Healthcare Data Privacy

Protecting Jessica Grubbs Legacy Act Reintroduced by Sens. Manchin and Capito

Posted by HIPAA Journal

The Protecting Jessica Grubbs Legacy Act (S. 3374) has been reintroduced by Senators Joe Manchin (D-W.V.) and Shelley Moore Capito (R-W.V.). The Protecting Jessica Grubbs Legacy Act aims to modernize the 45 CRF Part 2 regulations to support the sharing of substance abuse disorder treatment records and improve care coordination.

42 CFR Part 2 regulations restrict the sharing of addiction records, which makes it very difficult for information to be shared about patients who are recovering from substance abuse disorder. Currently 45 CFR Part 2 regulations only permit substance abuse patients themselves to decide who has access to their full medical history. While the sharing of highly sensitive information about a patient’s history of substance abuse disorder and treatment is intended to protect the privacy of patients and ensure they are protected against discrimination, not making that information available to doctors can have catastrophic consequences, as happened with Jessica Grubbs.

Jessica Grubbs was recovering from substance abuse disorder when she underwent surgery. The discharging doctor prescribed oxycodone and Grubbs returned home with 50 oxycodone pills. She later died of an overdose. If the discharging doctor was made aware that Grubbs had a history of substance abuse disorder, a different medication could have been prescribed.

Medical providers are responsible for providing care to patients, but without access to their full medical histories, they are doing so blind. It is difficult for medical providers to make correct decisions about patients’ care if they only have access to incomplete medical records.

The Protecting Jessica Grubbs Legacy Act was introduced to ensure medical providers have access to all the necessary information, so they do not accidentally give opioid drugs to patients in recovery from substance abuse disorder. The Protecting Jessica Grubbs Legacy Act will help to ensure tragedies such as the death of Jessica Grubbs are prevented.

“No family or community should ever have to go through the senseless and preventable tragedy that Jessica Grubbs and her family had to endure,” said Sen. Manchin. “This bipartisan bill is essential to combating the opioid epidemic and ensuring that these painful deaths are prevented.”

Healthcare industry stakeholders have been pushing for changes to 42 CFR Part 2 regulations for several years and Congress has been petitioned to make changes to the regulations. In 2019, the National Association of Attorneys General wrote to House and Senate leaders calling for changes to the regulations, which were called cumbersome and out of date. 39 state attorneys general signed the letter. The HHS also proposed changes to 45 CFR Part 2 last year to align the regulations more closely with HIPAA.

The reintroduced Protecting Jessica Grubbs Legacy Act includes several revisions to the original act, S. 1012, which was introduced in April 2019. The language of the bill has been changed to require a patient to give their affirmative, written consent to opt-in before their information may be shared. An educational component has also been added that requires patients to be informed about exactly what they are consenting to before a final determination. An opt-out clause has also been added that allows patients to opt out and rescind their consent at any time. The revised Protecting Jessica Grubbs Legacy Act also calls for Part 2 regulations to be aligned more closely with HIPAA.

To ensure the privacy of patients is protected, enhancements have been made to current protections to prevent discrimination in relation to access to treatment, termination of employment, receipt of worker’s compensation, rental housing, and federal, state, and local government social services benefits.

The Secretary of the Department of Health and Human Services will be directed to consult with appropriate legal, clinical, privacy, and civil rights experts when updates are made to the Code of Federal Regulations to implement the changes proposed in the bill.

“This is an ideal compromise that alleviates the roadblocks to care coordination, while providing strong protections, and more importantly providing those suffering with substance use disorder, more comfortable in knowing they can share medical records in a protected manner and enforced with real penalties to prevent misuse of sensitive medical information,” said Sen. Manchin in a statement.

The revised bill has received considerable support from industry stakeholders and the bill has been co-sponsored by Sens. Sheldon Whitehouse (D-R.I), Kevin Cramer (R-N.D.), Dianne Feinstein (D-Calif.), Doug Jones (D-Ala.), Chris Murphy (D-Conn.), Thom Tillis (R-N.C.), Susan Collins (R-Maine), Kamala Harris (D-Calif.), Bill Cassidy (R-La.), Amy Klobuchar (D-Minn.), and Jeff Merkley (D-Ore.).

The post Protecting Jessica Grubbs Legacy Act Reintroduced by Sens. Manchin and Capito appeared first on HIPAA Journal.

Senators Demand Answers from Ascension About Project Nightingale as Google’s Response was Deemed Incomplete

Posted by HIPAA Journal

Following the revelation that a considerable volume of patient data had been shared with Google by the Catholic health system Ascension, the second largest health system in the United States, concern was raised about the nature of the partnership.

Ascension operates 150 hospitals and more than 2,600 care facilities in 20 states and the District of Columbia and has more than 10 million patients. In November 2019, a whistleblower at Google passed information to the Wall Street Journal on the nature of the collaboration and claimed that patient data, including patient names, dates of birth, lab test results, diagnoses, health histories and other protected health information, had been shared with Google and was accessible by more than 150 Google employees.

In response to the story, Google announced that the partnership, named Project Nightingale, was a cloud migration and data sharing initiative. Ascension is migrating its data warehouse and analytics infrastructure to the Google Cloud and will be using Google’s G Suite productivity suite. Patient data was being used by Google’s AI and machine learning technologies with the purpose of improving clinical quality and patient safety.

