Healthcare Data Privacy

Senator Seeks Information on How to Improve Health Data Privacy

Posted by Steve Alder

Senator Bill Cassidy (R-LA), ranking member of the U.S. Senate Committee on Health, Education, Labor, and Pensions (HELP), is seeking feedback on how health data privacy can be improved while also supporting the need for medical research.

Over the past few years there has been a proliferation of new technologies that collect, store, and transmit health information, including wearable devices, smart devices, and health and wellness apps. These technologies have enabled better care and greater patient access to health information, but the health data collected, stored, and transmitted via these technologies largely falls outside the protection of HIPAA.

Senator Cassidy’s request for information seeks feedback from stakeholders on ways of improving health data privacy, especially data collected using technologies that were not in use in 1996 when the Health Insurance Portability and Accountability Act (HIPAA) was signed into law, and whether HIPAA needs to be modernized and expanded to cover data collected by non-HIPAA-regulated entities.

Senator Cassidy asks general privacy questions, such as what should be considered as health data and whether the term should only apply only to data covered by HIPAA, whether other types of health data should be treated differently, and which entities that are not currently classed as HIPAA-regulated entities should be accountable for handling health data and whether they should have a duty of loyalty to consumers/patients.

Senator Cassidy acknowledges that new regulations are likely to have implementation challenges and seeks feedback on ways that health data privacy can be improved without creating too great a burden, such as restricting the duty of loyalty based on the sensitivity of the collected data. He also seeks information from stakeholders on how well the HIPAA framework is currently working, whether HIPAA should be updated, the challenges legislative reforms of HIPAA would create, and how health data sharing can be structured, given the current patchwork of legal frameworks in different states.

Information is requested on biometric data, genetic information, and location data, and whether these types of information should be included in a new definition of health data, and what the obligations should be for collecting and safeguarding these types of data.

Consent should be obtained from consumers before health data is collected and data minimization is necessary to limit the information collected to what is reasonably necessary. Feedback is requested on how this can be achieved, how data practices should be communicated to consumers, whether consumers should have the right to request non-HIPAA-covered data be deleted, and if there should be an opt-in or opt-out method of data collection for health data not covered by HIPAA.

Feedback is also sought on the challenges that have been experienced in complying with the data privacy frameworks that have been implemented in 9 states since 2018, and whether any lessons have been learned as states have implemented these frameworks for the governance of health data.

Any new regulations or updates to HIPAA will need to be enforced, and that is also likely to create challenges. Currently, the HHS’ Office for Civil Rights is the main enforcer of HIPAA and has made it clear that it is operating under severe financial restraints and has a large backlog of investigations. The Federal Trade Commission has oversight of health data collected by non-HIPAA-covered entities and has recently taken action over breaches of health data. Suggestions are sought on how updates to HIPAA and new health data regulations should be enforced, and the role different agencies should have in enforcement.

Stakeholders have been given until September 28, 2023, to submit their responses.

The post Senator Seeks Information on How to Improve Health Data Privacy appeared first on HIPAA Journal.

OCR, FTC Publish Online Tracking Technology Warning Letters

Posted by Steve Alder

The Department of Health and Human Services’ Office for Civil Rights (OCR) and the Federal Trade Commission (FTC) have published the letters that were sent to hospital systems and telehealth providers in July 2023 advising them about the privacy risks associated with website tracking technologies such as Meta Pixel and Google Analytics.

The widespread use of these tools on hospital websites and the risk of impermissible disclosures of protected health information (PHI) prompted OCR to issue guidance for HIPAA-regulated entities in December 2022. OCR stated in the guidance that these tools are not permitted under HIPAA unless consent is obtained via HIPAA authorizations or if there is a valid business associate relationship with the technology provider and a corresponding HIPAA-compliant business associate agreement (BAA). The FTC has also taken an interest in these tools and has taken action against non-HIPAA-regulated entities for alleged violations of the FTC Act and the FTC’s Health Breach Notification Rule with respect to tracking technologies.

The July 2023 letters explain that serious privacy and security risks have been identified with online tracking technologies and the recipients of the letters were warned that their websites and mobile applications may have these tracking tools in place that could be disclosing consumers’ sensitive personal health information to third parties. The types of information disclosed would depend on where the tracking technologies have been added. If they have been added to appointment scheduling apps or behind the logins of patient portals they could disclose highly sensitive information to third parties such as health conditions, diagnoses, medications, treatment information, treatment locations, frequency of visits, and more, along with identifiers that link that information to individuals. The disclosed information could be used by third parties for advertising purposes and could potentially result in identity theft, financial loss, discrimination, stigma, mental anguish, or other serious negative consequences to the reputation, health, or physical safety of the individual or to others.

The recipients of the letters, which include a diverse range of HIPAA-regulated entities and non-HIPAA-covered entities that collect health information, have been advised to review OCR and FTC guidance, assess the extent to which tracking technologies are in use, and ensure they are fully protecting the privacy and security of individuals’ health information.

The recipients of the letters have now been made public in the 387-page PDF document jointly published by OCR and FTC on their websites. While OCR and the FTC had reason to issue the letters to these organizations, receipt of a letter does not mean that tracking technologies are currently being used or HIPAA, the FTC Act, or the Health Breach Notification Rule have been violated. The recipients of the letters are listed below.

