Considering the Health Insurance Portability and Accountability Act (HIPAA) is now in its third decade, the Privacy Rule took effect 20 years ago, and compliance with the HIPAA Security Rule has been mandatory for 18 years, there have been relatively few financial penalties over the years, with just 130 imposed by OCR to resolve HIPAA violations. There have been changing HIPAA enforcement trends over the years and a shifting of enforcement priorities at OCR. Today, OCR is having to pick and choose the cases where financial penalties are pursued, and while more financial penalties are now being imposed, the penalty amounts are a fraction of the level that they were just a few years ago.

A Brief History of HIPAA Enforcement

The HIPAA Enforcement Rule – Final Rule was issued on February 16, 2006, and took effect on March 16, 2026. The Enforcement Rule gave the U.S. Department of Health and Human Services the authority to investigate HIPAA-regulated entities to determine whether they are in compliance with the HIPAA Rules and impose financial penalties if noncompliance is discovered. The HITECH Act, which took effect on February 18, 2009, established four categories of HIPAA violations based on the level of culpability and set minimum/maximum penalty amounts and penalty caps in each of the four penalty tiers, increasing the maximum penalty amount to $1.5 million for violations of an identical provision in a calendar year.

Then in FY 2020, the HHS reassessed the language of the HITECH Act and determined that the penalty amounts stipulated in the HITECH Act had been misinterpreted, and reduced the penalty amounts in three of the four tiers, only keeping the maximum penalty of $1.5 million for the most serious violations when there is determined to have been willful neglect of the HIPAA Rules with no attempt to correct violations.

Since the effective date of the HIPAA Enforcement Rule (up to and including February 2023), the HHS’ Office for Civil Rights has imposed 130 penalties for HIPAA violations, including violations of a single provision of the HIPAA Privacy Rule such as the failure to provide individuals with timely access to their medical records to egregious violations and widespread noncompliance with the HIPAA Rules. The penalties imposed so far range from $3,500 to $16,000,000.

Financial Penalties for HIPAA Violations are Relatively Rare

While OCR has the authority to impose financial penalties for HIPAA violations, the vast majority of investigations have not resulted in financial penalties. OCR investigates all large data breaches of 500 or more records and more than 5,000 such breaches have been reported since 2009, yet only 130 financial penalties have been imposed. OCR has stated that in the majority of cases, HIPAA violations are resolved through voluntary compliance and technical assistance, where OCR helps regulated entities address the violation to avoid further compliance issues.

In a February 28, 2023, update on its HIPAA enforcement actions, OCR explained that it has received more than 322,579 complaints about potential HIPAA violations. 14,355 cases were investigated and no violation was identified, and OCR failed to establish a case for enforcement in 215,125 cases. Technical assistance was provided in 53,661 cases.

From those cases, OCR has initiated more than 1,160 compliance reviews and said 97% of all cases have been successfully resolved. More than 30,013 cases have required changes to be made to privacy practices or corrective actions to be implemented by HIPAA-covered entities and business associates.  The 130 cases that warranted financial penalties have resulted in $134,828,772 being paid to OCR in civil monetary penalties and settlements.

HIPAA Audits Identified Widespread Noncompliance

In addition to the investigations of complaints and data breaches, OCR has conducted two phases of HIPAA audits. These audits were not conducted from a HIPAA enforcement perspective, rather the primary goal was to identify the areas where HIPAA-regulated entities were struggling with compliance. The audits have helped OCR to develop pertinent guidance to address the most common HIPAA violations. The first round of audits identified widespread HIPAA violations as covered entities struggled to get to grips with what was required, but more than a decade after the HIPAA Privacy and Security Rules were enacted, noncompliance was still common.

In the second round of compliance audits, the most common violations identified were related to Notices of Privacy Practices, a lack of information in breach notifications, HIPAA Right of Access failures, business associate breach notifications to covered entities, and risk analysis and risk management failures, with the latter common with covered entities and business associates.

According to OCR, the same areas of noncompliance are identified frequently in its investigations, along with impermissible uses and disclosures of protected health information, a lack of safeguards for protected health information, a lack of patient access to their protected health information, a lack of administrative safeguards for electronic protected health information, and the use or disclosure of more than the minimum necessary protected health information.

HIPAA Enforcement Trends

In the early years after the HIPAA Enforcement Rule was enacted, OCR showed a reluctance to resort to financial penalties for HIPAA violations, typically only pursuing financial penalties in the most egregious cases when widespread noncompliance was identified and for the most serious compliance failures.  In the 29 enforcement actions from 2008 to 2015, 9 penalties were imposed for risk analysis/risk management failures, 9 for the failure to safeguard PHI, 6 for widespread non-compliance with the HIPAA Rules, and one each for denying access to medical records, disclosing PHI without consent, the failure to encrypt PHI, improper disposal of PHI, and the failure to permanently erase PHI.

There was an uptick in HIPAA penalties in 2016, 10 years after the Enforcement Rule was published. Since then, the enforcement actions have addressed a much broader range of HIPAA violations. Risk analysis and risk management failures are still one of the most common HIPAA failures cited in its enforcement actions, along with other HIPAA Security Rule violations and impermissible disclosures of PHI.

In the fall of 2019, OCR launched a new enforcement initiative launched targeting organizations that were not compliant with the HIPAA Right of Access, with the penalties arising from complaints rather than data breaches. Since then, 65 penalties have been imposed to resolve HIPAA violations, 43 of which have been for HIPAA Right of Access violations. The main reason for this HIPAA enforcement trend has been a massive increase in OCR’s workload and extremely limited resources for HIPAA investigations.

Lack of Funding Hampering HIPAA Enforcement

OCR has been struggling with a lack of funding for several years as its budget has remained flat despite a significant increase in its workload. OCR has made multiple requests to Congress for additional funds, but those requests have been denied. Since fiscal year 2017, complaints about potential HIPAA violations have increased by 28% and reports of large data breaches – more than 500 records – have increased by 100%. All complaints must be assessed and when the allegations are substantiated, the violations must be investigated. OCR also investigates all large healthcare data breaches to determine if they are the result of non-compliance with the HIPAA Rules. As such, OCR’s limited budget and resources have been squeezed and that is limiting the ability of OCR to enforce compliance. OCR also has an increasing workload in other areas – OCR enforces 55 statutory authorities including civil rights and non-discrimination statutes in addition to HIPAA and for several years the small HHS department has not been given adequate resources to do its job.

To help address the budgetary shortfall, the HHS has undertaken a restructuring of OCR which has seen the creation of three new divisions to get more from its limited budget and resources, including a new enforcement division. The HHS hopes the restructuring will improve efficiency, which will help OCR deal with its increased caseload and reduce its backlog of investigations. It is worth noting that OCR’s enforcement staff has been reduced by 45% due to flat budgets and inflation increases, so while the restructuring will help, restructuring alone is unlikely to solve the problem.

OCR could use funds from its enforcement actions to address the budgetary shortfall; however, civil monetary collections have declined since 2019, despite an increase in enforcement actions. This is due to the reinterpretation of the language of the HITECH Act and the reduction in minimum and maximum penalty amounts and the annual penalty caps. In 2019, OCR raised almost $23 million in fines and settlements, but following the reassessment, the total fell to just over $2 million in 2022, even though a new record was set that year for the number of financial penalties imposed. The number of penalties has increased, but there has been a notable shift from imposing penalties on large HIPAA-covered entities for egregious violations of the HIPAA Rules to enforcement actions against small healthcare providers for HIPAA Right of Access violations.

This year, the HHS requested an additional $78 million in funding for FY 2024, which almost doubles its FY 2023 budget, with a requested increase of $38 million from the $40 million received in 2023. OCR Director, Melanie Fontes Rainer, said OCR now has to pick and choose its battles carefully, as it is forced to operate under incredible resource constraints and its staff is incredibly overworked. Data from 2020 indicates OCR has just 77 investigators, and they are not all investigating HIPAA violations. Some are investigating violations of other statutes such as anti-discrimination and civil rights violations. For FY 2023, the HHS requested a 58% increase to its budget to $60 million, which would have allowed OCR to hire a further 37 investigators. The HHS was unable to get a budget increase when Democrats had a majority in the House and Senate, so it seems even more unlikely now.