Google and Ascension both unissued statements confirming that there was a business associate agreement in place and data was being shared in a manner compliant with Health Insurance Portability and Accountability Act (HIPAA) Rules and health data was not being used for purposes other than those stated in its BAA. Several investigations were launched to determine the nature of the agreement between both companies, with the HHS’ Office for Civil Rights opening an investigation into both companies to determine whether HIPAA Rules were being adhered to.

Three U.S. senators – Sen. Bill Cassidy, M.D., (R-LA), Elizabeth Warren (D-MA), and Richard Blumenthal (D-CT) – wrote to Google demanding answers about the collaboration. Google responded and explained that data was shared in accordance with HIPAA Rules, that only a limited number of employees have access to that data, that access controls are in place to prevent unauthorized access, and any individual required to access health data is set permissions based on their role and job function.

Google also explained that Ascension’s data is logically isolated from other customers and confirmed that the data was only being used for an EHR search pilot program that would provide physicians and nurses with a unified view of patient data from multiple EHR systems. The EHR search tool will allow medical staff to search data in EHRs faster and effectively query medical records using words and abbreviations commonly used in healthcare. Google confirmed that medical records were not being used for secondary purposes, such as identifying services for specific individuals or to send them targeted advertisements.

The senators believe the answers provided by Google are incomplete. On Monday, they wrote to Ascension demanding answers about Project Nightingale and the patient data shared with Google. “Google’s response did not answer a number of our questions pertaining to Ascension’s involvement, we are requesting additional details from Ascension to help us better understand how Project Nightingale protects the sensitive health information of American patients,” explained the senators.

The senators want to know how many records have been shared with Google, the exact nature of the information that was shared, if there have been any breaches of the shared data, and whether patients were notified that their PHI would be shared with Google and if they were given the opportunity to opt out.

“It’s critical lawmakers receive comprehensive information about Project Nightingale, which serves as a case study of Google’s more extensive foray into electronic health records,” explained the senators in the letter. “While improving the sharing, accessibility, and searchability of health data for providers could almost certainly lead to improvements in care, the role of Google in developing such a tool warrants scrutiny.”

The post Senators Demand Answers from Ascension About Project Nightingale as Google’s Response was Deemed Incomplete appeared first on HIPAA Journal.

IT Weaknesses at the National Institutes of Health Placed EHR Data at Risk

Posted by HIPAA Journal

An audit of the National Institutes of Health (NIH) conducted by the Department of Health and Human Services’ Office of Inspector General (OIG) has revealed technology control weaknesses in the NIH electronic medical records system and IT systems that placed the protected health information of patients at risk.

NIH received $5 million in congressional appropriations in FY 2019 to conduct oversight of NIH grant programs and operations. Congress wanted to ensure that cybersecurity controls had been put in place to protect sensitive data and determine whether NIH was in compliance with Federal regulations.

The audit was conducted on July 16, 2019 by CliftonLarsonAllen LLP (CLA) on behalf of OIG to determine the effectiveness of certain NIH information technology controls and to assess how NIH receives, processes, stores, and transmits Electronic Health Records (EHR) within its Clinical Research Information System (CRIS), which contained the EHRs of patients of the NIH Clinical Center.

NHS has approximately 1,300 physicians, dentists and PhD researchers, 830 nurses, and around 730 allied healthcare professionals. In 2018, the Clinical Center had more than 9,700 new patients, over 4,500 inpatient admissions, and over 95,000 outpatient visits.

CLA found NIH had implemented controls to ensure the confidentiality, integrity, and availability of health data contained in its EHR and information systems, but those measures were not working effectively. Consequently, data in its EHR system and information systems could potentially have been accessed by unauthorized individuals and data was at risk of impermissible disclosure, disruption, modification, and destruction.

The National Institute of Standards and Technology (NIST) recommends primary and alternate EHR processing sites should be geographically separated. The geographical separation reduces the risk of unintended interruptions and helps to ensure critical operations can be recovered when prolonged interruptions occur. OIG found the primary and alternate sites were located in adjacent buildings on the NIH campus. If a catastrophic event had occurred, there was a high risk of both sites being affected.

The hardware supporting the EHR system was either approaching end of life or was on extended support. Four servers were running a Windows operating system that Microsoft had stopped supporting in 2015. NIH had paid for extended support which ran until January 2020, but OIG found there was no effective transition plan. OIG also found that NIH was not deactivating user accounts in a timely manner when employees were terminated or otherwise left NIH. 19 out of 26 user accounts that had been inactive for more than 365 days had not been deactivated, the accounts of 9 out of 61 terminated users were still active, and 3 out of 25 new CRIS users had changed their permissions without a form being completed justifying the change.

NIH informed CLA that it had delayed software upgrades until system upgrades were completed. NIH was in the process of upgrading its hardware at the time of fieldwork in anticipation of upgrades to CRIS. Software updates were due to be performed after the hardware upgrade had been completed.

NIH had implemented an automated tool to scan for inactive accounts and delete them, but the tool had not been fully implemented at the time of fieldwork. There were issues with the tool, such as problems tracking individuals who changed departments.

OIG recommended implementing an alternate processing site in a geographically distinct location and to take action to mitigate risks associated with the current alternative site until the new site is established. Policies and procedures should be implemented to ensure that software is upgraded prior to end of life, and NIH must ensure that its automated tool is functioning as intended. NIH concurred with all recommendations and has described the actions that have been and will be taken to ensure the recommendations are implemented.