ADHD Online, MI DearBrightly, CA Kick Health, WA Peace Health, WA Strut Health, TX
Advocate Aurora Health, WI Done, CA KwikMed, AZ Penn Medicine Chester County Hospital, PA Talkiatry, NY
Alfie, NY Dorsal, NY LCMC Health System, LA Penn Medicine, PA Talkspace, NY
Alpha, CA Duke University Health System, NC Lemonaid, CA Picnic, NY Tampa General Hospital, FL
Apostrophe, CA El Camino Hospital, CA Loyola Medicine, IL Piedmont Healthcare, GA Texas Health Resources, TX
Array Behavioral Care, NJ Eleanor Health, MA Mantra Health, NY Plume, CO The Wellness Company, RI
Ascension, MO Elektra Health, NY Marshall Medical Center, CA PRJKT RUBY, AZ Thomas Jefferson Hospital, PA
Barnes-Jewish Hospital, MO Everlywell, TX MedStar Health, MD Push Health, CA Tufts Medical Center, MA
Barton Healthcare System, CA Facet, NY Memorial Healthcare System, FL QCare Plus, FL UC Davis Health, CA
Beaumont Health System, MI Favor, CA MemorialCare Long Beach Medical Center, CA Quick MD, CA UCLA Reagan Medical Center, CA
Bellin Health, WI Folx, MA Mercy Medical Center, MD Relief Labs, Inc. d/b/a Clearing, NY UCSF Office of Legal Affairs, CA
Bicycle Health, MA Found, CA Middlesex Health, CT Remedy Psychiatry, CA UnityPoint Health, IA
Bon Secours Mercy Health, OH Froedtert Hospital and the Medical College of Wisconsin, WI Mindbloom, FL Renown Health, NV University Hospitals Cleveland Medical Center, OH
Boulder Care, OR Gennev, WA Minded, NY Riverside Health System, VA University of Chicago Medicine, IL
Brigham and Women’s Faulkner Hospital, MA Grady Health System, GA Mistr, FL Rochester Regional Health, NY University of Iowa Hospitals and Clinics, IA
Brightline, CA Henry Ford Hospital, MI MultiCare Health System, WA Roman, NY University of Kansas Health System, KS
Brightside, CA Hers, CA Musely, CA Rush University Medical Center, IL University of Pittsburgh Medical Center, PA
Calibrate, NY Hims, CA My Ketamine Home, FL Salem Health, OR University of Texas Southwestern Medical Center, TX
CallonDoc, TX Hone Health, NY Nemours Children’s Health, FL Sanford USD Medical Center, SD University of Vermont Health Network, VT
Cedars-Sinai Medical Center, CA Honor Health, AZ New York Presbyterian Hospital, NY Sarasota Memorial Health Care System, FL Wexner Medical Center, OH
Chesapeake Regional Healthcare, VA Houston Methodist, TX Northwestern Medicine Central DuPage Hospital, IL Scripps Memorial Hospital La Jolla – Scripps Health, CA Willis-Knighton Health System, LA
Children’s Wisconsin, WI Inova Health System, VA Northwestern Memorial Healthcare, IL Sharp Healthcare, CA Wisp, CA
Cone Health, NC Invigor Medical, WA Nue Life, FL Sparrow Health Systems, MI Wondermed, CA
Cove, NY Johns Hopkins Hospital, MD Nurx, CA St. Joseph Mercy Health System, MI Workit, FL
Covenant Health, TN K Health, NY Oar, NY St. Luke’s Health System, ID Yale New Haven Health, CT
Curology, CA Keeps, NY Ophelia, NY St. Tammany Health System, LA

The post OCR, FTC Publish Online Tracking Technology Warning Letters appeared first on HIPAA Journal.

July 2023 Healthcare Data Breach Report

Posted by Steve Alder

There was a 15.2% fall in reported data breaches in July with 56 breaches of 500 or more records reported to the HHS’ Office for Civil Rights (OCR), which makes July an average month for data breaches. Over the past 12 months, 57 breaches have been reported each month on average; however, July was not an average month in terms of the number of compromised records.

There was a 261% month-over-month increase in breached records in July, with 18,116,982 records breached across the 56 reported incidents. The incredibly high total was due to a major data breach at HCA Healthcare that saw the records of 11,270,000 individuals compromised.

The figures this month bring the running breach total for 2023 up to 395 incidents, across which the records of 59,569,604 individuals have been exposed or stolen. The average breach size for 2023 is 150,809 records and the median breach size is 4,209 records. Over the past 12 months, more than 81.76 million records have been breached across 683 incidents.

Largest Healthcare Data Breaches Reported in July

HCA Healthcare is a Nashville, TN-based health system that operates 182 hospitals and around 2,300 sites of care. Hackers gained access to an external electronic storage facility that was used by a business associate for automating the formatting of email messages, such as reminders sent to patients about scheduling appointments. While the breach was one of the largest ever reported, the data stolen in the attack was limited. HCA Healthcare said the data compromised was limited to name, city, state, zip code, email, telephone number, date of birth, gender, service date, location, and, in some instances, the date of the next appointment.

The second largest breach, reported by the Centers for Medicare and Medicaid Services (CMS) as affecting 1,362,470 Medicare recipients, was more severe due to the types of data compromised. The breach occurred at a CMS contractor, Maximus Federal Services, Inc. (Maximus). Maximus was one of hundreds of organizations to fall victim to the mass exploitation of a zero-day vulnerability in Progress Software’s MOVEit Transfer file transfer solution. Progress Software identified the vulnerability and issued a patch on May 31, 2023; however, the vulnerability had already been exploited by the Clop hacking group. The total number of victims of this breach has yet to be determined; however, Kon Briefing has been tracking the breach reports and reports that at least 734 organizations had the vulnerability exploited and between 42.7 million and 47.6 million records were stolen in the attack. Clop did not encrypt data, just stole files and issued ransom demands, payment of which was required to prevent the release or sale of the stolen data. In July, 26 breaches of 10,000 or more records were reported to OCR, 11 of which were due to the exploitation of the MOVEit vulnerability. All but two of the 26 breaches were due to hacking incidents.

