Healthcare Data Privacy

30 Senators Call for HIPAA Privacy Rule Update to Better Protect Women’s Privacy

A group of 30 senators is urging the Department of Health and Human Services to update the Health Insurance Portability and Accountability Act (HIPAA) to better protect the privacy of patients’ reproductive health information in the wake of the Supreme Court decision in Dobbs v. Jackson Women’s Health Organization, which overturned Roe v. Wade and removed the federal right to an abortion that had existed for almost 50 years. Following the decision, several states have either banned abortion for state residents or implemented restrictions, and some are already seeking to investigate and punish women for seeking abortion care.

The senators, led by Senate Committee on Health, Education, Labor and Pensions (HELP) Chair Patty Murray (D-WA), wrote to HHS Secretary Xavier Becerra calling for further rulemaking to update the HIPAA Privacy Rule to broadly restrict HIPAA-regulated entities from sharing individuals’ reproductive health information without explicit consent, specifically sharing that information with law enforcement or in connection with civil or criminal proceedings premised on the provision of abortion care. The senators are calling for the update “to protect patients, and their providers, from having their health information weaponized against them.”

This is the second such request sent to Becerra to update the HIPAA Privacy Rule with respect to reproductive healthcare information following the Supreme Court decision. In July 2022, Sens. Michael Bennet (D-CO) and Catherine Cortez Masto (D-NV) wrote to Secretary Becerra requesting a HIPAA Privacy Rule update to improve patients’ reproductive healthcare rights.

Confusion About Permitted and Required Disclosures of PHI to Law Enforcement

HIPAA was passed by Congress in 1996, and the legislation called for HHS to issue regulations ensuring the privacy of personal health information. That led to the HIPAA Privacy Rule, finalized in 2000, which limits uses and disclosures of protected health information to those the Rule permits or the patient authorizes. The HIPAA Privacy Rule has been updated several times since, and the senators are now calling for a further update. “In order for patients to feel comfortable seeking care, and for health care personnel to provide this care, patients and providers must know that their personal health information, including information about their medical decisions, will be protected,” wrote the senators.

They explained that since the Dobbs decision there has been widespread confusion among healthcare providers about when they are required to provide patients’ health information to state and local law enforcement. Some providers believed they were legally required to hand over that information when the HIPAA Privacy Rule merely permits, and does not require, such disclosures. There have also been cases of providers being unaware that certain disclosures of reproductive health information are not permitted under HIPAA at all. “Stakeholders have even described clashes between providers and health care system administrators on whether certain information must be shared. Many of these issues seem to arise from misunderstandings of what the HIPAA Privacy Rule requires of regulated entities and their employees,” wrote the senators.

As more states introduce bans on abortion or implement laws that severely restrict access to abortion care, the confusion is likely to grow. Some states have implemented laws that criminalize abortion providers and also make it illegal for anyone to aid or abet an abortion, which means that any healthcare professional, from a referring provider to a receptionist, could be exposed to legal liability. Some state legislators are proposing laws that would ban state residents from visiting another state to have an abortion. “In many cases, these laws have been used to disproportionately criminalize or surveil women of color for their pregnancy loss,” warned the senators.

The senators warn that prohibiting access to abortions and undermining health information privacy will likely have devastating consequences for women’s health. If there is a threat of legal action, many women may delay or avoid disclosing a pregnancy or avoid seeking prenatal care. They may also avoid seeking care for medical conditions such as arthritis or cancer, where the treatment could affect their pregnancy, and healthcare providers may hesitate to provide certain treatments. There are fears that women experiencing complications from pregnancy or abortion may avoid seeking essential emergency care, which could have profound health consequences.

Prompt Rulemaking Requested to Update the HIPAA Privacy Rule

The senators noted that HIPAA has protected patient privacy for more than 20 years and already recognizes the need for stronger protections for highly sensitive information such as psychotherapy notes; they suggest similar restrictions are required for reproductive health information. The senators praised the efforts of HHS after the Dobbs decision, which included issuing guidance on the requirements of the HIPAA Privacy Rule with respect to information related to reproductive care, but called for further proactive steps to strengthen patient privacy protections.

In addition to broadly restricting HIPAA-regulated entities from sharing reproductive health information without explicit consent for law enforcement, civil, or criminal proceedings premised on the provision of abortion care, the senators have called for the HHS to increase its efforts to engage and educate the healthcare community about the obligations of HIPAA-regulated entities under the HIPAA Privacy Rule, including explaining the difference between permitted and required disclosures of PHI, best practices for educating patients and health plan enrollees on their privacy rights, and how HIPAA interacts with state laws.

They have called for the HHS to expand its efforts to educate patients about their rights under the HIPAA Privacy Rule and to ensure cases involving reproductive health information receive timely, appropriate attention for compliance and enforcement activities.

The post 30 Senators Call for HIPAA Privacy Rule Update to Better Protect Women’s Privacy appeared first on HIPAA Journal.

HC3 Highlights Privacy and Security Risks Associated with Emerging Technologies

Emerging technologies have the potential to revolutionize the healthcare industry. Alongside their many benefits, these technologies can introduce risks to patient privacy and safety: if vulnerabilities are not properly addressed, they could be exploited by malicious actors to gain access to sensitive patient data or internal networks.

The Health Sector Cybersecurity Coordination Center (HC3) has drawn attention to some of the most beneficial emerging technologies that have the potential to revolutionize clinical research, the monitoring and delivery of care, communication, data analysis, and data protection, and has highlighted some of the risks associated with these technologies.

Artificial intelligence systems can rapidly analyze big data, provide deeper patient insights, and accurately diagnose medical conditions from medical images and data far more quickly than humans, accelerating clinical decisions. While the uses of AI in healthcare are numerous, these systems can introduce risks.

AI systems need access to large amounts of data in order to learn, which raises concerns about patient privacy and the security of that data. Data sent to these systems must be encrypted in transit and at rest, and robust access controls must be in place. AI systems could also enable the re-identification of patients from de-identified data, for example when de-identified data is combined with data from other sources.
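The re-identification risk above is a linkage attack, and it is worth seeing how little it takes. The following is an added illustration, not code from HC3 or from the original article. Both datasets are constructed toy data: the clinical extract keeps only fields that the HIPAA Safe Harbor method can still permit (3-digit ZIP, year of birth, sex) plus a diagnosis code, and the auxiliary list stands in for a public dataset such as a voter roll that carries the same fields with names attached. The `k_anonymity` release gate and the `suppress_small_classes` mitigation are the checks a data custodian would run before an extract leaves the covered entity.

```python
"""Linkage (re-identification) check on a "de-identified" patient extract.

Added illustration; this is not code from HC3 or the original article.
Both datasets below are constructed toy data.
"""
from collections import Counter, defaultdict

QUASI_IDENTIFIERS = ("zip3", "birth_year", "sex")

# Constructed sample: the extract a data scientist might hand to an ML team
# after stripping names, MRNs and full dates (Safe Harbor style).
CLINICAL_EXTRACT = [
    {"zip3": "021", "birth_year": 1954, "sex": "F", "diagnosis": "C50.9"},
    {"zip3": "021", "birth_year": 1988, "sex": "M", "diagnosis": "F41.1"},
    {"zip3": "021", "birth_year": 1988, "sex": "M", "diagnosis": "J45.9"},
    {"zip3": "100", "birth_year": 1971, "sex": "F", "diagnosis": "O80"},
    {"zip3": "100", "birth_year": 1971, "sex": "F", "diagnosis": "E11.9"},
    {"zip3": "100", "birth_year": 1971, "sex": "F", "diagnosis": "I10"},
]

# Constructed sample: a public auxiliary dataset (voter-roll style) with names.
AUXILIARY = [
    {"name": "A. Rivera",  "zip3": "021", "birth_year": 1954, "sex": "F"},
    {"name": "B. Chen",    "zip3": "021", "birth_year": 1988, "sex": "M"},
    {"name": "C. Okafor",  "zip3": "021", "birth_year": 1988, "sex": "M"},
    {"name": "D. Patel",   "zip3": "100", "birth_year": 1971, "sex": "F"},
    {"name": "E. Nguyen",  "zip3": "100", "birth_year": 1971, "sex": "F"},
    {"name": "F. Schmidt", "zip3": "100", "birth_year": 1971, "sex": "F"},
    {"name": "G. Haddad",  "zip3": "100", "birth_year": 1971, "sex": "F"},
]


def qi_key(row):
    """The tuple of quasi-identifier values an attacker can join on."""
    return tuple(row[q] for q in QUASI_IDENTIFIERS)


def k_anonymity(rows):
    """Smallest equivalence class over the quasi-identifiers.

    k == 1 means at least one record is unique on the joinable fields and
    can be re-identified by anyone holding a matching auxiliary dataset.
    """
    counts = Counter(qi_key(r) for r in rows)
    return min(counts.values()) if counts else 0


def linkage_attack(extract, auxiliary):
    """Join the extract to the auxiliary data on the quasi-identifiers.

    Returns (diagnosis, candidate_names) per extract row. One candidate is
    an exact re-identification; several still narrows the patient to a
    small named set.
    """
    index = defaultdict(list)
    for a in auxiliary:
        index[qi_key(a)].append(a["name"])
    return [(r["diagnosis"], sorted(index.get(qi_key(r), []))) for r in extract]


def exact_reidentifications(extract, auxiliary):
    """Only the rows the attacker can tie to exactly one named person."""
    return [(dx, names[0]) for dx, names in linkage_attack(extract, auxiliary)
            if len(names) == 1]


def suppress_small_classes(rows, k):
    """Release gate: drop every equivalence class smaller than k so the
    released extract is k-anonymous on the quasi-identifiers."""
    counts = Counter(qi_key(r) for r in rows)
    return [r for r in rows if counts[qi_key(r)] >= k]


if __name__ == "__main__":
    print("k before release gate:", k_anonymity(CLINICAL_EXTRACT))
    for dx, who in exact_reidentifications(CLINICAL_EXTRACT, AUXILIARY):
        print(f"diagnosis {dx} re-identified as {who}")
    safe = suppress_small_classes(CLINICAL_EXTRACT, 2)
    print("k after suppression:", k_anonymity(safe),
          "exact hits:", exact_reidentifications(safe, AUXILIARY))
```

The extract is Safe Harbor-shaped and still yields one exact re-identification (the single 1954 record) and narrows every other patient to two or four named people. Suppression to k=2 removes the exact hit; in practice the gate would be run with a larger k and with generalization (decade of birth, coarser geography) before suppression, because the auxiliary data an adversary holds is rarely as small as this toy list.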

5G cellular networks are around 10 to 100 times faster than current cellular networks, and there are many possible uses in healthcare, with the low latency expected to make telesurgery possible. 5G networks will support a much more extensive range of wearable and Internet of Medical Things (IoMT) devices. As with IoT generally, there are security threats that must be mitigated: data transmitted over 5G networks must be properly secured, 5G devices must authenticate before connecting to networks, and any data stored on IoMT devices must be protected with whole disk encryption. HC3 has highlighted the importance of a Cybersecurity Bill of Materials to allow healthcare organizations to accurately assess the security of devices.

Nanotechnology has the potential to revolutionize the treatment of diseases through the delivery of drugs to specific cells. The technology could improve diagnostic imaging, and there is considerable potential for highly personalized medicine. There are concerns, however, that malicious actors could “hack humans” in bioterrorist attacks, that nanodevices could be taken out of action by denial-of-service attacks, and that ransomware could be used to disrupt nanotechnology systems, with potentially fatal consequences.

These and other emerging technologies can all greatly benefit the healthcare industry and have the potential to improve patient outcomes and lower costs, but all risks associated with these technologies must be carefully assessed and managed to ensure that vulnerabilities cannot be exploited and patient privacy and safety are not put at risk.


House Democrats Seek Answers from Meta on its Abortion Data Sharing Policies

Democratic leaders have demanded answers from Meta CEO Mark Zuckerberg about the role the company played in a criminal investigation in Nebraska into an alleged illegal abortion. Democrats from the Committee on Energy and Commerce wrote to the Meta CEO on August 31, 2022, to express their concern about the release of private communications that had taken place between a mother and her daughter about an abortion.

The police conducted a criminal investigation into Jessica Burgess, 41, and her daughter, Celeste Burgess, 18, over an alleged illegal abortion. The teenager is alleged to have had an abortion after 20 weeks and then buried the fetus. Nebraska law prohibits abortion more than 20 weeks after fertilization.

The police launched an investigation after learning that a 17-year-old had unexpectedly given birth to a stillborn baby. Local police served Meta with a warrant seeking the conversations that had taken place between the mother and daughter on its platforms, according to a Deseret News report. Celeste Burgess was charged with three felony counts: performing an illegal abortion, performing the abortion without a licensed doctor, and concealing a dead human body, along with two misdemeanors: concealing the death of another person and false reporting. Jessica Burgess was charged on two counts: performing an illegal abortion after 20 weeks and performing the abortion as a non-licensed doctor. Another individual, a 22-year-old man, was also charged with one misdemeanor: attempting to conceal the death of another person.

Meta issued a statement in response to the reporting of the case in the media seeking to correct factual errors in the stories, claiming “much of the reporting about Meta’s role in a criminal case against a mother and daughter in Nebraska is plain wrong.” Meta confirmed that the warrant made no mention of abortion. “We received valid legal warrants from local law enforcement on June 7, before the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization. The warrants did not mention abortion at all,” said Meta. “Court documents indicate that police were at that time investigating the alleged illegal burning and burial of a stillborn infant. The warrants were accompanied by non-disclosure orders, which prevented us from sharing information about them. The orders have now been lifted.”

The Committee Democrats are seeking answers from Meta on its privacy policies regarding the protection of sensitive information of users of its platform and how the company ensures private information is protected while also complying with legal obligations, especially considering the company is likely to receive further requests from law enforcement seeking access to users’ sensitive data related to illegal abortions.

“We fear it is only a matter of time before Meta is asked by law enforcement to turn over personal data of users in which they specifically cite attempting or performing abortion as the crime being investigated,” wrote the Committee Democrats. “It is completely foreseeable that Meta may be asked to turn over other sensitive data based on conversations related to assisting a friend or family member with transportation to obtain an abortion or providing money for cab fare or hotel accommodations. The possibilities are endless and are endlessly troubling.”

Committee Chairman Frank Pallone, Jr., Subcommittee on Health Chairwoman Anna G. Eshoo, Subcommittee on Oversight and Investigations Chair Diana DeGette, and Subcommittee on Consumer Protection and Commerce Chair Jan Schakowsky have requested a briefing on Meta’s treatment of personal data and its policies and procedures for sharing that data with law enforcement and other outside parties.


California Legislature Passes Bill Prohibiting the Sharing of Information About Abortions

The California Legislature has passed a bill (AB-1242) that prohibits companies in the state from complying with warrants from other states that seek information about individuals seeking or providing abortions.

The decision of the U.S. Supreme Court to overturn Roe v. Wade removed the federal right to obtain an abortion. Several states had trigger laws in place that made abortion illegal in the event of Roe v. Wade being overturned. A dozen states have already made abortion illegal for state residents and several other states are considering implementing similar restrictions.

There are fears that legal action could be taken against individuals in those states if they seek access to abortions in other states, and that attempts may be made by state attorneys general and law enforcement to obtain information about individuals seeking abortion in states where abortion remains legal. Under the existing law in California, records of individuals must be provided if a search warrant is issued upon certain grounds. The law change prohibits the issuance of such a warrant related to investigations of individuals seeking abortions or individuals providing abortions. The new bill also prohibits local police from assisting with investigations into abortions, including providing cellphone location information of women who travel to California to obtain abortions.

Specifically, the bill prohibits “the issuance of an ex parte order authorizing interception of wire or other electronic communication or an order, or extension of an order, authorizing or approving the installation and use of a pen register or trap and trace device for the purpose of investigating or recovering evidence of a prohibited violation.”

Prohibited violations are defined as “a violation of a law that creates liability for, or arising out of, either prohibiting, facilitating, or obtaining an abortion or intending or attempting to provide, facilitate, or obtain an abortion that is lawful under California law.”

In the event that another state wishes to issue a search warrant seeking the identity of individuals or the content of their communications, that state would be required to attest that the information being sought is in no way related to an investigation of abortion. If a California company chose to comply with such a request anyway, the state attorney general would be permitted to sue the company for a violation of state law.

The bill now awaits the signature of California Governor Gavin Newsom, who has until September 30, 2022, to sign it into law.


Study Explores How Medical Apps are Sending Health Data to Facebook and Others

Sensitive information is being shared with data brokers and advertisers for the purpose of serving targeted advertisements, and not just by health apps and fitness trackers. HIPAA-covered entities are also sharing the health data without patient consent, which puts them at risk of regulatory fines and lawsuits.

Many consumer health apps collect sensitive health data, including pregnancy and fertility trackers and personal fitness and exercise apps. These apps are fed data or directly collect that information through associated wearable devices, and that information may be shared with third parties or sold, as per the terms and conditions for use of the apps. If users do not wish to share their data, they can simply not use the apps.

However, there is growing concern over the sharing of identifiable health data by healthcare organizations covered by the Health Insurance Portability and Accountability Act, which places restrictions on uses and disclosures of identifiable protected health information. Many hospitals have recently been discovered to have used the Meta Pixel JavaScript code on their websites for tracking visitor activity and evaluating the effectiveness of their Facebook marketing campaigns. In some cases, the code has been included on pages within patient portals, and health information has been transferred to Meta without consent and used by Facebook advertisers to serve targeted, personalized advertisements. At least two lawsuits have been filed against healthcare providers over the privacy violations, and Novant Health has recently issued notifications to more than 1.3 million patients whose privacy was violated.

Study Explores How Medical Apps Share Healthcare Data with Social Media Networks

A recent study has explored how medical apps have been sharing sensitive health data. The researchers selected medical apps that were commonly used by patients that engaged with social media websites, including Facebook, to find information related to their medical condition. The study focused on five digital medicine companies and evaluated 32 different cross-site-tracking middleware types that used cookies to track individuals across the Internet and shared their browsing data with Facebook for purposes of advertising and lead generation. Specifically, the researchers focused on companies that were offering services to patient advocates in the cancer care community who were active users of social media sites.

Patients often use social media websites to get support from their peers, with Facebook being one of the most popular. Facebook is awash with adverts related to health conditions. According to the researchers, health and pharmaceutical companies spent more than $1 billion on Facebook mobile advertising alone in 2019. The health information revealed by patients to social media sites exposes them to these adverts and allows health and pharmaceutical companies to target very specific patient populations. The focus on the cancer community was because those patients were perceived to be vulnerable to online scams, medical misinformation, and privacy breaches through the use of cross-site-tracking middleware. The researchers focused their study on Facebook’s ad model, although the findings may well apply to other social media platforms.

How Patients Are Tracked and Served Targeted Advertisements

In a typical scenario, a cancer patient signs up to use a digital medicine or genetic testing app and agrees to its terms and conditions. Separately, the patient has or creates a Facebook account. The vendor embeds third-party tracking code on its website that reports the user’s activity there (“off-Facebook activity”) to Facebook without the user’s consent.

The off-Facebook activity from the vendor is used to update ad interests algorithms on Facebook. Facebook’s algorithms then promote health-related ads based on the users’ health interests. Vendors can target ads to users with specific health interests, and may also attempt to enrich data through forms and quizzes, with the lead data passed from Facebook to the vendor’s CRM system.
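The Meta Pixel found on hospital websites and patient portals earlier in this article, and the vendor-embedded tracking code described in the scenario above, are the same mechanism: a third-party script (plus a `<noscript>` image beacon) that reports page views and interactions to Facebook. The first question a security reviewer asks is whether such code is present on a page at all, and whether that page sits behind a patient login. The following audit script is an added example, not code from the study, from Meta or from HIPAA Journal. The two HTML documents are constructed, and the tracker host list, the sensitive-path hints and the severity rules are assumptions to be adapted to a real site inventory.

```python
"""Audit page HTML for third-party tracking code such as the Meta Pixel.

Added example; not code from the study, from Meta or from HIPAA Journal.
The HTML samples are constructed; host list and path hints are assumptions.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts whose scripts report visitor activity to an ad platform (assumed list).
TRACKER_HOSTS = {
    "connect.facebook.net": "Meta Pixel",
    "www.googletagmanager.com": "Google Tag Manager",
    "www.google-analytics.com": "Google Analytics",
}
# The Pixel bootstrap call; the numeric ID ties the page to an ad account.
FBQ_INIT_RE = re.compile(r"fbq\(\s*['\"]init['\"]\s*,\s*['\"](\d+)['\"]")
# URL path fragments that indicate an authenticated or clinical context (assumed).
SENSITIVE_PATH_HINTS = ("portal", "mychart", "appointment", "patient", "login")


def _host_of(url):
    """Hostname of an absolute or protocol-relative URL; '' for site-relative paths."""
    if url.startswith("//"):
        url = "https:" + url
    return (urlparse(url).hostname or "").lower()


def _matches(host, known):
    return host == known or host.endswith("." + known)


class TrackerScanner(HTMLParser):
    """Collects (tracker_name, evidence) pairs while parsing a page."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False
        self._script_buf = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        src = attrs.get("src") or ""
        if tag == "script":
            self._in_script = True
            self._script_buf = []
        if tag in ("script", "img", "iframe") and src:
            host = _host_of(src)
            path = urlparse(src).path
            for known, name in TRACKER_HOSTS.items():
                if _matches(host, known):
                    self.findings.append((name, f"<{tag} src> loads {host}"))
            # The Pixel's <noscript> fallback is a 1x1 image beacon to facebook.com/tr
            if _matches(host, "facebook.com") and path.startswith("/tr"):
                self.findings.append(("Meta Pixel", f"<{tag}> image beacon to {host}{path}"))

    def handle_data(self, data):
        if self._in_script:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag != "script":
            return
        self._in_script = False
        body = "".join(self._script_buf)
        m = FBQ_INIT_RE.search(body)
        if m:
            self.findings.append(("Meta Pixel", f"inline fbq('init') with pixel id {m.group(1)}"))
        for known, name in TRACKER_HOSTS.items():
            if known in body:
                self.findings.append((name, f"inline script references {known}"))


def scan_page(url, html):
    """Return the trackers found on a page and a severity that rises when the
    page sits on a path where visitors are identifiable patients."""
    scanner = TrackerScanner()
    scanner.feed(html)
    path = urlparse(url).path.lower()
    sensitive = any(hint in path for hint in SENSITIVE_PATH_HINTS)
    trackers = sorted({name for name, _ in scanner.findings})
    severity = "none" if not trackers else ("high" if sensitive else "medium")
    return {"url": url, "trackers": trackers, "sensitive_path": sensitive,
            "severity": severity, "evidence": scanner.findings}


# Constructed sample: a patient-portal page carrying the standard Pixel snippet.
PORTAL_HTML = """<html><head>
<script>
!function(f,b,e,v,n,t,s){n=f.fbq=function(){};t=b.createElement(e);t.src=v;
s=b.getElementsByTagName(e)[0];s.parentNode.insertBefore(t,s)}(window,document,
'script','https://connect.facebook.net/en_US/fbevents.js');
fbq('init', '1234567890');
fbq('track', 'PageView');
</script>
<noscript><img height="1" width="1" style="display:none"
src="https://www.facebook.com/tr?id=1234567890&ev=PageView&noscript=1"/></noscript>
</head><body><h1>Schedule an appointment</h1></body></html>"""

# Constructed sample: a public page that loads only first-party code.
ABOUT_HTML = """<html><head><script src="/static/site.js"></script></head>
<body><p>About our hospital</p><a href="https://www.facebook.com/hospital">Facebook</a></body></html>"""

if __name__ == "__main__":
    for url, html in (("https://hospital.example/portal/appointments", PORTAL_HTML),
                      ("https://hospital.example/about", ABOUT_HTML)):
        print(scan_page(url, html))
```

A plain link to the hospital's Facebook page is not a finding; only `<script>`, `<img>` and `<iframe>` sources and inline script bodies are inspected. Run against a crawl of every authenticated page, the `high` severity list is the set of pages where a pixel would have transmitted patient activity, which is the population a breach notification assessment has to start from.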

Privacy Policies and Data Sharing Practices Differ

While digital medicine and genetic testing apps have privacy policies that explain how data is collected and used, in some cases the policies do not match actual data sharing practices. All five apps had privacy policies, but three stated that health data would not be shared with advertisers even though it was being shared.

All five apps are potentially covered by the Federal Trade Commission’s Health Breach Notification Rule, and two of the app providers were CLIA-certified labs offering clinical genetic and diagnostic tests, and are therefore also bound by HIPAA. In some cases, users were being tracked and their data shared even though consent had not been obtained, and in some cases users had been told that their health information would not be shared with Facebook or others.

A spokesperson for Meta said that health information should not be sent to the platform and that Meta has filters in place to detect and remove health data before it reaches advertisers; however, the filter does not catch all health data. The researchers point out that Facebook announced in November 2021 that the platform would remove detailed ad-targeting options based on sensitive health information.

The researchers suggest that tracking users and sharing their data with Facebook (and potentially other social media networks) could violate federal and industry regulations, in particular the FTC’s Health Breach Notification Rule and potentially HIPAA. They also point out that there had been no enforcement of the Health Breach Notification Rule since its introduction.

“We demonstrated that personal data and personal health data can be easily obtained without the aid of highly sophisticated cyberattack techniques but with rather commonplace third-party advertising tools,” said the researchers. While the study did not confirm any intentional deception of individuals, it was also not clear the extent to which these companies were aware that user health data is being monitored and fed to Facebook for the purposes of serving targeted advertisements.

“These marketing tools reveal a dark pattern used to track vulnerable patient journeys across platforms as they browse online, in some ways unclear to the companies and patient populations who are engaging through Facebook,” concluded the researchers. “While the digital medicine ecosystem relies on social media to recruit and build their businesses through advertising-related marketing channels, these practices sometimes contradict their own stated privacy policies and promises to users.”

The study – Health advertising on Facebook: Privacy and policy considerations – was published in the journal Patterns on August 15, 2022.


July 2022 Healthcare Data Breach Report

In July 2022, 66 healthcare data breaches of 500 or more records were reported to the Department of Health and Human Services’ Office for Civil Rights, a 5.71% reduction from the 70 breaches reported in June 2022 and likewise from the 70 reported in July 2021. While the number of breaches fell slightly from last month, breaches are still being reported well above the average monthly rate of 57.

Healthcare data breaches in the past 12 months

For the second consecutive month, the number of exposed or impermissibly disclosed healthcare records topped 5 million. 5,331,869 records were breached across the 66 reported incidents, well above the 12-month average of 3,499,029 records a month. July saw 8.97% fewer records breached than June 2022 and 7.67% fewer than July 2021.

Breached healthcare records in the past 12 months

Largest Healthcare Data Breaches in July 2022

In July, 25 data breaches of 10,000 or more records were reported, 15 of which occurred at business associates of HIPAA-covered entities. The largest data breach was a ransomware attack on the accounts receivable management agency, Professional Finance Company. Cyberattacks on business associates can affect many different HIPAA-covered entities, as was the case with the PFC breach, which affected 657 HIPAA-covered entities. The breach was reported by PFC as affecting more than 1.9 million individuals, although some of those clients have reported the breach separately. It is unclear how many records in total were compromised in the ransomware attack.

The second largest data breach occurred at the Wisconsin mailing vendor, OneTouchPoint. This was also a ransomware attack and was reported by OneTouchPoint as affecting more than 1 million individuals, but as was the case with the PFC ransomware attack, some of its healthcare provider clients self-reported the data breach, including Aetna ACE Health Plan. Goodman Campbell Brain and Spine also suffered a major ransomware attack. The Indiana-based healthcare provider confirmed that the threat actors had uploaded the stolen data to their data leak site.

| Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Business Associate Breach | Cause of Breach |
|---|---|---|---|---|---|
| Professional Finance Company, Inc. | CO | Business Associate | 1,918,941 | Yes | Ransomware attack |
| OneTouchPoint, Inc. | WI | Business Associate | 1,073,316 | Yes | Ransomware attack |
| Goodman Campbell Brain and Spine | IN | Healthcare Provider | 362,833 | No | Ransomware attack – Data leak confirmed |
| Aetna ACE | CT | Health Plan | 326,278 | Yes | Ransomware attack on mailing vendor (OneTouchPoint) |
| Synergic Healthcare Solutions, LLC dba Fast Track Urgent Care Center | FL | Healthcare Provider | 258,411 | Yes | Hacking incident at billing vendor (PracticeMax) |
| Avamere Health Services, LLC | OR | Business Associate | 197,730 | Yes | Hacking incident – Data theft confirmed |
| BHG Holdings, LLC dba Behavioral Health Group | TX | Healthcare Provider | 197,507 | No | Hacking incident – Data theft confirmed |
| Premere Infinity Rehab, LLC | OR | Business Associate | 183,254 | Yes | Hacking incident at business associate (Avamere Health Services) – Data theft confirmed |
| Carolina Behavioral Health Alliance, LLC | NC | Business Associate | 130,922 | Yes | Hacking incident |
| Family Practice Center PC | PA | Healthcare Provider | 83,969 | No | Hacking incident |
| Kaiser Foundation Health Plan, Inc. (Southern California) | CA | Health Plan | 75,010 | No | Theft of device in a break-in at a storage facility |
| Magie Mabrey Hughes Eye Clinic, P.A. dba Arkansas Retina | AR | Healthcare Provider | 57,394 | Yes | Ransomware attack on EHR vendor (Eye Care Leaders) |
| McLaren Port Huron | MI | Healthcare Provider | 48,957 | Yes | Hacking incident at business associate (MCG Health) – Data theft confirmed |
| Southwest Health Center | WI | Healthcare Provider | 46,142 | No | Hacking incident – Data theft confirmed |
| WellDyneRx, LLC | FL | Business Associate | 43,523 | Yes | Email account compromised |
| Associated Eye Care | MN | Healthcare Provider | 40,793 | Yes | Ransomware attack on EHR vendor (Eye Care Leaders) |
| Zenith American Solutions | WA | Business Associate | 37,146 | Yes | Mailing error |
| Benson Health | NC | Healthcare Provider | 28,913 | No | Hacking incident |
| Healthback Holdings, LLC | OK | Healthcare Provider | 21,114 | No | Email accounts compromised |
| East Valley Ophthalmology | AZ | Healthcare Provider | 20,734 | Yes | Ransomware attack on EHR vendor (Eye Care Leaders) |
| Arlington Skin | VA | Healthcare Provider | 17,468 | No | Hacking incident at EHR management company (Virtual Private Network Solutions) |
| The Bronx Accountable Healthcare Network | NY | Healthcare Provider | 17,161 | No | Email accounts compromised |
| Granbury Eye Clinic | TX | Healthcare Provider | 16,475 | Yes | Ransomware attack on EHR vendor (Eye Care Leaders) |
| CHRISTUS Spohn Health System Corporation | TX | Healthcare Provider | 15,062 | No | Ransomware attack – Data leak confirmed |
| Central Maine Medical Center | ME | Healthcare Provider | 11,938 | Yes | Hacking incident at business associate (Shields Healthcare Group) |

Causes of July 2022 Healthcare Data Breaches

Hacking/IT incidents dominated the breach reports in July: 55 data breaches were classed as hacking/IT incidents, with ransomware attacks continuing to be a problem for the healthcare industry. 9 of the top 25 breaches were reported as ransomware attacks, although HIPAA-regulated entities often do not disclose the exact nature of cyberattacks or whether ransomware was involved. Across the hacking incidents, the records of 5,195,024 individuals were breached, 97.43% of all records breached in July. The average breach size was 94,455 records and the median breach size was 4,447 records. The median is less than half the median breach size in June because of the large number of relatively small breaches.

There were 8 unauthorized access/disclosure incidents reported involving 59,784 records; the average breach size was 7,473 records and the median breach size was 1,920 records. There were 3 incidents involving the loss or theft of devices or physical documents containing PHI (one of them a theft), exposing 77,061 records in total; the average breach size was 25,687 records and the median breach size was 1,201 records.

Causes of July 2022 healthcare data breaches

Unsurprisingly given the large number of hacking incidents, 56% of the month’s breaches involved PHI stored on network servers. 12 incidents involved unauthorized access to email accounts, caused by a mix of phishing and brute force attacks.

July 2022: location of breached PHI

There has been a marked increase in hybrid phishing attacks on the healthcare industry in recent months. In these attacks the initial email carries no malicious link or attachment, only a phone number manned by the threat actor, so it gives link- and attachment-based email filters nothing to detect. According to Agari, Q2 2022 saw a 625% increase in hybrid phishing attacks in which initial contact was made via email and the scam itself took place over the phone. Several ransomware groups have adopted this tactic as their main way of gaining initial access to victims’ networks. The lures are typically notifications about an upcoming charge, such as the end of a free trial of a software product or service or the renewal of a subscription, that will be applied unless the recipient calls the number to stop the payment. On the call, the victim is talked into opening a remote access session with the threat actor.
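Because the email itself is clean, detection has to key on the shape of the lure rather than on an indicator. The triage below is an added example, not from Agari, HIPAA Journal or any ransomware group's tooling. The four messages are constructed. The lure vocabulary, weights and threshold are assumptions a detection engineer would tune on their own mail corpus; the structural signal, a phone number offered as the only call to action with no link in the message, is the part worth keeping. Text extracted from a PDF attachment (a common variant of the lure) can be appended to the body before calling `triage`.

```python
"""Heuristic triage for callback ("hybrid") phishing emails.

Added example; not from Agari, HIPAA Journal or any attacker tooling.
Sample messages are constructed; terms, weights and threshold are assumptions.
"""
import re

PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b")
URL_RE = re.compile(r"https?://\S+|\bwww\.\S+", re.I)
MONEY_RE = re.compile(r"\$\s?\d[\d,]*(?:\.\d{2})?")

# Assumed lure vocabulary: billing pressure that makes the victim pick up the phone.
LURE_TERMS = {
    "free trial": 2, "subscription": 2, "auto-renew": 2, "renewal": 2,
    "invoice": 1, "charged": 2, "will be billed": 2, "refund": 1,
    "cancel": 1, "within 24 hours": 1, "call our billing": 1, "call us": 1,
}
THRESHOLD = 6  # assumed; tune against known-good mail to control false positives


def triage(subject, body):
    """Score one message and return the evidence alongside the verdict."""
    text = f"{subject}\n{body}"
    lower = text.lower()
    phones = [p.strip() for p in PHONE_RE.findall(text)]
    urls = URL_RE.findall(text)
    lures = sorted(t for t in LURE_TERMS if t in lower)
    amounts = MONEY_RE.findall(text)

    score = sum(LURE_TERMS[t] for t in lures)
    reasons = [f"lure term '{t}'" for t in lures]
    if phones:
        score += 2
        reasons.append(f"phone number present: {phones[0]}")
    if amounts:
        score += 1
        reasons.append(f"money amount: {amounts[0]}")
    # The defining shape of callback phishing: the phone is the only action offered.
    phone_only_action = bool(phones) and not urls
    if phone_only_action:
        score += 3
        reasons.append("phone number is the only call to action (no link)")
    return {"score": score, "phones": phones, "urls": urls, "lures": lures,
            "phone_only_action": phone_only_action,
            "verdict": phone_only_action and score >= THRESHOLD,
            "reasons": reasons}


def flagged(messages):
    """Subjects of the messages the triage would route to an analyst."""
    return [m["subject"] for m in messages if triage(m["subject"], m["body"])["verdict"]]


# Constructed samples: one callback lure and three benign messages that share
# some of its surface features (phone numbers, invoices, money amounts).
SAMPLES = [
    {"subject": "Your ProtectSuite Pro order #88213 confirmed",
     "body": "Thank you for your purchase. Your 30-day free trial has ended and your "
             "subscription has been auto-renewed. Your card will be charged $349.99 today. "
             "If you did not authorize this charge, call our billing team at (800) 555-0199 "
             "within 24 hours to cancel and receive a refund."},
    {"subject": "Clinic newsletter: flu shots now available",
     "body": "Walk-in flu shots are available weekdays. To book a time, call us at "
             "(555) 010-2000 or visit https://clinic.example/flu."},
    {"subject": "Invoice 4412 from Acme Medical Supply",
     "body": "Your invoice for $120.00 is attached. Pay online at https://pay.example/4412 "
             "or call us at 555-010-3000 with questions."},
    {"subject": "Appointment reminder",
     "body": "You have an appointment on Monday at 9:00 AM. To reschedule, call (555) 010-4000."},
]

if __name__ == "__main__":
    for m in SAMPLES:
        r = triage(m["subject"], m["body"])
        print(f"{r['score']:>3} {'FLAG' if r['verdict'] else '    '} {m['subject']}")
```

The appointment reminder is phone-only but scores below the threshold, and the supplier invoice carries a payment link, so neither is flagged; only the subscription lure, which stacks billing pressure on a phone number with no other action, reaches an analyst. In production the verdict would also weigh sender reputation and whether the phone number has been seen in prior reports.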

HIPAA Regulated Entities Affected by Data Breaches

In most months, healthcare providers are the worst affected HIPAA-regulated entity type, but in July business associates topped the list. 39 healthcare providers reported data breaches, but 15 of those breaches occurred at business associates. 10 health plans reported breaches, 4 of which occurred at business associates. 17 business associates self-reported breaches. The chart below shows the month’s data breaches based on where they occurred, rather than by reporting entity.

July 2022 healthcare data breaches by HIPAA-regulated entity type

July 2022 Healthcare Data Breaches by State

Data breaches of 500 or more records were reported by HIPAA-regulated entities in 29 states, with Texas the worst affected with 10 data breaches.

| State | No. Breaches |
|---|---|
| Texas | 10 |
| Pennsylvania & Virginia | 5 |
| California, Florida, North Carolina & Wisconsin | 4 |
| Arizona, Connecticut, Georgia, Illinois, New Hampshire, Ohio, Oklahoma & Oregon | 2 |
| Alabama, Arkansas, Colorado, Indiana, Iowa, Maine, Massachusetts, Michigan, Minnesota, Missouri, New York, Rhode Island, Washington & Wyoming | 1 |

HIPAA Enforcement Activity in July 2022

From January to June, only 4 enforcement actions were announced by the HHS’ Office for Civil Rights; however, July saw a further 12 enforcement actions announced that resulted in financial penalties to resolve HIPAA violations. OCR has continued with its HIPAA Right of Access enforcement initiative, with 11 of the penalties imposed for the failure to provide patients with timely access to their medical records. 10 of those investigations were settled, and one was resolved with a civil monetary penalty.

July also saw one investigation settled with OCR that resolved multiple alleged violations of the HIPAA Rules that were uncovered during an investigation of a 279,865-record data breach at Oklahoma State University – Center for Health Sciences.

No HIPAA enforcement actions were announced by state attorneys general in July.

| Covered Entity | Amount | Settlement/CMP | Reason |
| --- | --- | --- | --- |
| ACPM Podiatry | $100,000 | Civil Monetary Penalty | HIPAA Right of Access failure |
| Oklahoma State University – Center for Health Sciences (OSU-CHS) | $875,000 | Settlement | Risk analysis, security incident response and reporting, evaluation, audit controls, breach notifications, & the impermissible disclosure of the PHI of 279,865 individuals |
| Memorial Hermann Health System | $240,000 | Settlement | HIPAA Right of Access failure |
| Southwest Surgical Associates | $65,000 | Settlement | HIPAA Right of Access failure |
| Hillcrest Nursing and Rehabilitation | $55,000 | Settlement | HIPAA Right of Access failure |
| MelroseWakefield Healthcare | $55,000 | Settlement | HIPAA Right of Access failure |
| Erie County Medical Center Corporation | $50,000 | Settlement | HIPAA Right of Access failure |
| Fallbrook Family Health Center | $30,000 | Settlement | HIPAA Right of Access failure |
| Associated Retina Specialists | $22,500 | Settlement | HIPAA Right of Access failure |
| Coastal Ear, Nose, and Throat | $20,000 | Settlement | HIPAA Right of Access failure |
| Lawrence Bell, Jr. D.D.S | $5,000 | Settlement | HIPAA Right of Access failure |
| Danbury Psychiatric Consultants | $3,500 | Settlement | HIPAA Right of Access failure |

The post July 2022 Healthcare Data Breach Report appeared first on HIPAA Journal.

Survey Confirms Patients Are Extremely Concerned About Healthcare Data Privacy

Healthcare data breaches are being reported in record numbers with tens of millions of patients having their healthcare data exposed or impermissibly disclosed every year. Healthcare data should remain private and confidential but it is clear that is no longer the case.

The American Medical Association (AMA) recently teamed up with the Savvy Cooperative to explore the perspectives of patients about the privacy of their medical information and conducted a survey on 1,000 adults in the United States to better understand patients’ views on the privacy of healthcare data, with a view to determining how the healthcare industry and the government can help patients and their care teams better protect medical information and strengthen trust.

The survey confirmed that patients are deeply concerned about the lack of security and the inability to ensure their private healthcare data remains confidential. 92% of respondents to the survey believe privacy is a basic right and their health data should not be available for corporations or other individuals to buy. 94% of respondents said companies that collect, store, analyze, or use health data should be held accountable under the law, and almost 93% of patients want health app developers to publicize if and how their product adheres to industry standards for handling health data.

HIPAA applies to healthcare providers, health plans, healthcare clearinghouses, and business associates of those entities, and there are strict rules concerning uses and disclosures of healthcare data; however, the survey confirmed that patients are unclear about the rules that protect their privacy, and they are concerned about who has access to their personal healthcare information. 75% of respondents said they were concerned about protecting the privacy of their health data.

“The AMA is highly concerned that patients’ private medical information is increasingly vulnerable and digital patient data is being shared beyond the confines of the HIPAA framework without protections of federal privacy,” said AMA President Jack Resneck Jr., MD, especially in light of the U.S. Supreme Court ruling overturning Roe v. Wade. “That medical information was previously being siphoned off and monetized was always a concern. Now, it’s a legal threat as zealous prosecutors can track patients and access their medical records to determine what medical services were provided.”

The survey confirmed that patients are comfortable with their healthcare providers having access to their healthcare data, but patients were least comfortable with social media sites, employers, and big technology companies accessing their healthcare data. 59% of patients were concerned that their health data could be used by companies to discriminate against them or their loved ones or exclude them from opportunities to find housing, gain employment, and receive benefits.

Almost 88% of patients said they think their physicians or hospitals should have the ability to review and verify the security of health apps before those apps gain access to their health data, yet federal regulations prohibit this. Patients also want to have the choice about how their health information is used, with 75% of patients wanting to have the option to opt-in before a company uses any of their health data, and over 75% wanting to receive a request prior to a company using their health data for a new purpose. Almost 80% of respondents said they want to be able to opt-out of sharing some or all of their health data.

The AMA said much more needs to be done to improve transparency on how apps use patient medical information and said it has identified and recommended additional actions to increase transparency on what apps do with medical information. The AMA has also developed a “Privacy by Design” toolkit that health app developers can use to build privacy controls into their apps.

The AMA is calling for all policymakers, in Congress and the administration, to take much-needed action to better protect health information.


Digital Marketing and Analytics Company Files Lawsuit Against FTC Over Alleged Privacy Violations

A lawsuit has been filed against the Federal Trade Commission (FTC) by Kochava, an Idaho-based digital marketing and analytics company that the FTC alleges has violated the FTC Act with its data practices.

Kochava’s primary business unit provides mobile advertising attribution through customizable software tools, which are provided under the software-as-a-service model. The software allows its customers to obtain data points and analytics for digital marketing campaigns and applications. The second business unit is an aggregator of third-party provided mobile device data, which Kochava makes available through its data marketplace, the Kochava Collective.

Following the Supreme Court’s decision to overturn Roe v. Wade, privacy advocates have voiced their concern about the potential for data brokers and law enforcement in some states to collect information about individuals who visit reproductive health clinics to seek advice about abortions. Shortly after the Supreme Court’s decision, the FTC announced its commitment to fully enforce the law against the illegal use and sharing of highly sensitive data, such as the collection and use of consumer location data and illegal privacy practices with respect to reproductive healthcare data.

The Kochava Collective provides data feeds and audience targeting to clients for marketing purposes. The FTC alleges the Kochava Collective provides precise geolocation data that is associated with Mobile Advertising Identifiers (MAIDs), which means it is possible to identify and track consumers when they visit sensitive locations such as reproductive health clinics, therapists’ offices, medical facilities, and addiction recovery centers. The FTC also alleges that the data is time-stamped, so it is possible to tell exactly when an individual visited a location, and that there are no technical controls in place to prohibit Kochava’s customers from tracking consumers when they visit those locations. The collection of latitude and longitude, IP address, and mobile advertising identifier information associated with consumers’ devices is a violation of the FTC Act, according to the FTC, which is seeking a permanent injunction against Kochava to prevent future FTC Act violations.

Kochava denies that its data can be used by its customers to identify and track individuals and claims that the FTC has misunderstood the services it provides. Kochava maintains that while the FTC is correct with respect to the collection of latitude and longitude, IP addresses, and MAIDs associated with consumer devices, those data elements are not received until days afterward, and the specific locations and consumers associated with MAIDs are not linked. Further, Kochava explains in the lawsuit that the FTC is wrong in its view that there are no technical controls in place to prevent its customers from tracking consumers when they visit sensitive locations. Kochava said it introduced a new capability on August 10, 2022, called Privacy Block, which allows its clients to shut off the collection of sensitive location data such as visits to healthcare providers.
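The kind of control described above, as an added example that is not Kochava’s Privacy Block or any FTC material: location records that fall within a radius of designated sensitive sites are suppressed before a feed is shared, so neither the timestamp nor the MAID of that visit reaches a downstream client. The site coordinates and device records below are constructed for the example.

```javascript
// Added example (not Kochava's code): suppress location records near
// sensitive sites before the data is shared. Sites and records are constructed.

const EARTH_RADIUS_M = 6371000;

// Great-circle distance between two points, in metres (haversine formula).
function haversineMetres(lat1, lon1, lat2, lon2) {
  const toRad = (deg) => (deg * Math.PI) / 180;
  const dLat = toRad(lat2 - lat1);
  const dLon = toRad(lon2 - lon1);
  const a =
    Math.sin(dLat / 2) ** 2 +
    Math.cos(toRad(lat1)) * Math.cos(toRad(lat2)) * Math.sin(dLon / 2) ** 2;
  return 2 * EARTH_RADIUS_M * Math.asin(Math.sqrt(a));
}

// Split records into those safe to share and those within `radiusMetres`
// of any sensitive site. Records are {maid, lat, lon, ts}; a suppressed
// record is withheld whole, so its timestamp and MAID are never released.
function suppressSensitiveVisits(records, sites, radiusMetres = 200) {
  const kept = [];
  const suppressed = [];
  for (const rec of records) {
    const near = sites.some(
      (s) => haversineMetres(rec.lat, rec.lon, s.lat, s.lon) <= radiusMetres
    );
    (near ? suppressed : kept).push(rec);
  }
  return { kept, suppressed };
}

// Constructed sensitive site list (coordinates are fictitious).
const SENSITIVE_SITES = [{ name: 'clinic A', lat: 43.615, lon: -116.2023 }];

// Constructed device records: one visit inside the fence, two elsewhere.
const SAMPLE_RECORDS = [
  { maid: 'maid-0001', lat: 43.6151, lon: -116.2025, ts: '2022-08-01T10:04:00Z' },
  { maid: 'maid-0001', lat: 43.63, lon: -116.25, ts: '2022-08-01T12:30:00Z' },
  { maid: 'maid-0002', lat: 43.6, lon: -116.18, ts: '2022-08-01T09:15:00Z' },
];

console.log(suppressSensitiveVisits(SAMPLE_RECORDS, SENSITIVE_SITES));
```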

Kochava maintains that it “operates consistently and proactively in compliance with all rules and laws, including those specific to privacy,” and that the FTC has threatened the company with a District Court lawsuit and a proposed settlement when both the lawsuit and settlement are based on inaccurate information. Kochava also alleges the FTC is overstepping its legal authority to enforce the FTC Act and is attempting to make the company a scapegoat in order to set a precedent across the ad tech industry. Kochava filed the lawsuit to get the Idaho Federal Court to intervene.


Novant Health Notifies Patients About Unauthorized Disclosure of PHI via Meta Pixel Code on Patient Portal

Novant Health has recently notified patients about a breach of their protected health information due to the incorrect configuration of Meta Pixel code on its patient portal.

Code Snippet Sending Sensitive Patient Data to Meta

Earlier this year, an investigation conducted by The Markup into the use of Meta Pixel code on healthcare providers’ websites revealed 33 of the top 100 hospitals in the United States had included Meta Pixel code on their websites, and 7 of those hospitals had added the code to their password-protected patient portals. The 7 hospitals discovered by The Markup to have installed Meta Pixel on their patient portals were Community Health Network, FastMed, Edward-Elmhurst Health, Piedmont, Renown Health, WakeMed, and Novant Health.

Meta Pixel is a snippet of JavaScript code that is used to track website visitors, and the information gathered is sent to Meta (Facebook), where it may be used to serve targeted ads. Meta says that organizations that use Meta Pixel are not supposed to send sensitive data, and that if it discovers it has been sent sensitive data by mistake, that data is filtered out to prevent it from being used to serve targeted ads. That filtering does not appear to be reliable, and even when the information is filtered out on receipt, it has still been transmitted to Meta.

In the weeks following the publication of the report, multiple lawsuits were filed on behalf of individuals whose personal and protected health information was disclosed to Meta via Meta Pixel code on healthcare provider websites. The lawsuits allege violations of federal and state privacy laws as the information was sent without obtaining express consent from patients.

A class action lawsuit was filed on behalf of a patient of Baltimore-based MedStar Health System, which alleges Meta Pixel has been used on the websites of at least 664 healthcare providers, allowing patient data to be sent to Meta in violation of the Health Insurance Portability and Accountability Act (HIPAA). Another lawsuit was filed against Meta and the University of California San Francisco and Dignity Health, with the lead plaintiff claiming to have been served targeted adverts following the disclosure of sensitive information about a health issue on the patient portal. Most recently, a similar lawsuit was filed against Meta and Northwestern Memorial Hospital in Chicago, IL.

Novant Health Notifies Patients About Meta Pixel Data Breach

Novant Health has recently notified an as-yet unspecified number of patients that some of their protected health information (PHI) has been sent to Meta. As far as HIPAA Journal has been able to establish, Novant Health is the first healthcare provider to issue breach notification letters to patients over the use of Meta Pixel code.

Novant Health explained in the breach notification letters that PHI was transferred to Meta due to “an incorrect configuration of [Meta] Pixel, an online tracking tool.” Novant Health said it wanted to be fully transparent over the data breach and the reasons for using the pixel code on its website.

“In May 2020, as our nation confronted the beginning of the COVID-19 pandemic, Novant Health launched a promotional campaign to connect more patients to the Novant Health MyChart patient portal, with the goals of improving access to care through virtual visits and to provide increased accessibility to counter the limitations of in-person care,” explained Novant Health. “This campaign involved Facebook advertisements and a Meta (Facebook parent company) tracking pixel placed on the Novant Health website to help understand the success of those advertisement efforts on Facebook; however, the pixel was configured incorrectly and may have allowed certain private information to be transmitted to Meta from the Novant Health website and MyChart portal.”

When notified about the potential privacy violation, Novant Health immediately disabled and removed the pixel from the patient portal and launched an investigation to determine the extent to which information was being transferred to Meta. On June 17, 2022, Novant Health determined that PHI may have been inadvertently transferred based on the type of user activity on the patient portal. The information transferred would have varied from patient to patient, and may have included an individual’s email address, phone number, IP address, contact information entered into Emergency Contacts or Advanced Care Planning, appointment type and date, physician selected, button/menu selections, and/or content typed into free text boxes.
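As an added example, not code from Novant Health, Meta, or The Markup, here is a small auditor a portal operator could run over a captured outbound pixel request to flag the kinds of data the letters describe (email address, phone number, free-text contents, and the portal page or button that was used). The request parameter names and the sample request are constructed assumptions modelled on a typical tracking-pixel call, not values from the original page.

```javascript
// Added example: audit one captured tracking-pixel request from a patient
// portal page and flag parameters carrying data that should never leave it.
// Parameter names (dl, rl, cd[...], ud[...]) are assumptions, and the sample
// request below is constructed.

// Value patterns for identifiers a patient might type into a form.
const SENSITIVE_PATTERNS = {
  email: /^[^\s@]+@[^\s@]+\.[^\s@]+$/,
  ssn: /^\d{3}-?\d{2}-?\d{4}$/,
  phone: /^\+?[\d(][\d\s().-]{7,12}\d$/,
};

// Keys assumed to carry the page URL, referrer, or custom/user data fields.
const CONTENT_KEYS = [/^dl$/, /^rl$/, /^cd\[/, /^ud\[/];

// Words that reveal which part of the portal a patient was using.
const PORTAL_ACTIVITY = /appointment|visit|result|message/i;

// Return the identifier type a value looks like, or null if it looks benign.
function classifyValue(value) {
  for (const [name, re] of Object.entries(SENSITIVE_PATTERNS)) {
    if (re.test(value.trim())) return name;
  }
  return null;
}

// Walk every query parameter and collect findings; a clean request yields [].
function auditPixelRequest(requestUrl) {
  const url = new URL(requestUrl);
  const findings = [];
  for (const [key, value] of url.searchParams) {
    const kind = classifyValue(value);
    if (kind) {
      findings.push({ key, kind, value });
    } else if (CONTENT_KEYS.some((re) => re.test(key)) && PORTAL_ACTIVITY.test(value)) {
      // Page paths and button labels leak what the patient did even when the
      // value is not itself an identifier.
      findings.push({ key, kind: 'portal-activity', value });
    }
  }
  return findings;
}

// Constructed sample: an authenticated portal page reporting a button click,
// with form contents copied into custom-data parameters.
const SAMPLE_REQUEST =
  'https://tracker.example/tr?id=000000000000000&ev=SubscribedButtonClick' +
  '&dl=' + encodeURIComponent('https://portal.example.org/appointments/schedule?dept=oncology') +
  '&cd[buttonText]=' + encodeURIComponent('Schedule appointment') +
  '&cd[email]=' + encodeURIComponent('patient@example.org') +
  '&cd[phone]=' + encodeURIComponent('(555) 010-0199');

console.log(auditPixelRequest(SAMPLE_REQUEST));
```

Any non-empty result on a page behind a login is a signal that the tracker should be removed from that page and the transmitted fields reviewed as a potential disclosure.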

Novant Health said it has found no evidence that Meta or any other third party has acted upon the information provided. If an individual entered financial information or a Social Security number in free text boxes, that information may also have been sent to Meta. Novant Health said the individual notification letters would state if such information had been disclosed, and if so, complimentary credit monitoring services will be provided to affected individuals.