This year, in addition to the sizeable budget increase, OCR has submitted a proposal to get the authority to work with the Department of Justice and seek injunctive relief, which will improve OCR’s ability to prevent additional or future harm to individuals from non-compliance. OCR is also seeking help from Congress to increase the caps for financial penalties for HIPAA violations to provide additional funding for its enforcement activities.

The Future of HIPAA Enforcement

OCR is continuing with its enforcement initiative targeting HIPAA Right of Access violations and has already announced one settlement this year due to untimely breach notifications. These enforcement actions are relatively cut and dry. A patient complains that they have not been provided with their records, can provide proof that the request has been sent, and the healthcare provider must provide proof that the requested records have been provided and evidence of staff training.  It is difficult for covered entities to contest the findings when records have not been provided in a set time frame, so legal disputes are unlikely, especially considering the penalties imposed are relatively small. These enforcement actions are therefore a good use of OCR’s limited resources.

What is needed, however, is investigations of hacking incidents, which are behind the massive increase in large data breaches. OCr needs additional funding for these investigations to determine if they have been caused by noncompliance with the HIPAA Security Rule. These investigations are, however, much more complex, time-consuming, and resource-intensive. OCR faces a potential problem. The approach taken in the past in its enforcement actions has been called into question when the $4.3 million penalty for University of Texas MD Anderson Cancer Center was overturned on appeal.

OCR’s enforcement actions were deemed to be “‘arbitrary, capricious, an abuse of discretion, or otherwise not in accordance with law,” and the penalty was reduced by a factor of 10. That case could embolden other HIPAA-regulated entities to challenge penalties, further draining OCR’s resources and its ability to enforce HIPAA. While it is unclear exactly how much impact the overturning of the MD Anderson Cancer Center penalty has had, OCR has only fined four entities for Security Rule failures related to data breaches since that decision out of 37 enforcement actions – Excellus Health Plan, AEON Clinical Laboratories (Peachstate), Oklahoma State University – Center for Health Sciences (OSU-CHS), and Banner Health.

OCR also needs to start sharing a percentage of the settlements and civil monetary penalties it collects with victims of HIPAA violations, which is likely to reduce the funds OCR can use from those enforcement actions further still. Without an increase in its budget – which appears likely – the future of HIPAA enforcement is likely to depend in a large part on an increase to the penalty caps and improvements to efficiency from its restructuring.

A reduction in data breaches would certainly help ease OCR’s caseload, but with a relative lack of enforcement of noncompliance and extensive targeting of the healthcare industry by malicious actors, that seems somewhat unlikely. OCR is now considering the recognized security practices that have been implemented when making determinations about fines and penalties which could encourage healthcare organizations to improve security, but for many smaller healthcare organizations, budgets are already limited and there is a global shortage of skilled cybersecurity professionals. Regulatory moves by the government could help to address this by providing incentives for healthcare organizations to make further investments in security and to deal with the staff shortage by introducing incentives for cybersecurity professionals to take on roles in healthcare.

The HHS has also increased the guidance issued to help healthcare organizations improve their defenses. The Health Sector Cybersecurity Coordination Center (HC3) is now issuing more threat advisories specific to the healthcare sector along with recommendations and resources to help healthcare organizations improve their defenses by focusing their efforts on the most pertinent threats. That help has been welcomed, and while more healthcare-specific threat intelligence would be of great help to the sector, HC3 also has considerable budget constraints and also requires additional funding to increase its output.

Steve Alder, Editor-in-Chief, HIPAA Journal

The post Editorial: HIPAA Enforcement Trends and Outlook appeared first on HIPAA Journal.

In 1996, the Health Insurance Portability and Accountability Act (HIPAA) was signed into law and one of its requirements was for the Department of Health and Human Services (HHS) to develop a national patient identifier system. Under such a system, every person in the United States would be provided with a unique permanent ID number that would allow them to be tracked across the entire U.S. health system, not for any form of control, government interference in healthcare, or any other nefarious purpose, but to address a pressing public health and safety issue: To ensure patients can be reliably and accurately connected with their health information. 27 years later and we are no closer to a national patient identifier than we were in 1996.

The reason for the lack of action goes back to 1998, when Representative Ron Paul (R-TX) introduced a ban on the HHS developing a national patient identifier system by ensuring no funding was provided by Congress for that purpose. Language has been included in every appropriation bill since then that prevents any funding from being given to the HHS to use for that purpose. In 2019, Senator Rand Paul (R-KY), son of Rep. Ron Paul, tried to take this a step further by introducing a bill that sought to remove the national patient identifier provision from HIPAA entirely, although the effort did not succeed. Then in 2021, House and Senate appropriators removed the language from the appropriations bill – a move widely applauded by many healthcare stakeholder groups – to allow this long-standing issue to be addressed and permit the HHS to start exploring potential methodologies for introducing a national patient identifier.

Later that year, Sen. Rand Paul wrote to Senate appropriators requesting the reintroduction of the language into the appropriations bill, then – along with Senator Marsha Blackburn (R-TN) – introduced the National Patient ID Repeal Act; standalone legislation calling once again for the provision to be stripped from HIPAA. The bill was not passed, but Sen. Rand Paul’s advocacy helped ensure that the funding ban was reintroduced.

The Mismatching of Patient Records is a Common and Serious Patient Safety Issue

The primary reason for introducing a national patient identifier system was to ensure patients could be accurately matched with their healthcare information, no matter where in the country they sought healthcare. Such a system would ensure an individual’s healthcare data could not be mismatched with another individual, which was a problem in 1996 and remains a serious patient safety issue today. Each year, the Joint Commission publishes a list of National Patient Safety Goals. and top of the list for 2023, as has been the case for several years, is the correct identification of patients. A national patient identifier could solve this important patient safety issue.

The lack of a universal patient identifier results in duplicated medical records. If a patient visits a healthcare provider and their records cannot be found, a new medical record is created, resulting in the patient’s records being split between two different records. Important information about the patient will be missing from their records, which could include information vital to ensuring that patient’s safety. Patient mismatching often results in repeated, medical tests, which can delay care and cause patients to incur unnecessary costs. There can, of course, be far more serious consequences from the mismatching of patient records, such as medication mix-ups, transplant errors, and catastrophic delays to care resulting in loss of life. These are not uncommon events and occur repeatedly throughout the healthcare system.

The problem of incorrectly identifying patients and mismatching records was exacerbated during the pandemic when thousands of duplicate records were created in the rush to get the population vaccinated. There were many cases of patients being unable to get COVID vaccines as their medical records stated – through mismatching with similarly named patients – that they had already received the vaccine. Misidentification and duplicate health records also caused disruptions to the registration process and vaccine availability at provider sites, hampering efforts to ensure rapid vaccination of the population. When the next pandemic hits, the same problems will likely be experienced again.

In 2020, the Patient ID Now Coalition was founded, an advocacy group whose founding members include the American College of Surgeons, AHIMA, CHIME, HMMS, Intermountain Healthcare, and Premier Healthcare Alliance. Patient ID Now is attempting to build bipartisan momentum to support accurate patient identification by removing the legislative barriers that are preventing the development of a national patient identifier system. Patient ID Now believes the creation of a national patient identifier is one of the most important patient safety issues to address.

Patient ID Now provided an example of the devastating consequences of mismating patient records. A woman visited her physician who arranged for her to have a mammogram; however, she never received the results. She mistakenly assumed that she was not contacted about the results because nothing bad was found, when the reality was the mammogram results had been mismatched with a patient who shared the same name. The mismatching was only identified when she mentioned the mammogram to her physician during an annual check-up. The mammogram showed she had cancer, and the one-year delay in receiving treatment had allowed the cancer to progress to the point where it was terminal.