Name of Covered Entity State Covered Entity Type Individuals Affected Type of Breach Cause of Breach
HCA Healthcare TN Business Associate 11,270,000 Hacking/IT Incident Hacking Incident – External, electronic storage facility used by a business associate
Centers for Medicare & Medicaid Services MD Health Plan 1,362,470 Hacking/IT Incident Hacking incident – MOVEit Transfer data theft/extortion (Maximus)
Florida Health Sciences Center, Inc. dba Tampa General Hospital FL Healthcare Provider 1,313,636 Hacking/IT Incident Hacking incident – Ransomware attack
Pension Benefit Information, LLC MN Business Associate 1,209,825 Hacking/IT Incident Hacking incident – MOVEit Transfer data theft/extortion
Allegheny County PA Healthcare Provider 689,686 Hacking/IT Incident Hacking incident – MOVEit Transfer data theft/extortion
United Healthcare Services, Inc. Single Affiliated Covered Entity CT Health Plan 398,319 Hacking/IT Incident Hacking incident
Johns Hopkins Medicine MD Healthcare Provider 310,405 Hacking/IT Incident Hacking incident – MOVEit Transfer data theft/extortion
Harris County Hospital District d/b/a Harris Health System TX Healthcare Provider 224,703 Hacking/IT Incident Hacking incident – MOVEit Transfer data theft/extortion
Precision Anesthesia Billing LLC FL Business Associate 209,200 Hacking/IT Incident Hacking incident – Ransomware attack
Fairfax Oral and Maxillofacial Surgery VA Healthcare Provider 208,194 Hacking/IT Incident Hacking incident
The Chattanooga Heart Institute TN Healthcare Provider 170,450 Hacking/IT Incident Hacking incident – Data theft confirmed
Phoenician Medical Center, Inc AZ Healthcare Provider 162,500 Hacking/IT Incident Hacking incident – Data theft confirmed
UT Southwestern Medical Center TX Healthcare Provider 98,437 Hacking/IT Incident Hacking incident – MOVEit Transfer data theft/extortion
Hillsborough County, Florida (County Government) FL Healthcare Provider 70,636 Hacking/IT Incident Hacking incident – MOVEit Transfer data theft/extortion
Family Vision of Anderson, P.A. SC Healthcare Provider 62,631 Hacking/IT Incident Hacking incident – Ransomware attack
Jefferson County Health Center IA Healthcare Provider 53,827 Hacking/IT Incident Hacking incident – Data theft confirmed (Karakurt threat group)
New England Life Care, Inc. ME Healthcare Provider 51,854 Hacking/IT Incident Hacking incident
Care N’ Care Insurance Company, Inc. TX Health Plan 33,032 Hacking/IT Incident Hacking incident – MOVEit Transfer data theft/extortion (TMG Health Inc)
Synergy Healthcare Services GA Business Associate 25,772 Hacking/IT Incident Hacking incident
Rite Aid Corporation PA Healthcare Provider 24,400 Hacking/IT Incident Hacking incident – MOVEit Transfer data theft/extortion
Life Management Center of Northwest Florida, Inc. FL Healthcare Provider 19,107 Hacking/IT Incident Hacking incident
Saint Francis Health System OK Healthcare Provider 18,911 Hacking/IT Incident Hacking incident – MOVEit Transfer data theft/extortion
Pennsylvania Department of Human Services PA Healthcare Provider 16,390 Unauthorized Access/Disclosure Hacking incident – Unauthorized access to a system test website
The Vitality Group, LLC IL Business Associate 15,569 Hacking/IT Incident Hacking incident – MOVEit Transfer data theft/extortion
Wake Family Eye Care NC Healthcare Provider 14,264 Hacking/IT Incident Hacking incident – Ransomware attack
East Houston Med and Ped Clinic TX Healthcare Provider 10,000 Unauthorized Access/Disclosure Storage unit sold that contained boxes of patient records

Causes of July 2023 Data Breaches

Hacking incidents dominated the breach reports in July, with 49 incidents reported to OCR involving 18,083,328 records. The average breach size was 369,048 records and the median breach size was 9,383 records. The majority of these incidents were data theft and extortion incidents, where hackers gained access to networks, stole data, and issued ransom demands. Many hacking groups are now choosing not to encrypt files and are concentrating on data theft and extortion. When claiming responsibility for the MOVEit attacks, a spokesperson for the Clop group said they could have encrypted data but chose not to.

There were 7 unauthorized access/disclosure incidents reported involving the PHI of 33,654 individuals. The average breach size was 4,808 records and the median breach size was 1,541 records. Three of those incidents involved unauthorized access to paper records and three were email-related data breaches. There were no reported breaches involving the loss, theft, or impermissible disclosure of physical records or devices containing electronic PHI.

Where did the Data Breaches Occur?

The OCR breach portal lists data breaches by the reporting entity, although that is not necessarily where the data breach occurred. Business associates of HIPAA-covered entities may report their own breaches, they may be reported by the covered entity, or a combination of the two. For instance, Maximus reported its MOVEit Transfer breach as affecting 932 individuals, but many of its clients were affected and the total number of individuals affected was in the millions.

The raw data on the breach portal indicates 37 breaches at healthcare providers, 11 breaches at business associates, 7 at health plans, and one breach at a healthcare clearing house. The charts below are based on where the breach occurred, rather than the reporting entity.

Geographical Distribution of Data Breaches

Data breaches of 500 or more records were reported by HIPAA-regulated entities in 25 states. Texas was the worst affected state with 7 breaches, with Florida and California also badly affected.

State Breaches
Texas 7
Florida 6
California 5
Maryland, Pennsylvania & Tennessee 4
Arizona & North Carolina 3
Connecticut, Illinois & Minnesota 2
Georgia, Idaho, Indiana, Iowa, Kentucky, Maine, Michigan, New Jersey, New York, Ohio, Oklahoma, South Carolina, Virginia & Washington 1

HIPAA Enforcement Activity in July 2023

There were no enforcement actions announced by OCR or state attorneys general in July to resolve HIPAA violations.

The post July 2023 Healthcare Data Breach Report appeared first on HIPAA Journal.

Views on FTC’s Proposed Health Breach Notification Rule Update

Posted by Steve Alder

In May 2023, the Federal Trade Commission (FTC) proposed changes to the Health Breach Notification Rule following a 10-year review of the rule. The proposed changes are intended to modernize the rule and make it fit for purpose in the digital age. A lot has changed since the Health Breach Notification Rule was introduced. Huge amounts of health data are now collected and shared by direct-to-consumer technologies such as health apps and wearable devices. These apps and devices can collect highly sensitive health data, yet the information collected is generally not protected by the HIPAA Rules.