The post IT Weaknesses at the National Institutes of Health Placed EHR Data at Risk appeared first on HIPAA Journal.

Healthcare Organizations are Overconfident About Their Ability Protect PHI and Control Data Sharing

Posted by HIPAA Journal

Healthcare organizations are confident they are protecting regulated data and are controlling data sharing, but that confidence appear to be misplaced in many cases according to a recent report from Netwrix.

Data has a life cycle. When it is no longer required it should be deleted, but oftentimes sensitive data can remain hidden away on networks for long periods of time. Documents containing sensitive information can be stored in the wrong place where they are no longer subject to the protection measures organizations have implemented to keep confidential information secure and prevent unauthorized access. Misplaced data can be exposed for weeks or months.

A recent survey conducted by Netwrix has revealed the extent of the problem. For its 2020 Data Risk & Security Report, Netwrix surveyed 1,045 IT professionals from a wide range of industries and found that the 91% were confident that their sensitive data was stored securely. However, a quarter of respondents said they had found sensitive data stored outside designated storage locations in the past 12 months, indicating that confidence is misplaced. 43% of respondents that said they had discovered sensitive data in the wrong place said the information had been exposed for days and 23% said it was exposed for weeks prior to discovery.

Healthcare providers who took part in the survey were less confident that all sensitive data was stored securely. 52% of healthcare respondents said they were certain all regulated data was stored securely. Out of the 52% that were certain they were storing all regulated data securely, 24% said they had discovered sensitive data in the wrong place in the past 12 months.

65% of surveyed healthcare providers were confident that employees do not using cloud apps to share sensitive data to bypass controls put in place by the IT department, but that confidence appears to be misplaced. 32% of respondents who were adamant that unauthorized data sharing does not take place were unable to verify their claim as they do not track data sharing at all, and 17% can only track data sharing through manual processes.

Out of all industries surveyed, healthcare performed the worst for controlling redundant, obsolete, and trivial (ROT) files. 60% of CIOs at healthcare organizations said they find it difficult to identify ROT files that need to be purged. Data classification technology makes it easier to identify ROT. 43% of healthcare organizations that classify their data say it’s easy to identify ROT compared to 13% that don’t classify their data.

According to the study, only 20% of healthcare organizations regularly delete ROT data. The low figures can be explained by the lack of a data retention policy. 69% of healthcare providers do not have such a policy in place to help them methodically delete data when it is no longer required. That percentage was the highest out of all industries surveyed.

HIPAA requires access controls to be implemented to prevent unauthorized individuals from accessing protected health information and those access rights must be reviewed regularly. When access to regulated data is no longer required, access rights must be updated accordingly. Netwrix found that 55% of healthcare organizations do not regularly review access rights to PHI regularly and 70% of healthcare organizations do not review access rights to archived data, in violation of HIPAA.

The HIPAA Right of Access allows patient to obtain a copy of their health information and the California Consumer Privacy Act (CCPA) gives consumers the right to access their data. 55% of healthcare organizations said handling data subject requests (DSARs) puts pressure on their IT teams. The burden can be eased by using data classification technology. Organizations that have implemented data classification technology and classify data at the point of collection say they are able to satisfy DSARs in 1/3 of the time.

Finding the money to justify allocating budgets to data classification technology could prove difficult, as in order to increase funds IT teams need to provide security metrics to senior managers to justify expenditure, While 47% of organizations expect budget increases this year, only 16% said they have the security metrics to justify budget increased to senior managers. Senior managers are increasingly asking for metrics to justify expenditure and need to see there will be a return on any investment.

“Cybersecurity leaders need to find more effective ways to manage data security risks and show return on investment to the executive team,” said Netwrix CEO, Steve Dickson. “Gaining more visibility into data, internal processes and user activity will enable them to prioritize their efforts, mitigate security and compliance risks more efficiently, and prove the effectiveness of their investments.”

The post Healthcare Organizations are Overconfident About Their Ability Protect PHI and Control Data Sharing appeared first on HIPAA Journal.

January 2020 Healthcare Data Breach Report

Posted by HIPAA Journal

In January, healthcare data breaches of 500 or more records were reported to the Department of Health and Human Services’ Office for Civil Rights at a rate of more than one a day.

As our 2019 Healthcare Data Breach Report showed, 2019 was a particularly bad year for healthcare data breaches with 510 data breaches reported by HIPAA-covered entities and their business associates. That equates to a rate of 42.5 data breaches per month. January’s figures are an improvement, with a reporting rate of 1.03 breaches per day. There was also a 15.78% decrease in reported breaches compared to December 2019.

healthcare data breaches February 2019 to January 2020

Healthcare data breaches in January

While the number of breaches was down, the number of breached records increased by 17.71% month-over-month. 462,856 healthcare records were exposed, stolen, or impermissibly disclosed across 32 reported data breaches. As the graph below shows, the severity of data breaches has increased in recent years.

