Healthcare Data Privacy

Study Reveals Types of Protected Health Information Most Commonly Exposed in Healthcare Data Breaches

Posted by HIPAA Journal

Researchers from Michigan State University and Johns Hopkins University have conducted a study of healthcare data breaches over the past 10 years to examine what types of information are most commonly exposed in healthcare data breaches.

The study, published in the journal Annals of Internal Medicine on Monday September 23, 2019, confirms that the health information of approximately 169 million Americans was exposed, compromised, or impermissibly disclosed in 1,461 data breaches at 1,388 entities between October 2009 and July 2019. Those breaches each impacted 500 or more individuals and were reportable incidents under HIPAA and the HITECH Act.

The researchers explain that information about the types of information exposed in data breaches is not widely available to the public, since it is not a requirement to share the types of data that have been compromised in the breaches. It is therefore difficult for researchers to classify the amount and types of healthcare information exposed and gain an accurate picture of the consequences of the breaches.

“When the media reports data breaches that occurred to healthcare providers, the headline is always the number of patients affected,” explained John (Xuefeng) Jiang, MSU professor of accounting and information systems at MSU and lead author of the study. “We felt both the regulators and the public didn’t pay enough attention to the type of information compromised in the healthcare data breach.”

Types of Data Exposed in Healthcare Data Breaches

For the study, the researchers categorized healthcare data into three main groups: Demographic information (Names, email addresses, personal identifiers etc.); service and financial information (Payments, payment dates, billing amounts etc.); and Medical information (Diagnosis, treatments, medications etc.)

Social Security numbers, drivers license numbers, payment card information, bank account information, insurance information, and birth dates added to a subcategory of sensitive demographic information. This information could be used by criminals for identity theft, medical identity theft, tax and financial fraud. A subcategory of medical information was also used for particularly sensitive health data such as substance abuse records, HIV status, sexually transmitted diseases, mental health information, and cancer diagnoses, due to the potential implications for patients should that information be exposed or compromised.

Key Findings of the Study

  • 71% of breaches involved either sensitive demographic information or sensitive financial information, which placed 159 million individuals at risk of identity theft or financial fraud
  • 66% of breaches involved sensitive demographic information such as Social Security numbers
  • 65% of the breaches exposed general medical or clinical information
  • 35% of breaches compromised service or financial information
  • 16% of breaches only exposed medical or clinical information without exposing sensitive demographic or financial information
  • 76% of breaches included sensitive service and financial information such as credit card numbers – Those breaches affected 49 million individuals
  • 2% of breaches compromised sensitive health information – Those breaches affected 2.4 million individuals

Jiang believes hackers are not targeting healthcare organizations to gain access to patients’ sensitive medical information, instead healthcare organizations are attacked, and hackers take whatever data they can find in the hope that the information can be monetized. Jiang suggests hospitals and research institutions should store medical information separately from demographic information. Medical information could then be shared between healthcare providers and researchers without greatly increasing risks for patients. A separate system could be used for demographic, financial and billing information, which is needed by hospital administration staff.

The researchers advocate greater focus on the types of information exposed or compromised in healthcare data breaches to help breach victims manage risk more effectively. They suggest the Department of Health and Human Services should formally collect and publish information about the types of data that have been exposed in data breaches to help the public assess the potential for harm. The researchers plan to work closely with lawmakers and the healthcare industry to provide practical guidance and advice based on the results of their academic studies.

Data Breach Notifications Under HIPAA

The HIPAA Breach Notification Rule requires all patients affected by a reportable healthcare data breach to be notified within 60 days of discovery of the breach. Affected individuals must be told what types of information have been exposed or compromised as that information allows breach victims to make a determination about the risk they face so they can make a decision about any actions they need to take to reduce the risk of harm.

OCR explains in its online guidance on breach notification requirements of HIPAA, “These individual notifications must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach and must include, to the extent possible, a brief description of the breach, a description of the types of information that were involved in the breach, the steps affected individuals should take to protect themselves from potential harm, a brief description of what the covered entity is doing to investigate the breach, mitigate the harm, and prevent further breaches, as well as contact information for the covered entity (or business associate, as applicable).”

