Healthcare Compliance News

The Benefits of Outsourced Healthcare Compliance

Posted by Steve Alder

Outsourced healthcare compliance is when external experts or agencies take responsibility for some of an organization’s compliance obligations – either working inhouse as a separate compliance unit, working inhouse as a consultant to a compliance team, or working remotely via healthcare compliance software. They can also work as outsourced compliance experts for one particular regulation (i.e., HIPAA), or one element of multiple regulations (i.e., workforce training).

Outsourced healthcare compliance services can perform a wide range of compliance tasks, including risk assessments, policy development, training programs, audits, and ongoing compliance monitoring. By outsourcing these tasks, healthcare organizations can leverage specialized knowledge and experience not readily available in-house or lacking the resources to keep up to date with changes to federal, state, and industry regulations.

The Benefits of Outsourced Healthcare Compliance

Outsourced healthcare compliance has the primary benefit of enabling organizations to concentrate on core healthcare operations while entrusting some or all of their compliance obligations to experts. Some of the other benefits of outsourced healthcare compliance include:

Access to Specialized Knowledge

It is difficult for small compliance teams to keep up to date with every federal, state, and industry healthcare compliance requirement. Outsourced healthcare compliance provides access to experienced compliance professionals who are not only up to date with current compliance requirements, but who are also aware of changes under consideration.

Enhanced Efficiency

Due to having specialized knowledge of all applicable compliance regulations, outsourced healthcare compliance services can enhance efficiency by eliminating duplicated requirements – for example, HIPAA, OSHA, and CMS’ conditions for participation in Medicare all include similar emergency preparedness requirements.

Risk Reduction

Having specialized knowledge can also help organizations reduce the risk of non-compliance in cases where (for example) a provision of state law preempts a provision of HIPAA or additional training requirements exist due to the nature of an organization’s operations. Reducing the risks of non-compliance reduces the likelihood of penalties for non-compliance.

Better Trained Workforce

Due to their experience with different types of healthcare organizations, outsourced healthcare compliance services are often more familiar with how workforces absorb and apply training. This means training sessions can be better compiled and delivered by an external source to increase the likelihood of a better trained and compliant workforce.

Cost Savings

Outsourcing healthcare compliance can lead to cost savings by avoiding the requirement to hire an employee with the necessary compliance experience (i.e., a HIPAA Privacy Official). By comparison, outsourcing healthcare compliance allows organizations to pay for external compliance services on an as-needed basis.

How to Evaluate External Compliance Services

Selecting an external compliance service requires careful consideration of several key factors. It is important that, if a service provider is offering a technology solution, that the technology solution is customizable to meet all the organization’s compliance obligations. It is also important the provider offers technical and administrative support to deploy and configure the solution.

Other tips include ensuring the provider can demonstrate expertise in healthcare compliance, and an  understanding of industry regulations and best practices. It may also be necessary to research the provider’s reputation via a reputable source to assess their previous successes and failures – particularly with regards to integrating their technology solution into an existing IT infrastructure.

Finally, it is vital that prospective outsourced healthcare compliance experts provide reasonable expectations of what their services might entail. These expectations should include loss of organization control and the potential for a lengthy transition period – during which time there may be operational disruptions. In all cases, before engaging an outsourced healthcare compliance service, it is best to seek independent compliance advice.

The post The Benefits of Outsourced Healthcare Compliance appeared first on HIPAA Journal.

What is a Clearinghouse in Healthcare?

Posted by Steve Alder

A clearinghouse in healthcare is a middleman between a healthcare provider and a health plan that checks claims from healthcare providers to ensure they don´t contain errors before forwarding them to a health plan for payment. Having a middleman to check for accuracy reduces workloads for both healthcare providers and health plans and accelerates the payment of claims.

A clearinghouse in healthcare has several definitions – and can have several interpretations of the definitions. For health plans and healthcare providers subject to the HIPAA Administrative Simplification Regulations, it can be important to understand how the Department of Health and Human Services defines a clearinghouse in healthcare to avoid unintentional HIPAA violations.

What is a Healthcare Clearinghouse under HIPAA?

In the definitions section of the HIPAA Administrative Simplification Regulations (§160.103), a healthcare clearinghouse under HIPAA is defined as a public or private entity, including a billing service, repricing company, community health management information system or community health information system, and “value added” networks and switches, that performs either of the following functions:

(1) Processes or facilitates the processing of health information received from another entity in a nonstandard format or containing nonstandard data content into standard data HIPAA elements, or

(2) Receives a standard transaction from another entity and processes or facilitates the processing of health information into nonstandard format or nonstandard data content for the receiving entity.

Wasn’t HIPAA Supposed to Standardize the Claims Process?

To an onlooker from outside the industry, it might seem strange that healthcare providers and health plans still use healthcare clearinghouses when one of the objectives of the HIPAA Administrative Simplification Regulations was to standardize the claims process in order to reduce inefficiencies and reduce the likelihood of fraud in the healthcare industry.

However, healthcare billing is a challenging process. There are currently four medical data code sets permitted by HIPAA, one of which – ICD-10 – has more than 68,000 codes to represent different diagnoses and treatments. Once you multiply these by the number of HCPCS codes (for medical services and medical supplies) and numerous National Drug Codes, it is easy to see how errors can be made.

To further complicate the issue, there are thousands of health plans and thousands of hospitals in the United States. Some will have up-to-date claims software, others will not. A clearinghouse in healthcare not only has to ensure claims are correct but also that they are delivered to the health plan for payment if a healthcare provider and health plan use incompatible software.

Other challenges to take into account include state laws relating to the payment of healthcare claims, co-pays, and deductibles. It would be extremely difficult for a healthcare provider to manage all the codes and variables associated with the claims process accurately, which could delay payments and potentially result in cashflow problems for healthcare organizations on tight budgets.