This is far from an isolated example. A January 2019 Government Accountability Office Report found that matching patients with the right records was an incredibly common problem. 45% of large hospitals reported experiencing difficulty with accurately identifying patients. CHIME estimates that matching records within hospitals can be as low as 80%, which means 1 in 5 patients may not be matched with their entire medical records. Further, the matching rate may be even lower between organizations that share the same EHR vendor, dropping to just 50%. AHIMA reports that inaccurate patient identification results in $1,950 in duplicative medical care costs per inpatient and causes $1.5 million in denied claims each year.

Why Does the Funding Ban Continue?

A national patient identifier can help to prevent medical errors, save lives, and cut costs, and also has other benefits. A national patient identifier would support clinical and public health research and population health initiatives, which would help with the transition from fee-for-service to value-based care, and that would benefit patients, providers, payers, and the country as a whole. So, what are the main reasons why the funding ban continues?

One of the most commonly cited arguments against the introduction of a National Patient Identifier, and one that has been often stated by Sen. Rand Paul, is to stop government involvement in an individual’s healthcare. “As a physician, I know firsthand how much the doctor-patient relationship relies on trust and privacy, which would be undermined by a National Patient ID,” said Sen. Rand Paul when introducing the National Patient ID Repeal Act in 2021. He explained that the move to strip this provision from HIPAA was to “prevent the government from centralizing patients’ personal health records or interfering with their medical decisions,” and warned that removing the ban “would open the floodgates for a government-issued ID to be linked with the private medical history of every man, woman, and child in America.”

Sen. Blackburn, who supported the bill, said, “The federal government has no right to dictate individual medical decisions or gain access to your private medical records. The existing National Patient ID sets a dangerous precedent for Big Brother to exert even more control over your life, and it is paramount that we prevent the Biden administration from creating it.” It has also been suggested that creating a “cradle-to-grave medical record” would allow individuals’ entire medical records to be used to conduct medical research without consent, although the HIPAA Privacy Rule prevents such uses and disclosures without consent, and there is no reason why additional safeguards could not be introduced with a National Patient Identifier system.

Another argument often put forward is a national patient identifier would make it easier for nation-state actors to steal patient data. “Now, more than ever, it is crucial to protect Americans’ genetic information from theft by foreign actors like China,” said Sen. Rand Paul when introducing the National Patient ID Repeal Act. While these are valid concerns, it is worth bearing in mind that big tech companies and data brokers are already compiling huge amounts of incredibly personal data on individuals, including health information, and are using and selling that information without restriction. Companies such as AncestryDNA and 23andMe (and many others) provide hugely popular services to the public that involve sequencing DNA, and these companies are not even bound by the protections of HIPAA.

It is also important to point out that healthcare data theft is a problem without a national patient identifier. As of January 31, 2023, more than 383 million healthcare records have already been stolen along with identifiers such as Social Security numbers. If a healthcare-only identifier was introduced, patients would not have to disclose their Social Security numbers to their healthcare providers, thus helping them to protect themselves against identity theft and fraud. While it has been suggested that patient trust could be lost due to a national patient identifier, a system could be set up akin to the credit monitoring system, and patients would be able to monitor access to their healthcare data and see exactly who accesses it and for what reason.

National Patient Identifiers Have Been Successfully Introduced in Many Developed Countries

A national patient identifier has been introduced in many developed countries with great success and has helped to eliminate patient misidentification. For instance, in the United Kingdom, all patients are issued with a unique National Health System ID number, which allows patients to be matched with their medical records no matter where they receive healthcare through the NHS system. Sure, if the NHS is hacked, then entire medical records could be stolen, but in the UK, it is seen as far more important to ensure patient safety by correctly matching patients with their entire medical records than any potential risks of worries about government control.

While there are clear benefits to a national patient identifier – which I feel far outweigh any negatives – introducing such a system is not without problems, one of the biggest is the cost. which has been estimated to be in the region of $1.5 billion and $11.1 billion, and there will undoubtedly be challenges in implementing any such system.

Removing the appropriations bill language will at least allow the HHS to start exploring how a national standards-based system could be introduced to ensure patients can be accurately matched with their medical records and start obtaining feedback from stakeholders on potential methodologies. Surely, it would be better to actively address the pressing public health and safety issue of mismatched patient records, than to keep rejecting the idea due to outdated fears about the government controlling individuals’ healthcare decisions.

Steve Alder, Editor-in-Chief, HIPAA Journal

The post Editorial: Time to Stop Blocking a National Patient Identifier System appeared first on HIPAA Journal.

Achieving compliance with the Rules of the Health Insurance Portability and Accountability Act (HIPAA) can be a challenge for healthcare organizations and their business associates. The HIPAA Rules were developed to cover healthcare organizations of different types and sizes, so the Rules needed to be flexible to accommodate this diversity. They also needed to be capable of standing the test of time without requiring regular updates in response to changing technology and operating practices.

While HIPAA sets standards for privacy, security, and administrative processes, the Rules can seem complex and often lack important details and they do not include an easy-to-follow HIPAA compliance checklist, so it’s no surprise that achieving and maintaining HIPAA compliance can be a daunting prospect. One of the biggest challenges for compliance professionals is interpreting the HIPAA Rules and applying those requirements to their organization. For smaller healthcare organizations with limited resources, achieving and maintaining compliance can be harder still.

If HIPAA compliance is causing you headaches or keeping you up at night, it is worthwhile considering partnering with a compliance company and getting advice on how to achieve and maintain compliance for peace of mind. For those considering going it alone, there are three pillars of HIPAA compliance that you need to get right.

Pillar 1: Implement a HIPAA Compliance Program

HIPAA-regulated entities need to implement an effective HIPAA compliance program, covering all standards and implementation specifications of the HIPAA Rules. HIPAA-compliant policies and procedures must be developed and implemented, and staff trained on those policies. While compliance responsibilities can be split between multiple individuals – such as a Privacy and Security Officer – one individual should have overall responsibility for compliance throughout the entire organization. You should also consider forming a compliance committee that meets regularly to discuss the state of compliance with HIPAA and other federal and state regulations.

One of the first things the Department of Health and Human Services’ Office for Civil Rights (OCR) will seek to establish when investigating complaints and data breaches is whether the entity has implemented a formal HIPAA compliance program and is taking its HIPAA compliance obligations seriously. Proving your organization takes HIPAA compliance seriously and has not ignored its obligations means compliance efforts must be thoroughly documented.

The first stage of an OCR investigation involves a document request. OCR will contact a covered entity and ask for specific documentation relative to the complaint or data breach, and that information needs to be provided promptly. If there a HIPAA-regulated entity is unable to prove they have a HIPAA compliance program in place, then a financial penalty is all but guaranteed. If you have invested time and effort into complying with the HIPAA Rules and can provide documentation demonstrating your good faith effort, the HHS is more likely to provide technical assistance than impose a financial penalty. OCR says the vast majority of investigations are resolved through voluntary compliance or technical assistance, and financial penalties will be avoided if entities can demonstrate satisfactory compliance.

When investigating data breaches, organizations will be asked to provide evidence that comprehensive, accurate risk analyses have been conducted. You may be asked to provide evidence of risk analyses for the past 5 or 6 years. If you can’t provide that documentation, it doesn’t matter whether those risk analyses have been conducted or not, from OCR’s perspective, at best they were incomplete and at worst were not conducted at all. Both are likely to result in a fine.

If a complaint is investigated about an alleged employee HIPAA violation, OCR will want to see evidence that a HIPAA training program is in place and proof that employees have received appropriate training. The sanctions policy may be requested, along with evidence of any ongoing corrective actions and sanctions, further training that has been provided to the workforce in response to discovered violations, and samples of breach notifications.