The proposed update to the Health Breach Notification Rule includes changes to definitions to make it clear that vendors of personal health records (PHRs) and related entities that are not covered by HIPAA are required to issue notifications after an impermissible disclosure of their health data. The definition of a ‘breach of security’ has been changed to make it clear that a breach includes the unauthorized acquisition of identifiable health information, either by a security breach or an unauthorized disclosure. Changes have also been made to standardize consumer notifications and ensure sufficient information is provided to consumers to allow them to assess risk and require consumers to be advised about the potential for harm from a data breach.

Timely notifications must be issued to the FTC, the affected individuals, and in some cases, the media. Third-party service providers to vendors of PHRs and PHR-related entities must also issue notifications to the vendor in the event of a data breach. The deadline for providing notifications is 60 calendar days following the discovery of a data breach, although, like the HIPAA Breach Notification Rule, notifications should be issued without undue delay.

While the FTC’s Health Breach Notification Rule has been in effect for more than a decade, the FTC has only recently started enforcing the rule. The first enforcement action came in February this year against the digital health company, GoodRx Holdings, Inc, which was found to have disclosed uses’ health data to third-party advertising platforms such as Facebook (Meta) and Google. The FTC also took action against Easy Healthcare Corporation, which provides an ovulation and period tracking mobile application (Premom). In the case of Premom, health data was transferred to third parties such as Google and AppsFlyer. GoodRx agreed to settle the case and pay a $1.5 million civil monetary penalty and Easy Healthcare paid a $100,000 civil penalty.

Feedback on the Proposed Rule

The FTC provided 60 days from the date of publication in the Federal Register for the public to submit comments on the proposed changes to the Health Breach Notification Rule and the final date for submitting comments was August 8, 2023. 117 individuals and organizations submitted comments on the proposed changes, with the FTC broadly praised for updating the rule. Some of the key points from the submitted comments are detailed below.

User Consent and Transparency

Mozilla, the developer of the Firefox Internet browser, broadly supports the proposed changes. Mozilla expressed concern about the extent to which users are tracked online and how personally identifiable health information is already being transferred to third parties, often without the users’ knowledge or consent. Mozilla’s “Privacy Not Included” research team recently reviewed the practices of popular mental health and reproductive apps and found many indiscriminately collect and share intimate information for advertising purposes yet provide limited opportunities for consumers to object to those uses. The researchers found apps frequently made deceptive claims about data sharing, combined app user data with data collected from other sources such as social media profiles and data brokers, and oftentimes, the sensitive data collected by these apps was not appropriately secured.

Mozilla points out that its survey data revealed 55% of users said they did not understand when they had given their consent for apps to share their data, indicating either deceptive practices when obtaining consent or app developers are using unclear language when obtaining consent. Mozilla called for the FTC to clearly define authorization in the rule and to include the language that the FTC considered but did not include in the proposed rule and calls for the FTC to require user consent to be obtained before any personal information is collected.

Mozilla also suggested the FTC require companies to abide by browser-based opt-out signals when determining whether they have authorization to share data under the rule, such as the Global Privacy Control (GPC) as individuals are likely to want to make a simple and clear decision about the sharing of their health data. Mozilla, like several other commenters, suggested the need for a definition of acquisition, which Mozilla believes should involve any use or access by a third party of information derived from the health data, not just wholesale transfer, aligning the definition with the California Privacy Rights Act, although this appears to be something of a contentious point, not supported by the Consumer Technology Association, for example (see below).

Unintended Consequences of Electronic Breach Notifications

The Identity Theft Resource Center (ITRC), a national nonprofit organization established to minimize identity risk and mitigate the impact of identity compromise and crime, broadly praised the FTC’s efforts to update the rule but warned that allowing increased use of electronic notifications about data breaches could have a negative effect due to the potential for significant data breaches to escape public scrutiny. The ITRC suggested a change in the language of the rule to make it clear that organizations subject to the rule must comply with applicable state laws that require broader public notice.

As can be seen in data breach reporting by ITRC and The HIPAA Journal, consumers are often not provided with much information about the nature and root cause of a breach, such as if data was obtained by a ransomware group and posted on a dark net data leak site. Consumers are often told that an unauthorized third party may have viewed or obtained a user’s data when data theft and dark web publication have been confirmed. ITRC noticed this growing trend starting in late 2021 and the data breach notifications required under HIPAA increasingly see consumers provided with little or no actionable information. The FTC was praised for expanding the content requirements for notifications, which require consumers to be advised, in plain language, about the potential harms from a data breach.

Clearer Requirements for Sexual and Reproductive Health Information

The Planned Parenthood Federation of America is a trusted voice for sexual and reproductive health and a leading advocate for policies advancing access to sexual and reproductive health care. Planned Parenthood is a strong believer that data related to accessing health care should not be used by government entities or others hostile to sexual and reproductive health care. Following the Supreme Court decision in Dobbs v. Jackson Women’s Health Organization, this has become an even more pressing concern as there are genuine fears that health data will be sought to punish individuals for seeking or obtaining reproductive health care.

Planned Parenthood expressed concern that consumers may avoid using health apps out of fear that their privacy may be at risk, given the criminalization of abortion, gender-affirming care, and contraception in some states. This could create a culture of fear around using health applications when technology should be able to be used safely without fear that sensitive data is being moved or sold without knowledge or consent.

The efforts of the FTC to improve health information privacy were praised by Planned Parenthood, which made several recommendations to further improve privacy, specifically the privacy of reproductive health information. In addition to the FTC’s definitions for ‘healthcare provider’ and ‘health care services or supplies’ in the proposed rule, Planned Parenthood recommends the FTC include explicit language that protects people’s sexual and reproductive health care data.

Planned Parenthood suggests the FTC’s definition of ‘PHR identifiable information’ should include a more explicit reference to sexual and reproductive health due to the sensitivity of that information, such as “…relates to the past, present, or future physical, sexual, reproductive, or mental health or condition of an individual,” and also include broad definitions for “sexual” and “reproductive” health. By including these definitions, the FTC Health Breach Notification Rule would be consistent with OCR’s proposed changes to the HIPAA Privacy Rule for improving reproductive health information privacy relating to data collected by HIPAA-regulated entities.