Why it is Important to Understand what a Clearinghouse in Healthcare is

For health plans and healthcare providers subject to the HIPAA Administrative Simplification Regulations, it is important to understand when a clearinghouse in healthcare qualifies as a Covered Entity and when a clearinghouse in healthcare qualifies as a Business Associate to ensure that – in the latter case – a Business Associate Agreement is in place to comply with the HIPAA requirements.

A clearinghouse qualifies as a Covered Entity when it conducts business-to-business transactions as described in the definitions above. However, if Covered Entity A conducts its own clearinghouse activities (i.e., a healthcare provider that bills health plans directly), and is contracted by Covered Entity B to conduct clearinghouse activities on its behalf, Covered Entity A becomes a Business Associate of Covered Entity B, and it is necessary for a Business Associate Agreement to be in place.

Health plans and healthcare providers unsure about when a clearinghouse in healthcare qualifies as a Covered Entity and when it qualifies as a Business Associate should seek professional compliance advice.

What is a Healthcare Clearinghouse? FAQs

What is a Healthcare Clearinghouse in Medical Billing?

A healthcare clearinghouse in medical billing converts medical billing data into a standard format that can be understood by different payers and checks the claims for errors or missing information. A clearinghouse also verifies the patient’s insurance eligibility, submits the claims electronically, and tracks their status. A clearinghouse helps to streamline the billing process, reduce denials, and speed up reimbursements for healthcare providers.

How do Healthcare Clearinghouses Ensure the Security of Medical Data?

Healthcare clearinghouses ensure the security of medical data in several ways:

Compliance with HIPAA Regulations – Clearinghouses are required to comply with the applicable standards of the Health Insurance Portability and Accountability Act (HIPAA), which mandates the secure and confidential handling of sensitive patient data.

Secure Data Transmission – Healthcare clearinghouses function as electronic hubs that allow healthcare providers to transmit claims to health plans in ways that ensure Protected Health Information (PHI) remains secure.

Data Normalization – Clearinghouses process and convert medical claims into a standardized format, a process termed “normalization”. This involves transmuting the diverse data formats from healthcare providers into a uniform structure that health plans can readily process.

Claim Scrubbing – Healthcare clearinghouses review each claim (a process known as claim scrubbing) before it reaches the health plan, thereby minimizing errors, identifying potential security issues, and speeding up the reimbursement process.

By implementing these measures, healthcare clearinghouses play a pivotal role in ensuring accurate, efficient, and secure data exchange in the healthcare industry.

Are Healthcare Providers Required to Use a Clearinghouse?

Healthcare providers are not explicitly required to use a clearinghouse for processing medical claims. However, while it’s not a requirement, many healthcare providers choose to use a clearinghouse because of the benefits they offer – such as eligibility verification, electronic remittance advice, and the ability to handle a variety of medical claims. The decision to use a clearinghouse may depend on various factors, including the size of the healthcare provider, the volume of claims processed, and the resources available for handling claims internally.

The post What is a Clearinghouse in Healthcare? appeared first on HIPAA Journal.

HHS Unveils Voluntary HPH Cybersecurity Performance Goals

Posted by Steve Alder

The Department of Health and Human Services (HHS) has unveiled the Cybersecurity Performance Goals (CPGs) that were outlined in its December 2023 Healthcare Sector Cybersecurity Strategy. These voluntary goals will help healthcare organizations take the necessary steps to improve cybersecurity and guide them through implementing high-impact measures to quickly improve resilience to cyber threats and recover quickly should their defenses be breached.

Cyberattacks on healthcare organizations have increased significantly in recent years with 2023 breaking records for the number of data breaches (725) and the number of breached records (133M). The HHS Cybersecurity Strategy aims to help the healthcare and public health (HPH) sector prepare for and respond to cyber threats, adapt to a rapidly changing threat landscape, and improve cyber resilience across the sector, with the establishment of voluntary cybersecurity goals the first step in that process.

The voluntary CPGs will help HPH sector organizations prioritize the implementation of high-impact cybersecurity practices – cybersecurity practices that will have the greatest impact on improving resilience to the most common attack vectors. As outlined in the HHS cybersecurity strategy, two tiers of CPGs have been developed: Essential CPGs and Enhanced CPGs. The essential CPGs are relatively low-cost minimum foundational cybersecurity practices that will greatly improve cybersecurity, and the enhanced CPGs are intended to encourage the adoption of more advanced cybersecurity practices. The aim is to get all healthcare delivery organizations to adopt the essential CPGs to make it harder for cyber actors to gain access to their networks and incentivize them to mature their cybersecurity programs by adopting the Enhanced CPGs.

The CPGs were developed based on the Cross-Sector CPGs released by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) in March 2023, which were intended to serve as a cybersecurity baseline for all critical infrastructure entities. The HHS collaborated with CISA and the industry to develop the healthcare-specific CPGs, which were also informed by common industry cybersecurity frameworks, guidelines, best practices, and strategies such as the National Cybersecurity Strategy, Healthcare Industry Cybersecurity Practices (HICP) and the National Institute of Standards and Technology (NIST) Cybersecurity Framework.

Layered Protection at Each Stage of the Attack Chain

The HPH CPGs are concerned with improving resiliency at all points in digital systems that can be exploited by cyber actors. The Essential CPGs will help HPH sector organizations address common vulnerabilities to improve their security posture, improve incident response, and minimize residual risk. The Enhanced CPGs are intended to help HPH sector organizations mature their cybersecurity capabilities and improve their defense against additional attack vectors.