It is therefore imperative that you maintain accurate, detailed records of all of your compliance efforts and store that documentation in a central data repository with your policies and procedures. That will ensure that you can respond quickly to any request and provide evidence of compliance. The failure to provide the requested documentation could trigger a much more extensive review of your compliance program.

Pillar 2: Develop a Security Awareness and HIPAA Training Program

Policies and procedures must be developed on all aspects of HIPAA but not just to allow boxes to be ticked in a HIPAA compliance checklist. That may be sufficient to pass a very basic document review, but policies alone will not make an organization HIPAA compliant. All members of the workforce must be provided with the policies and must receive training relevant to their role. Every individual in a healthcare organization has a role to play in making their organization HIPAA compliant and must be trained to allow them to perform their duties in a HIPAA-compliant way.

Employees should not have to guess how HIPAA applies. In addition to training, employees must be made aware of the sanctions policy and the repercussions of HIPAA violations and the sanctions policy must be enforced.

HIPAA calls for training to be provided during the onboarding process, regardless of whether a new hire is a seasoned healthcare professional or is new to the industry. It is the responsibility of the compliance officer to ensure that appropriate training programs are developed and that all members of the workforce receive adequate training. While HIPAA violations can take many different forms, most HIPAA violations are due to mistakes by employees and a lack of appropriate training is often the cause.

It is unreasonable to expect employees to gain the knowledge of a compliance professional from HIPAA training provided during the onboarding process. The goal is to ensure that everyone is aware of how HIPAA applies to their role, the rules regarding uses and disclosures, and how to protect patient data. Training needs to be an ongoing process, so refresher training should be provided annually to ensure standards do not slip. HIPAA calls for the staff to be trained on internal policies relative to their role and for all members of the workforce to receive security awareness training.

The importance of the latter was highlighted in the 2022 Verizon Data Breach Investigations Report, which revealed the human factor was involved in 82 percent of data breaches. Security awareness training is concerned with teaching security best practices, making the workforce aware of security threats, and training employees on how to recognize and report those threats. Through training, organizations can eradicate risky practices and significantly reduce the risk of a successful cyberattack and data breach.

Training programs should be tailored to each role and include the specific threats those individuals are likely to encounter. Given the extent to which healthcare employees are targeted with phishing attempts and BEC attacks, there needs to be a particular focus on identifying, avoiding, and reporting these threats to the security team.

Security awareness training is a requirement of the HIPAA Security Rule but the frequency of training is left to the discretion of each regulated entity. HIPAA-regulated entities should go above and beyond the minimum requirements for training and should implement an ongoing security awareness training program, with training delivered throughout the year. The goal should be the creation of a security culture, which is unlikely to happen with infrequent training. As with all aspects of HIPAA compliance, training must be documented. One of the first things OCR will seek to establish when investigating data breaches is whether a security awareness training program is in place.

Pillar 3: Develop, Implement, and Continuously Improve an Information Technology Security Program

There are 20 standards in the HIPAA Security Rule, but within each standard are many more implementation specifications. There are more than 60 implementation specifications that must be considered and implemented, including required and addressable specifications.

HIPAA Security Rule compliance primarily involves developing and implementing a comprehensive information security program that incorporates administrative, technical, and physical safeguards to protect against reasonably anticipated threats and hazards to ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI). The information security program must incorporate access controls to protect against internal and external unauthorized access to ePHI, continuous evaluation of security controls, monitoring information systems for unauthorized activity, security awareness training, and developing and implementing contingency and incident response plans.

The risk analysis is one of the fundamental implementation specifications of the HIPAA Security Rule, and one of the main areas where mistakes are made. Risk analyses must be accurate, comprehensive, and organization-wide, and should identify all potential risks and vulnerabilities to ePHI. Those risks must then be subjected to a risk management process and be reduced to a low and acceptable level. Risks must be documented, assessed for criticality, prioritized, and managed, and the process must be fully documented, including how the risks were addressed, when they were resolved, ongoing unresolved issues, and the time frames and steps for addressing any unresolved issues. Risk analyses should be conducted annually and in response to any material change in policies, procedures, or new technology.

When investigating data breaches, OCR seeks to establish the underlying cause of a data breach and will require evidence of risk analyses and risk management. OCR will look for the mitigations in response to a data breach, the actions taken to prevent further incidents, and the entity’s compliance prior to the breach. Recognized security practices will also be considered as a mitigating factor, so these must be thoroughly documented.

HIPAA Security Rule compliance will ensure a baseline level of security is achieved but given the extent to which the healthcare industry is targeted, organizations should look beyond HIPAA Security Rule compliance and should continue to develop the information security program. Adopting a cybersecurity framework such as the NIST Cybersecurity Framework or HITRUST CSF will greatly improve an organization’s security posture and will be considered a mitigating factor by OCR when investigating data breaches and HIPAA Security Rule violations.

Organizations unable to take this step should consider adopting the HHS 405(d) Program, which serves as a stepping stone between HIPAA Security Rule compliance and the full implementation of a cybersecurity framework. The HHS 405(d) Program documentation outlines the main current cybersecurity threats to the sector, offers best practices for mitigating those threats, and technical assistance tailored to the size and capabilities of small, medium, and lar-sized healthcare organizations.

HIPAA Compliance is a Continuous Process

There is much more to HIPAA compliance than developing and documenting policies, training staff, and developing an effective information security program, but if you get the basic structure in place, achieving HIPAA compliance will be much more straightforward and you will be able to demonstrate that you are taking your obligations seriously.

Adopting a methodical checklist-style approach to HIPAA compliance will help to ensure compliance with all HIPAA standards, but becoming compliant is just the start. Maintaining compliance requires regular internal audits, updates to policies and procedures to account for new HIPAA requirements and changing technology, and ensuring that safeguards remain effective in a rapidly changing threat landscape.

Signing up to receive updates from the HHS 405d Program is a good place to start, a plan should be developed for adopting a cybersecurity framework to improve the maturity of your cybersecurity program, and there are advantages to be gained from using HIPAA compliance software, especially for healthcare organizations and business associates that feel a little overwhelmed about HIPAA compliance.

Steve Alder, Editor-in-Chief, HIPAA Journal

The post Editorial: The Three Pillars of HIPAA Compliance appeared first on HIPAA Journal.

This is the third article in the ‘Benefits of HIPAA’ series, this time around exploring how the Health Insurance Portability and Accountability Act (HIPAA) and its subsequent amendments have benefited patients. The first article in the series explored how HIPAA has benefited healthcare organizations and the second covered the key benefits of HIPAA for healthcare professionals.

A World of Change for Patients

It has now been 27 years since HIPAA was signed into law by President Clinton. Memories of what the healthcare industry was like before that time may be starting to fade, but it should not be forgotten just how important HIPAA was at that time and has continued to be for more than a quarter of a century since. The initial Act introduced standards in healthcare to improve efficiency and make sure that healthcare providers, health plans, and healthcare clearinghouses followed standard practices and used the same code sets.

No system can function efficiently if the different components do not speak the same language, yet this was essentially how the healthcare system operated at the time. That system worked well when healthcare was provided on a one-to-one basis between a clinician and a patient, but as the healthcare ecosystem was becoming more complex, change was desperately needed to ensure healthcare information could be easily transferred to where it was needed, without requiring time-consuming and costly manual processes to convert the data into a usable form. In addition to helping clinicians have access to the data they need, HIPAA has also helped health plans process claims more efficiently and ensures funds are rapidly transferred to pay for healthcare services.

HIPAA made it easier for healthcare providers and health plans to share data electronically and that has helped patients by improving the continuity of care. Recent rules introduced by the HHS have helped to remove some of the barriers to information sharing and ensure that healthcare organizations and electronic health record providers do not engage in practices that could block or hamper the sharing of patient data. That is helping to prevent patients from incurring unnecessary costs, such as having to redo medical tests when they change healthcare providers.

HIPAA has helped to improve the accuracy of record keeping, making it easier to match medical records with the right patients, thus preventing medical errors. HIPAA has also played an important role in reducing healthcare fraud, which was forcing health insurance providers to massively increase their premiums to cover the losses.