Ensure Data Brokers are Covered by the Rule

The U.S. Public Interest Research Group, a public interest research and advocacy organization, has included a 9,659-signature petition from its members and the general public calling for stronger rules to protect digital health information.

U.S. PIRG broadly supports the proposed changes and believes it is appropriate for the rule to apply to the type of information that entities may process, regardless of whether they brand themselves as health-related companies or not. U.S. PIRG has called for the FTC to ensure that data brokers are included in the rule, as they can pull in large amounts of data about consumers and can aggregate health signals. The data broker and AdTech firm Tremor was offered as an example. Tremor offers over 400 standard health segments that may be used by its clients to deliver targeted advertising. U.S. PIRG also believes the definition of ‘breach of security’ should also include an entity that collects more information than necessary to serve the purpose for which it was collected.

Personal Health Record Should Align with Protected Health Information Definition

The Healthcare Information and Management Systems Society (HIMSS) praised the FTC for the update and clarification on how the rule applies to today’s technologies but points out that privacy and security is not only about avoiding breaches but also about ensuring information is private and secure in the first place. HIMSS encourages the FTC to explore and encourage proactive, rather than reactive, privacy and security practices in future rulemaking cycles.

HIMSS recommends the FTC align the proposed definition of PHR with the definition of protected health information in HIPAA. This would help to ensure that all health data is covered by the rule, regardless of how that information is transmitted. To make it easier for breaches to be reported without unnecessary delay, HIMSS suggests the FTC create an easily accessible, user-friendly, interactive form on its website for directly reporting breaches and other suspected violations of the Rule to the FTC.

Expansion of PHR and Breach of Security Definitions

The American Medical Informatics Association (AMIA) recommends the explicit inclusion of usernames/passwords maintained by non-HIPAA-regulated entities as being PHR identifiable health information, and for a breach of security to be presumed when a PHR or PHR-related entity failed to adequately disclose to individuals how their data will be accessed, processed, used, reused, or disclosed. AMIA also points out that for the rule to act as a deterrent to poor data management, it must be rigorously enforced, and enforcement must be sufficiently stringent and appropriate to compel the secure and responsible management of health data.

Abandon Health Care Provider Definition

While the FTC has been broadly praised for the proposed update, the FTC has been warned about some of the unintended consequences of some of the proposed changes. Multiple commenters, including the American Medical Association (AMA), take issue with the definition of ‘health care provider’ in the rule. The rule does not apply to HIPAA-covered entities, and to include a definition of ‘health care provider’ could easily result in confusion, since a health care provider is widely regarded by the public as an entity that provides medical care or health care. This issue was also raised by the Texas Medical Association (TMA) in its comments.

“The AMA strongly urges the Commission to abandon this highly ambiguous and potentially harmful definition. To lump together apps such as FitBit and Flo, in the same regulatory definition as physicians, is a disservice to consumers of public health and the industry as a whole.” The AMA suggests creating a more appropriate definition for apps, tracking devices, and other covered technologies, removing ‘health care provider’ and instead using a more appropriate descriptive term such as “health apps and diagnostic tool services.” Both the AMA and TMA also recommend removing ‘health care provider’ from the PHR identifiable health information definition, and instead using the term HIPAA-covered entity.

The AMA also makes a good point about the definition of a PHR which includes the phrase, “has the technical capacity to draw information from multiple sources.” The AMA suggests the definition be broadened to also include “when an app only draws health information from one place but extracts non-health information drawn from other sources, as well as when a PHR only draws identifiable health information from one place with non-identifiable health information coming from others.”

Such a change would give individuals more confidence in using PHRs and health apps without having to worry about making a change in the settings that could cause the app to no longer qualify as a PHR, which would remove protections under the rule.

The option of electronic notifications was praised as the aim should be to ensure notification as fast as possible. The AMA suggests that PHR users should be required to choose two methods of notification, in addition to postal notices, that best suit their lifestyle, as that will ensure notifications reach them quickly.

Proposed Rule Goes Too Far

The Consumer Technology Association (CTA) believes the proposed rule should be narrowed considerably and suggests the scope of the parties subject to the rule is not consistent with the HITECH Act. The CTA recommends that covered entities should be limited and should not include “merchants that may sell a variety of products that include health-related products, focusing on apps that actually gather health-related information from multiple sources, and excluding service providers such as cloud computing providers, analytics providers, and advertising providers, particularly when they do not target or are unaware of receiving covered health data.”

The CTA also recommends narrowing the scope of a ‘breach of security’ to the acquisition of covered health data, and not including inadvertent or good faith unauthorized access or disclosure when no data was actually obtained by a third party. The CTA also takes issue with the timescales and content of notifications. Rather than a notification period of 60 days from the date of discovery of a breach, the CTA recommends requiring a company to report the breach and issue notifications when it has been reasonably determined that a breach of security has occurred. This will help companies devote all their resources to investigating breaches and would harmonize the rule with state breach reporting laws.

The CTA also recommends simplifying consumer notice content and focusing on providing consumers with actionable information. Companies should not be required to speculate about the harms that could potentially result from a breach, nor should they be required to provide a list of entities that obtained health data. “Requiring an explanation of potential, speculative harm will create consumer confusion, further misinformation, and encourage unnecessary litigation,” wrote the CTA. Having to list companies that obtained a consumer’s PHR identifiable health information may interfere with investigatory efforts, including law enforcement inquiries or other internal investigations, and could also invite litigation against those entities. Since not all of the proposed content for notifications is actionable, including ‘speculative’ information may only serve to alarm and confuse consumers.

Viewpoints from The HIPAA Journal

The HIPAA Journal supports the FTC’s efforts to update the Health Breach Notification Rule to plug notification gaps and ensure that consumers are provided with timely notifications whenever their health data has been impermissibly disclosed. As various studies have demonstrated, companies not covered by HIPAA have not been adequately protecting health data and have been disclosing health information without the knowledge of the subjects of that data.

