Healthcare Compliance News

Albany ENT & Allergy Services Pays $500K Penalty and Commits to $2.25M Cybersecurity Investment

The New York multi-site medical practice, Albany ENT & Allergy Services, has agreed to pay a $500,000 financial penalty to the state of New York and will invest $2.25 million to strengthen its information security practices after suffering two ransomware attacks that saw threat actors gain access to the medical records of more than 213,000 New York patients. Under the agreement, a further $500,000 in penalties must be paid if Albany ENT & Allergy Services fails to invest the required $2.25 million in upgrades and maintenance of its information security program over the next 5 years.

An investigation was launched by the Office of the New York Attorney General (OAG) following an intrusion of Albany ENT & Allergy Services’ network by two different threat actors between March 23, 2023, and April 4, 2023. The first intrusion involved ransomware and was discovered on March 27, 2023, when files were encrypted. Systems and data were restored by the healthcare provider’s IT vendor; however, the source of the intrusion was not identified before the restoration of external network access.

A different threat actor conducted a second ransomware attack 10 days later, on April 2, 2023. A digital forensics firm was engaged to conduct a thorough investigation and remediate any vulnerabilities before the restoration process began. The compromised systems contained the records of 213,935 patients, including names, addresses, birth dates, driver’s license numbers, Social Security numbers, diagnoses, test results, and treatment information. Both threat actors provided evidence of data exfiltration when attempting to extort Albany ENT & Allergy Services; however, ransoms were not paid. The file review was completed in May 2023 and the affected individuals were notified and offered complimentary credit monitoring services.

The failure to identify the initial access vector was due to insufficient server logs. While server logs were created, they were not retained for a reasonable period, and there were no security programs in place to monitor and analyze server traffic. The company that conducted the forensic investigation after the second attack concluded that the initial access vector was likely the exploitation of an unpatched vulnerability in a Cisco VPN firewall.

The OAG investigation revealed the breach involved the protected health information of around 80,000 more individuals than the 120,000 stated in the initial breach report. The additional affected individuals had their driver’s license numbers posted online by the threat actors when the ransom was not paid. OAG also determined that the threat actors gained access to six devices that hosted unencrypted personal information, and some of those devices continued to store unencrypted personal information for months after the ransomware attacks. While an encryption policy had been implemented for laptop computers, it did not apply to personal information stored on other systems. Multi-factor authentication (MFA) had been implemented, but not consistently, with some remote access systems not protected by MFA.

Albany ENT & Allergy Services did not have an in-house information technology team and outsourced those functions to two third-party vendors. Outsourcing IT functions is acceptable under state law; however, a single Albany ENT & Allergy Services employee was responsible for liaising with those vendors and ensuring appropriate policies and procedures were followed and recommended practices were implemented. That employee did not have any IT or InfoSec experience or training. The lack of effective oversight meant critical security updates were not implemented in a timely manner, logs of activity in information systems were not retained for sufficiently long, MFA was not consistently implemented, and a reasonable information security program was not maintained. The security failures were determined to violate New York Business and Executive Law.

Under the agreement, Albany ENT & Allergy Services is required to implement a range of security measures including establishing a comprehensive information security program and ensuring effective oversight of its information security vendors. “Health care facilities need to take protecting patients’ private information seriously, and that means investing to protect data and responding quickly if breaches occur. Today’s agreement with AENT will strengthen its cybersecurity and protect the private information of New Yorkers who rely on this Capital Region medical provider,” said Attorney General Letitia James. “I urge all health care facilities and general companies to follow guidance from my office on how to have more secure systems to protect New Yorkers’ data.”

The post Albany ENT & Allergy Services Pays $500K Penalty and Commits to $2.25M Cybersecurity Investment appeared first on The HIPAA Journal.

Industry Groups Give Feedback on CISA’s Proposed Cybersecurity Reporting Requirements

In April, as required by the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), the Cybersecurity and Infrastructure Security Agency (CISA) issued a Notice of Proposed Rulemaking (NPRM) introducing new requirements for critical infrastructure entities to report certain cybersecurity incidents. CISA sought comment from the public, and several healthcare stakeholders have provided feedback on the proposed rule.

Background

The proposed rule requires critical infrastructure entities to report cybersecurity incidents to CISA within 72 hours of detecting a cybersecurity incident and within 24 hours of making a ransomware payment. The types of covered incidents include:

  • Unauthorized system access
  • Denial of Service (DoS) attacks with a duration of more than 12 hours
  • Malicious code on systems, including variants if known
  • Targeted and repeated scans against services on systems
  • Repeated attempts to gain unauthorized access to systems
  • Email or mobile messages associated with phishing attempts or successes
  • Ransomware attacks against critical infrastructure, including the variant and ransom details if known

The types of information that must be submitted to CISA include:

  • Incident date and time
  • Incident location
  • Type of observed activity
  • Detailed narrative of the event
  • Number of people or systems affected
  • Company/Organization name
  • Point of Contact details
  • Severity of event
  • Critical infrastructure sector
  • Anyone else who has been informed

CISA will share the information with federal and non-federal partners to improve detection and the minimization of the harmful impacts on critical infrastructure entities, accelerate mitigation of exploited vulnerabilities, and allow software developers and vendors to develop more secure products. The information will also be shared with law enforcement to help with the investigation, identification, capture, and prosecution of the perpetrators of cybercrime.

Healthcare Industry Groups Give Feedback to CISA

The Workgroup for Electronic Data Interchange (WEDI) and the Medical Group Management Association (MGMA) have called for CISA to align the reporting time frame with the HHS’ Office for Civil Rights, as having to submit reports to multiple agencies will place a considerable administrative burden on healthcare organizations. MGMA believes the new reporting requirements will be overly burdensome for medical groups, and the duplicative reporting requirements may affect the ability of those groups to operate effectively, especially when dealing with a cyberattack.

MGMA explained that under HIPAA, covered entities must report cybersecurity incidents to the HHS’ Office for Civil Rights within 60 days. Rather than layering different reporting requirements on top of each other, MGMA suggests that CISA should work closely with the HHS to seamlessly incorporate data that must be reported under HIPAA. This would promote collaboration and prevent covered entities from reporting the same incident multiple times in different formats. MGMA said the size-based criteria for reporting are intended to spare small medical groups the burden of reporting incidents, but using the SBA definition of a small business means that many small physician offices will still be affected, including practices with annual revenues as low as $9 million.

The short timeframe for reporting incidents was criticized by WEDI, which said it could take longer than 72 hours to gather all the necessary information for the initial report. WEDI has called for CISA to be flexible with the reporting timeframe, such as allowing the initial report to be submitted with as much information as it has been possible to gather within 72 hours and allowing additional information to be submitted after that deadline as it becomes available. WEDI also proposes a carve-out for certain ransomware attacks. WEDI has requested that CISA not consider an attack to be a data breach if no protected health information has been accessed, provided the entity has made a good faith effort to deploy a recognized security program and has implemented security policies and procedures.

CHIME/AEHIS Members Express Concern

The College of Healthcare Information Management Executives (CHIME) and the Association for Executives in Healthcare Information Security (AEHIS) have urged CISA to consider that the core mission of healthcare is patient safety and not to implement regulatory requirements that could jeopardize that mission.

One concern from their members is the reporting requirements under HIPAA, which require security breaches to be reported to OCR within 60 days of the discovery of a data breach. They are concerned that the clock would start ticking for reporting under HIPAA on the date of submission of the incident report to CISA, and that could create considerable additional burdens for HIPAA-regulated entities. CHIME and AEHIS have asked CISA to clarify the reporting requirements for managed service providers and other third-party service providers that provide products or services to HIPAA-covered entities, requesting that the service provider be considered the covered entity for reporting under CIRCIA.

After the initial incident report, critical infrastructure entities are required to submit supplemental reports following a significant cybersecurity incident, with those supplemental reports submitted without delay or as soon as possible. There is concern that with the threat of enforcement, HIPAA-covered entities may feel compelled to prioritize reporting of incidents over patient safety. CHIME/AEHIS have requested that the supplemental reports be submitted every 72 hours at a minimum or every 5 days, and for those reports to only be required if substantial new or different information becomes available.

CHIME/AEHIS point out that the definition of larger hospitals – those with 100 or more beds – is inadequate and that a more nuanced approach is required, with factors other than bed count considered. They also argue that reporting should not be required of critical access hospitals (CAHs), which are already under considerable financial strain. Making CAHs report incidents could increase the financial strain on those hospitals, leading to more closures and reduced access to healthcare for patients.

CHIME/AEHIS have received feedback from their members about the level of detail required by CISA about the security architecture of breached entities. “If CISA requires hospitals and healthcare systems to define their entire security architecture, that is a tremendous amount of information to include in a report,” explained the industry groups. “Our members do not believe that CISA needs to know an entire description of an organization’s security program – as it is not helpful to fulfill the purpose of CIRCIA, is potentially considered intellectual property (IP), and/or sensitive for the organization.”


ONC Releases Common Agreement Version 2.0

On April 22, 2024, the Department of Health and Human Services’ Office of the National Coordinator for Health Information Technology (ONC) released Version 2.0 of the Trusted Exchange Framework and Common Agreement (TEFCA).

TEFCA establishes the technical infrastructure model and governing approach for different health information networks and their users and allows them to share clinical information with each other. The ONC requires health information networks that participate in TEFCA to begin implementing the new version and support the Health Level Seven Fast Healthcare Interoperability Resources standard. ONC has also published Participant and Subparticipant Terms of Participation, which details the requirements for Participants and Subparticipants, compliance with which is required for participation in TEFCA. Version 2.0 of the Common Agreement will make it easier for participating health information networks to share data with each other and will also make it easier for patients to access their health data through digital health apps.

“We have long intended for TEFCA to have the capacity to enable FHIR API exchange. This is in direct response to the health IT industry’s move toward standardized APIs with modern privacy and security safeguards, and allows TEFCA to keep pace with the advanced, secure data services approaches used by the tech industry,” said Micky Tripathi, Ph.D., national coordinator for health information technology. “I want to commend the effort put forth by the TEFCA and FHIR communities to help get us there with the release of CA v2.0.”


NY Attorney General Finds Northwell Health Deceptively Advertised COVID-19 Testing Sites

New York Attorney General, Letitia James, has announced a settlement with New York’s largest health network, Northwell Health, to resolve allegations it deceptively advertised its emergency departments as COVID-19 testing sites during the COVID-19 public health emergency. Northwell Health claimed in advertisements that three emergency departments in New York City and Long Island were COVID-19 testing sites; however, when patients visited to be tested they were billed for emergency room visits.

The Office of the Attorney General (OAG) investigated Northwell Health after complaints were received from patients who claimed they had been overcharged for testing. OAG investigated and found that Lenox Hill Hospital, Lenox Health Greenwich, and Huntington Hospital had signs advertising their emergency departments as COVID-19 testing sites between March 2020 and March 2021. Hundreds of patients visited the emergency departments solely to be tested for COVID-19 but were billed standard emergency department charges. In the case of Huntington Hospital, even patients who used the drive-in testing facility were charged for emergency room visits. OAG determined that Northwell Health collected $81,761.46 in out-of-pocket payments from 559 New Yorkers for COVID-19 tests and related services, and patients visiting the emergency department for other reasons were also charged for COVID-19 tests.

OAG found that the actions of Northwell Health violated New York Executive Law § 63(12) and General Business Law §§ 349 and 350. Under the terms of the settlement, Northwell Health has issued more than $400,000 in refunds to 2,048 patients and will pay a civil monetary penalty of $650,000 to the state. “During a time of great stress at the height of the pandemic, Northwell Health caused more worry and frustration for New Yorkers who were sent emergency room bills for simply taking a COVID-19 test,” said Attorney General James. “Today we are putting money back in New Yorkers’ pockets after Northwell Health misled them. New York patients should not get surprise fees, and I encourage anyone who thinks they’ve been taken advantage of through deceptive advertising to file a complaint with my office.”


One Third of Healthcare Websites Still Use Meta Pixel Tracking Code

A recent analysis of healthcare websites by Lokker found widespread use of Meta Pixel tracking code. 33% of the analyzed healthcare websites still use Meta pixel tracking code, despite the risk of lawsuits, data breaches, and fines for non-compliance with the HIPAA Rules.

Website Tracking Technologies in Healthcare

A study conducted in 2021 that looked at the websites of 3,747 U.S. hospitals found 98.6% of the hospitals used at least one type of tracking code on their websites that transferred data to third parties, and an analysis in 2022 of the websites of the top 100 hospitals in the United States by The Markup/STAT revealed one-third of those hospitals used tracking technologies on their websites that transferred visitor data, including protected health information (PHI), to third parties.

In December 2022, the HHS’ Office for Civil Rights issued guidance to HIPAA-regulated entities on the use of website tracking technologies. The guidance made it clear that these technologies violate HIPAA unless there is a business associate agreement (BAA) in place with the provider of the code or authorizations are obtained from patients. OCR and the Federal Trade Commission wrote to almost 130 healthcare organizations in July 2023 warning them about the compliance risks of using tracking technologies, after these tools were discovered on their websites. In March 2024, OCR updated its guidance – believed to be in response to a legal challenge by the American Hospital Association – however, OCR’s view that a BAA or authorizations are required has not changed.

Several hospitals and health systems have reported the use of these tracking technologies to OCR as data breaches, and many lawsuits have been filed against hospitals over the use of these tools, some of which have resulted in large settlements. For example, Novant Health agreed to pay $6.6 million to settle a lawsuit filed by patients who had their PHI transferred to third parties due to the use of these tracking tools. The FTC is also actively enforcing the FTC Act with respect to trackers, with BetterHelp having to pay $7.8 million to consumers as refunds for disclosing sensitive health data without consent. States have also taken action over the use of Meta pixel and other website trackers, with New York Presbyterian Hospital settling a Pixel-related HIPAA violation case with the New York Attorney General for $300,000.

Lokker’s 2024 Study of Website Tracking Technologies

Lokker, a provider of online data privacy and compliance solutions, conducted a study of 3,419 websites across four industries (healthcare, technology, financial services, and retail) that explored three critical areas of risk:

  • Unauthorized consumer data collection through third-party trackers, tags, and pixels.
  • How privacy tools are often failing to meet the requirements of emerging laws.
  • The escalating complexities of protecting consumers’ data privacy.

The study looked at the threat of data brokers sharing consumer data with foreign adversaries. Across all industries, 12% of websites had the TikTok pixel, including 4% of healthcare companies. While the privacy risks associated with this pixel are lower than other tracking technologies, the information collected by TikTok pixel may be transferred to China. 2% of websites, including 0.55% of healthcare websites, were found to use pixels and other web trackers that originated in China, Russia, or Iran. Data transfers to foreign nations are a major concern for the U.S. government. In February this year, President Biden signed an Executive Order to prevent the sharing of Americans’ data with foreign countries.

Alarmingly, given the considerable media coverage, HIPAA guidance, regulatory fines, and lawsuits associated with website tracking technologies, 33% of healthcare organizations were still using Meta pixel on their websites. Lokker found an average of 16 trackers and a maximum of 93 trackers on healthcare websites. The most common trackers used by healthcare organizations were from Google (googletagmanager.com, doubleclick.net, google-analytics.com, google.com, googleapis.com, youtube.com), Meta (facebook.com, facebook.net), ICDN (icdn.com), and Microsoft (linkedin.com). There appears to be confusion about obtaining consent from website visitors about the collection of their data through tracking technologies such as pixels and cookies. According to OCR guidance, the use of a banner on a website advising visitors about the use of tracking technologies does not constitute a valid HIPAA authorization. These consent banners were identified on the websites of 59% of healthcare organizations.

These consent banners often do not function as intended, as 98.5% of websites load cookies on page load, with Lokker reporting that, on average, 33 cookies are loaded before consent banners appear, and these banners often misclassify or overlook cookies and trackers. Lokker also found that technologies such as browser fingerprinting are often excluded from consent tools, and the rapidly evolving web means tracker changes may go unnoticed by consent tools, resulting in users unwittingly consenting to undesired data collection.

In addition to compliance risks related to HIPAA, there is also a risk of Video Privacy Protection Act (VPPA) violations. 3% of healthcare companies had Meta pixel or other social media trackers on pages containing video players, putting them at risk of VPPA lawsuits. In 2023, more than 80 lawsuits were filed alleging VPPA violations due to Meta pixel being used to gather and disseminate video viewing data from websites without user consent, some of which have led to multi-million-dollar settlements.
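The audit below is an added, self-contained example (not Lokker’s tooling or code from the article): it parses a page’s HTML for third-party resource hosts, maps them to the vendors named in the study, flags the Meta Pixel bootstrap call in inline script, and marks the VPPA exposure described above (a video player on the same page as a social-media tracker). The sample page, the hospital hostname and the pixel ID are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Vendor -> hosts, taken from the trackers the Lokker study lists for healthcare sites
TRACKER_VENDORS = {
    "Google": {"googletagmanager.com", "doubleclick.net", "google-analytics.com",
               "google.com", "googleapis.com", "youtube.com"},
    "Meta": {"facebook.com", "facebook.net"},
    "ICDN": {"icdn.com"},
    "Microsoft": {"linkedin.com"},
}
SOCIAL_VENDORS = {"Meta", "Microsoft"}  # social-media trackers relevant to VPPA exposure
META_PIXEL_INIT = re.compile(r"""fbq\(\s*['"]init['"]""")  # Meta Pixel bootstrap call


class _ResourceCollector(HTMLParser):
    """Collects external resource URLs, inline script bodies and <video> presence."""

    def __init__(self):
        super().__init__()
        self.urls = []
        self.inline_scripts = []
        self.has_video = False
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "img", "iframe") and a.get("src"):
            self.urls.append(a["src"])
        elif tag == "link" and a.get("href"):
            self.urls.append(a["href"])
        elif tag == "video":
            self.has_video = True
        if tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline_scripts.append(data)


def vendor_for_host(host):
    """Return the tracker vendor owning host (exact or subdomain match), else None."""
    host = host.lower()
    for vendor, domains in TRACKER_VENDORS.items():
        for d in domains:
            if host == d or host.endswith("." + d):
                return vendor
    return None


def audit_html(html, first_party_host):
    """Audit one page's HTML for third-party tracker loads and Meta Pixel code."""
    p = _ResourceCollector()
    p.feed(html)
    p.close()
    third_party, vendors = set(), set()
    for url in p.urls:
        host = urlparse(url).netloc.split(":")[0].lower()
        if not host or host == first_party_host or host.endswith("." + first_party_host):
            continue  # relative or first-party resource, not a third-party tracker
        third_party.add(host)
        v = vendor_for_host(host)
        if v:
            vendors.add(v)
    # An inline fbq('init', ...) call is Meta Pixel even if fbevents.js was not seen
    meta_pixel = "Meta" in vendors or any(META_PIXEL_INIT.search(s) for s in p.inline_scripts)
    if meta_pixel:
        vendors.add("Meta")
    return {
        "third_party_hosts": sorted(third_party),
        "tracker_vendors": sorted(vendors),
        "meta_pixel": meta_pixel,
        # VPPA exposure as the article describes it: video player plus a social tracker
        "vppa_risk": p.has_video and bool(vendors & SOCIAL_VENDORS),
    }


# Constructed sample page for a hypothetical hospital site; IDs are placeholders
SAMPLE_PAGE = """<!doctype html><html><head>
<script async src="//www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>
<script>
  fbq('init', '000000000000000'); fbq('track', 'PageView');
</script>
<link rel="stylesheet" href="/css/site.css">
</head><body>
<img height="1" width="1" src="https://www.facebook.com/tr?id=000000000000000">
<video src="/media/patient-education.mp4" controls></video>
<script src="/js/app.js"></script>
</body></html>"""

if __name__ == "__main__":
    for k, v in audit_html(SAMPLE_PAGE, "example-hospital.org").items():
        print(f"{k}: {v}")
```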

“LOKKER’s research sheds light on critical issues that businesses often underestimate. Unauthorized data collection through third-party trackers and related technologies is far more pervasive than most people realize. We all build websites with third-party tools, and they use other third-party tools, and so on. Many of these are essential and necessary. However, this web of interconnected technologies produces dozens to hundreds of URLs collecting data on a single webpage and is the engine that powers the data broker market,” said Ian Cohen, founder and CEO of LOKKER. “Moreover, data collection on websites and ad tech happens in real time; existing privacy tools are not real-time, and therefore not getting the job done. As a result, we’re seeing a dramatic increase in privacy violations, lawsuits, and fines.” The findings are published in Lokker’s Online Data Privacy Report March 2024.


ONC Reports on Progress on Advancing Nationwide, Trusted Health Information Networks

The HHS Office of the National Coordinator for Health Information Technology (ONC) has provided an update to Congress on the progress that has been made on the access, exchange, and use of electronic health information through trusted health information networks (HINs) and health information exchanges (HIEs).

Health IT is integral to healthcare delivery, and it has become even more so since the passage of the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009. Across the United States, hundreds of physician offices, hospitals, and health systems now use ONC-certified health IT to access, process, store, and exchange electronic health information (EHI), and ONC reports significant progress in the past year toward nationwide interoperability and connecting nationwide, trusted HINs.

According to the ONC report, 85% of hospitals have electronically queried or found patient health information through various methods; 64% of hospitals reported using nationwide networks that enable data exchange across different health IT systems in 2021; around half of physicians searched for or queried patient health information via their EHR when seeing a new patient in 2021; and HINs are one of the most common methods used by hospitals to electronically send and receive summary of care records.

There are, however, barriers to progress. As explained to Congress in a February 2023 report, those barriers have resulted in uneven progress across healthcare and have affected the ability to realize the full potential of certified health IT. In 2021, 72% of hospitals reported challenges exchanging data across different EHR vendor platforms, 54% faced challenges developing customized interfaces, 57% faced challenges matching and identifying the correct patient between systems, and in 2022, around three-quarters of hospitals experienced at least one challenge to electronic public health reporting.

HINs and HIEs each have limitations, which are being addressed through the Trusted Exchange Framework and Common Agreement (TEFCA). TEFCA simplifies network participation by providing a way for healthcare providers, health plans, and patients to make a single connection to access EHI on a nationwide scale, and TEFCA supports a broader range of exchange purposes, including treatment, payment, healthcare operations, public health, government benefits determination, and individual access services.

ONC published version 1.1 of TEFCA in November 2023, and in December, five organizations completed the TEFCA onboarding process and were officially designated as Qualified Health Information Networks (QHINs). A further two organizations were designated as QHINs in February 2024.

ONC anticipates more organizations will be designated as QHINs in the coming year and reports that most hospitals are aware of TEFCA and plan to participate. ONC expects TEFCA will scale significantly and will create a pathway for modern information sharing. Patients will experience the benefits, especially those who have multiple healthcare providers, as it will make it much easier to efficiently access and manage their own health information; although, said ONC, virtually everyone who uses the healthcare system will eventually benefit from connected HINs.

ONC thanked Congress for its commitment to the 21st Century Cures Act, which envisioned TEFCA, and recommended support for the implementation of the health IT provisions of the Cures Act.


OCR Settles HIPAA Right of Access Investigation with Phoenix Healthcare for $35,000

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced that a $35,000 settlement has been reached with Phoenix Healthcare to resolve a HIPAA Right of Access violation. This is the 47th investigation of a HIPAA Right of Access case to result in a financial penalty. The HIPAA Right of Access provision of the HIPAA Privacy Rule requires patients or their personal representatives to have timely access to their health information. Access/copies of the requested information must be provided within 30 days of the request being received.

OCR received a complaint from a daughter whose mother was a patient of Phoenix Healthcare, an Oklahoma multi-facility organization in nursing care. The daughter was the personal representative of her mother and had not been provided with timely access to her mother’s medical records. The daughter requested the records on multiple occasions and had to wait almost a year to receive the requested data. The requested records were provided 323 days after the initial request was made.

The daughter reported the matter to OCR as a potential HIPAA violation and OCR launched an investigation. OCR determined that there had been a violation of the HIPAA Right of Access and informed Phoenix Healthcare by letter on March 30, 2021, of its intention to impose a financial penalty of $250,000 for the failure to comply with the HIPAA Right of Access provision of the HIPAA Privacy Rule. Phoenix Healthcare contested the proposed fine and requested a hearing before an Administrative Law Judge (ALJ). The ALJ upheld the violations cited by OCR and found that there had been wilful neglect of the HIPAA Privacy Rule. The ALJ ordered Phoenix Healthcare to pay a civil monetary penalty of $75,000.

Phoenix Healthcare appealed the $75,000 penalty, contesting both the penalty amount and the wilful neglect determination. The Departmental Appeals Board affirmed the ALJ’s decision that there had been wilful neglect of the HIPAA Rules and the order to pay $75,000; however, OCR chose to settle with Phoenix Healthcare and reduced the financial penalty to $35,000 on the condition that the Departmental Appeals Board’s decision is not challenged, that Phoenix Healthcare revises its HIPAA policies and procedures, and that it provides HIPAA training on the revised policies and procedures to its workforce.

“Patients need to make the best decisions possible for their health and well-being, so timely access to their medical records is imperative,” said OCR Director Melanie Fontes Rainer. “Without this access, patients are at risk for incorrect treatments, inaccurate health records, and lack of understanding of their health conditions. It is unacceptable for a health care provider to delay or deny requests to release medical records for months, and we are calling on providers everywhere to be compliant to help empower patients.”

This is the third OCR HIPAA investigation of 2024 to result in a financial penalty, the others being a $4,750,000 settlement with Montefiore Medical Center, and a $40,000 settlement with Green Ridge Behavioral Health.


CISA Proposes Cyberattack Reporting Rules for Critical Infrastructure Entities

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has proposed a rule that implements cyberattack and ransom payment reporting requirements for critical infrastructure entities, as required by the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA).

In March 2022, CIRCIA was signed into law by President Biden, one of the requirements of which was for CISA to develop and implement new regulations that require critical infrastructure entities, including hospitals and health systems, to report covered cyber incidents and ransomware payments to CISA. The purpose of the reporting is to provide CISA with timely information about cyberattacks to allow resources to be rapidly deployed and assistance provided to support victims of cyberattacks and allow CISA to rapidly identify cyberattack trends and disseminate information to help network defenders prevent further attacks.

When developing the new requirements, CISA consulted with various entities, including the Sector Risk Management Agencies, the Department of Justice, other appropriate Federal agencies, the DHS-chaired Cyber Incident Reporting Council, and non-federal stakeholders.

Incidents That Should Be Reported

  • Unauthorized access to systems
  • Denial of Service (DoS) attacks that last more than 12 hours
  • Malicious code on systems, including variants if known
  • Targeted and repeated scans against services on systems
  • Repeated attempts to gain unauthorized access to systems
  • Email or mobile messages associated with phishing attempts or successes
  • Ransomware against critical infrastructure, including variant and ransom details if known

Information That Should be Shared

  1. Incident date and time
  2. Incident location
  3. Type of observed activity
  4. Detailed narrative of the event
  5. Number of people or systems affected
  6. Company/Organization name
  7. Point of Contact details
  8. Severity of event
  9. Critical Infrastructure Sector if known
  10. Anyone else that has been informed

Proposed Timeframe for Reporting

Time is of the essence when reporting incidents. The sooner CISA is informed, the faster information can be shared to warn other organizations in the sector about attackers’ tactics, techniques, and procedures. Covered entities will be required to report covered incidents within 72 hours, and ransom payments will need to be reported within 24 hours of payment being made.

Since some of the requirements of CIRCIA are regulatory, CISA is first required to publish a Notice of Proposed Rulemaking (NPRM) in the Federal Register and accept public comments for 60 days. The NPRM was published in the Federal Register on March 27, 2024. The Final Rule will be published within 18 months of the date of the NPRM.

The new reporting requirements will not be mandatory until the Final Rule takes effect; however, CISA encourages all critical infrastructure entities to voluntarily report cyberattacks and ransom payments ahead of the compliance date. The information shared will allow CISA to provide assistance and warnings to other organizations to prevent them from suffering similar attacks.

A fact sheet has been released that summarizes the key requirements, and the NPRM can be viewed in the Federal Register.


New Compliance Requirements for Florida Hospitals with Emergency Departments

Florida Governor Ron DeSantis has signed the “Live Healthy” legislative package into law, which enhances current policies and includes $716 million in health care investments. The purpose of the legislative package is to strengthen Florida’s health care workforce, broaden access to quality health care, and foster innovation in the industry. The new laws introduce new compliance requirements for hospitals with emergency departments.

The bills signed by Governor DeSantis on March 21, 2024, are:

  • SB 7016, which creates and expands training programs that will help to develop and retain Florida’s health care workforce.
  • SB 7018, which harnesses the innovation and creativity of entrepreneurs and industry leaders to meet the needs and challenges of Florida’s evolving health care system.
  • SB 1758, which formalizes some of the great work already underway within the Agency for Persons with Disabilities through the First Lady’s Hope Florida initiative.
  • SB 330, which creates a new category of teaching hospitals dedicated to advancing behavioral health care through research, collaborating with our colleges and universities, and partnering with the state of Florida to address acute behavioral health care needs.
  • SB 322, which creates public record and meeting exemptions for personal identifying information for practitioners participating in the Interstate Medical Licensure Compact, the Audiology and Speech-Language Pathology Interstate Compact, and the Physical Therapy Licensure Compact.

“We are taking action to bolster our health care workforce to keep pace with our state’s unprecedented growth,” said Governor DeSantis. “I applaud Senate President Passidomo for her dedication to this cause, which contributes to positioning Florida as the freest and healthiest state in the nation.”

New Compliance Requirements for Florida Hospitals with Emergency Departments

One of the bills, SB 7016, introduces new rules for hospitals with emergency departments (EDs), including hospitals with off-campus EDs. In Florida, many patients use EDs for non-emergent care or seek emergency care that could have been avoided if they received regular primary care. The bill requires hospitals with EDs to submit a diversion plan to the state that details how they will help these patients access the appropriate care setting if they present to the ED with a non-emergent condition or indicate that they do not have regular access to primary care.

The nonemergency care access plans (NCAPs), which must not conflict with the Emergency Medical Treatment and Labor Act, will require state approval by July 1, 2025, after which hospitals will be required to submit their plans annually and demonstrate that they are effective. If the NCAP does not receive state approval, it must be updated before a license is granted or renewed.

For Medicaid patients, the NCAP must include outreach to the patient’s Medicaid managed care plan, and at least one of the following:

  1. A partnership agreement with at least one local federally qualified health center or another primary care setting. Staff at the ED must proactively seek to establish a relationship between the patient and the federally qualified health center or primary care setting if the patient indicates they do not have regular access to primary care.
  2. The establishment and operation of a hospital-owned urgent care center within or in close proximity to the hospital ED, to which the patient can be diverted if, after an initial screening, the patient requires non-emergent healthcare services.