Publicly Available HIPAA Breach Information

The HHS’ Office for Civil Rights, as required by the HITECH Act, has been publishing summaries of data breaches of 500 or more healthcare records on the HHS website since October 2009. The breach portal, which can be accessed by the public, contains basic information about the breaches.

The breach portal details the name of the breached entity, state, type of covered entity, individuals affected, breach submission date, type of breach, location of breached information, and whether there was business associate involvement. This information can also be downloaded for breaches that are under investigation by OCR and for incidents that have been archived following the closure of the OCR investigation.

When a data breach is archived, further information is added to the breach summary in a “web description” field. The web summary is not available for breaches still under investigation, but the information is included for archived breaches. The web summary is only viewable in the downloaded breach reports.

In many cases, the web description includes details of the types of information that were exposed in the breach, but not in all cases. Formalizing this requirement would ensure that all breaches detailed on the portal would have that information included. The web description field also includes information on any actions taken by OCR in response to the breach that led to the resolution and closure of the investigation.

The post Study Reveals Types of Protected Health Information Most Commonly Exposed in Healthcare Data Breaches appeared first on HIPAA Journal.

August 2019 Healthcare Data Breach Report

Posted by HIPAA Journal

In August, healthcare data breaches continued to be reported at a rate of more than 1.5 per day, which is around twice the average monthly breaches in 2018 (29.5 per month). This is the second successive month when breaches have been reported at such an elevated level. While the number of breaches has not changed much since last month (49 compared to 50), there has been a substantial reduction in the number of exposed records.

 

August saw 729,975 healthcare records breached compared to 25,375,729 records in July, 3,452,442 records in June, and 1,988,376 records in May. The exceptionally high breach total for July was mostly due to the massive data breach at American Medical Collection Agency (See below for an update on the AMCA breach total).

Breached Healthcare Records by Year

Causes of August 2019 Healthcare Data Breaches

Hacking and other IT incidents dominated the breach reports in August. 32 breaches were attributed to hacking/IT incidents, which is almost double the number of breaches from all other causes. Hacking/IT incidents breached 602,663 healthcare records – 82.56% of all records breached in August. The average breach size was 18,833 records and the median breach size was 5,248 records.

There were 12 unauthorized access/disclosure incidents reported in August which breached 77,316 healthcare records. Those incidents breached an average of 6,443 records and the mean breach size was 1,281 records.  There were 3 loss incidents and 2 theft incidents. The theft incidents saw 17,650 records potentially compromised and 32,346 records were exposed due to the loss of paperwork or electronic devices. The mean loss breach size was 10,782 records and the mean theft breach size was 8,825 records.

Causes of August 2019 Healthcare Data Breaches

Location of Breached PHI

Phishing continues to pose serious problems for healthcare organizations. Out of the 49 reported breaches, 46.94% – 23 breaches – involved PHI stored in email accounts. The majority of those email breaches were due to phishing attacks.

There were 9 breaches reported that involved PHI stored on network servers, several of which involved ransomware. There were 7 breaches involving paper records/films, highlighting the need for enhanced physical security and administrative controls.

Four breaches involved portable electronic devices such as zip drives and laptop computers. These types of breaches have reduced considerably in recent years largely through the use of encryption, which should be implemented on all portable electronic devices used to store ePHI.

Location of Breached PHI in August 2019 Healthcare Data Breaches

Defending against phishing attacks is a major challenge, and one that can only be solved through layered defenses and staff training. Technological solutions such as spam filters, web filters, firewall rules, multi-factor authentication, and DMARC should be implemented to block phishing attempts, but the sophisticated nature of many phishing campaigns means even layered defenses may be bypassed. End user training is therefore essential. Employees must be trained how to recognize email threats and conditioned how to respond when suspicious emails land in their inboxes.