Essential HPH CPGs

  • Mitigate Known Vulnerabilities
  • Email Security
  • Multifactor Authentication
  • Basic Cybersecurity Training for the Workforce
  • Strong Encryption for Sensitive Data in Transit
  • Revoke Credentials for Departing Workforce Members, Including Employees, Contractors, Affiliates, and Volunteers
  • Basic Incident Planning and Preparedness
  • Unique Credentials for all members of the Workforce
  • Separate User and Privileged Accounts
  • Vendor/Supplier Cybersecurity Requirements

Enhanced CPGs

  • Asset Inventory
  • Third-Party Vulnerability Disclosure
  • Third-Party Incident Reporting
  • Cybersecurity Testing
  • Cybersecurity Mitigation
  • Detect and Respond to Relevant Threats and Tactics, Techniques, and Procedures (TTP)
  • Network Segmentation
  • Centralized Log Collection
  • Centralized Incident Planning and Preparedness
  • Configuration Management

Initially, the CPHs will be voluntary; however, the HHS will use these CPGs to inform future rulemaking, including new cybersecurity requirements for healthcare organizations that participate in Medicare and Medicaid programs, the planned updates to the HIPAA Security Rule, and HHS efforts to incentivize the adoption of cybersecurity practices. Any new regulatory updates that include new cybersecurity requirements will be subject to standard notice and comment periods.

“We have a responsibility to help our health care system weather cyber threats, adapt to the evolving threat landscape, and build a more resilient sector,” said HHS Deputy Secretary Andrea Palm. “The release of these cybersecurity performance goals is a step forward for the sector as we look to propose new enforceable cybersecurity standards across HHS policies and programs that are informed by these CPGs.”

The HHS outlined in its cybersecurity strategy its plans to make funds available to help under-resourced healthcare delivery organizations make the necessary investments in cybersecurity by helping to cover the initial costs of implementing the essential CPGs. The HHS also plans to create an incentive program to encourage the adoption of the Enhanced CPGs. The establishment of these programs to help financially challenged hospitals is essential, as while the creation of the CPGs is a great first step, many healthcare delivery organizations simply do not have the funding available to make the necessary investments to improve cybersecurity.

The HPH CPGs are detailed in an 11-page PDF document that can be accessed on the HHS HPH Cyber website.

The post HHS Unveils Voluntary HPH Cybersecurity Performance Goals appeared first on HIPAA Journal.

December 2023 Healthcare Data Breach Report

Posted by Steve Alder

There was no letup in healthcare data breaches as the year drew to a close, with December seeing the second-highest number of data breaches of the year. The Department of Health and Human Services (HHS) Office for Civil Rights received 74 reports of healthcare data breaches of 500 or more records in December, which helped make 2023 a record-breaking year for healthcare data breaches. While there may still be some late additions to the list, as of January 18, 2023, 725 data breaches of 500 or more healthcare records have been reported to OCR in 2023 – The highest number since OCR started publishing records of data breaches on its “Wall of Shame.” To add some perspective, that is more than twice the number of data breaches that were reported in 2017.

It is not just the number of data breaches that is concerning. Healthcare data breaches have been increasing in severity and there have been ransomware attacks that have seen patients contacted and threatened directly with the exposure of their sensitive health data. Many of the data breaches reported in 2023 have been on a colossal scale, with December no exception with two multi-million-record data breaches reported.

Since 2009, when OCR created its Wall of Shame, the number of breached records has been trending upwards, but even the most pessimistic of security professionals would not have predicted at the start of 2023 that there would be such a massive rise in breached records. 2021 was a bad year with 45.9 million records breached, and 2022 was worse with 51.9 million breached records, but in 2023, an astonishing 133 million records were exposed or stolen. On January 18, 2023, the OCR breach portal showed 133,068,542 individuals had their protected health information exposed or stolen in 2023.

We will explore the year’s data breaches in greater detail and make predictions for the coming year in posts over the next few days but first, let’s take a dive into December’s data breaches to see where and how 11,306,411 healthcare records were breached.

The Biggest Healthcare Data Breaches in December 2023

Two of the largest data breaches of 2023 were reported in December, the largest of which occurred at the New Jersey-based analytics software vendor, HealthEC. Hackers gained access to a system used by more than 1 million healthcare professionals to improve patient outcomes. The platform contained the protected health information of 4,452,782 individuals. The data breach was the second in as many months to result in the exposure of the health data of more than 1 million Michigan residents, prompting the Michigan Attorney General to call for new legislation to hold companies accountable for breaches of healthcare data.

A 2.7 million-record data breach was reported by another business associate, ESO Solutions. ESO Solutions is a provider of software solutions for hospitals, health systems, EMS agencies, and fire departments, and had its network breached and files encrypted with ransomware. At least 12 health systems and hospitals are known to have been affected.

More than 900,000 records were obtained by hackers who gained access to an archive of data from the now defunct Fallon Ambulance Services, which was being stored to meet data retention requirements by Transformative Healthcare, and a cyberattack on Electrostim Medical Services exposed the data of almost 543,000 patients.

It has now been 7 months since the Clop hacking group exploited a zero-day vulnerability in Progress Software’s MOVEit Transfer solution and data breach reports continue to be issued. More than 2,600 organizations worldwide had data stolen in the attacks, with the healthcare industry among the worst affected.