Once established, the updated rule – and the FTC Act – should be rigorously enforced to ensure they serve as a deterrent against the improper sharing of sensitive health data, whether deliberate or accidental. The FTC should also work closely with OCR to ensure that there are no regulatory gaps and that all health data is protected, no matter who collects the information. In the event of an impermissible disclosure of health information of any kind, consumers need to be informed as quickly as possible.

There has been a growing trend in breach notifications from HIPAA-regulated entities where the date of discovery of a breach is taken as the date when the forensic investigation confirms protected health information has been breached, which may be several months after the date that a security breach was discovered. The deadline for reporting should align with the HIPAA Breach Notification Rule, and allowing electronic notifications should speed up the notification process and help to ensure that timely notifications are issued. The FTC should ensure that that reporting deadline is enforced. The HIPAA Journal shares the view of the ITRC regarding the potential for serious data breaches to escape public scrutiny with electronic notifications. Maintaining a public record of data breaches as the Office for Civil Rights does with data breaches at HIPAA-regulated entities would solve this problem. The proposed rule rightly includes content requirements for notifications.

It is important to provide consumers with actionable information about a data breach and to clearly explain how risk can be reduced. In order for consumers to be able to make accurate decisions about the actions they should take in response to a breach, they should be advised about the potential harms. If companies are concerned about the potential for litigation from explaining the harms that can be caused by a data breach, they may be more inclined to implement appropriate data security measures to prevent data breaches from occurring in the first place.

Steve Alder, Editor-in-Chief, HIPAA Journal

The post Views on FTC’s Proposed Health Breach Notification Rule Update appeared first on HIPAA Journal.

Federal Judge Tentatively Advances Meta Pixel Medical Privacy Class Action

Posted by Steve Alder

A class action lawsuit against Meta over the disclosure of health data to the social media giant has been allowed to proceed by a federal judge. The judge issued a tentative order allowing the lawsuit to advance for several of the claims made by the plaintiffs; however, the number of claims has been reduced by around half.

The consolidated lawsuit, John Doe v Meta Platforms Inc., filed in the U.S. District Court for the Northern District of California, alleges the plaintiffs and class members had their medical privacy violated by Facebook’s Meta Pixel tracking tool. The lawsuit alleges that Meta knew, or should have known, that the Pixel tool was being used improperly on the websites of hospitals. The lawsuit alleges at least 664 hospital systems and medical providers were sending medical information to Facebook through the Meta Pixel tool. According to the lawsuit, the improper use of the tracking tool resulted in “the wrongful, contemporaneous, re-direction to Facebook of patient communications to register as a patient, sign-in or out of a supposedly “secure” patient portal, request or set appointments, or call their provider via their computing device.” The data was then used to create and serve individuals with personalized ads.

As the HHS’ Office for Civil Rights confirmed in 2022 guidance on HIPAA and tracking technologies, these tools can only be used if there is a HIPAA-compliant business relationship with the tracking technology vendor or if valid HIPAA authorizations have been obtained. Since Meta is not a business associate and there were no HIPAA authorizations, the disclosures were impermissible under HIPAA.

Meta states in its terms and conditions that partners are required to have a lawful right to collect and share data before providing it to Meta. Meta argued that it is the responsibility of web developers to ensure that appropriate permission is obtained before Meta Pixel is used on websites and said that it explains to web developers how they can meet their legal obligations when using the Pixel tool. “There’s no statutory or common law doctrine that would allow the plaintiffs to impose liability upon Meta for the decision of third parties to send Meta data that it doesn’t want, that it has contractually barred them from sending in,” said Meta attorney, Lauren Goldman.

U.S. District Judge William Orrick III denied Meta’s motion to dismiss on several counts, allowing the lawsuit to proceed for the alleged violations of federal and state wiretap laws, as the plaintiffs had sufficiently argued that Meta had not done enough to prevent the transmission of sensitive health data. Orrick found the plaintiffs had plausibly argued that the data collection occurred in California and Meta had not met its burden of proof to show that healthcare providers were given sufficient consent by Meta to collect sensitive medical information.

The extraterritoriality, Wiretap Act, California Invasion of Privacy Act (CIPA), unjust enrichment, and larceny claims were advanced; however, Orrick granted the motion to dismiss the privacy, contract, California Comprehensive Computer Data Access and Fraud (CDAFA) Act, negligence per se, trespass to chattels, Unfair Competition Law (UCL), and Consumer Legal Remedies Act (CLRA) claims. The plaintiffs’ attorneys are required to refile the lawsuit as some of the privacy claims lack sufficient detail about the types of information that were allegedly transmitted to Meta. The judge stated in the hearing on Wednesday in San Francisco federal court that a final order would be issued as soon as possible.

The post Federal Judge Tentatively Advances Meta Pixel Medical Privacy Class Action appeared first on HIPAA Journal.

Vanderbilt University Medical Center Investigated by OCR over Disclosure of Transgender Patients’ Medical Records

Posted by Steve Alder

Vanderbilt University Medical Center is being investigated by the Department of Health and Human Services’ Office for Civil Rights (OCR) over the disclosure of the medical records of transgender patients to Tennessee Attorney General, Jonathan Skrmetti. VUMC provided the medical records of transgender patients to AG Skrmetti after receiving civil investigative demands for the data as part of an investigation into potential medical billing fraud. VUMC recently sent notifications to the affected patients informing them about the disclosure of their records, which started to be provided to AG Skrmetti in December last year.

The HIPAA Privacy Rule permits, but does not require, healthcare providers to disclose patients’ medical records for law enforcement purposes in certain circumstances, such as in response to an administrative request if the information being sought is relevant and material to a legitimate law enforcement inquiry. VUMC and AG Skrmetti both maintain that the disclosures were legal. AG Skrmetti said the records were requested in response to a run-of-the-mill investigation he was involved with. The investigation was launched in September 2022 after a VUMC doctor publicly described having manipulated medical billing codes to evade coverage limitations on gender-related treatments.

