Healthcare Data Privacy

February 2020 Healthcare Data Breach Report

There were 39 reported healthcare data breaches of 500 or more records in February and 1,531,855 records were breached, which represents a 21.9% month-over-month increase in data breaches and a 231% increase in breached records. More records were breached in February than in the past three months combined. In February, the average breach size was 39,278 records and the mean breach size was 3,335 records.

Largest Healthcare Data Breaches in February 2020

The largest healthcare data breach was reported by the health plan, Health Share of Oregon. An unencrypted laptop computer containing the records of 654,362 plan members was stolen from its transportation vendor in an office break in.

The second largest breach was a ransomware attack on the accounting firm BST & Co. CPAs which saw client records encrypted, including those of the New York medical group, Community Care Physicians. Aside from the network server breach at SOLO Laboratories, the cause of which has not been determined, the remaining 7 breaches in the top 10 were all email security incidents.

Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach Location of Breached PHI
Health Share of Oregon Health Plan 654,362 Theft Laptop
BST & Co. CPAs, LLP Business Associate 170,000 Hacking/IT Incident Network Server
Aveanna Healthcare Healthcare Provider 166,077 Hacking/IT Incident Email
Overlake Medical Center & Clinics Healthcare Provider 109,000 Hacking/IT Incident Email
Tennessee Orthopaedic Alliance Healthcare Provider 81,146 Hacking/IT Incident Email
Munson Healthcare Healthcare Provider 75,202 Hacking/IT Incident Email
NCH Healthcare System, Inc. Healthcare Provider 63,581 Hacking/IT Incident Email
SOLO Laboratories, Inc. Business Associate 60,000 Hacking/IT Incident Network Server
JDC Healthcare Management Healthcare Provider 45,748 Hacking/IT Incident Email
Ozark Orthopaedics, PA Healthcare Provider 15,240 Hacking/IT Incident Email

Causes of February Healthcare Data Breaches

Hacking/IT incidents dominated the breach reports, accounting for two thirds (66.67%) of all breaches reported in February and 54.78% of breached records (839,226 records). The average breach size was 32,277 records and the median breach size was 4,126 records. 80.76% of those incidents involved hacked email accounts.

There were 6 unauthorized access/disclosure incidents, four of which involved paper/films, one was an email incident and one involved a portable electronic device. 15,826 records were impermissibly disclosed in those incidents. The average breach size was 3,126 records and the median breach size was 2,548 records.

While there were only three theft incidents reported, they accounted for 42.78% of breached records. The average breach size was 327,696 records and the median breach size was 530 records.

There were two incidents involving lost paperwork containing the PHI of 5,904 patients and two improper disposal incidents involving paper files containing the PHI of 15,507 patients.

Location of Breached Protected Health Information

As the bar chart below shows, the biggest problem area for healthcare organizations is protecting email accounts. All but one of the email incidents were hacking incidents that occurred as a result of employees responding to phishing emails. The high total demonstrates how important it is to implement a powerful email security solution and to provide regular training to employees to teach them how to recognize phishing emails.

Breaches by Covered Entity Type

26 data breaches were reported by HIPAA-covered entities in February. The average breach size was 23,589 records and the median breach size was 3,229 records. Data breaches were reported by 8 health plans, with an average breach size of 83,490 records and a median breach size of 2,468 records.

There were 5 data breaches reported by business associates and a further 5 breaches that were reported by the covered entity but had some business associate involvement. The average breach size was 50,124 records and the median breach size was 15,010 records.

Healthcare Data Breaches by State

The data breaches reported in February were spread across 24 states. Texas was the worst affected with 4 breaches. Three data breaches were reported in Arkansas, California, and Florida. There were two reported breaches in each of Georgia, Indiana, Michigan, North Carolina, Virginia, and Washington. One breach was reported in each of Arizona, Hawaii, Illinois, Iowa, Maine, Massachusetts, Minnesota, Missouri, New Mexico, New York, Oregon, Pennsylvania, Tennessee, and Wisconsin.

HIPAA Enforcement Activity in February 2020

There was one HIPAA enforcement action reported in February. The HHS’ Office for Civil Rights announced that Steven A. Porter, M.D had agreed to pay a financial penalty of $100,000 to resolve a HIPAA violation case. The violations came to light during an investigation of a reported breach involving the practice’s medical records company, which Dr. Porter claimed was impermissibly using patient medical records by preventing access until payment of $50,000 was received.

OCR found that Dr. Porter had never conducted a risk analysis to identify risks to the confidentiality, integrity, and availability of ePHI. The practice had also not reduced risks to a reasonable and appropriate level, and policies and procedures to prevent, detect, contain, and correct security violations had not been implemented.