Name of Covered Entity State Covered Entity Type Individuals Affected Cause of Data Breach
HealthEC LLC NJ Business Associate 4,452,782 Hacking incident (Data theft confirmed)
ESO Solutions, Inc. TX Business Associate 2,700,000 Ransomware attack
Transformative Healthcare (Fallon Ambulance Services) MA Healthcare Provider 911,757 Hacking incident (Data theft confirmed)
Electrostim Medical Services, Inc. dba EMSI FL Healthcare Provider 542,990 Hacking incident
Cardiovascular Consultants Ltd. AZ Healthcare Provider 484,000 Ransomware attack (Data theft confirmed)
Retina Group of Washington, PLLC MD Healthcare Provider 455,935 Ransomware attack
CompleteCare Health Network NJ Healthcare Provider 313,973 Ransomware attack (Data theft confirmed)
Health Alliance Hospital Mary’s Avenue Campus NY Healthcare Provider 264,197 Hacking incident (Data theft confirmed)
Independent Living Systems, LLC FL Business Associate 123,651 Hacking incident (MOVEit)
Pan-American Life Insurance Group, Inc. LA Health Plan 105,387 Hacking incident (MOVEit)
Meridian Behavioral Healthcare, Inc. FL Healthcare Provider 98,808 Hacking incident
Mercy Medical Center IA Healthcare Provider 97,132 Hacking incident at business associate (PJ&A)
Pan-American Life Insurance Group, Inc. LA Business Associate 94,807 Hacking incident (MOVEit)
Regional Family Medicine AR Healthcare Provider 80,166 Hacking incident
HMG Healthcare, LLC TX Healthcare Provider 80,000 Hacking Incident (Data theft confirmed)
Heart of Texas Behavioral Health Network TX Healthcare Provider 63,776 Hacking incident
Kent County Community Mental Health Authority d/b/a Network180 MI Healthcare Provider 59,334 Unauthorized email account access
Highlands Oncology Group PA AR Healthcare Provider 55,297 Ransomware attack
Southeastern Orthopaedic Specialists, PA NC Healthcare Provider 35,533 Ransomware attack (Data theft confirmed)
Eye Physicians of Central Florida, PLLC, a division of Florida Pediatric Associates, LLC FL Healthcare Provider 31,189 Hacking incident (Data theft confirmed)
Clay County Social Services MN Business Associate 22,005 Ransomware attack (Data theft confirmed)
Bellin Health WI Healthcare Provider 20,790 Hacking incident
Neuromusculoskeletal Center of the Cascades, PC OR Healthcare Provider 19,373 Unauthorized email account access
Independent Living Systems, LLC FL Healthcare Provider 19,303 Hacking incident (MOVEit)
Community Memorial Healthcare, Inc. KS Healthcare Provider 14,798 Hacking incident
VNS Choice dba VNS Health Health Plans NY Health Plan 13,584 Unauthorized email account access
Hi-School Pharmacy WA Healthcare Provider 12,779 Ransomware attack

Many HIPAA-regulated entities keep information to the bare minimum in their breach reports, which allows them to meet legal requirements for breach reporting while minimizing the risk of disclosing information that could be used against them in class action lawsuits. The problem with this minimalistic breach reporting is the victims of the breach are not given enough information to accurately assess the risk they face, and the lack of transparency in data breach reporting makes it difficult to accurately assess how hackers are gaining access to healthcare networks and the nature of the attacks.

This is especially true for ransomware attacks and data theft/extortion attacks. Several breaches have been reported as hacking incidents where a possibility of unauthorized access to or theft of patient data, when the threat actors behind the attacks have claimed responsibility and have added the breached entity to their data leak sites. This trend has grown throughout the year.

December 2023 Data Breach Causes and Data Locations

All of December’s data breaches of 10,000 or more records were hacking incidents, which accounted for 83.78% of the month’s 74 data breaches (62 incidents) and 99.79% of the month’s breached healthcare records (11,283,128 records). The average breach size was 181,986 records and the median breach size was 6,728 records. In 2009, hacking incidents accounted for 49% of all data breaches of 500 or more records. In 2023, hacking incidents accounted for 79.72% of all large data breaches. Something clearly needs to be done to improve resiliency to hacking and there are signs of action being taken at the state and federal level.

In December 2023, OCR published its Healthcare Sector Cybersecurity Strategy which details several steps that OCR plans to take to improve cyber resiliency in the healthcare sector and patient safety. The extent to which these plans will be made a reality will depend on Congress making the necessary funding available. OCR is planning a much-needed update to the HIPAA Security Rule in 2024 and has stated that it will establish voluntary cybersecurity goals for the healthcare sector. OCR will be working with Congress to provide financial assistance for domestic investments in cybersecurity to help cover the initial cost. The New York Attorney General has also announced that there will be new cybersecurity requirements for hospitals in the state after a significant increase in cyberattacks, and that funds have been made available to help low-resource hospitals make the necessary improvements.

There were 8 data breaches classified as unauthorized access/disclosure incidents, involving 14,998 healthcare records. The average breach size was 1,875 records and the median breach size was 1,427 records. There were four loss/theft incidents reported in December, two of which involved stolen paperwork and two involved the loss of electronic devices, with the latter preventable if encryption had been used. 8,285 records were lost across these incidents.

The most common location of breached healthcare data was network services, which is unsurprising given the large number of hacking incidents. 14 data breaches involved protected health information stored in email accounts, three of which resulted in the exposure of more than 10,000 records.

Where did the Data Breaches Occur?

The raw data from the OCR data breach portal shows healthcare providers were the worst affected entity in December with 49 reported breaches of 500 or more records, followed by business associates with 13 breaches, health pans with 11, and a single breach at a healthcare clearinghouse. While healthcare providers suffered the most breaches, it was data breaches at business associates that exposed the most records. Across the 13 business associate-reported breaches, 7,416,567 records were breached, compared to 3,730,791 records in the 49 breaches at healthcare providers. The health plan breaches exposed 156,479 records and 2,574 records were exposed in the healthcare clearinghouse data breach.

These figures do not tell the full story, as the reporting entity may not be the entity that suffered the data breach. Many data breaches occur at business associates of HIPAA-covered entities but are reported to OCR by the covered entity rather than the business associate. A deeper dive into the data to determine where the breach actually occurred reveals there were 24 data breaches at business associates (7,544,504 records), 43 data breaches at healthcare providers (3,616,078 records), 6 data breaches at health plans (143,255 records), and one breach at a healthcare clearinghouse (2,574 records).

The average size of a business associate data breach was 314,354 records (median: 2,749 records), the average size of a healthcare provider data breach was 84,095 records (median: 5,809 records), and the average health plan data breach was 23,876 records (median: 7,695 records). The chart below shows where the data breaches occurred rather than the reporting entity.

Geographical Distribution of Healthcare Data Breaches

HIPAA-regulated entities in 32 states reported data breaches of 500 or more records in December. California was the worst affected state with 85 large data breaches followed by New York and Texas with 7 reported breaches.