The medical record disclosures have been condemned by many members of the LGBTQ+ community. AG Skrmetti and other authorities in the state have expressed a hostile attitude regarding the rights of transgender individuals and a federal appeals panel recently approved a law in the state that bans hormone therapy and puberty blockers for transgender youth. There are fears that the information disclosed may be used against the patients. Two patients recently lawsuit against VUMC over the disclosures that alleges the records of 106 patients were provided to AG Skrmetti. Given the attitude of state authorities regarding transgender rights, the patients believe VUMC should have provided unidentified data – patient data that has had all personally identifiable information removed.

VUMC’s Chief Communications Officer, John Howser, recently confirmed that VUMC is assisting OCR with a civil rights investigation over the disclosures, although he did not provide any further information as the investigation is ongoing.

The post Vanderbilt University Medical Center Investigated by OCR over Disclosure of Transgender Patients’ Medical Records appeared first on HIPAA Journal.

95% of Patients are Worried About Medical Record Breaches

Posted by Steve Alder

Given the number of healthcare data breaches that are now being reported it is no surprise that patients are concerned that their sensitive health information will be obtained by cybercriminals or leaked on the Internet. In the first half of 2023, 339 data breaches of 500 or more records had been reported to the HHS’ Office for Civil Rights, and while that represents a year-over-year decline in data breach incidents, more than 41,450,000 healthcare records have been reported as breached in the first 6 months of the year – 10 million less than the number of breached records in all of 2022.

The health information network and interoperability provider, Health Gorilla, recently conducted a study that explored patients’ views on health information privacy and data sharing. 1,213 patients were surveyed who had seen a physician at least once in the previous 12 months. 95% said they were concerned that their medical records would be stolen or leaked online, 70% of whom had extreme or moderate concerns about healthcare data breaches. More than half of respondents expressed concern about the privacy and security protections that companies that handle their health data are putting in place.

The survey also revealed there is widespread mistrust in big tech companies such as Amazon, Google, Microsoft, and Facebook, which are increasingly gaining access to healthcare information through products and services that store healthcare data. 65% of respondents said they do not trust or slightly distrust those companies. That distrust is fueled by data breaches and a lack of transparency about data handling and storage practices, and since big tech firms are heavily reliant on data monetization, there are fears that attempts may be made to commercialize the health data they store or sell that information to third parties.

Patients expressed a greater level of confidence in health data exchange facilitated by government-approved entities. 60% of respondents said they feel significantly more or much more confident about health information exchange facilitated by government-approved entities, although regardless of who is sharing or exchanging health data, there are fears that health data may be used for purposes other than the reasons for which it is being shared.

71% of respondents said they were comfortable with sharing health data with healthcare providers for treatment purposes and 39% were comfortable with health plans accessing their medical records. Only 28% of respondents were comfortable with their health data being shared for operations-related purposes, and only 23% said they were comfortable with government agencies accessing their health data for public health reasons.

One solution to the distrust issue is to share de-identified data – health data that has been stripped of all personal identifiers; however, only 64% of respondents said they were comfortable with deidentified data being shared for research purposes. 13% of individuals said they did not want their health data to be shared for research purposes even if the information contained no personal identifiers.

HIPAA gives patients the right to access their own medical records and 94% of individuals feel that is very or at least somewhat important. 88% of respondents said they had exercised that right and have accessed their medical records at least once in the past 12 months, with 48% saying they accessed their medical records in the past 3 months. While there have been many enforcement actions by the HHS’ Office for Civil Rights over failures to provide access to medical records, the survey suggests patients tend not to have problems accessing their health data. 72% of patients said accessing their records was extremely or somewhat easy, with only 4% of patients finding it extremely difficult.

“The results of this privacy report indicate the urgent need to build trust with patients. As we make progress in setting a universal floor for interoperability, patients must have confidence in the system for healthcare interoperability to work,” added Steve Yaskin, Co-Founder and Chief Executive Officer at Health Gorilla. “The majority of patients don’t believe that vendors are doing enough to protect their health data and have serious concerns about a potential breach of their medical records. Patients must serve as a prominent voice in our national dialogue on health data privacy. The actual solutions will come in many forms, but one thing is abundantly clear — it’s time to act.”

The post 95% of Patients are Worried About Medical Record Breaches appeared first on HIPAA Journal.

700,000 Highly Sensitive School Records Exposed Online

Posted by Steve Alder

Highly sensitive information on 682,438 teachers and students at independent schools has been left exposed to the Internet and could be accessed by anyone without a password. The exposed 572.8 GB database was discovered by security researcher Jeremiah Fowler who traced documents in the database to the Southern Association of Independent Schools, Inc (SAIS).

“In my many years as a security researcher, I have seen everything from millions of credit card numbers and health records to internal documents from organizations of all sizes. However, this discovery is among the most sensitive data collections I have ever encountered,” said Fowler. The database contained highly sensitive teacher and student records. Each student record included a photograph of the student, along with their home address, date of birth, age, Social Security number, and health information. Fowler said he discovered third-party security reports that included details of weaknesses in school security, the locations of cameras, access and entry points, active shooter and lockdown notifications, school maps, financial budgets, teacher background checks, and much more. Fowler quickly notified SAIS and the database was rapidly secured.

Fowler was unable to determine how long the database had been exposed and if it was accessed by unauthorized individuals. He said the database was a goldmine for criminals on many levels. The database was hosted in a cloud storage repository and had been mistakenly configured to be non-password protected. The database appeared to be on SAIS’s primary server, and the exposure did not appear to be due to a vendor configuration issue.

Harris Health Systems Confirms Breach of Almost 225,000 Patient Records

Harris County Hospital District, doing business as Harris Health System, has recently reported a data breach affecting 224,703 individuals. On June 2, 2023, Harris Health System was notified about a zero-day vulnerability in the MOVEit Transfer file transfer solution. The vulnerability was immediately addressed; however, the forensic investigation revealed hackers had exploited the vulnerability on May 28, 2023, and downloaded files from the system.