The post February 2020 Healthcare Data Breach Report appeared first on HIPAA Journal.

OCR Issues Guidance on Telehealth and HIPAA During Coronavirus Pandemic

Following on from the announcement from the HHS’ Office for Civil Rights that enforcement of HIPAA compliance in relation to the good faith provision of telehealth services during the COVID-19 nationwide public health emergency has been relaxed, OCR has issued guidance on telehealth and remote communications.

Telehealth is defined by the HHS’ Health Resources and Services Administration (HRSA) as “the use of electronic information and telecommunications technologies to support and promote long-distance clinical health care, patient and professional health-related education, and public health and health administration.” These services can be provided through the use of text, audio, or video via secure text messaging platforms, over the internet, using video conferencing solutions, or via landlines and wireless communications networks.

The Notification of Enforcement Discretion covers “All services that a covered health care provider, in their professional judgement, believes can be provided through telehealth in the given circumstances of the current emergency,” which includes the remote diagnosis and treatment of patients. The Notification of Enforcement Discretion only applies to “Penalties for violations of the HIPAA Privacy, Security, and Breach Notification Rules that occur in the good faith provision of telehealth during the COVID-19 nationwide public health emergency.”

OCR has confirmed that its Notification of Enforcement Discretion only applies to HIPAA-covered healthcare providers, not other HIPAA-covered entities that are not engaged in the provision of health care.

OCR explains that during the public health emergency, telehealth services can be provided to all patients, not only those that receive benefits under Medicare and Medicaid. Telehealth services can be provided to patients regardless of their health compliant, not only those with symptoms of COVID-19.

There is currently no expiration date for the Notification of Enforcement Discretion. This is a fluid situation and likely to be a long-term public health emergency. OCR will issue a public notice when the enforcement discretion no longer applies, and that decision will be based on circumstances and facts.

In the guidance OCR explains that telehealth services can be provided from healthcare facilities, including other clinics, offices, and from the home. To protect patient privacy, the services should be provided in a private setting where conversations cannot be overheard. Public locations and semi-public settings should be avoided, unless consent is given by patients or in exigent circumstances. In all cases, safeguards must be implemented to protect against incidental uses and disclosures of patients’ protected health information.

OCR has also provided clarification on the good faith and bad faith provision of telehealth services. The Notification of Enforcement Discretion only applies to good faith provision of telehealth services.

Bad faith provision of telehealth services includes:

  • Use of PHI for criminal purposes or furtherance of a criminal act
  • Uses of PHI transmitted during a telehealth communication for purposes not permitted by the HIPAA Privacy Rule e.g. sale of PHI; use of PHI for marketing purposes without first obtaining authorization
  • Violations of state licensing laws
  • Violations of professional ethical standards that would result in disciplinary action
  • The use of public-facing communications products

Public and Non-public Facing Communications Platforms

The Notification of Enforcement Discretion only applies to the use of non-public facing communications tools. These include HIPAA-compliant communications solutions, Facebook Messenger video, WhatsApp, Apple FaceTime, Skype, Google Hangouts video, and texting facilities within those applications. These non-public facing applications typically use end-to-end encryption, which helps to ensure PHI is not intercepted in transit. These solutions have access controls and give users control over certain aspects of communications, such as recording and muting conversations.

Public-facing communications platforms are not covered by the Notification of Enforcement Discretion and MUST NOT be used. These communications platforms have been developed to allow wide or indiscriminate access and are open to the public. Public-facing platforms include Facebook Live, Twitch, and TikTok, as well as chatroom platforms such as Slack.

You can view the OCR guidance on telehealth and HIPAA during the COVID-19 nationwide public health emergency on this link (PDF).

The post OCR Issues Guidance on Telehealth and HIPAA During Coronavirus Pandemic appeared first on HIPAA Journal.

Cybersecurity Firms Offer Free Assistance to Healthcare Organizations During the Coronavirus Pandemic

There have been several reported cases of cyberattacks on healthcare organizations that are currently working round the clock to ensure patients with COVID-19 receive the medical are they need. These attacks cause major disruption at the best of times, but during the COVID-19 outbreak the attacks have potential to cause even greater harm and place patient safety at risk.

Many phishing campaigns have been detected using COVID-19 as a lure, fear about the 2019 Novel coronavirus is being exploited to deliver malware, and more than 2,000 coronavirus and COVID-19-themed domains have been registered, many of which are expected to be used for malicious purposes.