State Number of Breaches
California 8
New York & Texas 7
Florida 6
Massachusetts 4
New Jersey, Tennessee & Wisconsin 3
Arkansas, Connecticut, Illinois, Kansas, Kentucky, Louisiana, Maryland, North Carolina & Washington 2
Alaska, Arizona, Colorado, Iowa, Michigan, Minnesota, Mississippi, Missouri, Montana, New Mexico, North Dakota, Oregon, South Carolina, Virginia & West Virginia 1

HIPAA Enforcement in December 2023

OCR announced two enforcement actions against healthcare providers in December to resolve alleged violations of the HIPAA Rules. OCR continued its enforcement initiative targeting noncompliance with the HIPAA Right of Access with its 46th enforcement action over the failure to provide individuals with timely access to their medical records. Optum Medical Care of New Jersey settled its investigation and agreed to pay a financial penalty of $160,000 to resolve allegations that patients had to wait between 84 days and 231 days to receive their requested records when they should have been provided within 30 days.

OCR also announced its first-ever settlement resulting from an investigation of a phishing attack. Lafourche Medical Group in Louisiana suffered a phishing attack that resulted in the exposure of the protected health information of almost 35,000 individuals. While phishing attacks are not HIPAA violations, OCR’s investigation uncovered multiple violations of the HIPAA Security Rule, including no risk analyses prior to the 2021 phishing attack, and no procedures to regularly review logs of system activity before the attack. Lafourche Medical Group chose to settle the investigation and paid a $480,000 penalty.

These two enforcement actions bring the total number of OCR enforcement actions involving financial penalties up to 13, the lowest annual total since 2019, although there was a slight increase in funds raised from these enforcement actions with $4,176,500 collected in fines. OCR is pushing Congress to increase the penalties for HIPAA violations to make penalties more of a deterrent and also to provide much-needed funding to allow OCR to clear the backlog of HIPAA compliance investigations, in particular investigations of hacking incidents. Currently, OCR’s hands are tied, as the department’s budget has remained the same for years, aside from annual increases for inflation, yet its caseload of breach investigations has soared.

HIPAA Enforcement by State Attorneys General

State attorneys general have the authority to enforce HIPAA compliance and 2023 saw an increase in enforcement actions. The HIPAA Journal has tracked 16 enforcement actions by state attorneys general in 2023 that resolved violations of HIPAA or equivalent state consumer protection and data breach notification laws. In December, three enforcement actions were announced, two by New York Attorney General Letitia James and one by Indiana Attorney General Todd Rokita. New York has been particularly active this year having announced 4 settlements to resolve HIPAA violations in 2023 and the state also participated in two multi-state actions.

In December, AG James announced a settlement had been reached with Healthplex to resolve alleged violations of New York’s data security and consumer protection laws with respect to data retention, logging, MFA, and data security assessments which contributed to a cyberattack and data breach that affected 89,955 individuals. The case was settled for $400,000. AG James also investigated New York Presbyterian Hospital over a reported breach of the health information of 54,396 individuals related to its use of tracking technologies on its website, which sent patient data to third parties such as Meta and Google in violation of the HIPAA Privacy Rule and New York Executive Law. The case was settled for $300,000.

The Indiana Attorney General investigated CarePointe ENT over a breach of the health information of 48,742 individuals. AG Rokita alleged that CarePointe ENT was aware of security issues several months before they were exploited by cybercriminals but did not address them in a timely manner. There was also no business associate agreement with its IT services provider. The investigation was settled for $125,000.

The data for this report was obtained from the U.S. Department of Health and Human Services’ Office for Civil Rights on January 18, 2023.

The post December 2023 Healthcare Data Breach Report appeared first on HIPAA Journal.

Refuah Health Center Pays $450K HIPAA Fine; Agrees to $1.2 Million Cybersecurity Investment

Posted by Steve Alder

New York Attorney General Letitia James has announced that an agreement has been reached with Refuah Health Center Inc. to resolve allegations it failed to maintain reasonable and appropriate cybersecurity controls to protect and limit access to sensitive patient data stored on its network. Under the terms of the agreement, Refuah Health Center has agreed to invest $1.2 million in cybersecurity and will pay $450,000 in penalties and costs.

The NY AG launched an investigation of Refuah Health Center after being notified about a May 2021 ransomware attack that compromised the personal and protected health information of 260,740 individuals, including 175,077 New Yorkers.  The Lorenz ransomware group gained access to internal systems in late May 2021, initially compromising a system that was used for viewing videos from internal cameras monitoring its facilities. That system was only protected with a four-digit code.

The attackers stole administrator credentials that were used by a former IT vendor to remotely access the network. The credentials had not been changed for 11 years and had not been deleted or disabled, even though they had not been used by the IT vendor in 7 years. The account did not have multifactor authentication enabled. The credentials allowed access to a large number of files containing patient information that had not been encrypted at the file level.

The Lorenz group exfiltrated data and encrypted files with ransomware. They contacted Refuah and issued a ransom demand and provided proof of data theft, including a list of files that were copied and a screenshot of patient data consistent with a database associated with Refuah’s dental practice. The third-party forensic investigation concentrated on the files that were stored on the shared network space but Refuah did not investigate to determine whether the database had been accessed, even though the attackers provided a screenshot of that database that displayed the records of 34 patients.

Refuah completed its analysis of the files on March 2, 2022, then mailed notification letters on April 29, 2022. The data compromised in the attack included patient names, addresses, phone numbers, Social Security numbers, driver’s license numbers, state identification numbers, dates of birth, bank account information, credit/debit card information, medical treatment/diagnosis information, Medicare/Medicaid numbers, medical record numbers, patient account numbers, and health insurance policy numbers.

Multiple HIPAA Security Rule Failures Identified

The NY AG looked at the administrative and technical safeguards that had been implemented and identified widespread noncompliance with the HIPAA Security Rule. Refuah Health Center had not conducted a risk analysis to identify risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information since March 2017 in violation of 45 C.F.R § 164.308(a)(1)(ii)(A) and (B) and had not addressed vulnerabilities that were identified in that risk analysis in the four years since it was conducted, in violation of § 164.306(a).