One of the initial aims of HIPAA was to improve the portability of health insurance and help to prevent Americans from falling into a job lock situation, where they felt unable to change jobs due to the fear of losing health insurance coverage. While HIPAA has not solved the problem of job lock, it has certainly helped. HIPAA also helped to expand health insurance coverage and prevent discrimination, by ensuring individuals could not be denied health insurance due to pre-existing medical conditions.

Privacy and Security of Healthcare Data

HIPAA called for the Secretary of the Department of Health and Human Services to adopt standards to ensure patient privacy and data security, which were added a few years later in the Privacy and Security Rules. Before the HIPAA Privacy Rule was signed into law, patients did not have a federal right to healthcare data privacy and there were no federal restrictions on disclosures of that data or how healthcare data could be used. A patient’s healthcare information could be used for marketing purposes without restriction, and before the HIPAA Privacy Rule, healthcare providers were not required by law to provide a patient with a copy of their medical records.

The HIPAA Privacy Rule introduced standards for privacy, stipulating exactly when healthcare data could be disclosed and required patients to provide their authorization before their healthcare information could be used for most purposes other than the provision of healthcare, payment for healthcare, and other essential uses necessary for healthcare organizations to provide their services. HIPAA ensured that disclosures of healthcare data were limited to the minimum necessary amount, prohibiting a patient’s entire medical records from being disclosed when the entire record was not required. HIPAA has ensured that, in general, healthcare information cannot be provided to an employer, be used for marketing or advertising purposes, or be sold without written authorization from the individual.

These privacy protections and the need to keep healthcare data secure seem like basic rights today, yet before the HIPAA Privacy and Security Rules were signed into law, there wasn’t a legal requirement to ensure the privacy and security of healthcare data, and healthcare providers and health plans were not accountable for privacy violations and security failures.

HIPAA Gave Patients New Rights

In addition to benefitting patients in these ways, HIPAA gave patients several new rights over their healthcare data. One of the most important rights is the ability to inspect healthcare data. Healthcare providers accurately record patient information, but errors can be made. The Privacy Rule gave patients the right to check their medical records for errors and have those errors corrected. Before the Privacy Rule was introduced, those errors would likely have remained, threatening patient safety. Patients were also given the right to obtain a copy of their healthcare data, which allows them to take it to a new healthcare provider and disclose that information to whomever they wish, be that a friend, family member, or a medical research institution. Recent changes have also allowed patients to have their healthcare information sent to the health app of their choosing.

The HIPAA Privacy Rule ensured transparency of privacy practices, ensuring patients are enforced about how their healthcare data will be used – through Notices of Privacy Practices – and to whom the information has been disclosed – Accounting of Disclosures, a copy of which can be obtained on request. Patients were also given the right to request restrictions on disclosures of their healthcare information, putting them in control of who is provided with their sensitive healthcare information.

HIPAA does not have a private cause of action, which means a patient can’t sue for a HIPAA violation; however, patients do have the right to file a complaint about a HIPAA violation with a healthcare provider or health plan and can submit a complaint to the HHS’ Office for Civil Rights, which will investigate and take action. Further, when there is an unauthorized disclosure of healthcare information, or when that information has been exposed, patients need to be notified, which allows them to take action to protect against identity theft and fraud.

How the Pending HIPAA Privacy Rule Update Will Benefit Patients

It has been two decades since the HIPAA Privacy Rule was signed into law and a lot has changed in that time. Certain aspects of the Privacy Rule have proven to be cumbersome for HIPAA-covered entities, and there are several areas where improvements are required for patients. Fortunately, some important updates are about to be made that will deliver even more benefits for patients and will improve access to medical records.

Obtaining a copy of medical records is a fundamental right of HIPAA, but the timescale for providing those records is hardly appropriate in the digital age. The latest update will see the time shortened for providing a copy of a patient’s records from 30 days to 15 days, and if an extension is permitted, that time frame has similarly been reduced to 15 days. That means a maximum of 30 days to obtain a copy of the requested records. To further improve access, patients will also be allowed to take notes and photographs of their records, should they so wish. The burden of identity verification when requesting access to records has also been reduced and it has been made easier for patients to direct their healthcare providers to transfer their records to another healthcare provider.

Patients can be charged for copies of their medical records, and while there are restrictions on what can be charged, the update will help to prevent patients from incurring unnecessary or unexpected costs. There has been clarification on when copies of electronic medical records must be provided free of charge, and healthcare providers are required to publish how much patients will typically be charged if they want paper copies of their records.

Another important change will help to improve patient safety, as the ability of healthcare providers to disclose patient information to avert a threat to health or safety has been expanded. They will be able to disclose patient information when harm is “serious and reasonably foreseeable,” instead of a “serious and imminent” threat to health or safety. The changes will also facilitate the sharing of patient information to improve care coordination and case management for individuals, which is intended to improve family and caregiver involvement in the care individuals need when experiencing emergencies or health crises.

Moving Forward – Where HIPAA Needs to Change

The updates to the Privacy Rule will certainly benefit patients, but there is one area where HIPAA lets patients down. HIPAA only applies to healthcare data when it is collected, maintained, stored, or transmitted by a HIPAA-regulated entity. The same healthcare data could be collected, maintained, stored, or transmitted by another entity, and would not be protected by HIPAA. For instance, healthcare information could be stored in a health app, and that information would fall outside the protections of HIPAA. What is now needed is an expansion of HIPAA to cover all healthcare data or new HIPAA-like regulations to be introduced to cover healthcare data when the information is collected by an entity not covered by HIPAA.

One common criticism of HIPAA is the lack of a private cause of action, which prevents patients from suing for HIPAA violations. While this is unlikely to change, there is some good news for patients. The HHS’ Office for Civil Rights will soon be distributing a percentage of the funds raised from its enforcement actions to victims of HIPAA violations, as soon as a suitable methodology for doing so is developed. OCR recently sought information from industry stakeholders and the public on how best to implement this requirement and ensure the funds are fairly distributed.

Steve Alder, Editor-in-Chief, HIPAA Journal

The post Editoirial: Benefits of HIPAA for Patients appeared first on HIPAA Journal.

It has been almost 27 years since the Health Insurance Portability and Accountability Act (HIPAA) was signed into law, more than 2 decades since the Privacy Rule was enacted, and this February will be the 20^th anniversary of the HIPAA Security Rule. This article is the second in a series that explores the benefits of HIPAA, focusing on some of the ways that HIPAA has benefited healthcare professionals. The first article in the series covered the benefits of HIPAA for healthcare organizations.

HIPAA was signed into law in 1996 by President Clinton and introduced standards in healthcare to improve efficiency, eliminate waste, combat fraud, and ensure that Americans could retain health insurance coverage when they are between jobs. When penning the legislation, Congress recognized the importance of the confidentiality of healthcare data and included provisions requiring the Secretary of the Department of Health and Human Services to establish standards for patient privacy and the transmission of electronic health information. Today, HIPAA is best known for these Rules, which restrict the uses and disclosures of protected health information and require HIPAA-covered entities to keep health information secure and protected against unauthorized access. HIPAA also helped the healthcare industry move into the digital age by encouraging the adoption of electronic health records, stipulating the controls that must be implemented to secure healthcare data.

There was considerable resistance to legislation introducing standards for the entire healthcare industry, despite a clear need for change. HIPAA gave healthcare organizations the prod they needed to implement those changes, which have improved efficiency, profitability, and helped healthcare providers deliver better patient care. Before the Privacy Rule was introduced there was a cavalier attitude to patient privacy. Patient records were often left unsecured, and before access controls were a legal requirement, huge numbers of healthcare professionals could view sensitive patient data. The American Health Information Management Association determined that, on average, around 150 individuals in a hospital could access a patient’s medical records during a typical hospitalization and there were no restrictions on the amount of information those individuals could view. There were also no restrictions on disclosures of patient information, and disclosures often occurred without the knowledge of patients. Prior to HIPAA, any information disclosed to a healthcare provider by a patient essentially became the property of the healthcare provider and there was no obligation to share that information with the patient.