One of the largest testing laboratories in the Czech Republic, Brno University Hospital, experienced a cyberattack forcing the shutdown of its computer systems. The attack also affected its Children’s Hospital and Maternity hospital and patients had to be re-routed to other medical facilities.

Cyberattacks have also experienced in the United States, with the Champaign-Urbana Public Health District of Illinois suffering a ransomware attack that affected its website, a source of important information for people about the coronavirus pandemic. A DDoS attack was also conducted on the U.S. Department of Health and Human Services.

Some Threat Groups are Stopping Ransomware Attacks on Healthcare Organizations

While the cyberattacks are continuing, it would appear than at least some threat actors have taken the decision not to attack healthcare and medical organizations currently battling to treat patients and deal with the COVID-19 outbreak.

BleepingComputer reached out to several ransomware gangs that have previously conducted attacks on healthcare organizations to find out if they plan on continuing to conduct attacks during the COVID-19 outbreak.

The threat group behind DoppelPaymer ransomware confirmed they do not tend to conduct attacks on hospitals and nursing homes but said if an error is made and a healthcare organization does have files encrypted, they will be decrypted free of charge. That offer has not been extended to pharmaceutical companies. The Maze ransomware gang has similarly stated that all activity against medical organizations will be stopped until the “stabilization of the situation with the virus.”

Cybersecurity Firms Offer Free Ransomware Assistance During Coronavirus Pandemic

Several cybersecurity firms have announced they are offering free support to healthcare providers that experience ransomware attacks during the coronavirus pandemic, including Emsisoft and Awake Security.

Emsisoft helps ransomware victims recover their files when the decryptors provided by the attackers fail. Coveware is an incident response company that helps ransomware victims negotiate with hackers if the decision is taken to pay the ransom. The two firms will be partnering to help hospitals and other healthcare providers recover if they experience a ransomware attack. The services being provided free of charge include a technical analysis of a ransomware attack, the development of a decryption tool, if possible, and negotiation, transaction handing, and recovery assistance. Emsisoft will also develop a custom decryption tool to replace the one provided by the attackers, which will have a greater chance of success and will lower the probability of file loss.

Awake Security has announced that hospitals and other healthcare providers responding to the coronavirus pandemic will be provided with free access to its security platform for 60 days, with the possibility of an extension.

“As more IT and security workers have to operate remotely, we feel strongly that it is our moral duty to ensure the security of the infrastructure they protect,” said Rahul Kashyap, CEO, Awake Security. “We are glad to see many in the security industry step up to tackle this global crisis, and we hope others will join us in the #FightCOVID19 pledge.”

The platform monitors networks and detects threats from non-traditional computing devices, remote users logging in via VPNs, and the core and perimeter networks. The offer also includes free access to its Managed Detection and response solution which provides ongoing threat monitoring, proactive intelligence-driven threat hunting, and access to Awake Security support services.

Akamai is providing 60 days of free access to its Business Continuity Assistance Program, 1-Password has removed its 30-day free trial limit for business accounts, SentinelOne is offering free endpoint protection and endpoint detection until May 16, 2020, and Cyber Risk Aware is providing free COVID-19 phishing tests for businesses to help them prepare the workforce for coronavirus-themed phishing attacks. To support COVID-19-related healthcare communications, TigerConnect has made its secure healthcare communications platform available free of charge in the United States.

The post Cybersecurity Firms Offer Free Assistance to Healthcare Organizations During the Coronavirus Pandemic appeared first on HIPAA Journal.

HIPAA Compliance and COVID-19 Coronavirus

HIPAA covered entities – healthcare providers, health plans, healthcare clearinghouses – and business associates of covered entities no doubt have many questions about HIPAA compliance and COVID-19 coronavirus cases. There may be confusion about the information that can be shared about individuals who have contracted COVID-19 and those suspected of exposure to the 2019 Novel Coronavirus, and with whom information can be shared.

HIPAA Compliance and the COVID-19 Coronavirus Pandemic

There is understandably concern about HIPAA compliance and the COVID-19 Coronavirus pandemic and how the HIPAA Privacy Rule and Security Rule apply. In the age of HIPAA, no disease outbreak on this scale has ever been experienced.

It is important to remember that during a public health emergency such as a disease outbreak, and this applies to HIPAA compliance and COVID-19, that the HIPAA Privacy and Security Rules still apply. The HIPAA Security Rule ensures the security of patients’ protected health information (PHI) and requires reasonable safeguards to be implemented to protect PHI against impermissible uses and disclosures. The HIPAA Privacy Rule restricts the uses and disclosures of PHI to those related to treatment, payment, and healthcare operations.