There were insufficient policies and procedures to prevent, detect, contain, and correct security violations, in violation of § 164.308(a)(1)(i), a lack of policies and procedures authorizing access to ePHI in violation of § 164.308(a)(4)(i), and no procedures for regularly reviewing logs of information system activity, in violation of § 164.308(a)(1)(ii)(D).

Policies and procedures for granting right of access based on access authorization policies were not present, in violation of § 164.308(a)(4)(ii)(B) and (C), there were no procedures for monitoring log-in attempts and reporting discrepancies nor procedures for creating, changing, and safeguarding passwords, in violation of § 164.308(a)(5)(ii)(C) and (D), and insufficient policies and procedures to address security incidents, and identifying and responding to suspected or known security incidents, in violation of § 164.308(a)(6)(i) and (ii).

Further, there were insufficient periodic technical and nontechnical evaluations of security policies and procedures (§ 164.308(a)(8)), insufficient technical policies and procedures for systems that maintain ePHI to allow access to persons granted access rights and no mechanism to encrypt ePHI (§ 164.312(a)(1) and (2)(iv)), insufficient controls for recording and examining activity in systems that contain or use ePHI (§ 164.312(b)), and insufficient verification of persons seeking access to ePHI to ensure they are who they claim to be (§ 164.312(d)).

The NY AG also determined there had been two violations of New York General Business Law, which requires the implementation and maintenance of reasonable safeguards to protect consumer information (§ 899-bb), and the  disclosure of a data breach in the most expedient time possible and without unreasonable delay (§ 899-aa). The later was also determined to be a violation of the HIPAA Breach Notification Rule (§ 164.404).

The agreement with the NY AG includes the requirement to invest $1.2 million in cybersecurity and make substantial improvements to its information security program, data retention policies, and incident response policies and procedures. Refuah is also required to issue notifications to all individuals whose data was compromised within 90 days.

“New Yorkers should receive medical care and trust that their personal and health information is safe,” said Attorney General James. “This agreement will ensure that Refuah is taking the appropriate steps to protect patient data while also providing affordable health care. Strong data security is critically necessary in today’s digital age and my office will continue to protect New Yorkers’ data from companies with inadequate cybersecurity.”

The post Refuah Health Center Pays $450K HIPAA Fine; Agrees to $1.2 Million Cybersecurity Investment appeared first on HIPAA Journal.

FTC Prohibits Rite Aid from Using Facial Technology System for Surveillance for 5 Years

Posted by Steve Alder

Rite Aid has been banned from using facial recognition technology for security surveillance for five years as part of a settlement with the Federal Trade Commission (FTC), which determined the pharmacy chain failed to mitigate potential risks to consumers from misidentification.

Between 2012 and 2020, Rite Aid used artificial intelligence-based facial recognition technology in hundreds of its stores to identify customers who may have been engaged in shoplifting or other problematic behaviors. While the system correctly identified many individuals who had engaged in these behaviors, the system also recorded thousands of false positives, where the facial recognition technology incorrectly matched individuals with others who had previously been identified as shoplifters or had engaged in other problematic behaviors. The misidentified individuals were then erroneously accused of wrongdoing by Rite Aid employees.

The FTC found that the facial recognition technology was more likely to record false positives in communities that were predominantly Black or Asian, compared to plurality-White communities, indicating bias in the technology and heightened risks to certain consumers because of race or gender. According to the FTC, Rite Aid contracted with two technology firms to build a database of images and videos of “persons of interest,” who were thought to have engaged in shoplifting or other problematic behaviors in Rite Aid stores, and that database was used for the AI-based facial recognition system. Tens of thousands of images and videos were collected along with names and background information, including background criminal data. Many of the images in the database were of low quality and had been collected from store security cameras, the mobile devices of employees, and in some cases, from news stories. “The technology sometimes matched customers with people who had originally been enrolled in the database based on activity thousands of miles away, or flagged the same person at dozens of different stores all across the United States”, according to the FTC.

“Rite Aid’s reckless use of facial surveillance systems left its customers facing humiliation and other harms, and its order violations put consumers’ sensitive information at risk,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “Today’s groundbreaking order makes clear that the Commission will be vigilant in protecting the public from unfair biometric surveillance and unfair data security practices.”

Rite Aid was alleged to have failed to consider and mitigate risks to consumers from misidentification, failed to take into account the limitations of the technology and the high risk of misidentifying Black and Asian individuals, did not properly test, assess, measure, document, or inquire about the accuracy of the technology before deployment, failed to prevent low-quality images from being fed into the system, failed to monitor or test the accuracy of the technology after deployment, and failed to adequately train employees tasked with operating the technology and flag that it could generate false positives.

The FTC also said Rite Aid violated a previous 2010 data security order with the FTC that resolved a complaint that Rite Aid failed to protect the medical privacy of customers and employees, which required Rite Aid to implement a comprehensive information security program. As an example, the FTC alleged that Rite Aid conducted many security assessments of service providers orally and did not obtain or possess backup documentation of those assessments, including those that were considered by Rite Aid to be high-risk.

Rite Aid has been ordered to delete or destroy all photos and videos of consumers used in connection with the operation of the facial recognition or analysis system within 45 days, and within 60 days, to identify all third parties that received photos or videos as part of the facial recognition and analysis and instruct them to also delete the photos and videos.

In addition to the ban on facial recognition technology, Rite Aid is prohibited from using any automated biometric security or surveillance system that is not otherwise prohibited by the order unless a comprehensive automated biometric security or surveillance system monitoring program is established and maintained to identify and address risks that could result in physical, financial, or reputational harm to consumers, stigma, or severe emotional distress.

Rite Aid must also notify consumers when their biometric information is enrolled in a database used in connection with a biometric security or surveillance system and when Rite Aid takes some kind of action against them based on an output generated by such a system, and must investigate and respond to consumer complaints about actions taken against them based on automated biometric security or surveillance system.