The review of the affected files revealed they contained information such as names, addresses, birth dates, Social Security numbers, medical record numbers, immigration status, driver’s license numbers/ other government-issued identification numbers, health insurance information, procedure information, treatment costs, diagnoses, medications, provider names, and dates of service.

Harris Health System said the vulnerability has been patched and additional steps have been taken to improve the security of its MOVEit server. Affected individuals were notified about the breach on July 21, 2023, and individuals who had their Social Security numbers exposed have been offered complimentary credit monitoring and identity theft protection services.

New England Life Care Reports 51,854-Record Data Breach

New England Life Care in Portland, ME, says it detected a security breach on May 24, 2023, that disrupted its IT systems. The incident was rapidly contained a third-party cybersecurity firm was engaged to conduct a forensic investigation. The analysis confirmed that the exposed files contained patient data such as names, addresses, service/equipment information, and patient status (active/discharged).

The 51,854 affected individuals were notified by mail on July 21, 2023. New England Life Care said additional safeguards and technical security measures have been implemented to prevent similar incidents in the future.

Park Royal Hospital Discovers Unauthorized Email Account Access

Park Royal Hospital in Fort Myers, FL, has discovered unauthorized access to an employee email account. The security breach was detected on May 15, 2023, and the forensic investigation confirmed that the email account was compromised on May 8, 2023. The email account contained protected health information such as patient names, provider names, dates of treatment, and diagnosis and treatment information. The hospital said additional safeguards and technical security measures have been implemented to further protect and monitor its systems.

The incident is still being investigated and notification letters will be mailed when that process is completed. The breach has been reported to the HHS’ Office for Civil Rights as affecting at least 500 individuals.

Email Accounts Compromised at Unified Pain Management

Konen & Associates, doing business as Unified Pain Management in Texas, has recently notified the HHS’ Office for Civil Rights about an email account breach involving at least 500 records. Suspicious activity was detected within its corporate email accounts on March 21, 2023. Steps were immediately taken to prevent further unauthorized access and a third-party digital forensic firm was engaged to conduct an investigation; however, it was not possible to determine if any information within the email accounts had been accessed or downloaded.

The review of the emails confirmed that they contained information such as patient names, addresses, health insurance policy numbers, Social Security numbers, payment information, and health information such as treatment and diagnosis information.  Steps have been taken to improve email security and affected individuals have been offered credit monitoring and identity theft restoration services at no cost.

The post 700,000 Highly Sensitive School Records Exposed Online appeared first on HIPAA Journal.

Majority of Americans Mistakenly Believe Health App Data is Covered by HIPAA

Posted by Steve Alder

There is a common misconception that the Health Insurance Portability and Accountability Act (HIPAA) applies to health apps; however, the majority of health apps are not covered by HIPAA nor is the health information collected, stored, or transmitted by the apps.

HIPAA applies to HIPAA-covered entities – healthcare providers, health plans, and healthcare clearinghouses – and vendors used by those entities, which are classed as business associates. While health apps may collect some of the exact same health data that is maintained by HIPAA-covered entities, the information collected by health apps is not subject to the same privacy and security standards. As such, health information collected by health apps may be transmitted to third parties, sold, or used for purposes that are not permitted under HIPAA.

According to a recent ClearDATA Harris Poll survey of 2,000 U.S. adults, 68% of respondents said they were very or somewhat familiar with HIPAA, yet 81% of respondents believed that the health data collected by digital health apps is covered by HIPAA and subject to its Privacy and Security Rules. As such, many users of health apps are likely to be unaware that any health data entered into the apps could be legally sold to third parties.

The survey also revealed health information privacy is not a key factor for Americans when choosing personal health apps. 58% of respondents that have used digital health apps said they had not considered how the information entered into those apps would be used. Health information privacy is also not a major concern when seeking healthcare services, with only 27% of respondents considering whether their data is secure when choosing a provider.

The main considerations are whether the provider accepts their insurance (68%), whether they can see a doctor face to face (49%), and if they can be treated quickly (41%). This was especially true with younger Americans, with 54% of respondents in that age range saying health data privacy is less important to them than convenience, compared to 69% of those over 65 who place greater value on privacy and security than convenience.

While HIPAA does not apply to most digital health apps, digital health companies are required to comply with Federal Trade Commission (FTC) Act and must issue notifications to consumers in the event of a breach of health data under the Health Breach Notification Rule. The FTC has only recently started enforcing the Health Breach Notification Rule, despite the rule being in effect for a decade, and its recent enforcement actions indicate digital health companies have been disclosing sensitive health data to third parties and have not been informing consumers.

The FTC recently published a notice of proposed rulemaking that seeks to clarify that the Health Breach Notification Rule applies to health apps and other similar direct-to-consumer technologies such as fitness trackers. “We are witnessing an explosion of health apps and connected devices, many of which aren’t covered by HIPAA, collecting vast amounts of sensitive consumer health information. When this information is breached, it is more vital than ever that mobile health app developers and others covered by the Health Breach Notification Rule provide consumers and the FTC with timely notice about what happened,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection.

Representative Adam Schiff (D-CA), Seth Magaziner (D-RI), André Carson (D-IN), Sara Jacobs (D-CA), Greg Casar (D-TX), Kim Schrier, M.D. (D-WA) recently expressed their support for the proposed changes to strengthen the Health Breach Notification Rule given that the FTC’s recent enforcement actions uncovered disclosures of sensitive health information and deceptive business practices. “We agree with the assertion by FTC that apps that provide health services to users and have personal health records (PHR) qualify as vendors of personal health records and must be regulated as such,” wrote the congress members. “There is a need for much greater transparency when this data is mishandled, and the FTC rule will require these apps to notify individuals, the FTC, and in some cases the media of a breach of unsecured personally identifiable health information.,” They also expressed their support for the FTC’s requirement for health app providers to clearly explain the potential harm that could stem from data breaches and name the third parties that may have acquired unsecured personal health information.

The post Majority of Americans Mistakenly Believe Health App Data is Covered by HIPAA appeared first on HIPAA Journal.