An annual training session may have been sufficient to provide protection a few years ago, but the increased number of attacks and diverse nature of email threats means a single annual training session is no longer enough. Annual classroom-based training sessions should be augmented with more regular refresher training sessions, cybersecurity bulletins, and email alerts about new threats to watch out for. Phishing simulation exercises are also very beneficial for helping identify individuals who require further training and to find out how effective training has been at reducing susceptibility to phishing attacks.

Largest Healthcare Data Breaches in August 2019

Listed below are the top ten healthcare data breaches reported in August 2019. The largest breach of the month was a phishing attack on Presbyterian Healthcare Services, which saw 183,370 healthcare records breached. The Conway Regional Health System, NorthStar Anesthesia, and Source 1 Healthcare Solutions breaches were also due to phishing attacks.

The Wisconsin Diagnostic Laboratories breach, which affected 114,985 individuals, the 33,370-record breach at Mount Sinai Hospital, and the 29,644-record breach at Integrated Regional Laboratories were all due to the hacking of business associate AMCA.

The breach at Grays Harbor Community Hospital was due to a ransomware attack and the Renown Health breach was due to the loss of a portable storage device. The cause of the breach at Timothee T. Wilkin, D.O. has not been confirmed.

Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach
Presbyterian Healthcare Services Healthcare Provider 183370 Hacking/IT Incident
Wisconsin Diagnostic Laboratories Healthcare Provider 114985 Hacking/IT Incident
Grays Harbor Community Hospital Healthcare Provider 88399 Hacking/IT Incident
Conway Regional Health System Healthcare Provider 37000 Unauthorized Access/Disclosure
Mount Sinai Hospital Healthcare Provider 33730 Hacking/IT Incident
Integrated Regional Laboratories, LLC Healthcare Provider 29644 Hacking/IT Incident
Renown Health Healthcare Provider 27004 Loss
NorthStar Anesthesia, P.A. Healthcare Provider 19807 Unauthorized Access/Disclosure
Source 1 Healthcare Solutions LLC Business Associate 15450 Hacking/IT Incident
Timothee T. Wilkin, D.O. Healthcare Provider 15113 Hacking/IT Incident

 

August 2019 Healthcare Data Breaches by Covered Entity Type

42 of the month’s 49 data breaches were reported by healthcare providers and three incidents were reported by health plans. Business associates reported 4 breaches and a further 8 incidents had some business associate involvement.

August 2019 Healthcare Data Breaches by Covered Entity Type

August 2019 Healthcare Data Breaches by State

August’s healthcare data breaches affected entities based in 26 states. Texas was the worst affected with 5 reported breaches. 4 breaches were reported by entities based in Washington state, and three breaches were suffered by entities based in Arkansas, New York, and Pennsylvania.

California, Georgia, Illinois, Massachusetts, Minnesota, Missouri, New Mexico, Ohio, Oregon, and Wisconsin each experienced 2 breaches and one breach was reported by an entity based in each of Connecticut, Florida, Iowa, Kansas, Michigan, Nevada, New Jersey, Oklahoma, Rhode Island, Tennessee, and Virginia.

HIPAA Enforcement Activity in August 2019

There were no civil monetary penalties or settlements between the HHS and HIPAA-covered entities/business associates in August, and also no HIPAA-related enforcement activities by state attorneys general.

AMCA Data Breach Update

The AMCA data breach affected at least 24 healthcare organizations, 23 of which have now submitted breach reports to the Department of Health and Human Service’ Office for Civil Rights. The confirmed breach total currently stands at 26,043,743 records with a further 16,100 records expected to be added to that total.  These breaches were mostly reported to OCR in July and August.