When public health emergencies are declared, it is common for the Secretary of the HHS to issue partial HIPAA waivers in affected areas. In such cases, certain provisions of the HIPAA Privacy Rule are waived for a period of 72 hours from the moment a HIPAA-covered entity institutes its disaster protocol. As of March 16, 2020, no HIPAA waivers have been declared by the Secretary of the HHS. Even without a HIPAA waiver, the HIPAA Privacy Rule permits responsible uses and disclosures of patients’ PHI.

OCR released a bulletin about the 2019 Novel Coronavirus in February 2020 confirming how patient information may be shared under the HIPAA Privacy Rule during emergency situations, such as the outbreak of an infectious disease, a summary of which is detailed below.

Permitted Uses and Disclosures of PHI in Emergencies

PHI can be disclosed without first receiving authorization from a patient for treatment purposes, including treating the patient or treating other patients. Disclosures are also permitted for coordinating and managing care, for patient referrals, and consultations with other healthcare professionals.

With a disease such as COVID-19, it is essential for public health authorities to be notified as they will need information in order to ensure public health and safety. It is permissible to share PHI with public health authorities such as the Centers for Disease Control and Prevention (CDC) and others responsible for ensuring the safety of the public, such as state and local health departments. These disclosures are necessary to help prevent and control disease, injury, and disability. In such cases, PHI may be shared without obtaining authorization from a patient.

Disclosures of PHI are also permitted to prevent and lessen a serious and imminent threat to a specific person or the public in general, provided that such disclosures are permitted by other laws. Such disclosures do not require permission from a patient. In such cases, these disclosures are left to the discretion and professional judgement of healthcare professionals about the nature and the severity of the threat.

Disclosures of Information to Individuals Involved in a Patient’s Care

The HIPAA Privacy Rule permits disclosures of PHI to individuals involved in the care of a patient such as friends, family members, caregivers, and other individuals that have been identified by the patient.

HIPAA covered entities are also permitted to share patient information in order to identify, locate, and notify family members, guardians, and other individuals responsible for the patient’s care, about the patient’s location, general condition, or death. That includes sharing information with law enforcement, the press, or even the public at large.

In such cases, verbal permission should be obtained from the patient prior to the disclosure. A healthcare professional must otherwise be able to reasonably infer, using professional judgement, that the patient does not object to a disclosure that is determined to be in the best interest of the patient.

Information may also be shared with disaster relief organizations that are authorized by law or charters to assist in disaster relief efforts, such as for coordinating the notification of family members or other persons involved in the patient’s care about the location of a patient, their status, or death.

The HIPAA Minimum Necessary Standard Applies

Aside from disclosures by healthcare providers for the purpose of providing treatment, the ‘minimum necessary’ standard applies. Healthcare professionals must make reasonable efforts to ensure that any PHI disclosed is restricted to the minimum necessary information to achieve the purpose for which the information is being disclosed.

When information is requested by a public health authority or official, covered entities can rely on representations from the public health authority or official that the requested information is the minimum necessary amount, when that reliance is reasonable under the circumstances.

Disclosures About COVID-19 Patients to the Media

HIPAA does not apply to disclosures by the media about infections, but HIPAA does apply to disclosures to the media by HIPAA-covered entities and their business associates. In such cases, the HIPAA-covered entity or business associate can provide limited information if a request is made about a patient by name. The information disclosed should be limited to the general condition of the named patient and their location in the facility, provided the disclosure is consistent with the patient’s wishes. The status of the patient should be described in terms such as undetermined, good, fair, serious, critical, treated and released, treated and transferred, or deceased.

All other information may not be disclosed to the media or any individual not involved in the care of a patient without first obtaining written consent from the patient in question.

Disclosures of Information About COVID-19 by Non-HIPAA Covered Entities

It is worth noting that HIPAA only applies to HIPAA-covered entities, business associates of HIPAA-covered entities, and subcontractors of business associates. There are no restrictions on disclosures of information about the 2019 Novel Coronavirus and COVID-19 by other entities; however, while HIPAA may not apply, other federal and state laws may do.

HIPAA would therefore not apply when an employee tells an employer they have contracted COVID-19 or are self-isolating because they are displaying symptoms of COVID-19. HIPAA would apply if an employer is informed about an employee testing positive, if the employer is notified about the positive test by the employer’s health plan.

Further Information on HIPAA Compliance and the COVID-19 Coronavirus Pandemic

In response to this emergency, HIPAA Journal has worked with Compliancy Group to set up a free hotline for any questions you have related to the response to HIPAA compliance during coronavirus crisis: (800) 231-4096

Background Information on the SARS-CoV-2 Pandemic and COVID-19

The 2019 Novel Coronavirus has been named Severe Acute Respiratory Syndrome Coronavirus 2 (SARS-CoV-2) and causes Coronavirus Disease 2019 (COVID-19). The virus was first identified in November and originated in Wuhan, in the Hubei province of China. The Chinese government took steps to control the spread of the virus, but it was not possible to contain, and it spread around globe.