Largest Healthcare Data Breaches in January 2020

Name of Covered Entity State Covered Entity Type Individuals Affected Type of Breach Location of Breached Information
PIH Health CA Healthcare Provider 199,548 Hacking/IT Incident Email
Douglas County Hospital d/b/a Alomere Health MN Healthcare Provider 49,351 Hacking/IT Incident Email
InterMed, PA ME Healthcare Provider 33,000 Hacking/IT Incident Email
Fondren Orthopedic Group L.L.P. TX Healthcare Provider 30,049 Hacking/IT Incident Network Server
Native American Rehabilitation Association of the Northwest, Inc. OR Healthcare Provider 25,187 Hacking/IT Incident Email
Central Kansas Orthopedic Group, LLC KS Healthcare Provider 17,214 Hacking/IT Incident Network Server
Hospital Sisters Health System IL Healthcare Provider 16,167 Hacking/IT Incident Email
Spectrum Healthcare Partners ME Healthcare Provider 11,308 Hacking/IT Incident Email
Original Medicare MD Health Plan 9,965 Unauthorized Access/Disclosure Other
Lawrenceville Internal Medicine Assoc, LLC NJ Healthcare Provider 8,031 Unauthorized Access/Disclosure Email

Causes of January 2020 Healthcare Data Breaches

2019 saw a major increase in healthcare data breaches caused by hacking/IT incidents. In 2019, more than 59% of data breaches reported to the HHS’ Office for Civil Rights were the result of hacking, malware, ransomware, phishing attacks, and other IT security breaches.

Causes of January 2020 Healthcare Data Breaches

Hacking/IT incidents continued to dominate the breach reports in January and accounted for 59.38% of all breaches reported (19 incidents). 28.13% of reported breaches were classified as unauthorized access/disclosure data breaches (9 incidents), there were two reported theft incidents, both involving physical records, and 2 cases of improper disposal of physical records. Ransomware attacks continue to plague the healthcare industry, but phishing attacks are by far the biggest cause of healthcare data breaches. As the above table shows, these attacks can see the PHI of tens of thousands or even hundreds of thousands of patients exposed or stolen.


Hacking/IT incidents tend to be the most damaging type of breach and involve more healthcare records than other breach types. In January, 416,275 records were breached in hacking/IT incidents. The average breach size was 21,909 records and the median breach size was 6,524 records. 26,450 records were breaches as a result of unauthorized access/disclosure incidents. The average breach size was 26,450 records and the median breach size was 2,939 records.

11,284 records were stolen in theft incidents with an average breach size of 5,642 records. The two improper disposal incidents saw 2,812 records discarded without first rendering documents unreadable and undecipherable. The average breach size was  1,406 records. 
Location of breached protected health information

Regular security awareness training for employees has been shown to reduce susceptibility to phishing attacks, but threat actors are conducting increasingly sophisticated attacks. It is often hard to distinguish a phishing email from a genuine message, especially in the case of business email compromise scams.

What is needed to block these attacks is a defense in depth approach and no one technical solution will be effective at blocking all phishing attacks. Defenses should include an advanced spam filter to block phishing messages at source, a web filter to block access to websites hosting phishing kits, DMARC to identify email impersonation attacks, and multi-factor authentication to prevent compromised credentials from being used to access email accounts.

Healthcare Data Breaches by Covered Entity

Healthcare providers were the worst affected by data breaches in January with 25 reported breaches of 500 or more healthcare records. Five breaches were reported by health plans, and two breaches were reported by business associates of HIPAA-covered entities. There were a further three data breaches reported by covered entities that had some business associate involvement.

January 2020 Healthcare Data Breaches by Covered Entity

January 2020 Healthcare Data Breaches records exposed covered entity

Healthcare Data Breaches by State

HIPAA covered entities and business associates in 23 states reported data breaches in January. California and Texas were the worst affected with three reported breaches in each state. There were two breaches reported in each of Florida, Illinois, Maine, Minnesota, and New York, and one breach was reported in each of Alabama, Arizona, Colorado, Connecticut, Georgia, Iowa, Indiana, Kansas, Maryland, Michigan, North Carolina, New Jersey, Oregon, Pennsylvania, South Carolina, and Virginia.

HIPAA Enforcement in January 2020

There were no financial penalties imposed on HIPAA covered entities or business associates by the HHS’ Office for Civil Rights or state attorneys general in January.

There was a notable increase in the number of lawsuits filed against healthcare organizations that have experienced data breaches related to phishing and ransomware attacks.

January saw a lawsuit filed against Health Quest over a July 2018 phishing attack, Tidelands Health is being sued over a December 2019 ransomware attack, and a second lawsuit was filed against DCH Health System over a malware attack involving the Emotet and TrickBot Trojans that occurred in October 2019. These lawsuits follow legal action against Kalispell Regional Healthcare and Solara Medical Supplies in December.

The trend has continued in February with several law firms racing to be the first to file lawsuits against PIH Health in California over a 2019 phishing attack that exposed the data of more than 200,000 individuals.

These lawsuits may cite HIPAA violations, but since there is no private cause of action under HIPAA, legal action is taken over violations of state laws.

The post January 2020 Healthcare Data Breach Report appeared first on HIPAA Journal.

Senator Gillibrand Proposes Data Protection Act and Creation of Federal Data Protection Agency

Posted by HIPAA Journal

Senator Kirsten Gillibrand has introduced a new Senate bill – the Data Protection Act – to create new standards for data privacy and give consumers more rights over their personal data. Currently, consumer data is collected and used by a vast number of companies. That personal information has, in many cases, been collected without the knowledge of consumers and is being exploited for profit.