Healthcare Organization Confirmed Victim Count
1 Quest Diagnostics/Optum360 11,500,000
2 LabCorp 10,251,784
3 Clinical Pathology Associates 1,733,836
4 Carecentrix 467,621
5      Laboratories/Opko Health 425,749
6 American Esoteric Laboratories 409,789
7 Sunrise Medical Laboratories 401,901
8 Inform Diagnostics 173,617
9 CBLPath Inc. 141,956
10 Laboratory Medicine Consultants 140,590
11 Wisconsin Diagnostic Laboratories 114,985
12 CompuNet Clinical Laboratories 111,555
13 Austin Pathology Associates 43,676
14 Mount Sinai Hospital 33,730
15 Integrated Regional Laboratories 29,644
16 Penobscot Community Health Center 13,299
17 Pathology Solutions 13,270
18 West Hills Hospital and Medical Center / United WestLabs 10,650
19 Seacoast Pathology, Inc 8,992
20 Arizona Dermatopathology 5,903
21 Laboratory of Dermatology ADX, LLC 4,082
22 Western Pathology Consultants 4,079
23 Natera 3,035
24 South Texas Dermatopathology LLC TBC (Est. 16,100)
Total Records Breached 26,043,743

The post August 2019 Healthcare Data Breach Report appeared first on HIPAA Journal.

Thousands of Fetal Remains and Abandoned Medical Records Discovered in Indiana

Posted by HIPAA Journal

The late Dr. Ulrich Klopfer, who operated three abortion clinics in Indiana up until the suspension of his license in 2015, has been discovered to have removed fetal remains from his clinics. The remains were discovered by family members while sorting through his personal belongings at his Illinois home following his death on September 3, 2019.

Authorities investigating the discovery have announced that that 2,246 medically preserved fetal remains were found at the property. The remains are believed to have been removed from his clinics. No evidence has been uncovered to suggest any procedures were performed at the property.

Indiana Attorney General Hill described Dr. Klopfer as “one of the most notorious abortionists in the history of Indiana” with “a record of deplorable conditions and violations of regulatory controls.” His license was suspended in 2015 over multiple violations of state laws, including improper record keeping, a failure to report a case of the rape of a minor following an abortion procedure, and violations of state waiting periods. Dr. Klopfer lost his medical license in 2016.

The remains have been removed from the property and have been transferred to the Will County coroner’s office. Attorney General Hill confirmed on Friday that all the remains had come from Dr. Klopfer’s abortion clinics in South Bend, Gary, and Fort Wayne in Indiana and date from 2000 to 2002. Officials in Illinois have now turned over evidence and information to the Office of the Indiana Attorney General.

Attorney General Curtis Hill also announced that after executing search warrants, investigators uncovered thousands of medical records at Dr. Klopfer’s property and his abortion clinics. Those records have now been removed and secured.

“Folks who use these clinics have a high degree of expectation of privacy and confidentiality… It’s deplorable now that folks who went into this procedure, no matter how you feel about this procedure, have to relive that moment,” said Attorney General Hill. The attorney general’s office is attempting to contact all individuals affected.

A law was introduced in Indiana in 2016 that required all medical facilities in the state to bury or cremate fetal remains. The Supreme Court upheld the law this year and it became enforceable this September. Under HIPAA, all medical records must be secured at all times to prevent unauthorized access. While there is no medical record retention period under HIPAA, state medical record retention laws require medical records to be retained for 7 years after the date when the record was made.  It is currently unclear what laws, if any, have been violated.

“We are going to continue this matter to determine as best we can exactly what happened here,” said Attorney General Hill. “But in the meantime, I can tell you that we are going to bring our babies home and make sure they are treated with the proper dignity and respect deserving of anyone.”

The post Thousands of Fetal Remains and Abandoned Medical Records Discovered in Indiana appeared first on HIPAA Journal.

400 Million Medical Images Are Freely Accessible Online Via Unsecured PACS

Posted by HIPAA Journal

A recent investigation by ProPublica, the German public broadcaster Bayerischer Rundfunk, and vulnerability and analysis firm, Greenbone Networks, has revealed 24.3 million medical images in medical image storage systems are freely accessible online and require no authentication to view or download the images.

Those images, which include X-rays, MRI, and CT scans, are stored in picture archiving and communications systems (PACS) connected to the Internet.

Greenbone Networks audited 2,300 Internet-connected PACS between July and September 2019 and set up a RadiAnt DICOM Viewer to access the images stored on open PACS servers.

