Transparency and clear communication with shareholders and customers can go a long way toward protecting a company’s reputation after a data breach, especially one where the perpetrators have been telling shareholders to sell all their shares.

Zero-Trust and Phishing-Resistant Multi-Factor Authentication

It is currently unclear how credentials were obtained and MFA bypassed, but phishing is a reasonable assumption. While it is important to protect all accounts with multi-factor authentication, especially accounts with high levels of privileges, not all forms of MFA provide the same level of protection. Healthcare organizations should follow the advice of CISA and implement phishing-resistant MFA. A change of mindset is also required for security, shifting from traditional perimeter defenses to zero-trust, with the latter assuming that a network has already been breached, with controls implemented to validate all stages of digital interactions to limit the potential for lateral movement.
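To make the difference between MFA types concrete, the following is an added illustration (not code from Medibank, CISA or HIPAA Journal) of why a one-time code survives an adversary-in-the-middle phishing proxy while an origin-bound assertion of the kind WebAuthn/FIDO2 produces does not. It models a relying party, a victim whose browser is on a phishing page, and the proxy relaying the login to the real site. The hostnames, user and secrets are made up, and the WebAuthn signature is stood in for by HMAC-SHA256 over a per-credential secret so the file runs on the Python standard library alone; real WebAuthn uses an asymmetric key pair, but the origin check that defeats the proxy is the same.

```python
"""Phishable TOTP versus origin-bound (WebAuthn-style) MFA under an AitM proxy.

Added illustration; not code from Medibank, CISA or HIPAA Journal.
Hostnames, user names and secrets are assumptions. The "signature" is an
HMAC over a per-credential secret, standing in for the asymmetric signature
a real authenticator would produce.
"""
import base64
import hashlib
import hmac
import json
import os
import struct

REAL_ORIGIN = "https://login.insurer.example"       # assumed genuine site
PHISH_ORIGIN = "https://login.insurer-example.com"  # assumed AitM phishing page


def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226, HMAC-SHA1) over the current 30-second counter."""
    counter = int(now // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


class RelyingParty:
    def __init__(self, origin: str):
        self.origin = origin
        self.totp_secrets = {}   # user -> shared TOTP secret
        self.cred_keys = {}      # user -> registered credential key
        self.pending = {}        # user -> outstanding challenge

    def verify_totp(self, user: str, code: str, now: float) -> bool:
        # Nothing in a six-digit code records which site the user typed it into.
        return hmac.compare_digest(code, totp(self.totp_secrets[user], now))

    def begin_webauthn(self, user: str) -> str:
        challenge = base64.urlsafe_b64encode(os.urandom(32)).decode().rstrip("=")
        self.pending[user] = challenge
        return challenge

    def verify_webauthn(self, user: str, client_data_json: str, signature: bytes):
        data = json.loads(client_data_json)
        # One-shot challenge: pop() makes a replayed assertion fail.
        if data.get("challenge") != self.pending.pop(user, None):
            return False, "unknown or replayed challenge"
        # The origin the browser recorded must be ours. A proxy cannot rewrite
        # it without invalidating the signature over client_data_json.
        if data.get("origin") != self.origin:
            return False, f"origin {data.get('origin')!r} is not {self.origin!r}"
        expected = hmac.new(self.cred_keys[user], client_data_json.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            return False, "bad signature"
        return True, "ok"


class Browser:
    """The victim's browser. The origin it puts in clientData is the page it is
    actually on; neither the user nor the phishing page can change that."""

    def __init__(self, totp_secret: bytes, cred_key: bytes):
        self.totp_secret = totp_secret   # what the authenticator app holds
        self.cred_key = cred_key         # what the security key holds

    def read_totp(self, now: float) -> str:
        return totp(self.totp_secret, now)

    def webauthn_sign(self, page_origin: str, challenge: str):
        client_data_json = json.dumps(
            {"type": "webauthn.get", "challenge": challenge, "origin": page_origin},
            sort_keys=True)
        sig = hmac.new(self.cred_key, client_data_json.encode(), hashlib.sha256).digest()
        return client_data_json, sig


def run_scenarios(now: float = 1_700_000_000.0) -> dict:
    """Outcome of a legitimate login and an AitM-proxied login for each MFA type."""
    rp = RelyingParty(REAL_ORIGIN)
    user = "victim"
    totp_secret, cred_key = os.urandom(20), os.urandom(32)
    rp.totp_secrets[user] = totp_secret
    rp.cred_keys[user] = cred_key
    browser = Browser(totp_secret, cred_key)

    # TOTP: the proxy captures the digits typed on its fake page and replays
    # them to the real site inside the same 30-second window.
    stolen = browser.read_totp(now)
    totp_legit = rp.verify_totp(user, browser.read_totp(now), now)
    totp_phished = rp.verify_totp(user, stolen, now)

    # WebAuthn-style: the proxy opens a real session and relays the challenge,
    # but the victim's browser stamps the phishing origin into clientData.
    legit_ok, _ = rp.verify_webauthn(
        user, *browser.webauthn_sign(REAL_ORIGIN, rp.begin_webauthn(user)))
    phish_ok, reason = rp.verify_webauthn(
        user, *browser.webauthn_sign(PHISH_ORIGIN, rp.begin_webauthn(user)))
    return {"totp_legit": totp_legit, "totp_phished": totp_phished,
            "webauthn_legit": legit_ok, "webauthn_phished": phish_ok,
            "reason": reason}


if __name__ == "__main__":
    print(run_scenarios())
```

In a real deployment the phishing attempt fails even earlier: the browser refuses to invoke the credential at all because the relying-party ID registered for the key is not a registrable suffix of the phishing domain. The server-side origin check shown here is the second line of defense, and the one-shot challenge stops a captured assertion from being replayed later.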

The Importance of Cyber Insurance

Medibank will face a huge financial hit from the attack, the initial estimates of which appear to be very low. While the average cost of a healthcare data breach is now $10.1 million, according to the IBM Security 2022 Cost of a Data Breach Report, the cost of mega data breaches of 1 million to 10 million records was calculated to be $49 million, and $180 million for breaches of 10M-20M records. Bloomberg Intelligence suggests the breach cost could rise as high as $450 million if customers sue for damages. Cyber insurance is unlikely to pay all breach-related costs, but the failure to have any cyber insurance policy is a serious risk, and that decision could prove to be incredibly costly.

Greater Protection for Highly Sensitive Data

The nature of the data published by the attacker is shocking. In the United States, disclosure of the details of individuals who have had a legal abortion could cause incredible harm and potentially put women at risk of criminal charges. These data types, along with other highly sensitive information such as substance disorder treatment information, data of domestic violence victims, and patients with stigmatized diseases such as HIV, should be subject to far more stringent protections, as far as is possible, due to the harm that can be caused if that information is exposed. In the Medibank attack, patient data in all of those categories was obtained and published.

Australia’s Cyber Security Minister, Clare O’Neil, said that the damage caused by the Medibank cyberattack is “potentially irreparable”. It may be too late for Medibank, but as more information about the attack and response comes to light, the lessons learned will be invaluable to healthcare organizations around the world and may help them prevent similar incidents and manage successful attacks better to reduce the damage caused.

Steve Alder 

Editor-in-Chief, HIPAA Journal

The post Editorial: Lessons for American Healthcare Providers from the Australian Medibank Health Record Breach appeared first on HIPAA Journal.