The World Health Organization (WHO) declared the outbreak a public health emergency of international concern on January 30, 2020. Following the WHO declaration, HHS Secretary Alex Azar declared the SARS-CoV-2 outbreak a public health emergency for the United States. WHO declared the outbreak a pandemic on March 11, 2020 and on March 13, 2020, President Trump declared COVID-19 a national emergency.

SARS-CoV-2 is highly infectious, and COVID-19 has a high mortality rate. The mortality rate is difficult to determine many people infected with SARS-CoV-2 only have relatively mild symptoms and do not seek medical help. Testing has been erratic initially in many locations and tests have been in short supply. Based on the limited data available, the mortality rate ranges from less than 1% to 7%. In early March, WHO estimated a mortality rate of 3.4%; however, the data on which these figures are based may be inaccurate and this is an evolving situation.

One of the main factors that has contributed to the rapid spread of SARS-CoV-2 is the long incubation period before symptoms are experienced, during which time infected individuals can spread the virus. It can take up to 14 days before infected individuals start displaying symptoms. The median incubation time is 10 days.

This is a rapidly changing situation that is likely to get considerably worse until the spread of the disease can be curbed. In the absence of a vaccine to provide protection, steps need to be taken by the entire population to limit exposure and prevent the spread of the disease.

There has been significant progress towards a vaccine in a short space of time. Some pharma firms having already developed potential vaccines, but they now need to be tested for safety on humans in clinical trials. Even if the process can be fast tracked, it is unlikely that a vaccine will be available before 2021.

The post HIPAA Compliance and COVID-19 Coronavirus appeared first on HIPAA Journal.

University of Kentucky and UK HealthCare Impacted by Month-Long Cryptominer Attack

The University of Kentucky (UK) has been battling to remove malware that was downloaded on its network in February 2020. Cybercriminals gained access to the UK network and installed cryptocurrency mining malware that used the processing capabilities of UK computers to mine Bitcoin and other cryptocurrencies.

The malware caused a considerable slowdown of the network, with temporary failures of its computer system causing repeated daily interruptions to day to day functions, in particular at UK healthcare.

UK believes the attack was resolved on Sunday morning after a month-long effort. On Sunday morning, UK performed a major reboot of its IT systems – a process that took around 3 hours. UK believes the attackers have now been removed from its systems, although they will be monitoring the network closely to ensure that external access has been blocked. The attack is believed to have originated from outside the United States.

UK Healthcare, which operates UK Albert B. Chandler Hospital and Good Samaritan Hospital in Lexington, KY, serves more than 2 million patients. While computer systems were severely impacted at times, patient care was not affected and patient safety was not put at risk.

An internal investigation was launched and third-party computer forensics specialists were engaged to assist with the investigation. University spokesman Jay Blanton said it is hard to determine whether any sensitive data was viewed or downloaded. The belief is that the malware attack was solely conducted to hijack the “vast processing capabilities” of the UK network to mine cryptocurrency.

UK has taken steps to improve cybersecurity, including installing CrowdStrike security software. More than $1.5 million has been spent ejecting the hackers from the network and bolstering security.

Arkansas Children’s Hospital Reboots Systems to Deal with ‘Cybersecuirty Threat’

Arkansas Children’s Hospital in Little Rock has experienced a cyberattack that has impacted Arkansas Children’s Hospital and Arkansas Children’s Northwest. Its IT systems have been rebooted in an attempt to deal with the cyberthreat and a third-party digital forensics firm has been engaged to assist with the investigation.

The exact nature of the threat has not yet been disclosed and it is currently unclear when the attack will be resolved. All facilities are continuing to provide medical services to patients, but some non-urgent appointments may have to be rescheduled.

The investigation into the attack is ongoing, but at this stage, no evidence has been found to suggest patient information has been affected.

The post University of Kentucky and UK HealthCare Impacted by Month-Long Cryptominer Attack appeared first on HIPAA Journal.

53% of Healthcare Organizations Have Experienced a PHI Breach in the Past 12 Months

The 2019 Global State of Cybersecurity in Small and Medium-Sized Businesses Report from Keeper Security shows approximately two thirds of healthcare organizations have experienced a data breach in the past and 53% have experienced a breach of protected health information in the past 12 months.