Rite Aid said it is pleased to have reached an agreement with the FTC which means the company can put the matter behind it; however, said, “We fundamentally disagree with the facial recognition allegations in the agency’s complaint.” Rite Aid also explained that the allegations related to a facial recognition technology pilot program that was deployed in a limited number of stores. “Rite Aid stopped using the technology in this small group of stores more than three years ago, before the FTC’s investigation regarding the Company’s use of the technology began.” All parties have agreed to the consent order but it has yet to be approved by a judge.

The post FTC Prohibits Rite Aid from Using Facial Technology System for Surveillance for 5 Years appeared first on HIPAA Journal.

Website Pixel Use Leads to $300K Fine for New York Presbyterian Hospital

Posted by Steve Alder

New York Presbyterian Hospital has agreed to settle alleged violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule with the New York Attorney General and will pay a financial penalty of $300,000.

NYP operates 10 hospitals in New York City and the surrounding metropolitan area and serves approximately 2 million patients a year. In June 2016, NYP added tracking pixels and tags to its nyp.org website to track visitors for marketing purposes. In early June 2022, NYP was contacted by a journalist from The Markup and was informed that these tools were capable of transmitting sensitive information to the third-party providers of the tools, including information classified as protected health information under HIPAA.

On June 16, 2023, The Markup published an article about the use of these tools by NYP and other U.S. hospitals, by which time NYP had already taken steps to remove the tools from its website and had initiated a forensic investigation to determine the extent of any privacy violations.  NYP determined that PHI had potentially been impermissibly disclosed and reported the breach to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) on March 20, 2023, as involving the protected health information (PHI) of up to 54,396 individuals.

NY Attorney General Launches HIPAA Investigation

NY Attorney General, Letitia James opened an investigation of NYP in response to the reported breach to determine whether NYP had violated HIPAA and New York laws. The investigation confirmed that NYP had added several tracking tools to its website that were provided by third parties such as Bing, Google, Meta/Facebook, iHeartMedia, TikTok, The Trade Desk, and Twitter. These tools were configured to trigger on certain user events on its website. Most were configured to send information when a webpage loaded, and some sent information in response to clicks on certain links, the transmission of forms, and searches conducted on the site. The snippets of information sent to third parties included information about the user’s interactions on the website, including the user’s IP address, URLs visited, and searches. The tools provided by Google, Meta, and the Trade Desk also received unique identifiers that had been stored in cookies on the user’s devices.

Meta/Facebook also received information such as first and last name, email address, mailing address, and gender information, if that information was entered on a webpage where the Meta pixel was present. In some cases, the information sent to third parties included health information, such as if the user researched health information, performed a search for a specialist doctor, or scheduled an appointment. Certain URLs also revealed information about a specific health condition.

The tracking tools from Meta, Google, and the Trade Desk were used to serve previous website visitors with targeted advertisements based on their previous interactions on the website. NYP and its digital marketing vendor also used Meta pixel data to categorize website visitors based on the pages they visited and used Meta pixel to serve advertisements to other individuals with similar characteristics, known as “lookalike audiences.” For example, NYP identified individuals who visited webpages related to prostate cancer, and those individuals were then served targeted advertisements on other third-party websites related to prostate cancer.

Commonly Used Website Tracking Tools Violate HIPAA

These tracking tools are widely used by businesses of all types and sizes for marketing, advertising, and data collection purposes; however, in contrast to most businesses with an online presence, hospitals are HIPAA-covered entities and are required by federal law to ensure the privacy of personal and health information. As confirmed by the HHS’ Office for Civil Rights in December 2022 guidance, third-party tools that are capable of collecting and transmitting PHI may only be used if there is a business associate agreement (BAA) in place and the disclosure of PHI is permitted by HIPAA or if HIPAA-compliant authorizations have been obtained from patients. NYP, like many other HIPAA-covered entities that used these tools, had no BAAs in place with the tracking tool vendors and did not obtain consent from patients to disclose their PHI to those vendors.

The New York Attorney General determined that while NYP had policies and procedures relating to HIPAA compliance and patient privacy, they did not include appropriate policies and procedures for vetting third-party tracking tools. The New York Attorney General determined that the use of these tools violated § 164.502(a) of the HIPAA Privacy Rule, which prohibits disclosure of PHI, and § 164.530(c) and (i), which requires administrative, technical, and physical safeguards to protect the privacy of PHI and policies and procedures to comply with those requirements. NYP was also found to have violated New York Executive Law § 63 (12), by misrepresenting the manner and extent to which it protects the privacy, security, and confidentiality of PHI.

Settlement Agreed to Resolve Alleged Violations of HIPAA and State Laws

NYP fully cooperated with the investigation and chose to settle the alleged violations with no admission or denial of the findings of the investigation. In addition to the financial penalty, NYP has agreed to comply with Executive Law § 63 (12), General Business Law § 899-aa, and the HIPAA Privacy Rule Part 164 Subparts E and the HIPAA Breach Notification Rule 45 C.F.R. Part 164 Subpart D concerning the collection, use, and maintenance of PHI. NYP is also required to contact all third parties that have been sent PHI and request that information be deleted and NYP has agreed to conduct regular audits, reviews, and tests of third-party tools before deploying them to an NYP website or app, and conduct regular reviews of the contracts, privacy policies, and terms of use associated with third-party tools.

NYP is also required to clearly disclose on all websites, mobile applications, and other online services it owns or operates, all third parties that receive PHI as the result of a pixel, tag, or other online tool, and provide a clear description of the PHI that is received.  The notice must be placed on all unauthenticated web pages that allow individuals to search for doctors or schedule appointments, as well as any webpage that addresses specific symptoms or health conditions.