HIPAA Ushered in Much-Needed Change

The Administrative Simplification Regulations of HIPAA had three main aims: To protect and enhance the rights of consumers by providing them with access to their health information and preventing inappropriate uses; to improve the quality of healthcare by restoring trust in the healthcare system; and improve the efficiency and effectiveness of healthcare delivery through a national framework of health privacy protection. HIPAA built on the privacy legislation introduced by individual states and ensured privacy protections were in place across the entire country.

Congress understood that it was not possible to achieve administrative simplification without also protecting the privacy and confidentiality of personal health information. High-quality healthcare can only be delivered if patients trust that their sensitive, private health information will be protected and kept confidential, and with healthcare delivery becoming more complex, privacy and security were becoming even more important.

The Benefits of HIPAA for Healthcare Professionals

Healthcare organizations have benefited greatly from HIPAA through the standardization of healthcare transactions, which has improved efficiency and profitability. Patients have benefited by being given rights over their personal health information and transparency over how their health information is used, and HIPAA has also delivered many benefits to healthcare professionals.

A Clear Set of Rules to Follow

One of the most important benefits of HIPAA for healthcare professionals is being provided with a clear set of rules to follow with respect to healthcare data. HIPAA is often criticized for being vague in certain areas, but the rules covering allowable uses and disclosures are clear about how to protect patient privacy. Having clear rules to follow makes it easier for healthcare professionals to work efficiently and concentrate on providing care. HIPAA has also helped improve patient safety by encouraging the adoption of electronic health records, which makes it easier to match medical records with the right patients and ensure patient information is accurately recorded and always available.

HIPAA Has Improved Trust and Helped Healthcare Professionals Deliver Better Care

HIPAA has provided all Americans with a basic level of protection for their healthcare data, giving them peace of mind about disclosing their most personal information, which is critical to ensuring their full participation in their own healthcare. The relationship between a clinician and a patient is built on trust. A clinician must trust the patient to provide honest information about their symptoms and the patient must trust the clinician to keep sensitive information confidential or that information will not be disclosed.

The restrictions on the uses and disclosures of health information introduced by HIPAA have helped to build trust, which in turn helps clinicians make correct diagnoses and develop effective treatment plans. Studies have shown that patients who do not believe their privacy will be protected are much less likely to fully participate in the diagnosis and treatment of medical conditions.

Keeping healthcare data private and confidential is an important part of improving patient well-being. Disclosures of private health information, whether through careless discussions in non-private settings or cyberattacks through noncompliance with the HIPAA Security Rule, can greatly affect a patient’s mental health. Invasions of privacy are a major source of stress, potentially resulting in stigma, discrimination, loss of opportunity, and an increased risk of identity theft and fraud, all of which can have a profound impact on patient well-being.

HIPAA Helps Providers Deliver Patient-Centric Care

Providing the best quality care possible is essential to the success of a healthcare organization, but healthcare providers need to also provide a quality patient experience, which involves more than delivering high-quality care. Delivering patient-centric care is key to improving the patient experience and satisfaction metrics such as HCAHPS scores, which are vital to the long-term success of a healthcare organization. The cost of healthcare is increasing, insurance premiums are rising, and so are the deductibles. If patients do not get the service they need and feel they are getting value for money, they will simply switch providers.

HIPAA has helped the healthcare industry transition into patient-centric care by empowering patients to participate more actively in their own healthcare. By taking a more active role in their healthcare, patients are more likely to comply with the advice their healthcare providers give them and make healthier lifestyle choices, which improves patient outcomes. Healthcare providers need to continue to find new ways to improve patient engagement, and HIPAA compliance helps them to do so while ensuring patient privacy is protected. In today’s digital world, information security is essential as cyberattacks have the potential to expose patients’ highly sensitive data. With the number of attacks now being conducted, HIPAA Security Rule compliance has never been more important and is critical to achieving patient-centric objectives. Further, when patient satisfaction improves, so does employee morale, as healthcare professionals get more job satisfaction.

HIPAA Compliance Helps Increase Profits

HIPAA has standardized healthcare, improved efficiency, and helped to eliminate waste and fraud, which has been key to improving the profitability of the healthcare industry and job security for healthcare professionals. Through HIPAA compliance, healthcare organizations can improve patient loyalty, which means fewer resources need to be invested into attracting new patients and more money can be directed into improving healthcare services and giving healthcare professionals the resources they need to deliver high-quality care.

HIPAA Compliance Makes You a Better Healthcare Professional

HIPAA is a work in progress, far from perfect, and compliance may be cumbersome at times, but the legislation has delivered many benefits to healthcare organizations, healthcare professionals, and patients. HIPAA has helped transform the healthcare industry, and through continued compliance, healthcare professionals can deliver high-quality care, improve relationships with patients, and get more job satisfaction.

Steve Alder, Editor-in-Chief, HIPAA Journal

The post Editorial: Benefits of HIPAA for Healthcare Professionals appeared first on HIPAA Journal.

Amazon has launched a new service that connects patients with doctors – Amazon Clinic. This should come as no surprise given Amazon’s recent acquisitions and the company’s stated ambitions healthcare market. The new service promises to deliver convenience combined with affordability, but Amazon’s latest healthcare venture sets warning bells ringing about patient privacy.

Amazon’s Journey into Healthcare

Amazon is the ultimate disruptor. The company started as an online bookseller and cornered that market, then transitioned into a portal that connects the world with every conceivable product they could want, all of which are available through an easy-to-use website that delivers everything faster than most of its competitors. Amazon products are usually cheaper than the competition and the company is well known for putting the consumer first. Order late one day and your purchases will be with you the next. It is not possible to overstate how successful the company has been. Amazon is now generating revenues of $140 billion a quarter, and that success turned its founder, Jeff Bezos, into the world’s richest man, a position he held from 2017 to 2021.

In 2006, Amazon launched its cloud computing platform, Amazon Web Services (AWS), which has helped many healthcare organizations with their digital transformations, and in recent years, Amazon has been taking greater strides into the lucrative healthcare market. In 2017, Amazon created a healthcare-focused tech lab, 1492, then in 2018 launched its cloud-based service, Amazon Comprehend Medical, which extracts healthcare data from text such as doctors’ notes and clinical trial reports.

Amazon partnered with Berkshire Hathaway and JPMorgan Chase to create the non-profit healthcare organization, Haven, which sought to improve access to primary care for those companies. Haven was later shut down and was replaced by the Amazon Care program for its staff, which provides online and face-to-face medical services. Amazon started rolling out that telemedicine service to employers around the country, although in August announced that it would be shutting down the service by the end of the year as it was not a sustainable solution for its enterprise customers.

Acquisitions of PillPack and One Medical Cement Move into Healthcare

Amazon’s move into healthcare took a major step forward with the $753 million acquisition of the online pharmacy PillPack in 2019, as the retailer looked to crack the prescription market. Amazon Pharmacy was launched in 2020, which offers Amazon Prime members free delivery for their pharmacy orders, packaged to make it easier for patients to remember when to take their medications.

This year, Amazon announced its intention to acquire the primary healthcare organization One Medical in a deal reportedly worth $3.9bn. One Medical provides a membership-based service offering in-person visits and virtual care and currently has around 815,000 members. This deal, if it completes, will cement Amazon’s place in the healthcare sphere.

Amazon’s planned acquisition of One Medical has sent alarm bells ringing throughout the healthcare industry and beyond. Privacy advocates are terrified about Amazon gaining access to large amounts of sensitive medical data and how that data will be used. There are fears that this most sensitive of data could be manipulated and exploited by Amazon in ways that may not become clear for many years to come.