The survey was conducted by the Ponemon Institute on 2,391 IT and IT security professionals in the United States, United Kingdom, DACH, Benelux, and Scandinavia, including 219 respondents from the healthcare industry.

Keeper Security reports indicates the average healthcare data breach results in the exposure of more than 7,200 confidential records and the average cost of a healthcare data breach is $1.8 million, including the cost of disruption to normal operations. The most common causes of healthcare data breaches are phishing attacks (68%), malware infections (41%), and web-based attacks (40%).

Healthcare data breaches have increased considerably in the past few years. Even though there is a high risk of an attack, healthcare organizations do not feel that they are well prepared. Only one third of IT and IT security professionals in the healthcare industry said they had enough budget to mount a strong defense to prevent cyberattacks. 90% of healthcare organizations devote less than 20% of their IT budget to cybersecurity, with an average allocation of just 13%. 87% said they did not have the personnel to achieve a more efficient cybersecurity posture. Even though emergency planning is a requirement of HIPAA, less than one third of respondents said they had a plan for responding to cyberattacks.

When asked about the importance of passwords for preventing data breaches, 66% of healthcare organizations agreed that good password security was an important part of their security defenses, but fewer than half of surveyed organizations have visibility into the password practices of their employees.

A second study conducted by the Ponemon Institute, on behalf of Censinet, shows healthcare vendors are also being targeted and are struggling to defend against cyberattacks. That survey revealed 54% of healthcare vendors have experienced at least one data breach in the past, and 41% of those respondents have experienced six or more data breaches in the past 2 years. For healthcare vendors, the average size of a data breach is over 10,000 records and the average cost of a breach is $2.75 million

When healthcare vendors experience a data breach it is common for customers to take their business elsewhere. 54% of healthcare vendors said a single data breach would result in a loss of business and 28% of healthcare vendors said they lost a customer when security gaps were discovered.

It is common for security gaps to go unnoticed, as 42% of respondents said healthcare providers do not require them to provide proof they are in compliance with privacy and data protection regulations. Even when security gaps are discovered, 41% of healthcare vendor respondents said they were not required to take any action.

Risk assessments are a requirement of HIPAA, but they are costly and time consuming to perform. Vendors spend an average of $2.5 million a year conducting risk assessments, but only 44% believe risk assessments improve their security posture which Censinet believes could be due to 64% of vendors finding risk assessments confusing and ambiguous.

59% of healthcare vendors said risk assessments become out of date within 3 months of being conducted, yet only 18% of respondents said their healthcare clients require them to complete risk assessments more than once a year.

“According to the research, 55 percent of vendors say that these certifications do not provide enough value for the cost, while 77 percent indicate challenges with the certification process, including respondents who believe it is too time-consuming, too costly and too confusing.” The solution could be automation. 61% of vendors believe workflow automation would streamline the risk assessment process and 60% believe workflow automation would reduce the cost of risk assessments by up to 50%.

The post 53% of Healthcare Organizations Have Experienced a PHI Breach in the Past 12 Months appeared first on HIPAA Journal.

Protecting Jessica Grubbs Legacy Act Reintroduced by Sens. Manchin and Capito

The Protecting Jessica Grubbs Legacy Act (S. 3374) has been reintroduced by Senators Joe Manchin (D-W.V.) and Shelley Moore Capito (R-W.V.). The Protecting Jessica Grubbs Legacy Act aims to modernize the 45 CRF Part 2 regulations to support the sharing of substance abuse disorder treatment records and improve care coordination.

42 CFR Part 2 regulations restrict the sharing of addiction records, which makes it very difficult for information to be shared about patients who are recovering from substance abuse disorder. Currently 45 CFR Part 2 regulations only permit substance abuse patients themselves to decide who has access to their full medical history. While the sharing of highly sensitive information about a patient’s history of substance abuse disorder and treatment is intended to protect the privacy of patients and ensure they are protected against discrimination, not making that information available to doctors can have catastrophic consequences, as happened with Jessica Grubbs.

Jessica Grubbs was recovering from substance abuse disorder when she underwent surgery. The discharging doctor prescribed oxycodone and Grubbs returned home with 50 oxycodone pills. She later died of an overdose. If the discharging doctor was made aware that Grubbs had a history of substance abuse disorder, a different medication could have been prescribed.

Medical providers are responsible for providing care to patients, but without access to their full medical histories, they are doing so blind. It is difficult for medical providers to make correct decisions about patients’ care if they only have access to incomplete medical records.

The Protecting Jessica Grubbs Legacy Act was introduced to ensure medical providers have access to all the necessary information, so they do not accidentally give opioid drugs to patients in recovery from substance abuse disorder. The Protecting Jessica Grubbs Legacy Act will help to ensure tragedies such as the death of Jessica Grubbs are prevented.