OCR’s guidance on tracking technologies is being challenged in court due to doubts about whether the types of information collected by tracking tools fall under the HIPAA definition of PHI. The requirements of the settlement concerning the use of tracking technologies and the restrictions imposed will remain in effect until the relevant sections of OCR’s guidance are amended, superseded, withdrawn, revoked, supplanted by successive guidance, or temporarily or permanently enjoined and/or rejected by a court ruling applicable to HIPAA-covered entities in New York.

“New Yorkers searching for a doctor or medical help should be able to do so without their private information being compromised,” said Attorney General James. “Hospitals and medical facilities must uphold a high standard for protecting their patients’ personal information and health data. New York-Presbyterian failed to handle its patients’ health information with care, and as a result, tech companies gained access to people’s data. Today’s agreement will ensure that New York-Presbyterian is not negligent in protecting its patients’ information.”

A spokesperson for NYP responded to the resolution of the investigation and provided the following statement, “We are pleased to have reached a resolution with the New York State Attorney General on this matter. The privacy and security of our patients’ health information is of paramount importance, and the protection of this confidential information remains a top priority. We continually assess our data collection, data privacy, and digital monitoring tools and practices so that they meet or exceed the highest standards.”

The post Website Pixel Use Leads to $300K Fine for New York Presbyterian Hospital appeared first on HIPAA Journal.

Compliancy Group Best Healthcare Compliance Software According to G2

Posted by Steve Alder

Compliancy Group has been named the best healthcare compliance software provider by G2 in its Winter 2023 Reports. G2, (formerly G2 Crowd) is the world’s largest and most trusted software marketplace. Each year, 80 million people visit the G2 peer-to-peer business software review website to read and write reviews of software and conduct research to inform purchase decisions. Each quarter, G2 releases Grid Reports to help technology buyers visualize the marketplace and identify companies that provide software solutions to meet their needs. The Grid Reports categorize companies as niche providers, contenders, high performers, and leaders based on their market presence and customer satisfaction scores. Leaders are companies that combine a strong market presence with high customer satisfaction scores.

In the Winter 2023 Reports, Compliance Group was named the best software company in the healthcare compliance software category. To qualify for inclusion in the healthcare compliance software category, a company must provide software that allows users to monitor, track, and update any changes to industry and/or governmental regulation and practice; facilitate the designation of compliance officers and committees; develop compliance-specific policies and procedures, including standards of conduct; facilitate open lines of communication; support appropriate and relevant compliance training and education; set up, track, and respond to detected compliance offenses; and support or offer internal monitoring, auditing, and measuring efforts.

98% of users of Compliancy Group’s Healthcare compliance software gave a 4- or 5-star rating and 96% of users believed the company to be heading in the right direction. 96% said that they would be likely to recommend the software. The company was recognized by G2 as being the easiest to do business with, a leader in the Americas, having the highest user adoption rate, and was also named as a momentum leader – a company that combines high satisfaction scores, with a strong digital presence, and strong employee growth.

Compliancy Group was also named a leader in the healthcare risk management category. To be included in the healthcare risk management software category, a company must support the creation and modification of healthcare risk management plans; provide risk surveillance tools; collect patient, provider, and operational data across the hospital; and comply with healthcare regulations such as HIPAA and HITECH. In this category, Compliancy Group achieved an average customer satisfaction score of 4.8 out of 5 and was ranked as the 2nd easiest healthcare risk management software to use.

The post Compliancy Group Best Healthcare Compliance Software According to G2 appeared first on HIPAA Journal.

Optum Medical Care of New Jersey Settles OCR HIPAA Right of Access Investigation

Posted by Steve Alder

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has agreed to settle alleged violations of the HIPAA Privacy Rule with Optum Medical Care of New Jersey for $160,000.

Optum Medical Care of New Jersey, formerly known as Riverside Medical Group and Riverside Pediatric Group, is a private multi-specialty physician group with approximately 150 locations in New Jersey and Southern Connecticut. In the Fall of 2021, OCR received six complaints from individuals who had not been provided with their records after sending a request to Optum Medical Care. The requests were to obtain a copy of an individual’s own records or requests from parents for copies of their minor children’s records.

The HIPAA Privacy Rule gives individuals the right to obtain a copy of their medical records and those of their minor children. When a request is received by a HIPAA covered entity, the records must be provided within 30 calendar days, although under certain limited circumstances, a 30-day extension is possible.

OCR launched an investigation in February 2022 in response to the complaints and determined that Optum Medical Care had exceeded the allowed timeframe for providing those records. The complainants had to wait between 84 days and 231 days to receive their requested records.

Optum Medical Care chose to settle the alleged violations and agreed to pay a $160,000 financial penalty and adopt a corrective action plan (CAP) that includes reviewing and revising its policies and procedures for individual access to PHI, providing training to the workforce on those new procedures, and ensuring that all patients are provided with their requested records within 30 days. In the event of a right of access request being denied, OCR must be informed and provided with documentation to support that denial. OCR will monitor Optum Medical Care for compliance with the CAP for a period of one year.

OCR launched its HIPAA Right of Access enforcement initiative in the fall of 2019, and this is the 46th investigation to result in a financial penalty. “Healthcare providers must make responding to parents’ or patients’ request for access to their medical records in a timely manner a priority,” said OCR Director Melanie Fontes Rainer. “Access to medical records is a fundamental right under HIPAA, and one for which OCR receives thousands of complaints each year.  This is the law—providers must proactively respond to record requests and ensure timely access.  Access to medical records empowers patients and their families to make decisions about their health care and improve their health overall. It is critical that providers follow the law.”

This is the 13th HIPAA enforcement action of 2023 to result in a financial penalty. In 2023, OCR has imposed $4,176,500 in financial penalties. The average penalty was $321,269 and the median penalty was $100,000.

OCR has also stated in its Healthcare Sector Cybersecurity Strategy that it is working with Congress to increase the penalties for HIPAA violations.

The post Optum Medical Care of New Jersey Settles OCR HIPAA Right of Access Investigation appeared first on HIPAA Journal.