Those servers were found to contain approximately 733 million medical images of which 399.5 million could be viewed and downloaded. The researchers found 590 servers required no authentication whatsoever to view medical images.

PACS use the digital imaging and communications in medicine (DICOM) standard to view, process, store, and transmit the images. In most cases, a DICOM viewer would be required to access the images, but in some cases, all that is required is a web browser or a few lines of code. Anyone with rudimentary computer expertise would be able to view and download the images.

The exposed PACS were located in 52 countries and the highest concentration of unprotected PACS were found in the United States. 187 unsecured servers were found in the United States. The exposed U.S. PACS contained 13.7 million data sets and 303.1 million medical images of around 5 million U.S. patients.

The researchers found more than 10,000 security issues on the audited systems, 20% of which were high-severity and 500 were critical and had a CVSS v3 score of 10 out of 10.

The images included personal and medical information such as patients’ names, dates of birth, scan date, scope of the investigation, type of imaging procedure performed, institute name, attending physicians’ names, and the number of generated images. Some of the images also contained Social Security numbers.

The types of patient information included on the images could be used for identity theft, medical identity theft, and insurance fraud. The data could also be used to extort money from patients or create highly convincing spear phishing emails.

While the investigation uncovered no evidence to suggest any of the exposed information had been copied and published online, the possibility of data theft could not be discounted.

PACS are designed to allow images to be accessed easily by healthcare professionals, but the systems often lack security controls to restrict access. It is the responsibility of healthcare delivery organizations (HDOs) to ensure safeguards are implemented to secure their PACS, but HDOs can face major challenges addressing vulnerabilities and securing their systems without negatively impacting workflows.

To help address the problem, the National Cybersecurity Center of Excellence (NCCoE) recently released new guidance for HDOs to help them improve security controls on PACS and mitigate risks without negatively impacting user productivity and system performance.

The post 400 Million Medical Images Are Freely Accessible Online Via Unsecured PACS appeared first on HIPAA Journal.

NCCoE Issues Draft Guidelines for Securing the Picture Archiving and Communication System (PACS) Ecosystem

Posted by HIPAA Journal

The National Cybersecurity Center of Excellence (NCCoE) has issued draft NIST guidelines for securing the picture archiving and communications system (PACS) ecosystem.

The guidelines – NIST Cybersecurity Practice Guide, SP 1800-24 – have been written for health healthcare delivery organizations (HDOs) to help them secure their PACS and reduce the probability of a data breach and data loss, protect patient privacy, and ensure the integrity of medical images while minimizing disruption to hospital systems.

PACS is used by virtually all HDOs for storing, viewing, and sharing digital medical images. The systems make it easy for healthcare professionals to access and share medical images to speed up diagnosis.

The system can often be accessed via desktops, laptops, and mobile devices and a PACS may also link to electronic health records, other hospital systems, regulatory registries, and government, academic, and commercial archives.

With many users and devices and interactions with multiple systems, HDOs can face challenges securing their PACS ecosystem, especially without having a negative impact on user productivity and system performance.

Key challenges include controlling, monitoring, and auditing user accounts, identifying outliers in user behavior, enforcing the rule of least privilege, creating separation-of-duties policies for internal and external users, monitoring and securing internal and external connections to the system, and ensuring data integrity as images move across the enterprise.

The Healthcare PACS Project identifies the individuals who interact with the system, defines their interactions, performs a risk assessment, and identifies commercially available mitigating security technologies.

The guidance document explains the best approach and architecture to adopt, along with the characteristics of a secure PACS. Included are how-to-guides and an example implementation that uses commercially available technologies to implement stronger security controls to create a much more secure PACS ecosystem.

The guidance document was developed with assistance from several PACS system developers and cybersecurity companies, including Cisco, Digicert, Forescout, Philips, Hylans, Symantec, tripwire, Virta Labs, Zingbox, and Clearwater compliance.

NCCoE is seeking feedback from HDOs and healthcare industry stakeholders on the new guidance until November 18, 2019. The draft guidance can be downloaded from the NCCoE website on this link.