“No family or community should ever have to go through the senseless and preventable tragedy that Jessica Grubbs and her family had to endure,” said Sen. Manchin. “This bipartisan bill is essential to combating the opioid epidemic and ensuring that these painful deaths are prevented.”

Healthcare industry stakeholders have been pushing for changes to 42 CFR Part 2 regulations for several years and Congress has been petitioned to make changes to the regulations. In 2019, the National Association of Attorneys General wrote to House and Senate leaders calling for changes to the regulations, which were called cumbersome and out of date. 39 state attorneys general signed the letter. The HHS also proposed changes to 45 CFR Part 2 last year to align the regulations more closely with HIPAA.

The reintroduced Protecting Jessica Grubbs Legacy Act includes several revisions to the original act, S. 1012, which was introduced in April 2019. The language of the bill has been changed to require a patient to give their affirmative, written consent to opt-in before their information may be shared. An educational component has also been added that requires patients to be informed about exactly what they are consenting to before a final determination. An opt-out clause has also been added that allows patients to opt out and rescind their consent at any time. The revised Protecting Jessica Grubbs Legacy Act also calls for Part 2 regulations to be aligned more closely with HIPAA.

To ensure the privacy of patients is protected, enhancements have been made to current protections to prevent discrimination in relation to access to treatment, termination of employment, receipt of worker’s compensation, rental housing, and federal, state, and local government social services benefits.

The Secretary of the Department of Health and Human Services will be directed to consult with appropriate legal, clinical, privacy, and civil rights experts when updates are made to the Code of Federal Regulations to implement the changes proposed in the bill.

“This is an ideal compromise that alleviates the roadblocks to care coordination, while providing strong protections, and more importantly providing those suffering with substance use disorder, more comfortable in knowing they can share medical records in a protected manner and enforced with real penalties to prevent misuse of sensitive medical information,” said Sen. Manchin in a statement.

The revised bill has received considerable support from industry stakeholders and the bill has been co-sponsored by Sens. Sheldon Whitehouse (D-R.I), Kevin Cramer (R-N.D.), Dianne Feinstein (D-Calif.), Doug Jones (D-Ala.), Chris Murphy (D-Conn.), Thom Tillis (R-N.C.), Susan Collins (R-Maine), Kamala Harris (D-Calif.), Bill Cassidy (R-La.), Amy Klobuchar (D-Minn.), and Jeff Merkley (D-Ore.).

The post Protecting Jessica Grubbs Legacy Act Reintroduced by Sens. Manchin and Capito appeared first on HIPAA Journal.

Senators Demand Answers from Ascension About Project Nightingale as Google’s Response was Deemed Incomplete

Following the revelation that a considerable volume of patient data had been shared with Google by the Catholic health system Ascension, the second largest health system in the United States, concern was raised about the nature of the partnership.

Ascension operates 150 hospitals and more than 2,600 care facilities in 20 states and the District of Columbia and has more than 10 million patients. In November 2019, a whistleblower at Google passed information to the Wall Street Journal on the nature of the collaboration and claimed that patient data, including patient names, dates of birth, lab test results, diagnoses, health histories and other protected health information, had been shared with Google and was accessible by more than 150 Google employees.

In response to the story, Google announced that the partnership, named Project Nightingale, was a cloud migration and data sharing initiative. Ascension is migrating its data warehouse and analytics infrastructure to the Google Cloud and will be using Google’s G Suite productivity suite. Patient data was being used by Google’s AI and machine learning technologies with the purpose of improving clinical quality and patient safety.

Google and Ascension both unissued statements confirming that there was a business associate agreement in place and data was being shared in a manner compliant with Health Insurance Portability and Accountability Act (HIPAA) Rules and health data was not being used for purposes other than those stated in its BAA. Several investigations were launched to determine the nature of the agreement between both companies, with the HHS’ Office for Civil Rights opening an investigation into both companies to determine whether HIPAA Rules were being adhered to.

Three U.S. senators – Sen. Bill Cassidy, M.D., (R-LA), Elizabeth Warren (D-MA), and Richard Blumenthal (D-CT) – wrote to Google demanding answers about the collaboration. Google responded and explained that data was shared in accordance with HIPAA Rules, that only a limited number of employees have access to that data, that access controls are in place to prevent unauthorized access, and any individual required to access health data is set permissions based on their role and job function.

