Healthcare Compliance News

HTI-1 Final Rule Takes Effect Today

The Health Data, Technology, and Interoperability: Certification Program Updates, Algorithm Transparency, and Information Sharing (HTI-1) Final Rule takes effect today (February 8, 2024). The Final Rule was issued through the HHS’ Office of the National Coordinator for Health Information Technology (ONC) and was released on December 13, 2023.

The Final Rule implements provisions of the 21st Century Cures Act and updates the ONC Health IT Certification Program with new and updated standards to promote valid, safe, effective, and fair development and implementation of AI systems, in line with the principles and priorities of President Biden’s Executive Order 14110: Safe, Secure and Trustworthy Development and Use of Artificial Intelligence. The Final Rule is intended to advance ONC-certified health IT interoperability, algorithm transparency, and data standardization to improve patient outcomes and reduce healthcare costs.

The Final Rule establishes new requirements for transparency for AI and other predictive algorithms that are part of ONC-certified health IT, which is utilized by more than 96% of hospitals and 78% of office-based physicians in the United States. The transparency requirements allow clinical users of systems that incorporate AI and machine learning algorithms to access a consistent, baseline set of information about the algorithms and assess them for fairness, appropriateness, validity, effectiveness, and safety.

The Final Rule adopts the United States Core Data for Interoperability (USCDI) Version 3 (v3) as the new baseline standard within the ONC Health IT Certification Program. USCDI v3 includes updates to prior USCDI versions that are aimed at advancing more accurate and complete patient characteristics data to promote equity, reduce disparities, and support public health data interoperability. While the Final Rule is now in effect, developers of certified health IT have until January 1, 2026, to move to USCDI v3, although they can make that move sooner.

The Final Rule also introduced new information blocking requirements to support information sharing, revised some information blocking definitions, and added a new exception to encourage secure, efficient, standards-based exchange of electronic health information under the Trusted Exchange Framework and Common Agreement (TEFCA).

The Final Rule also introduced new interoperability-focused reporting metrics for certified health IT to give better insight into how certified health IT is used to support care delivery, in line with the 21st Century Cures Act requirement to adopt a Condition of Certification under which developers of certified health IT report metrics as part of their participation in the Certification Program.

With the Final Rule now in effect, IT systems, information sharing policies, data collection, and reporting practices should be assessed to confirm that they comply with these new requirements.

The post HTI-1 Final Rule Takes Effect Today appeared first on HIPAA Journal.

What is Healthcare Compliance Tracking Software?

Healthcare compliance tracking software is a tool that helps healthcare organizations keep compliance programs on schedule by automating the management of activities such as risk assessments, policy and procedure reviews, workforce training, and incident management. When used effectively, healthcare compliance tracking software can help organizations avoid legal risks, better protect the privacy and security of health information, and improve the quality of patient care.

Healthcare organizations have a lot of regulations and standards to comply with. Not only are most healthcare organizations required to comply with HIPAA, OSHA, and FDA regulations, but they might also have to meet CMS’ conditions for participation in Medicare, the voluntary standards for Joint Commission accreditation, and industry-specific or role-specific state licensing requirements.

In addition, if a healthcare organization operates in a state that has passed a data privacy law that does not exempt HIPAA covered entities and business associates, there may be occasions in which a provision of a state data privacy law preempts a provision of HIPAA – notwithstanding that some states exempt Protected Health Information, but not other types of identifiable information.

As a consequence of multiple regulations and standards, it is often difficult to keep on top of compliance activities. Even the best planned healthcare compliance programs can be thrown off-schedule by an unforeseen event – for example, the recent guidance that using tracking technologies on user-authenticated healthcare web pages could be a HIPAA violation.

How Healthcare Compliance Tracking Software can Keep Programs on Schedule

Healthcare compliance tracking software works by tracking program initiatives and activities to alert compliance teams when risk assessments are due for review, when policies and procedures need revising, and when workforce training needs to be provided or repeated – or, in the case of a security awareness training program, when the program needs to be updated to reflect emerging threats.

The same capabilities can be configured to manage Business Associate Agreements and the retention of compliance documentation, and to produce reports for upper management to show the value of investing in healthcare compliance tracking software. In some cases, the value of the investment can be that it is possible to demonstrate a good faith effort to comply with regulations and standards.

Thereafter – depending on the compatibility of the software with an existing IT infrastructure – healthcare compliance tracking software can be used to manage incident responses (i.e., compliance with the HIPAA Breach Notification Rule) or ensure corrective action plans remain on schedule to avoid an extension of the plan or a civil financial penalty for failing to comply with the plan.

The Benefits of Tracking Compliance Activities with Automation

The primary benefit of tracking compliance activities with automation is that healthcare compliance tracking software reduces the likelihood of human error due to an oversight or misinterpretation of a compliance activity. This reduces the likelihood of non-compliance and the consequences of non-compliance such as remedial action, legal risks, and financial costs (both direct and indirect costs).

In addition, by mitigating the risk that compliance activities will fall behind schedule, healthcare compliance tracking software helps better protect the privacy and security of health information. The benefit of this is that, when patients believe their health information will remain confidential, they are more likely to share details of their health conditions with healthcare providers.

With more information available to them, healthcare providers can make better informed decisions about diagnoses and treatment plans, which improves the quality of patient care and leads to better patient outcomes. Better patient outcomes not only reduce healthcare costs, but can improve staff morale and retention – saving healthcare organizations staff recruitment and training costs.

The above is just a snapshot of the capabilities and benefits of healthcare compliance tracking software. If you would like to know more about tracking compliance activities with automation, or developing a compliance program that accounts for the variety of regulations and standards, it is advisable to speak with a healthcare compliance expert.


Why is Compliance Important in Healthcare?

Compliance is important in healthcare because complying with the regulations that govern the healthcare industry can help avoid legal risks and penalties for non-compliance, protect the privacy and security of individually identifiable health information, and improve the quality and safety of patient care. In addition, demonstrating compliance with healthcare regulations can enhance the reputation of – and trust in – healthcare organizations and healthcare professionals.

Compliance in healthcare can mean different things to different people. For healthcare organizations, compliance can mean following the rules and regulations that apply to their operations. Depending on the nature of their operations, this can mean complying with (for example) HIPAA, OSHA, the Joint Commission standards, and the conditions of participation in Medicare. Most organizations also have to comply with local regulations relating to public health and emergency preparedness.

For members of organizations’ workforces, compliance in healthcare most often means complying with the organization’s policies and procedures. Although there are circumstances in which individuals can be personally liable for regulatory violations, in most cases the penalty for not complying with an organization’s policies and procedures is determined by the content of the organization’s sanctions policy (i.e., verbal/written warning, suspension, termination, etc.).

Compliance in healthcare is also important to patients. Not only are patients more likely to disclose confidential information about themselves when they feel the information will remain confidential – which can result in more accurate diagnoses and treatment plans, and better patient outcomes – but they are more likely to comply with treatment plans and therapies – resulting in less patient testing, fewer avoidable hospital visits, lower readmissions, and reduced costs for healthcare organizations.

However, although compliance in healthcare can mean different things to different people, the benefits of compliance are connected. When a healthcare organization complies with regulations, it provides a safer, better educated workforce that can deliver a better standard of care to patients. When workforce members comply with organizational policies and procedures, it can reduce costs and better protect patient data, and when patients comply with their treatment plans and therapies, workforce morale and retention increase, further reducing costs for healthcare organizations.

Compliance for Healthcare Organizations

Compliance for healthcare organizations is complicated by the number of rules and regulations they have to comply with, the way regulations can overlap, and the frequency with which they can change. In larger organizations, compliance teams may be required to manage the volume of rules and regulations and the frequency with which they can change, while HR, legal, and IT teams may also be involved in developing policies and procedures and monitoring compliance with them.

Compliance for healthcare organizations is not only a legal obligation, but also a moral and ethical one. Healthcare organizations have a duty to uphold the standards of their profession and to act in the best interests of their patients. Complying with the applicable rules and regulations helps healthcare organizations deliver high-quality care that meets the needs and expectations of their patients, as well as the requirements of the law in order to avoid legal risks and penalties.

Why is Workforce Compliance Important in Healthcare?

Workforce compliance is important in healthcare because members of the workforce are the public face of healthcare organizations. By demonstrating an understanding of regulatory compliance and complying with the policies and procedures implemented by the healthcare organization, members of the workforce can build trust between patients and healthcare providers, which not only benefits patients but can also result in increased workplace morale and job satisfaction.

Failing to comply with organizational policies can be professionally detrimental to workforce members. While minor violations of organizational policies and procedures might only result in a verbal warning or compliance retraining, serious or repeated violations can lead to sanctions that remain permanently on an employment record – or, in the worst cases, lead to suspension, termination of contract, and loss of license to practice.

Why is Patient Compliance Important in Healthcare?

Patient compliance, also known as medication adherence, is the degree to which patients follow the instructions of their healthcare providers. It is an important metric in the effectiveness of treatments, the prevention of complications, and the improvement of patient outcomes. However, patient compliance in healthcare is surprisingly low. According to the World Health Organization, only about 50% of patients in developed countries adhere to their prescribed therapies.

Improving patient compliance in healthcare requires a multifaceted approach that involves educating and counseling patients about their condition and treatment options, providing them with clear and simple instructions and reminders, and addressing their concerns and preferences. However, in order for this approach to work, it is necessary for patients to trust their healthcare providers – something that can be accomplished by organizational and workforce compliance in healthcare.

Improving Compliance in Healthcare

Compliance is not a one-time event, but an ongoing process that requires constant monitoring, evaluation, and improvement. Healthcare organizations need to have effective compliance programs that include policies, procedures, training, auditing, and reporting. Sanctions also need to be applied fairly and consistently. Compliance programs should be tailored to the needs and risks of each organization, and should be updated regularly to reflect changes in the industry and in the law.

One way to improve compliance in healthcare is by deploying healthcare compliance software that can be customized for each organization’s compliance requirements. Solutions of this nature help organizations cope with multiple regulations, adapt to changing regulations, increase compliance efficiency, support growth and expansion, and improve patient outcomes. To find out if healthcare compliance software may be a solution for your organization, speak with a healthcare compliance expert.


The Benefits of Outsourced Healthcare Compliance

Outsourced healthcare compliance is when external experts or agencies take responsibility for some of an organization’s compliance obligations – either working in-house as a separate compliance unit, working in-house as a consultant to a compliance team, or working remotely via healthcare compliance software. They can also work as outsourced compliance experts for one particular regulation (e.g., HIPAA), or one element of multiple regulations (e.g., workforce training).

Outsourced healthcare compliance services can perform a wide range of compliance tasks, including risk assessments, policy development, training programs, audits, and ongoing compliance monitoring. By outsourcing these tasks, healthcare organizations can draw on specialized knowledge and experience that is not readily available in-house, particularly when they lack the resources to keep up to date with changes to federal, state, and industry regulations.

The Benefits of Outsourced Healthcare Compliance

Outsourced healthcare compliance has the primary benefit of enabling organizations to concentrate on core healthcare operations while entrusting some or all of their compliance obligations to experts. Some of the other benefits of outsourced healthcare compliance include:

Access to Specialized Knowledge

It is difficult for small compliance teams to keep up to date with every federal, state, and industry healthcare compliance requirement. Outsourced healthcare compliance provides access to experienced compliance professionals who are not only up to date with current compliance requirements, but who are also aware of changes under consideration.

Enhanced Efficiency

Due to having specialized knowledge of all applicable compliance regulations, outsourced healthcare compliance services can enhance efficiency by eliminating duplicated requirements – for example, HIPAA, OSHA, and CMS’ conditions for participation in Medicare all include similar emergency preparedness requirements.

Risk Reduction

Having specialized knowledge can also help organizations reduce the risk of non-compliance in cases where (for example) a provision of state law preempts a provision of HIPAA or additional training requirements exist due to the nature of an organization’s operations. Reducing the risks of non-compliance reduces the likelihood of penalties for non-compliance.

Better Trained Workforce

Due to their experience with different types of healthcare organizations, outsourced healthcare compliance services are often more familiar with how workforces absorb and apply training. This means training sessions can be better compiled and delivered by an external source to increase the likelihood of a better trained and compliant workforce.

Cost Savings

Outsourcing healthcare compliance can lead to cost savings by avoiding the need to hire an employee with the necessary compliance experience (e.g., a HIPAA Privacy Official). Instead, outsourcing healthcare compliance allows organizations to pay for external compliance services on an as-needed basis.

How to Evaluate External Compliance Services

Selecting an external compliance service requires careful consideration of several key factors. If a service provider is offering a technology solution, it is important that the solution is customizable to meet all the organization’s compliance obligations. It is also important that the provider offers technical and administrative support to deploy and configure the solution.

Other tips include ensuring the provider can demonstrate expertise in healthcare compliance and an understanding of industry regulations and best practices. It may also be necessary to research the provider’s reputation via a reputable source to assess their previous successes and failures – particularly with regard to integrating their technology solution into an existing IT infrastructure.

Finally, it is vital that prospective outsourced healthcare compliance experts provide reasonable expectations of what their services might entail. These expectations should include loss of organization control and the potential for a lengthy transition period – during which time there may be operational disruptions. In all cases, before engaging an outsourced healthcare compliance service, it is best to seek independent compliance advice.


What is a Clearinghouse in Healthcare?

A clearinghouse in healthcare is a middleman between a healthcare provider and a health plan that checks claims from healthcare providers to ensure they don’t contain errors before forwarding them to a health plan for payment. Having a middleman to check for accuracy reduces workloads for both healthcare providers and health plans and accelerates the payment of claims.

A clearinghouse in healthcare has several definitions – and can have several interpretations of the definitions. For health plans and healthcare providers subject to the HIPAA Administrative Simplification Regulations, it can be important to understand how the Department of Health and Human Services defines a clearinghouse in healthcare to avoid unintentional HIPAA violations.

What is a Healthcare Clearinghouse under HIPAA?

In the definitions section of the HIPAA Administrative Simplification Regulations (§160.103), a healthcare clearinghouse under HIPAA is defined as a public or private entity, including a billing service, repricing company, community health management information system or community health information system, and “value added” networks and switches, that performs either of the following functions:

(1) Processes or facilitates the processing of health information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements, or

(2) Receives a standard transaction from another entity and processes or facilitates the processing of health information into nonstandard format or nonstandard data content for the receiving entity.

Wasn’t HIPAA Supposed to Standardize the Claims Process?

To an onlooker from outside the industry, it might seem strange that healthcare providers and health plans still use healthcare clearinghouses when one of the objectives of the HIPAA Administrative Simplification Regulations was to standardize the claims process in order to reduce inefficiencies and reduce the likelihood of fraud in the healthcare industry.

However, healthcare billing is a challenging process. There are currently four medical data code sets permitted by HIPAA, one of which – ICD-10 – has more than 68,000 codes to represent different diagnoses and treatments. Once you multiply these by the number of HCPCS codes (for medical services and medical supplies) and numerous National Drug Codes, it is easy to see how errors can be made.

To further complicate the issue, there are thousands of health plans and thousands of hospitals in the United States. Some will have up-to-date claims software, others will not. A clearinghouse in healthcare not only has to ensure claims are correct but also that they are delivered to the health plan for payment if a healthcare provider and health plan use incompatible software.

Other challenges to take into account include state laws relating to the payment of healthcare claims, co-pays, and deductibles. It would be extremely difficult for a healthcare provider to manage all the codes and variables associated with the claims process accurately, which could delay payments and potentially result in cashflow problems for healthcare organizations on tight budgets.

Why it is Important to Understand what a Clearinghouse in Healthcare is

For health plans and healthcare providers subject to the HIPAA Administrative Simplification Regulations, it is important to understand when a clearinghouse in healthcare qualifies as a Covered Entity and when a clearinghouse in healthcare qualifies as a Business Associate to ensure that – in the latter case – a Business Associate Agreement is in place to comply with the HIPAA requirements.

A clearinghouse qualifies as a Covered Entity when it conducts business-to-business transactions as described in the definitions above. However, if Covered Entity A conducts its own clearinghouse activities (i.e., a healthcare provider that bills health plans directly), and is contracted by Covered Entity B to conduct clearinghouse activities on its behalf, Covered Entity A becomes a Business Associate of Covered Entity B, and it is necessary for a Business Associate Agreement to be in place.

Health plans and healthcare providers unsure about when a clearinghouse in healthcare qualifies as a Covered Entity and when it qualifies as a Business Associate should seek professional compliance advice.

What is a Healthcare Clearinghouse? FAQs

What is a Healthcare Clearinghouse in Medical Billing?

A healthcare clearinghouse in medical billing converts medical billing data into a standard format that can be understood by different payers and checks the claims for errors or missing information. A clearinghouse also verifies the patient’s insurance eligibility, submits the claims electronically, and tracks their status. A clearinghouse helps to streamline the billing process, reduce denials, and speed up reimbursements for healthcare providers.

How do Healthcare Clearinghouses Ensure the Security of Medical Data?

Healthcare clearinghouses ensure the security of medical data in several ways:

Compliance with HIPAA Regulations – Clearinghouses are required to comply with the applicable standards of the Health Insurance Portability and Accountability Act (HIPAA), which mandates the secure and confidential handling of sensitive patient data.

Secure Data Transmission – Healthcare clearinghouses function as electronic hubs that allow healthcare providers to transmit claims to health plans in ways that ensure Protected Health Information (PHI) remains secure.

Data Normalization – Clearinghouses process and convert medical claims into a standardized format, a process termed “normalization”. This involves converting the diverse data formats used by healthcare providers into a uniform structure that health plans can readily process.

Claim Scrubbing – Healthcare clearinghouses review each claim (a process known as claim scrubbing) before it reaches the health plan, thereby minimizing errors, identifying potential security issues, and speeding up the reimbursement process.

By implementing these measures, healthcare clearinghouses play a pivotal role in ensuring accurate, efficient, and secure data exchange in the healthcare industry.

Are Healthcare Providers Required to Use a Clearinghouse?

Healthcare providers are not explicitly required to use a clearinghouse for processing medical claims. However, while it’s not a requirement, many healthcare providers choose to use a clearinghouse because of the benefits they offer – such as eligibility verification, electronic remittance advice, and the ability to handle a variety of medical claims. The decision to use a clearinghouse may depend on various factors, including the size of the healthcare provider, the volume of claims processed, and the resources available for handling claims internally.


HHS Unveils Voluntary HPH Cybersecurity Performance Goals

The Department of Health and Human Services (HHS) has unveiled the Cybersecurity Performance Goals (CPGs) that were outlined in its December 2023 Healthcare Sector Cybersecurity Strategy. These voluntary goals will help healthcare organizations take the necessary steps to improve cybersecurity and guide them through implementing high-impact measures to quickly improve resilience to cyber threats and recover quickly should their defenses be breached.

Cyberattacks on healthcare organizations have increased significantly in recent years with 2023 breaking records for the number of data breaches (725) and the number of breached records (133M). The HHS Cybersecurity Strategy aims to help the healthcare and public health (HPH) sector prepare for and respond to cyber threats, adapt to a rapidly changing threat landscape, and improve cyber resilience across the sector, with the establishment of voluntary cybersecurity goals the first step in that process.

The voluntary CPGs will help HPH sector organizations prioritize the implementation of high-impact cybersecurity practices – cybersecurity practices that will have the greatest impact on improving resilience to the most common attack vectors. As outlined in the HHS cybersecurity strategy, two tiers of CPGs have been developed: Essential CPGs and Enhanced CPGs. The essential CPGs are relatively low-cost minimum foundational cybersecurity practices that will greatly improve cybersecurity, and the enhanced CPGs are intended to encourage the adoption of more advanced cybersecurity practices. The aim is to get all healthcare delivery organizations to adopt the essential CPGs to make it harder for cyber actors to gain access to their networks and incentivize them to mature their cybersecurity programs by adopting the Enhanced CPGs.

The CPGs were developed based on the Cross-Sector CPGs released by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) in March 2023, which were intended to serve as a cybersecurity baseline for all critical infrastructure entities. The HHS collaborated with CISA and the industry to develop the healthcare-specific CPGs, which were also informed by common industry cybersecurity frameworks, guidelines, best practices, and strategies such as the National Cybersecurity Strategy, Healthcare Industry Cybersecurity Practices (HICP) and the National Institute of Standards and Technology (NIST) Cybersecurity Framework.

Layered Protection at Each Stage of the Attack Chain

The HPH CPGs are concerned with improving resiliency at all points in digital systems that can be exploited by cyber actors. The Essential CPGs will help HPH sector organizations address common vulnerabilities to improve their security posture, improve incident response, and minimize residual risk. The Enhanced CPGs are intended to help HPH sector organizations mature their cybersecurity capabilities and improve their defense against additional attack vectors.

Essential HPH CPGs

  • Mitigate Known Vulnerabilities
  • Email Security
  • Multifactor Authentication
  • Basic Cybersecurity Training for the Workforce
  • Strong Encryption for Sensitive Data in Transit
  • Revoke Credentials for Departing Workforce Members, Including Employees, Contractors, Affiliates, and Volunteers
  • Basic Incident Planning and Preparedness
  • Unique Credentials for all members of the Workforce
  • Separate User and Privileged Accounts
  • Vendor/Supplier Cybersecurity Requirements

Enhanced CPGs

  • Asset Inventory
  • Third-Party Vulnerability Disclosure
  • Third-Party Incident Reporting
  • Cybersecurity Testing
  • Cybersecurity Mitigation
  • Detect and Respond to Relevant Threats and Tactics, Techniques, and Procedures (TTP)
  • Network Segmentation
  • Centralized Log Collection
  • Centralized Incident Planning and Preparedness
  • Configuration Management

Initially, the CPGs will be voluntary; however, the HHS will use these CPGs to inform future rulemaking, including new cybersecurity requirements for healthcare organizations that participate in Medicare and Medicaid programs, the planned updates to the HIPAA Security Rule, and HHS efforts to incentivize the adoption of cybersecurity practices. Any new regulatory updates that include new cybersecurity requirements will be subject to standard notice and comment periods.

“We have a responsibility to help our health care system weather cyber threats, adapt to the evolving threat landscape, and build a more resilient sector,” said HHS Deputy Secretary Andrea Palm. “The release of these cybersecurity performance goals is a step forward for the sector as we look to propose new enforceable cybersecurity standards across HHS policies and programs that are informed by these CPGs.”

The HHS outlined in its cybersecurity strategy its plans to make funds available to help under-resourced healthcare delivery organizations make the necessary investments in cybersecurity by helping to cover the initial costs of implementing the essential CPGs. The HHS also plans to create an incentive program to encourage the adoption of the Enhanced CPGs. The establishment of these programs to help financially challenged hospitals is essential, as while the creation of the CPGs is a great first step, many healthcare delivery organizations simply do not have the funding available to make the necessary investments to improve cybersecurity.

The HPH CPGs are detailed in an 11-page PDF document that can be accessed on the HHS HPH Cyber website.


December 2023 Healthcare Data Breach Report

There was no letup in healthcare data breaches as the year drew to a close, with December seeing the second-highest number of data breaches of the year. The Department of Health and Human Services (HHS) Office for Civil Rights received 74 reports of healthcare data breaches of 500 or more records in December, which helped make 2023 a record-breaking year for healthcare data breaches. While there may still be some late additions to the list, as of January 18, 2023, 725 data breaches of 500 or more healthcare records have been reported to OCR in 2023 – the highest number since OCR started publishing records of data breaches on its “Wall of Shame.” To add some perspective, that is more than twice the number of data breaches that were reported in 2017.

It is not just the number of data breaches that is concerning. Healthcare data breaches have been increasing in severity and there have been ransomware attacks that have seen patients contacted and threatened directly with the exposure of their sensitive health data. Many of the data breaches reported in 2023 have been on a colossal scale, with December no exception with two multi-million-record data breaches reported.

Since 2009, when OCR created its Wall of Shame, the number of breached records has been trending upwards, but even the most pessimistic of security professionals would not have predicted at the start of 2023 that there would be such a massive rise in breached records. 2021 was a bad year with 45.9 million records breached, and 2022 was worse with 51.9 million breached records, but in 2023, an astonishing 133 million records were exposed or stolen. On January 18, 2024, the OCR breach portal showed that 133,068,542 individuals had their protected health information exposed or stolen in 2023.

We will explore the year’s data breaches in greater detail and make predictions for the coming year in posts over the next few days but first, let’s take a dive into December’s data breaches to see where and how 11,306,411 healthcare records were breached.

The Biggest Healthcare Data Breaches in December 2023

Two of the largest data breaches of 2023 were reported in December, the largest of which occurred at the New Jersey-based analytics software vendor, HealthEC. Hackers gained access to a system used by more than 1 million healthcare professionals to improve patient outcomes. The platform contained the protected health information of 4,452,782 individuals. The data breach was the second in as many months to result in the exposure of the health data of more than 1 million Michigan residents, prompting the Michigan Attorney General to call for new legislation to hold companies accountable for breaches of healthcare data.

A 2.7 million-record data breach was reported by another business associate, ESO Solutions. ESO Solutions is a provider of software solutions for hospitals, health systems, EMS agencies, and fire departments, and had its network breached and files encrypted with ransomware. At least 12 health systems and hospitals are known to have been affected.

More than 900,000 records were obtained by hackers who gained access to an archive of data from the now defunct Fallon Ambulance Services, which was being stored to meet data retention requirements by Transformative Healthcare, and a cyberattack on Electrostim Medical Services exposed the data of almost 543,000 patients.

It has now been 7 months since the Clop hacking group exploited a zero-day vulnerability in Progress Software’s MOVEit Transfer solution and data breach reports continue to be issued. More than 2,600 organizations worldwide had data stolen in the attacks, with the healthcare industry among the worst affected.

| Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Cause of Data Breach |
|---|---|---|---|---|
| HealthEC LLC | NJ | Business Associate | 4,452,782 | Hacking incident (Data theft confirmed) |
| ESO Solutions, Inc. | TX | Business Associate | 2,700,000 | Ransomware attack |
| Transformative Healthcare (Fallon Ambulance Services) | MA | Healthcare Provider | 911,757 | Hacking incident (Data theft confirmed) |
| Electrostim Medical Services, Inc. dba EMSI | FL | Healthcare Provider | 542,990 | Hacking incident |
| Cardiovascular Consultants Ltd. | AZ | Healthcare Provider | 484,000 | Ransomware attack (Data theft confirmed) |
| Retina Group of Washington, PLLC | MD | Healthcare Provider | 455,935 | Ransomware attack |
| CompleteCare Health Network | NJ | Healthcare Provider | 313,973 | Ransomware attack (Data theft confirmed) |
| Health Alliance Hospital Mary’s Avenue Campus | NY | Healthcare Provider | 264,197 | Hacking incident (Data theft confirmed) |
| Independent Living Systems, LLC | FL | Business Associate | 123,651 | Hacking incident (MOVEit) |
| Pan-American Life Insurance Group, Inc. | LA | Health Plan | 105,387 | Hacking incident (MOVEit) |
| Meridian Behavioral Healthcare, Inc. | FL | Healthcare Provider | 98,808 | Hacking incident |
| Mercy Medical Center | IA | Healthcare Provider | 97,132 | Hacking incident at business associate (PJ&A) |
| Pan-American Life Insurance Group, Inc. | LA | Business Associate | 94,807 | Hacking incident (MOVEit) |
| Regional Family Medicine | AR | Healthcare Provider | 80,166 | Hacking incident |
| HMG Healthcare, LLC | TX | Healthcare Provider | 80,000 | Hacking incident (Data theft confirmed) |
| Heart of Texas Behavioral Health Network | TX | Healthcare Provider | 63,776 | Hacking incident |
| Kent County Community Mental Health Authority d/b/a Network180 | MI | Healthcare Provider | 59,334 | Unauthorized email account access |
| Highlands Oncology Group PA | AR | Healthcare Provider | 55,297 | Ransomware attack |
| Southeastern Orthopaedic Specialists, PA | NC | Healthcare Provider | 35,533 | Ransomware attack (Data theft confirmed) |
| Eye Physicians of Central Florida, PLLC, a division of Florida Pediatric Associates, LLC | FL | Healthcare Provider | 31,189 | Hacking incident (Data theft confirmed) |
| Clay County Social Services | MN | Business Associate | 22,005 | Ransomware attack (Data theft confirmed) |
| Bellin Health | WI | Healthcare Provider | 20,790 | Hacking incident |
| Neuromusculoskeletal Center of the Cascades, PC | OR | Healthcare Provider | 19,373 | Unauthorized email account access |
| Independent Living Systems, LLC | FL | Healthcare Provider | 19,303 | Hacking incident (MOVEit) |
| Community Memorial Healthcare, Inc. | KS | Healthcare Provider | 14,798 | Hacking incident |
| VNS Choice dba VNS Health Health Plans | NY | Health Plan | 13,584 | Unauthorized email account access |
| Hi-School Pharmacy | WA | Healthcare Provider | 12,779 | Ransomware attack |

Many HIPAA-regulated entities keep information to the bare minimum in their breach reports, which allows them to meet legal requirements for breach reporting while minimizing the risk of disclosing information that could be used against them in class action lawsuits. The problem with this minimalistic breach reporting is the victims of the breach are not given enough information to accurately assess the risk they face, and the lack of transparency in data breach reporting makes it difficult to accurately assess how hackers are gaining access to healthcare networks and the nature of the attacks.

This is especially true for ransomware attacks and data theft/extortion attacks. Several breaches have been reported as hacking incidents involving only a possibility of unauthorized access to or theft of patient data, even though the threat actors behind the attacks have claimed responsibility and added the breached entity to their data leak sites. This trend has grown throughout the year.

December 2023 Data Breach Causes and Data Locations

All of December’s data breaches of 10,000 or more records were hacking incidents, which accounted for 83.78% of the month’s 74 data breaches (62 incidents) and 99.79% of the month’s breached healthcare records (11,283,128 records). The average breach size was 181,986 records and the median breach size was 6,728 records. In 2009, hacking incidents accounted for 49% of all data breaches of 500 or more records. In 2023, hacking incidents accounted for 79.72% of all large data breaches. Something clearly needs to be done to improve resiliency to hacking and there are signs of action being taken at the state and federal level.

In December 2023, the HHS published its Healthcare Sector Cybersecurity Strategy, which details several steps that the HHS plans to take to improve cyber resiliency in the healthcare sector and patient safety. The extent to which these plans will be made a reality will depend on Congress making the necessary funding available. OCR is planning a much-needed update to the HIPAA Security Rule in 2024, and the HHS has stated that it will establish voluntary cybersecurity goals for the healthcare sector and will work with Congress to provide financial assistance for investments in cybersecurity to help cover the initial cost. The New York Attorney General has also announced that there will be new cybersecurity requirements for hospitals in the state after a significant increase in cyberattacks, and that funds have been made available to help low-resource hospitals make the necessary improvements.

There were 8 data breaches classified as unauthorized access/disclosure incidents, involving 14,998 healthcare records. The average breach size was 1,875 records and the median breach size was 1,427 records. There were four loss/theft incidents reported in December, two of which involved stolen paperwork and two involved the loss of electronic devices, with the latter preventable if encryption had been used. 8,285 records were lost across these incidents.

The most common location of breached healthcare data was network services, which is unsurprising given the large number of hacking incidents. 14 data breaches involved protected health information stored in email accounts, three of which resulted in the exposure of more than 10,000 records.

Where did the Data Breaches Occur?

The raw data from the OCR data breach portal shows healthcare providers were the worst affected entity in December with 49 reported breaches of 500 or more records, followed by business associates with 13 breaches, health plans with 11, and a single breach at a healthcare clearinghouse. While healthcare providers suffered the most breaches, it was data breaches at business associates that exposed the most records. Across the 13 business associate-reported breaches, 7,416,567 records were breached, compared to 3,730,791 records in the 49 breaches at healthcare providers. The health plan breaches exposed 156,479 records and 2,574 records were exposed in the healthcare clearinghouse data breach.

These figures do not tell the full story, as the reporting entity may not be the entity that suffered the data breach. Many data breaches occur at business associates of HIPAA-covered entities but are reported to OCR by the covered entity rather than the business associate. A deeper dive into the data to determine where the breach actually occurred reveals there were 24 data breaches at business associates (7,544,504 records), 43 data breaches at healthcare providers (3,616,078 records), 6 data breaches at health plans (143,255 records), and one breach at a healthcare clearinghouse (2,574 records).

The average size of a business associate data breach was 314,354 records (median: 2,749 records), the average size of a healthcare provider data breach was 84,095 records (median: 5,809 records), and the average health plan data breach was 23,876 records (median: 7,695 records). The chart below shows where the data breaches occurred rather than the reporting entity.

Geographical Distribution of Healthcare Data Breaches

HIPAA-regulated entities in 32 states reported data breaches of 500 or more records in December. California was the worst affected state with 8 large data breaches, followed by New York and Texas with 7 reported breaches each.

| State | Number of Breaches |
|---|---|
| California | 8 |
| New York & Texas | 7 |
| Florida | 6 |
| Massachusetts | 4 |
| New Jersey, Tennessee & Wisconsin | 3 |
| Arkansas, Connecticut, Illinois, Kansas, Kentucky, Louisiana, Maryland, North Carolina & Washington | 2 |
| Alaska, Arizona, Colorado, Iowa, Michigan, Minnesota, Mississippi, Missouri, Montana, New Mexico, North Dakota, Oregon, South Carolina, Virginia & West Virginia | 1 |

HIPAA Enforcement in December 2023

OCR announced two enforcement actions against healthcare providers in December to resolve alleged violations of the HIPAA Rules. OCR continued its enforcement initiative targeting noncompliance with the HIPAA Right of Access with its 46th enforcement action over the failure to provide individuals with timely access to their medical records. Optum Medical Care of New Jersey settled its investigation and agreed to pay a financial penalty of $160,000 to resolve allegations that patients had to wait between 84 days and 231 days to receive their requested records when they should have been provided within 30 days.

OCR also announced its first-ever settlement resulting from an investigation of a phishing attack. Lafourche Medical Group in Louisiana suffered a phishing attack that resulted in the exposure of the protected health information of almost 35,000 individuals. While phishing attacks are not HIPAA violations, OCR’s investigation uncovered multiple violations of the HIPAA Security Rule, including no risk analyses prior to the 2021 phishing attack, and no procedures to regularly review logs of system activity before the attack. Lafourche Medical Group chose to settle the investigation and paid a $480,000 penalty.

These two enforcement actions bring the total number of OCR enforcement actions involving financial penalties up to 13, the lowest annual total since 2019, although there was a slight increase in funds raised from these enforcement actions with $4,176,500 collected in fines. OCR is pushing Congress to increase the penalties for HIPAA violations to make penalties more of a deterrent and also to provide much-needed funding to allow OCR to clear the backlog of HIPAA compliance investigations, in particular investigations of hacking incidents. Currently, OCR’s hands are tied, as the department’s budget has remained the same for years, aside from annual increases for inflation, yet its caseload of breach investigations has soared.

HIPAA Enforcement by State Attorneys General

State attorneys general have the authority to enforce HIPAA compliance and 2023 saw an increase in enforcement actions. The HIPAA Journal has tracked 16 enforcement actions by state attorneys general in 2023 that resolved violations of HIPAA or equivalent state consumer protection and data breach notification laws. In December, three enforcement actions were announced, two by New York Attorney General Letitia James and one by Indiana Attorney General Todd Rokita. New York has been particularly active this year having announced 4 settlements to resolve HIPAA violations in 2023 and the state also participated in two multi-state actions.

In December, AG James announced a settlement had been reached with Healthplex to resolve alleged violations of New York’s data security and consumer protection laws with respect to data retention, logging, MFA, and data security assessments which contributed to a cyberattack and data breach that affected 89,955 individuals. The case was settled for $400,000. AG James also investigated New York Presbyterian Hospital over a reported breach of the health information of 54,396 individuals related to its use of tracking technologies on its website, which sent patient data to third parties such as Meta and Google in violation of the HIPAA Privacy Rule and New York Executive Law. The case was settled for $300,000.

The Indiana Attorney General investigated CarePointe ENT over a breach of the health information of 48,742 individuals. AG Rokita alleged that CarePointe ENT was aware of security issues several months before they were exploited by cybercriminals but did not address them in a timely manner. There was also no business associate agreement with its IT services provider. The investigation was settled for $125,000.

The data for this report was obtained from the U.S. Department of Health and Human Services’ Office for Civil Rights on January 18, 2024.

The post December 2023 Healthcare Data Breach Report appeared first on HIPAA Journal.

Refuah Health Center Pays $450K HIPAA Fine; Agrees to $1.2 Million Cybersecurity Investment

New York Attorney General Letitia James has announced that an agreement has been reached with Refuah Health Center Inc. to resolve allegations it failed to maintain reasonable and appropriate cybersecurity controls to protect and limit access to sensitive patient data stored on its network. Under the terms of the agreement, Refuah Health Center has agreed to invest $1.2 million in cybersecurity and will pay $450,000 in penalties and costs.

The NY AG launched an investigation of Refuah Health Center after being notified about a May 2021 ransomware attack that compromised the personal and protected health information of 260,740 individuals, including 175,077 New Yorkers. The Lorenz ransomware group gained access to internal systems in late May 2021, initially compromising a system that was used for viewing videos from internal cameras monitoring its facilities. That system was only protected with a four-digit code.

The attackers stole administrator credentials that were used by a former IT vendor to remotely access the network. The credentials had not been changed for 11 years and had not been deleted or disabled, even though they had not been used by the IT vendor in 7 years. The account did not have multifactor authentication enabled. The credentials allowed access to a large number of files containing patient information that had not been encrypted at the file level.
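The attack path described above (a former vendor's administrator account, unused for years, with a password that was never rotated and no MFA) is exactly what a periodic account audit is meant to catch before an attacker does. The following Python script is an added illustrative example, not code from Refuah Health Center, the NY AG's office, or HIPAA Journal. It runs over a constructed CSV export of accounts (the usernames, dates and thresholds are assumptions, not data from the case) and flags enabled accounts that are dormant, have stale passwords, or hold privileged or vendor access without MFA, then recommends whether to disable the account or rotate the credential and enforce MFA.

```python
"""Dormant / stale privileged-account audit (illustrative example)."""
import csv
import io
from datetime import date

# Constructed sample export; the accounts and dates are assumptions for
# illustration only. A real audit would pull the equivalent fields from
# the directory (e.g. last logon timestamp, password-last-set, MFA state).
SAMPLE_EXPORT = """\
username,privileged,vendor_account,last_logon,password_last_set,mfa_enrolled,enabled
it-vendor-admin,yes,yes,2014-05-01,2010-03-15,no,yes
jsmith,no,no,2021-05-20,2021-01-10,yes,yes
backup-svc,yes,no,2021-05-25,2019-11-02,no,yes
old-contractor,no,yes,2018-02-11,2017-06-30,no,yes
nurse-station-4,no,no,2021-05-26,2021-04-01,yes,yes
"""

# Assumed audit date, chosen to sit just before the late-May 2021 intrusion.
AS_OF = date(2021, 5, 26)

# Assumed policy thresholds; tune to the organisation's own password and
# access-review policy.
MAX_IDLE_DAYS = 90
MAX_PASSWORD_AGE_DAYS = 365


def _days_since(iso_date, as_of):
    """Days elapsed between an ISO date string and the audit date."""
    year, month, day = (int(part) for part in iso_date.split("-"))
    return (as_of - date(year, month, day)).days


def audit_accounts(export_text, as_of=AS_OF,
                   max_idle_days=MAX_IDLE_DAYS,
                   max_password_age_days=MAX_PASSWORD_AGE_DAYS):
    """Return {username: [flags]} for every enabled account with a finding.

    Flags: 'dormant:<days>d', 'stale-password:<days>d', 'no-mfa'.
    Disabled accounts are skipped; they cannot be used for remote access.
    """
    findings = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["enabled"] != "yes":
            continue
        idle_days = _days_since(row["last_logon"], as_of)
        password_age = _days_since(row["password_last_set"], as_of)
        privileged = row["privileged"] == "yes"
        vendor = row["vendor_account"] == "yes"

        flags = []
        if idle_days > max_idle_days:
            flags.append(f"dormant:{idle_days}d")
        if password_age > max_password_age_days:
            flags.append(f"stale-password:{password_age}d")
        # Admin and third-party accounts are the ones used for remote access,
        # so a missing second factor is a finding regardless of activity.
        if (privileged or vendor) and row["mfa_enrolled"] != "yes":
            flags.append("no-mfa")
        if flags:
            findings[row["username"]] = flags
    return findings


def recommended_action(flags):
    """Map a finding's flags to the remediation an access review would order."""
    if any(flag.startswith("dormant") for flag in flags):
        return "disable"          # nobody is using it; remove the attack surface
    if "no-mfa" in flags or any(flag.startswith("stale-password") for flag in flags):
        return "rotate-and-enforce-mfa"
    return "none"


if __name__ == "__main__":
    for user, flags in audit_accounts(SAMPLE_EXPORT).items():
        print(f"{user:<18} {recommended_action(flags):<24} {', '.join(flags)}")
```

On the constructed export the script disables the long-dormant vendor and contractor accounts and orders rotation plus MFA for the in-use backup service account; the two active, MFA-enrolled user accounts produce no findings. The thresholds are deliberately conservative: a 90-day idle limit would have caught the seven-year-dormant vendor credential many times over, and a one-year password age limit would have forced a rotation of an eleven-year-old password long before 2021.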

The Lorenz group exfiltrated data and encrypted files with ransomware. They contacted Refuah and issued a ransom demand and provided proof of data theft, including a list of files that were copied and a screenshot of patient data consistent with a database associated with Refuah’s dental practice. The third-party forensic investigation concentrated on the files that were stored on the shared network space but Refuah did not investigate to determine whether the database had been accessed, even though the attackers provided a screenshot of that database that displayed the records of 34 patients.

Refuah completed its analysis of the files on March 2, 2022, then mailed notification letters on April 29, 2022. The data compromised in the attack included patient names, addresses, phone numbers, Social Security numbers, driver’s license numbers, state identification numbers, dates of birth, bank account information, credit/debit card information, medical treatment/diagnosis information, Medicare/Medicaid numbers, medical record numbers, patient account numbers, and health insurance policy numbers.

Multiple HIPAA Security Rule Failures Identified

The NY AG looked at the administrative and technical safeguards that had been implemented and identified widespread noncompliance with the HIPAA Security Rule. Refuah Health Center had not conducted a risk analysis to identify risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information since March 2017 in violation of 45 C.F.R § 164.308(a)(1)(ii)(A) and (B) and had not addressed vulnerabilities that were identified in that risk analysis in the four years since it was conducted, in violation of § 164.306(a).

There were insufficient policies and procedures to prevent, detect, contain, and correct security violations, in violation of § 164.308(a)(1)(i), a lack of policies and procedures authorizing access to ePHI in violation of § 164.308(a)(4)(i), and no procedures for regularly reviewing logs of information system activity, in violation of § 164.308(a)(1)(ii)(D).

Policies and procedures for granting right of access based on access authorization policies were not present, in violation of § 164.308(a)(4)(ii)(B) and (C), there were no procedures for monitoring log-in attempts and reporting discrepancies nor procedures for creating, changing, and safeguarding passwords, in violation of § 164.308(a)(5)(ii)(C) and (D), and insufficient policies and procedures to address security incidents, and identifying and responding to suspected or known security incidents, in violation of § 164.308(a)(6)(i) and (ii).

Further, there were insufficient periodic technical and nontechnical evaluations of security policies and procedures (§ 164.308(a)(8)), insufficient technical policies and procedures for systems that maintain ePHI to allow access to persons granted access rights and no mechanism to encrypt ePHI (§ 164.312(a)(1) and (2)(iv)), insufficient controls for recording and examining activity in systems that contain or use ePHI (§ 164.312(b)), and insufficient verification of persons seeking access to ePHI to ensure they are who they claim to be (§ 164.312(d)).

The NY AG also determined there had been two violations of New York General Business Law, which requires the implementation and maintenance of reasonable safeguards to protect consumer information (§ 899-bb), and the disclosure of a data breach in the most expedient time possible and without unreasonable delay (§ 899-aa). The latter was also determined to be a violation of the HIPAA Breach Notification Rule (§ 164.404).

The agreement with the NY AG includes the requirement to invest $1.2 million in cybersecurity and make substantial improvements to its information security program, data retention policies, and incident response policies and procedures. Refuah is also required to issue notifications to all individuals whose data was compromised within 90 days.

“New Yorkers should receive medical care and trust that their personal and health information is safe,” said Attorney General James. “This agreement will ensure that Refuah is taking the appropriate steps to protect patient data while also providing affordable health care. Strong data security is critically necessary in today’s digital age and my office will continue to protect New Yorkers’ data from companies with inadequate cybersecurity.”

The post Refuah Health Center Pays $450K HIPAA Fine; Agrees to $1.2 Million Cybersecurity Investment appeared first on HIPAA Journal.

FTC Prohibits Rite Aid from Using Facial Technology System for Surveillance for 5 Years

Rite Aid has been banned from using facial recognition technology for security surveillance for five years as part of a settlement with the Federal Trade Commission (FTC), which determined the pharmacy chain failed to mitigate potential risks to consumers from misidentification.

Between 2012 and 2020, Rite Aid used artificial intelligence-based facial recognition technology in hundreds of its stores to identify customers who may have been engaged in shoplifting or other problematic behaviors. While the system correctly identified many individuals who had engaged in these behaviors, the system also recorded thousands of false positives, where the facial recognition technology incorrectly matched individuals with others who had previously been identified as shoplifters or had engaged in other problematic behaviors. The misidentified individuals were then erroneously accused of wrongdoing by Rite Aid employees.

The FTC found that the facial recognition technology was more likely to record false positives in communities that were predominantly Black or Asian, compared to plurality-White communities, indicating bias in the technology and heightened risks to certain consumers because of race or gender. According to the FTC, Rite Aid contracted with two technology firms to build a database of images and videos of “persons of interest,” who were thought to have engaged in shoplifting or other problematic behaviors in Rite Aid stores, and that database was used for the AI-based facial recognition system. Tens of thousands of images and videos were collected along with names and background information, including background criminal data. Many of the images in the database were of low quality and had been collected from store security cameras, the mobile devices of employees, and in some cases, from news stories. “The technology sometimes matched customers with people who had originally been enrolled in the database based on activity thousands of miles away, or flagged the same person at dozens of different stores all across the United States”, according to the FTC.

“Rite Aid’s reckless use of facial surveillance systems left its customers facing humiliation and other harms, and its order violations put consumers’ sensitive information at risk,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “Today’s groundbreaking order makes clear that the Commission will be vigilant in protecting the public from unfair biometric surveillance and unfair data security practices.”

Rite Aid was alleged to have failed to consider and mitigate risks to consumers from misidentification, failed to take into account the limitations of the technology and the high risk of misidentifying Black and Asian individuals, did not properly test, assess, measure, document, or inquire about the accuracy of the technology before deployment, failed to prevent low-quality images from being fed into the system, failed to monitor or test the accuracy of the technology after deployment, and failed to adequately train employees tasked with operating the technology and flag that it could generate false positives.

The FTC also said Rite Aid violated a previous 2010 data security order with the FTC that resolved a complaint that Rite Aid failed to protect the medical privacy of customers and employees, which required Rite Aid to implement a comprehensive information security program. As an example, the FTC alleged that Rite Aid conducted many security assessments of service providers orally and did not obtain or possess backup documentation of those assessments, including those that were considered by Rite Aid to be high-risk.

Rite Aid has been ordered to delete or destroy all photos and videos of consumers used in connection with the operation of the facial recognition or analysis system within 45 days, and within 60 days, to identify all third parties that received photos or videos as part of the facial recognition and analysis and instruct them to also delete the photos and videos.

In addition to the ban on facial recognition technology, Rite Aid is prohibited from using any automated biometric security or surveillance system that is not otherwise prohibited by the order unless a comprehensive automated biometric security or surveillance system monitoring program is established and maintained to identify and address risks that could result in physical, financial, or reputational harm to consumers, stigma, or severe emotional distress.

Rite Aid must also notify consumers when their biometric information is enrolled in a database used in connection with a biometric security or surveillance system and when Rite Aid takes some kind of action against them based on an output generated by such a system, and must investigate and respond to consumer complaints about actions taken against them based on automated biometric security or surveillance system.

Rite Aid said it is pleased to have reached an agreement with the FTC which means the company can put the matter behind it; however, said, “We fundamentally disagree with the facial recognition allegations in the agency’s complaint.” Rite Aid also explained that the allegations related to a facial recognition technology pilot program that was deployed in a limited number of stores. “Rite Aid stopped using the technology in this small group of stores more than three years ago, before the FTC’s investigation regarding the Company’s use of the technology began.” All parties have agreed to the consent order but it has yet to be approved by a judge.

The post FTC Prohibits Rite Aid from Using Facial Technology System for Surveillance for 5 Years appeared first on HIPAA Journal.