In August, following the announcement about One Medical, Senator Josh Hawley (R-MO) wrote to the Federal Trade Commission (FTC) calling for the FTC to investigate the deal due to privacy and security concerns. Hawley stated that Amazon already wields too much power, and while the company would be required to comply with HIPAA and other healthcare privacy laws, some loopholes could be exploited. One of the biggest concerns with this merger, should it go ahead, is how Amazon plans to draw the line between consumer and patient data, and exactly where that line will be drawn.

Amazon Clinic Launched

The latest venture, Amazon Clinic, brings the convenience of Amazon’s retail empire direct to every home with an Internet connection and every individual with a smartphone. According to Amazon, Amazon Clinic allows everyone to “get treatment for common health concerns at your convenience—no appointments, video calls, or live chat required.” Amazon Clinic is billed as a virtual healthcare service that, like its retail business, delivers convenience and affordability.

Amazon Clinic is a message-based virtual care service, where users can select from a list of common health complaints, answer some questions, have that input reviewed by a licensed clinician, and then be provided with a personalized treatment plan. No appointments are needed, and in contrast to other healthcare services, the user knows the cost of the visit in advance. Pay a flat fee upfront and there are no surprises. Amazon says that the fee charged is less than many co-pays, plus the service offers more convenience as there are no waiting room visits and no telehealth appointments. The service is available 24/7 and prescriptions are filled by Amazon Pharmacy.

At launch, the virtual care service is being provided in 32 U.S. states for adults aged 18-64 and covers 20 common health conditions from acne to yeast infections, and the service can also be used to renew prescriptions for common medications with no visits or live chat required.  The service is aimed at the uninsured market as Amazon does not accept insurance – although payment can be made and users can then try to claim back the cost from their insurer.

Amazon’s Checkered Privacy History

Anyone concerned about providing their most sensitive health data to Amazon need not be worried, as Amazon states, “Your health data is secure – All of your information is protected by our practices and by law… HIPAA and all other applicable laws and regulations.” Amazon also points out that “We have extensive experience protecting data of all kinds appropriately across a variety of businesses and remain focused on the important mission of protecting customers’ health information.”

There is, of course, the question of the extent to which consumers can trust Amazon with their health data, as while its services are much loved by consumers, the company does not have an exemplary record when it comes to data privacy. That “extensive experience” includes some questionable data practices and there have been many allegations of serious privacy violations.

Amazon was investigated for violations of the European Union’s General Data Protection Regulation (GDPR), with the Luxembourg Data Protection Authority determining that the retailer had violated several Articles of the GDPR related to its processing of user data, even though Amazon was well aware of the requirements of the GDPR. The fine imposed in 2021 was a record €746 million ($887 million). Amazon has appealed that decision and maintains there was no data breach or disclosure of personal data to any third parties. The exact nature of the alleged violations has not been disclosed publicly, although it is suspected to be related to the use of personal data internally for advertising purposes without consent.

This year, an Amazon cloud backup service was recently found to be inadvertently exposing RDS snapshots over the public Internet that contained corporate personally identifiable information (PII). Also, this year, Amazon accidentally exposed an internal server to the public Internet that contained data about users’ Prime viewing habits.

One problem for Amazon comes from the sheer volume of data that it collects from many different sources, from search engine and site searches to what is said to Alexa. Amazon has had problems mapping all of that data and does not know exactly where all that data is being held, let alone how all that data is being used. That is a major concern if health information is also collected.

Then there is Amazon’s vast workforce of more than 1.6 million full and part-time employees, which creates a considerable insider privacy risk and questions have long been asked about how customer data is protected against insider threats. A report was published by the Wall Street Journal in 2018 about how Amazon employees were being bribed to provide access to sensitive information such as buying habits, sales volume, and the on-site search terms of customers. Amazon has a history of having employees sharing customer contact information with third parties, and in 2020, disgruntled employees were found to be leaking customer email addresses. An internal application that was used by Amazon to extract data was found to be used as a backdoor, allowing third parties to collect customer data, notably by a Chinese firm that had harvested the information of millions of customers. Questions have also been asked about the ability of the Amazon retail arm to detect security incidents.

Of course, insider threats are a problem for all businesses; however, for a company such as Amazon which has received considerable criticism from employees about working conditions, the threat is greater. Former Amazon chief information security officer Gary Gagnon said in 2018 that there was free-for-all internal access to customer information and that the systems in place made it difficult to track where all of Amazon’s data was going.

Privacy Concerns About Access to Medical Data

Amazon has access to a huge amount of data from the retail side of its business and has the goal of broadening its access to data to include healthcare information, which through Amazon Clinic will help to drive the growth of its online pharmacy business.

Amazon states that it will abide by federal regulations such as HIPAA, but while HIPAA has helped to protect the privacy of patients for two decades, there are considerable gaps. HIPAA has not adapted to changing technology, such as the massive rise in the use of health apps. The data collected through those apps is often the same data that HIPAA protects if collected by a healthcare provider, yet the apps are beyond the protection of HIPAA.

One concern is to what extent the data collected through Amazon Clinic will be used by other parts of the business. Through Amazon Clinic, patients fill out health questionnaires. That information would be valuable for the retail arm. The first health condition on the Amazon Clinic list – Acne – brings up more than 10,000 products on its retail site. Amazon may claim that Amazon Clinic data will be kept separate, but enforcers of the GDPR are likely to have their suspicions about the extent to which that will occur. Will users of the Amazon Clinic find they are offered a range of tailored products to suit their specific health needs?

As Amazon has demonstrated over the years, other players in the markets in which it operates struggle to compete, and that has been seen from the very early days when Amazon started putting booksellers out of business. There are already several players in the telehealth market that offer similar services for common health conditions but lack the reach of Amazon, and they may well struggle to compete. Coupled with its companion One Medical business – if that acquisition goes ahead – could lead to a monopoly on telehealth that would reduce consumer choice.

The Future of Healthcare?

There is no doubt that there is demand for Amazon Clinic, which seeks to bridge the gap between medical complaints that require more than a trip to the drug store and are not sufficiently severe to warrant a costly trip to the doctor. A service that plugs that gap and offers convenience and affordability is almost certain to prove popular.

Amazon Clinic could have a positive impact on the industry from a patient perspective. One of the keys to the success of Amazon is its focus on improving the customer experience. If the service proves to be successful, healthcare providers may also start looking at ways that they can do the same and make their services better and more convenient.

U.S. consumers may be comfortable with Amazon collecting vast amounts of information and building up detailed profiles of consumers in exchange for convenience and low prices, but questions remain about whether Amazon can be trusted with health data. An American Medical Association survey earlier this year suggests there is widespread mistrust in nontraditional healthcare entities. Amazon may find it difficult to earn consumer trust.

Amazon says this new service makes doctor’s visits simpler and affordable and that any privacy fears are unfounded. It remains to be seen whether making health care more convenient and affordable will come at the cost of patient privacy, and it may be some time before that becomes fully apparent.

Steve Alder 

Editor-in-Chief, HIPAA Journal

The post Editorial: Will Amazon Clinic Put Patient Privacy at Risk? appeared first on HIPAA Journal.

The U.S. healthcare industry is currently engaged in a cyber war against a widely dispersed set of adversaries, which include hordes of financially-motivated hackers and organized cybercriminal groups, hacktivists, and nation-state-sponsored threat actors. Ransomware has become an epidemic, and while there are signs that attacks are leveling off or decreasing, the healthcare industry has yet to see such a dip, now being the most targeted sector.

One trend that has emerged is an increase in extortion-only attacks. Rather than breaching networks, exfiltrating data, and then encrypting files, ransomware is not used. Sensitive data is stolen and demands are issued for its safe return and to prevent the sale or publication of the data, with the file encryption element of the attack abandoned as it is time-consuming and noisy. One attack that has made the headlines – the cyberattack on the Australian health insurer, Medibank Private Ltd – confirms the global nature of the current cyber war, which healthcare organizations around the world are struggling to win. The attack stands out due to the scale of the data theft and the callousness of the perpetrators.