The California Consumer Privacy Act (CCPA) has given Californian consumers greater rights over their personal data, but most U.S. consumers can do little about the collection, use, and sale of their personal data.

Sen. Gillibrand’s Data Protection Act is intended to bring the protection of [consumer] privacy and freedom into the digital age.” The Data Protection Act calls for the creation of a new consumer watchdog agency – the Data Protection Agency (DPA) – which will be tasked with protecting the data of consumers, safeguarding their privacy, and ensuring data practices are fair and transparent. The Director of the DPA would be appointed by the president, confirmed by the Senate, and would serve a 5-year term.

The DPA would have the power to define, arbitrate, and enforce data protection rules created by Congress or the DPA itself, and would be authorized to impose civil monetary penalties on entities found to have violated consumer privacy and grant injunctive relief and equitable remedies.

The DPA would receive complaints from consumers, conduct investigations, and inform the public on data protection issues, including sharing the findings of investigations into companies that are misusing consumer data. The DPA would also be tasked with advising Congress on emerging privacy and technology issues and would represent the United States at international data privacy forums.

The DPA would promote data protection and privacy innovation across the public and private sector, assist with the development of  Privacy Enhancing Technologies (PETs) to limit or eliminate the collection of personal data, and take action to prevent “pay-for-privacy” and “take-it-or-leave-it” provisions in service contracts.

The Data Protection Act would also help to address privacy gaps for health data not covered by HIPAA, such as the health data collected by fitness trackers and wellness apps. Data collected by these apps could be used for any number of purposes. “Let’s say that you enjoy working out and monitor your heart rate on a fitness app,” suggests Sen. Gillibrand. “The company that built the app now has access to your personal information. Do you have any idea what exactly they are allowed to do with it? Perhaps they could sell that data to your health insurance company — who could, in turn, charge you more if they think that you don’t exercise enough.”

Sen. Gillibrand explained that the United States is the only OECD member that does not have a federal data protection agency to ensure the personal data of consumers is not being misused and to take action when it is.

“Data has been called ‘the new oil,’” said Sen. Gillibrand. “Companies are rushing to explore and refine it, ignoring regulations, putting profits above responsibility, and treating consumers as little more than dollar signs. Like the oil boom, little thought is being given to the long-term consequences.”

The Data Protection Act has been endorsed by several technology, privacy and civil rights organizations, including Public Citizen, Color of Change, Center for Digital Democracy, Consumer Federation of America, Consumer Action, and the Electronic Privacy Information Center.

The post Senator Gillibrand Proposes Data Protection Act and Creation of Federal Data Protection Agency appeared first on HIPAA Journal.

OIG Audit Reveals Widespread Improper Use of Medicare Part D Eligibility Verification Transactions

Posted by HIPAA Journal

An audit conducted by the Department of Health and Human Services’ Office of Inspector General (OIG) has revealed many pharmacies and other healthcare providers are improperly using Medicare beneficiaries’ data.

OIG conducted the audit at the request of the HHS’ Centers for Medicare and Medicaid Services (CMS) to determine whether there was inappropriate access and use of Medicare recipients’ data by mail-order and retail pharmacies and other healthcare providers, such as doctors’ offices, clinics, long-term care facilities, and hospitals.

CMS was concerned that a mail order pharmacy and other healthcare providers were misusing Medicare Part D Eligibility Verification Transactions (E1 transactions), which should be only be used to verify Medicare recipients’ eligibility for certain coverage benefits.

OIG conducted the audit to determine whether E1 transactions were only being used for their intended purpose. Since E1 transactions contain Medicare beneficiaries’ protected health information (PHI), they could potentially be used for fraud or other malicious or inappropriate purposes.

An E1 transaction consists of two parts – a request and a response. The healthcare provider submits an E1 request that contains an NCPDP provider ID number or NPI, along with basic patient demographic data.  The request is forwarded onto the transaction facilitator which matches the E1 request data with the data contained in the CMS Eligibility file. A response is then issued, which contains a beneficiary’s Part D coverage information.

The audit was conducted on one mail-order pharmacy and 29 providers selected by CMS. Out of 30 entities audited, 25 used E1 transactions for a purpose other than billing for prescriptions or to determine drug coverage order when beneficiaries are covered by more than one insurance plan. 98% of those 25 providers’ E1 transactions were not associated with prescriptions.

OIG found providers were obtaining coverage information for beneficiaries without prescriptions, E1 transactions were being used to evaluate marketing leads, some providers had allowed marketing companies to submit E1 transactions for marketing purposes, providers were obtaining information about private insurance coverage for items not covered under Part D, long term care facilities had obtained Part D coverage using batch transactions, and E1 transactions had been submitted by 2 non-pharmacy providers.

E1 transactions are covered transactions under HIPAA, PHI must be protected against unauthorized access while it is being electronically stored or transmitted between covered entities, and the minimum necessary standard applies. The findings suggest HIPAA is being violated and that this could well be a nationwide problem. Based on the findings of the audit and apparent widespread improper access and use of PHI, OIG will be expanding the audits nationwide.

OIG believes these issues have arisen because CMS has not yet fully implemented controls to monitor providers who are submitting high numbers of E1 transactions relative to prescriptions provided; CMS has yet to issue clear guidance that E1 transactions must not be used for marketing purposes; and CMS has not limited non-pharmacy access.