Google also explained that Ascension’s data is logically isolated from other customers and confirmed that the data was only being used for an EHR search pilot program that would provide physicians and nurses with a unified view of patient data from multiple EHR systems. The EHR search tool will allow medical staff to search data in EHRs faster and effectively query medical records using words and abbreviations commonly used in healthcare. Google confirmed that medical records were not being used for secondary purposes, such as identifying services for specific individuals or to send them targeted advertisements.

The senators believe the answers provided by Google are incomplete. On Monday, they wrote to Ascension demanding answers about Project Nightingale and the patient data shared with Google. “Google’s response did not answer a number of our questions pertaining to Ascension’s involvement, we are requesting additional details from Ascension to help us better understand how Project Nightingale protects the sensitive health information of American patients,” explained the senators.

The senators want to know how many records have been shared with Google, the exact nature of the information that was shared, if there have been any breaches of the shared data, and whether patients were notified that their PHI would be shared with Google and if they were given the opportunity to opt out.

“It’s critical lawmakers receive comprehensive information about Project Nightingale, which serves as a case study of Google’s more extensive foray into electronic health records,” explained the senators in the letter. “While improving the sharing, accessibility, and searchability of health data for providers could almost certainly lead to improvements in care, the role of Google in developing such a tool warrants scrutiny.”

The post Senators Demand Answers from Ascension About Project Nightingale as Google’s Response was Deemed Incomplete appeared first on HIPAA Journal.

IT Weaknesses at the National Institutes of Health Placed EHR Data at Risk

An audit of the National Institutes of Health (NIH) conducted by the Department of Health and Human Services’ Office of Inspector General (OIG) has revealed technology control weaknesses in the NIH electronic medical records system and IT systems that placed the protected health information of patients at risk.

NIH received $5 million in congressional appropriations in FY 2019 to conduct oversight of NIH grant programs and operations. Congress wanted to ensure that cybersecurity controls had been put in place to protect sensitive data and determine whether NIH was in compliance with Federal regulations.

The audit was conducted on July 16, 2019 by CliftonLarsonAllen LLP (CLA) on behalf of OIG to determine the effectiveness of certain NIH information technology controls and to assess how NIH receives, processes, stores, and transmits Electronic Health Records (EHR) within its Clinical Research Information System (CRIS), which contained the EHRs of patients of the NIH Clinical Center.

NHS has approximately 1,300 physicians, dentists and PhD researchers, 830 nurses, and around 730 allied healthcare professionals. In 2018, the Clinical Center had more than 9,700 new patients, over 4,500 inpatient admissions, and over 95,000 outpatient visits.

CLA found NIH had implemented controls to ensure the confidentiality, integrity, and availability of health data contained in its EHR and information systems, but those measures were not working effectively. Consequently, data in its EHR system and information systems could potentially have been accessed by unauthorized individuals and data was at risk of impermissible disclosure, disruption, modification, and destruction.

The National Institute of Standards and Technology (NIST) recommends primary and alternate EHR processing sites should be geographically separated. The geographical separation reduces the risk of unintended interruptions and helps to ensure critical operations can be recovered when prolonged interruptions occur. OIG found the primary and alternate sites were located in adjacent buildings on the NIH campus. If a catastrophic event had occurred, there was a high risk of both sites being affected.

The hardware supporting the EHR system was either approaching end of life or was on extended support. Four servers were running a Windows operating system that Microsoft had stopped supporting in 2015. NIH had paid for extended support which ran until January 2020, but OIG found there was no effective transition plan. OIG also found that NIH was not deactivating user accounts in a timely manner when employees were terminated or otherwise left NIH. 19 out of 26 user accounts that had been inactive for more than 365 days had not been deactivated, the accounts of 9 out of 61 terminated users were still active, and 3 out of 25 new CRIS users had changed their permissions without a form being completed justifying the change.

NIH informed CLA that it had delayed software upgrades until system upgrades were completed. NIH was in the process of upgrading its hardware at the time of fieldwork in anticipation of upgrades to CRIS. Software updates were due to be performed after the hardware upgrade had been completed.

NIH had implemented an automated tool to scan for inactive accounts and delete them, but the tool had not been fully implemented at the time of fieldwork. There were issues with the tool, such as problems tracking individuals who changed departments.

OIG recommended implementing an alternate processing site in a geographically distinct location and to take action to mitigate risks associated with the current alternative site until the new site is established. Policies and procedures should be implemented to ensure that software is upgraded prior to end of life, and NIH must ensure that its automated tool is functioning as intended. NIH concurred with all recommendations and has described the actions that have been and will be taken to ensure the recommendations are implemented.

The post IT Weaknesses at the National Institutes of Health Placed EHR Data at Risk appeared first on HIPAA Journal.