The Medibank Cyberattack

Medibank Private Ltd. is the largest private health insurer in Australia, covering around one in six Australians. On October 13, 2022, Medibank detected suspicious activity within its network. The unauthorized access was terminated, and initially, Medibank CEO David Koczkar issued a statement saying no evidence was found that customer data was accessed. Medibank was then contacted on October 17, 2022, by the threat actor behind the attack seeking payment to prevent the release of stolen data. Threats were issued to publish the stolen data, starting with a sample of the data of some of the most prominent customers, including politicians, actors, activists, social media personalities, and people with “very interesting diagnoses.” Medibank confirmed data theft had occurred on October 20.

Access to the network was gained, sensitive data was stolen, and a ransom demand was issued to prevent the publication and sale of the stolen data of 9.7 million current and former customers. The ransom demand was $9.7m, or $1 for each of the affected individuals. The attack has been attributed to an unnamed Russian cybercriminal group, with reports suggesting REvil was behind the attack. REvil’s data leak site redirects to the site where the Medibank data is being published. REvil was one of the most prolific cybercriminal groups in operation; however, following the arrests of several alleged key members of the group, Russia’s federal security services (FSB) said REvil no longer exists. Whether this attack signals the rebirth of REvil, or if it was conducted by an affiliated group has yet to be confirmed. The Australian Federal Police (AFP) claims to know which group is behind the attack.

Medibank said the threat actor infiltrated its systems using “high-level credentials,” which had the necessary clearance to access large amounts of data, and that multi-factor authentication was protecting those accounts. How those credentials were stolen and MFA was bypassed has not been made public.

The Hackers Show No Mercy

Medibank said it received council from cybersecurity experts regarding paying the ransom, and the consensus was that if the ransom was paid, there was only a limited chance that the stolen data would be returned, that all copies would be deleted, and that there would be no sale or misuse of the data. The decision was then made not to pay the ransom, the implications of which were felt last week when the threat actor started to publish samples of the stolen data, initially posting two lists of data each containing around 100 records.

One was referred to as a “naughty list” which included the data of individuals who had claimed for treatment for drug addiction and mental health issues, and a “good list” that included claims for more generic hospital procedures. That was followed by the publication of another file that included details of around 300 individuals who had claimed for healthcare services related to the termination of pregnancies, then another file was published containing the details of 240 customers who had claimed for alcoholism-related treatments. The information of more than 480,000 customers has now been leaked. Medibank is standing by its initial decision not to make payment.

Medibank has reported to the Australian Stock Exchange that it is expecting a financial hit of around $25m to $35m, not including any regulatory fines or litigation. In terms of the latter, there could well be several lawsuits filed. Lawyers around the country are currently assessing the potential for suing Medibank over the data breach and are assessing the harm that has come from the exposure of highly sensitive data. The breach mitigation and legal costs will have to be covered by Medibank, as chief financial officer, Mark Rogers, confirmed that there was no cyber insurance policy in place due to the excessive cost.

Lessons US Healthcare Organizations Can Learn from the Medibank Cyberattack

The Medibank cyberattack is horrific – for Medibank and especially the 9.7 million affected individuals, and the repercussions will be felt for a long time to come. The situation is still evolving, but there are already lessons to be learned from this hugely damaging cyberattack.

Cybersecurity must be a board-level issue

Even with considerable investment in cybersecurity, defenses can be breached. The security posture of Medibank at the time of the attack is unclear, but one issue that has come to light is the lack of board involvement in cybersecurity at Medibank. Medibank chairman, Mike Wilkins, confirmed there were no cybersecurity or IT experts on the board, something that is all too common at healthcare organizations. Given the high risk of a cyberattack and its potential implications, board-level oversight of cybersecurity is essential. According to Deloitte, which has been called in to investigate the security breach, “Boards have now started looking at cyber risk as an enterprise-wide risk management issue, rather than a pure IT security issue, owing to its firmwide implications… Cybersecurity oversight has now become the most important topic for the Board after strategic planning.”

Hope for the Best, But Plan for the Worst

It is often only when a cyberattack occurs that cybersecurity gets the investment it needs, yet it should come as no surprise to any healthcare organization about the high risk of an attack occurring, given the frequency with that they are now being reported. Koczkar has stated that Medibank had planned for such an attack and was able to immediately implement its cyber response strategy for exactly this type of event; however, while an incident response plan had been implemented, shareholders have been voicing concerns about Medibank’s level of preparedness for such an attack, not just in terms of incident response, but the measures that had been implemented to prevent such a breach. Healthcare organizations can hope for the best, but they need to assume that a cyberattack is inevitable and ensure appropriate defenses are in place. It is also vital to not just develop and implement a breach response plan, but to practice the incident response with tabletop exercises, involving all teams involved in the response.

The Importance of Transparent Communication with Customers and Shareholders

The decision of whether or not to pay the ransom is not straightforward, and while there are very good reasons for not paying a ransom, there are repercussions for any decision, as this attack has shown. Medibank clearly stated the reasons why the ransom was not paid, and it was clearly communicated that their decision was in line with the recommendations of the Australian government.

Medibank appears to have opted for a strategy of damage limitation to protect the company’s reputation by downplaying the seriousness of the breach, and that approach has backfired. The CEO first issued a statement that no evidence of data theft had been found, then issued another statement that the attack appeared to be a precursor to a ransomware attack, before finally admitting that data theft had occurred.

Shareholders have been demanding answers with share prices falling sharply, forcing three halts on trading. Many are furious about the management of the breach and the level of transparency of Medibank post-breach, with little information or reassurances provided. Transparency and clear communication with shareholders and customers can go a long way toward protecting a company’s reputation after a data breach, especially one where the perpetrators have been telling shareholders to sell all their shares.

Zero-Trust and Phishing Resistant Multi-factor Authentication

It is currently unclear how credentials were obtained and MFA bypassed, but phishing is a reasonable assumption. While it is important to protect all accounts with multi-factor authentication, especially accounts with high levels of privileges, not all forms of MFA provide the same level of protection. Healthcare organizations should follow the advice of CISA and implement phishing-resistant MFA. A change of mindset is also required for security, shifting from traditional perimeter defenses to zero-trust, with the latter assuming that a network has already been breached, with controls implemented to validate all stages of digital interactions to limit the potential for lateral movement.

The Importance of Cyber Insurance

Medibank will face a huge financial hit from the attack, the initial estimates of which appear to be very low. While the average cost of a healthcare data breach is now $10,1 million, according to the IBM Security 2022 Cost of a Data Breach Report, the cost of mega data breaches of 1 million to 10 million records was calculated to be $49 million, and $180 million for breaches of 10M-20M records. Bloomberg Intelligence suggests the breach cost could rise as high as $450 million if customers sue for damages. Cyber insurance is unlikely to pay all breach-related costs, but the failure to have any cyber insurance policy is a serious risk, and that decision could prove to be incredibly costly.

Greater Protection for Highly Sensitive Data

The nature of the data published by the attacker is shocking. In the United States, disclosure of the details of individuals who have had a legal abortion could cause incredible harm and potentially put women at risk of criminal charges. These data types, along with other highly sensitive information such as substance disorder treatment information, data of domestic violence victims, and patients with stigmatized diseases such as HIV, should be subject to far more stringent protections, as far as is possible, due to the harm that can be caused if that information is exposed. In the Medibank attack, patient data in all of those categories was obtained and published.

The Australia Cyber Security Minister, Clare O’Neil, said that the damage caused by the Medibank cyberattack is “potentially irreparable”. It may be too late for Medibank, but as more information about the attack and response comes to light, the lessons learned will be invaluable to healthcare organizations around the world and may help them prevent similar incidents and manage successful attacks better to reduce the damage caused.

Steve Alder 

Editor-in-Chief, HIPAA Journal

The post Editorial: Lessons for American Healthcare Providers from the Australian Medibank Health Record Breach appeared first on HIPAA Journal.