Following the audit, CMS took further steps to monitor for abuse of the eligibility verification system and will be taking appropriate enforcement actions when cases of misuse are discovered. OIG has recommended CMS issue clear guidance on E1 transactions and ensure that only pharmacies and other authorized entities submit E1 transactions.

The post OIG Audit Reveals Widespread Improper Use of Medicare Part D Eligibility Verification Transactions appeared first on HIPAA Journal.

eHI and CDT Collaborate to Develop Consumer Privacy Framework for Health Data not Covered by HIPAA

Posted by HIPAA Journal

The eHealth Initiative (eHI) and the Center for Democracy & Technology (CDT) have joined forces to develop a new consumer privacy framework for health data that address current privacy gaps that exist for health data not covered by Health Insurance Portability and Accountability Act Rules.

Personally identifiable health data collected, stored, maintained, processed, or transmitted by HIPAA-covered entities and their business associates is subject to the protections of the HIPAA Privacy and Security Rules. If the same data is collected, stored, maintained, processed, or transmitted by a non-HIPAA covered entity, those protections are not required by law.

Currently health data is collected, stored, and transmitted by health and wellness apps, wearable devices, and informational health websites, but without HIPAA-like protections the privacy of consumer health data is put at risk.

eHI and CDT have received funding for the new initiative, Building a Consumer Privacy Framework for Health Data, from the Robert Wood Johnson Foundation. They have already formed a Steering Committee for Consumer Health Privacy consisting of experts and leaders from healthcare, technology, privacy advocacy groups, and consumer groups. The Steering Committee will discuss the steps required to ensure the privacy of health data not covered by HIPAA privacy laws and will review various approaches to deal with the complexities of protecting non-HIPAA-covered health data.

“Our unique focus is evaluating ‘health-ish’ data that is not protected by HIPAA or other health privacy laws,” explained Jennifer Covich Bordenick, Chief Executive Officer of eHI. “It is critical that we bring a broad and inclusive array of collaborators to the table to work through some of the key concerns.”

The first meeting of the Steering Committee took place in Washington DC on February 11, 2019 and was attended by a diverse group of participants including 23andMe, American College of Physicians, American Hospital Association, American Medical Association, Ascension, Change Healthcare, Electronic Frontier Foundation, Elektra Labs, Fitbit, Future of Privacy Forum, Hispanic Technology and Telecom Partnership, Hogan Lovells, Microsoft, National Partnership for Women & Families, Salesforce, Under Armour, UnitedHealth Group, Waldo Law Offices, Wellmark Blue Cross and Blue Shield, and Yale University.

Further Steering Committee meetings will take place throughout 2020 and smaller workgroups will be formed to work on specific aspects of the privacy framework. eHI and CDT are encouraging privacy experts, consumer groups, and companies that manage wearable, genomic, and social media data to engage with the project.

“Consumers are increasingly skeptical of how their data is being used, with health-related data being especially sensitive,” said Lisa Hayes, Interim Co-Chief Executive Officer of CDT. “Our hope is that this framework is a first step to providing greater privacy rights and protections for consumers who want to take advantage of innovative digital health and wellness services.”

The post eHI and CDT Collaborate to Develop Consumer Privacy Framework for Health Data not Covered by HIPAA appeared first on HIPAA Journal.

2019 Healthcare Data Breach Report

Posted by HIPAA Journal

Figures from the Department of Health and Human Services’ Office for Civil Rights breach portal show a major increase in healthcare data breaches in 2019. Last year, 510 healthcare data breaches of 500 or more records were reported, which represents a 196% increase from 2018.

As the graph below shows, aside from 2015, healthcare data breaches have increased every year since the HHS’ Office for Civil Rights first started publishing breach summaries in October 2009.

37.47% more records were breached in 2019 than 2018, increasing from 13,947,909 records in 2018 to 41,335,889 records in 2019.

Last year saw more data breaches reported than any other year in history and 2019 was the second worst year in terms of the number of breached records. More healthcare records were breached in 2019 than in the six years from 2009 to 2014. In 2019, the healthcare records of 12.55% of the population of the United States were exposed, impermissibly disclosed, or stolen.

Largest Healthcare Data Breaches of 2019

The table below shows the largest healthcare data breaches of 2019, based on the entity that reported the breach.

Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach Location of Breached Information
1 Optum360, LLC Business Associate 11500000 Hacking/IT Incident Network Server
2 Laboratory Corporation of America Holdings dba LabCorp Healthcare Provider 10251784 Hacking/IT Incident Network Server
3 Dominion Dental Services, Inc., Dominion National Insurance Company, and Dominion Dental Services USA, Inc. Health Plan 2964778 Hacking/IT Incident Network Server
4 Clinical Pathology Laboratories, Inc. Healthcare Provider 1733836 Unauthorized Access/Disclosure Network Server
5 Inmediata Health Group, Corp. Healthcare Clearing House 1565338 Unauthorized Access/Disclosure Network Server
6 UW Medicine Healthcare Provider 973024 Hacking/IT Incident Network Server
7 Women’s Care Florida, LLC Healthcare Provider 528188 Hacking/IT Incident Network Server
8 CareCentrix, Inc. Healthcare Provider 467621 Hacking/IT Incident Network Server
9 Intramural Practice Plan – Medical Sciences Campus – University of Puerto Rico Healthcare Provider 439753 Hacking/IT Incident Network Server
10 BioReference Laboratories Inc. Healthcare Provider 425749 Hacking/IT Incident Other
11 Bayamon Medical Center Corp. Healthcare Provider 422496 Hacking/IT Incident Network Server
12 Memphis Pathology Laboratory d/b/a American Esoteric Laboratories Healthcare Provider 409789 Unauthorized Access/Disclosure Network Server
13 Sunrise Medical Laboratories, Inc. Healthcare Provider 401901 Hacking/IT Incident Network Server
14 Columbia Surgical Specialist of Spokane Healthcare Provider 400000 Hacking/IT Incident Network Server
15 Sarrell Dental Healthcare Provider 391472 Hacking/IT Incident Network Server
16 UConn Health Healthcare Provider 326629 Hacking/IT Incident Email
17 Premier Family Medical Healthcare Provider 320000 Hacking/IT Incident Network Server
18 Metro Santurce, Inc. d/b/a Hospital Pavia Santurce and Metro Hato Rey, Inc. d/b/a Hospital Pavia Hato Rey Healthcare Provider 305737 Hacking/IT Incident Network Server
19 Navicent Health, Inc. Healthcare Provider 278016 Hacking/IT Incident Email
20 ZOLL Services LLC Healthcare Provider 277319 Hacking/IT Incident Network Server

 

The above table does not tell the full story. When a business associate experiences a data breach, it is not always reported by the business associate. Sometimes a breach is experienced by a business associate and the covered entities that they work with report the breaches separately, as was the case with American Medical Collection Agency (AMCA), a collection agency used by several HIPAA covered entities.

In 2019, hackers gained access to AMCA systems and stole sensitive client data. The breach was the second largest healthcare data breach ever reported, with only the Anthem Inc. data breach of 2015 having impacted more individuals.

HIPAA Journal tracked the breach reports submitted to OCR by each affected covered entity. At least 24 organizations are known to have had data exposed/stolen as a result of the hack.

Organizations Affected by the 2019 AMCA Data Breach

Healthcare Organization Confirmed Victim Count
Quest Diagnostics/Optum360 11,500,000
LabCorp 10,251,784
Clinical Pathology Associates 1,733,836
Carecentrix 467,621
BioReference Laboratories/Opko Health 425,749
American Esoteric Laboratories 409,789
Sunrise Medical Laboratories 401,901
Inform Diagnostics 173,617
CBLPath Inc. 141,956
Laboratory Medicine Consultants 140,590
Wisconsin Diagnostic Laboratories 114,985
CompuNet Clinical Laboratories 111,555
Austin Pathology Associates 43,676
Mount Sinai Hospital 33,730
Integrated Regional Laboratories 29,644
Penobscot Community Health Center 13,299
Pathology Solutions 13,270
West Hills Hospital and Medical Center / United WestLabs 10,650
Seacoast Pathology, Inc 8,992
Arizona Dermatopathology 5,903
Laboratory of Dermatology ADX, LLC 4,082
Western Pathology Consultants 4,079
Natera 3,035
South Texas Dermatopathology LLC 15,982
Total Records Breached 26,059,725

Causes of 2019 Healthcare Data Breaches

The HHS’ Office for Civil Rights assigns breaches to one of five different categories:

  • Hacking/IT incidents
  • Unauthorized access/disclosures
  • Theft
  • Loss
  • Improper disposal

59.41% of healthcare data breaches in 2019 were classified as hacking/IT incidents and involved 87.60% of all breached records. 28.82% of data breaches were classed as unauthorized access/disclosure incidents and involved 11.27% of all records breached in 2019.

10.59% of breaches were classed as loss and theft incidents involving electronic devices containing unencrypted electronic protected health information or physical records. Those incidents accounted for 1.07% of breached records in 2019.

1.18% of breaches and 0.06% of breached records were due to improper disposal of physical records and devices containing electronic protected health information.

Breach Cause Incidents Breached Records Mean Breach Size Median Breach Size
Hacking/IT Incident 303 36,210,097 119,505 6,000
Unauthorized Access/Disclosure 147 4,657,932 31,687 1,950
Theft 39 367,508 9,423 2,477
Loss 15 74,271 4,951 3,135
Improper Disposal 6 26,081 4,347 4,177

We have not tracked the cause of each breach reported in 2019, but the table below provides an indication of the biggest problem area for healthcare organizations – Securing email systems and blocking phishing attacks. The email incidents include misdirected emails, but the majority of email incidents were phishing and spear phishing attacks.

Healthcare Data Breaches by Covered Entity

77.65% of 2019 data breaches were reported by healthcare providers (369 incidents), 11.57% of breaches were reported by health plans (59 incidents), and 0.39% of data breaches were reported by healthcare clearinghouses (2 incidents).

23.33% of the year’s breaches involved business associates to some extent. 10.39% of data breaches were reported by business associates (53 incidents) and 66 data breaches were reported by a covered entity which stated there was some business associate involvement.

States Worst Affected by Healthcare Data Breaches

Data breaches were reported by HIPAA-covered entities or business associates in 48 states, Washington DC, and Puerto Rico. The worst affected state was Texas with 60 data breaches reported. California was the second most badly hit with 42 reported data breaches.

The only states where no data breaches of 500 or more records were reported were North Dakota and Hawaii.

State Breaches State Breaches State Breaches State Breaches State Breaches
Texas 60 Maryland 14 Arkansas 9 Alabama 4 Mississippi 2
California 42 Washington 14 South Carolina 9 Alaska 4 Montana 2
Illinois 26 Georgia 13 New Jersey 8 Iowa 4 South Dakota 2
New York 25 North Carolina 13 Massachusetts 7 Kentucky 4 Washington DC 2
Ohio 25 Tennessee 11 Puerto Rico 7 Nebraska 4 West Virginia 2
Minnesota 23 Arizona 10 Virginia 7 Oklahoma 4 Delaware 1
Florida 22 Colorado 10 Louisiana 6 Utah 4 Kansas 1
Pennsylvania 19 Connecticut 10 New Mexico 6 Wyoming 3 New Hampshire 1
Missouri 17 Indiana 10 Wisconsin 6 Idaho 2 Rhode Island 1
Michigan 16 Oregon 10 Nevada 5 Maine 2 Vermont 1

HIPAA Enforcement in 2019

The HHS’ Office for Civil Rights continued to enforce compliance with HIPAA at a similar level to the previous three years.

In 2019, there were 10 HIPAA enforcement actions that resulted in financial penalties. 2 civil monetary penalties were imposed and 8 covered entities/business associates agreed settlements with OCR to resolve HIPAA violations.

In total, $12,274,000 was paid to OCR in fines and settlements. The largest financial penalties of the year resulted from investigations of potential HIPAA violations by University of Rochester Medical Center and Touchstone Medical Imaging. Both cases were settled for £3,000,000.

OCR uncovered multiple violations of HIPAA Rules while investigating separate loss/theft incidents reported by University of Rochester Medical Center. OCR discovered risk analysis and risk management failures, a lack of encryption on portable electronic devices, and insufficient device and media controls.

Touchstone Medical Imaging experienced a data breach that resulted in the impermissible disclosure of 307,839 individuals’ PHI due to the exposure of an FTP server over the internet. OCR investigated and determined there had been risk analysis failures, business associate agreements failures, insufficient access rights, a failure to respond to a security incident, and violations of the HIPAA Breach Notification Rule.

Sentara Hospitals agreed to a $2.175 million settlement stemming from a 577-record data breach that was reported to OCR as only affecting 8 individuals. OCR told Sentara Hospitals that the breach notification needed to be updated to include the other individuals affected by the mailing error, but Sentara Hospitals refused. OCR determined a financial penalty was appropriate for the breach notification reporting failure and the lack of a business associate agreement with one of its vendors.

A civil monetary penalty of $2.154 million was imposed on the Miami, FL-based nonprofit academic medical system, Jackson Health System (JHS). Following a data breach, OCR investigated and found a compliance program that had been in disarray for several years. The CMP resolved multiple violations of HIPAA Privacy Rule, Security Rule, and Breach Notification Rule.

A civil monetary penalty of $1,600,000 was imposed on Texas Department of Aging and Disability Services for multiple violations of HIPAA Rules discovered during the investigation of breach involving an exposed internal application. OCR discovered there had been risk analysis failures, access control failures, and information system activity monitoring failures, which contributed to the impermissible disclosure of 6,617 patients’ ePHI.

Medical Informatics Engineering, an Indiana-based provider of electronic medical record software and services, experienced a major data breach in 2015 at its NoMoreClipboard subsidiary. Hackers used a compromised username and password to gain access to a server that contained the protected health information (PHI) of 3.5 million individuals. OCR determined there had been a risk analysis failure and the case was settled for $100,000. MIE also settled a multi-state action with state attorneys general over the same breach and settled that case for $900,000.

The Carroll County, GA ambulance company, West Georgia Ambulance, was investigated over the reported loss of an unencrypted laptop computer that contained the PHI of 500 patients. OCR found there had been a risk analysis failure, there was no security awareness training program for staff, and HIPAA Security Rule policies and procedures had not been implemented. The case was settled for $65,000.

There was one financial penalty for a social media HIPAA violation. Elite Dental Associates respondents to patient reviews on Yelp, and in doing so impermissibly disclosed PHI. OCR determined a financial penalty was appropriate and the case was settled for $10,000.

OCR also launched a new HIPAA enforcement initiative in 2019, under which two settlements were reached with covered entities over HIPAA Right of Access failures. Korunda Medical and Bayfront Health St. Petersburg had both failed to respond to patient requests for copies of their health information within a reasonable time frame. Both covered entities settled their HIPAA violation cases with OCR for $85,000.

OCR HIPAA Settlements and Civil Monetary Penalties in 2019

HIPAA Enforcement by State Attorneys General in 2019

State attorneys general can also take action over violations of HIPAA Rules. There were three cases against covered entities and business associates in 2019. As previously mentioned, Medical Informatics Engineering settled a multi-state lawsuit and paid a financial penalty of $900,000.

A second multi-state action was settled by Premera Blue Cross. The lawsuit pertained to a 2015 hacking incident that resulted in the theft of 10.4 million records. The investigation uncovered multiple violations of violations of HIPAA Rules and resulted in a $10 million financial penalty.

The California attorney general also took legal action over a data breach that affected 1,991 California residents. The health insurer Aetna had sent two mailings to its members in which highly sensitive information relating to HIV and Afib diagnoses was visible through the windows of the envelopes. The case was settled for $935,000.

The post 2019 Healthcare Data Breach Report appeared first on HIPAA Journal.