The post NCCoE Issues Draft Guidelines for Securing the Picture Archiving and Communication System (PACS) Ecosystem appeared first on HIPAA Journal.

Consumer Technology Association Publishes Privacy Guidelines for Handling Health and Wellness Data

Posted by HIPAA Journal

The Consumer Technology Association (CTA) has released data privacy guidelines to help companies better protect health and wellness data.

The guidelines have been developed to help CTA members address tangible privacy risks and securely collect, use, and share health and wellness data collected from health/wellness apps, wearable devices, and other digital tools.

The guidelines – Guiding Principles for the Privacy of Personal Health and Wellness Information – were developed by the CTA to help members address privacy gaps, discover consumer preferences, and earn consumer trust.

“[The] privacy guidelines, developed with consensus among industry stakeholders, will help give both individuals and companies the confidence to invest in innovative technologies which will improve health,” explained CTA president and CEO, Gary Shapiro. “The CTA Privacy Principles demonstrate that health tech companies understand they must be trusted stewards of patient data.”

Consumers now have access to a plethora of apps, devices, and digital tools that let them keep track of their health metrics, improve wellness, and manage their health and medical conditions. These tools help to engage consumers in their own health and wellness, make informed decisions to improve their health, and even access and share their medical information with others. Consumers benefit from these tools through improvements to their health and healthcare companies can use the aggregated data collected by these tools for research. That can lead to faster diagnoses and treatment for health conditions.

However, recent data breaches have raised concerns among consumers about how their information is collected, stored, and shared, and privacy scandals have made consumers much more aware about secondary uses of their data. These incidents have undermined trust in wearable devices and health apps, which is something that the CTA hopes to address with the guidance.

Initially the aim was to address privacy concerns around wearable devices, but the focus has since been expanded to cover apps and other digital tools. The CTA has been working with CTA members such as IBM, Humetrix, Humana, Validic, and Doctors on Demand to develop the guidelines, which cover the collection, storage, use, and sharing of health and wellness data.

The guidelines serve as a voluntary framework to improve privacy protections and security for health data and are intended to establish a baseline for privacy and security.

The guidelines are based on five key principles:

  • Being open and transparent about how health and wellness information is collected and used
  • Being careful how personal health information is used
  • Giving consumers control over the uses and sharing of their health information
  • Implementing strong security to protect health data
  • Being accountable for practices and promises

The guidelines incorporate some flexibility to ensure they can be adopted by companies of all types and sizes. While they are primarily intended for CTA members, they can also be adopted by non-HIPAA covered app developers, service providers, technology companies, and firms that are just entering the health and wellness sphere.

The guidelines are also available to consumers to let them learn more about CTA principles and make informed decisions about the companies they choose to interact with.

The privacy guidelines can be downloaded from the CTA Tech website on this link (PDF).

The post Consumer Technology Association Publishes Privacy Guidelines for Handling Health and Wellness Data appeared first on HIPAA Journal.

Vulnerability Identified in Becton Dickinson Pyxis Drug Dispensing Cabinets

Posted by HIPAA Journal

Becton Dickinson (BD) has discovered a vulnerability in its Pyxis drug dispensing cabinets which could allow an unauthorized individual to use expired credentials to access patient data and medications.

The vulnerability was discovered by BD, which self-reported the flaw to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA). ICS-CERT has recently issued an advisory about the flaw.

The vulnerability affects Pyxis ES versions 1.3.4 to 1.6.1 and Pyxis Enterprise Server with Windows Server versions 4.4 through 4.12.

The vulnerability – tracked as CVE-2019-13517 – is a session fixation flaw in which existing access privileges are not properly coordinated with the expiration of access when a vulnerable device is joined to an Active Directory (AD) domain.

This means the credentials of a previously authenticated user could be used to gain access to a vulnerable device under certain configurations. This would allow an attacker to obtain the same level of privileges as the user whose credentials are being used, which could give access to patient information and medications. Healthcare providers that do not use AD with the devices are unaffected.

The vulnerability has been assigned a CVSS V3 base score of 7.6 out of 10. ICS-CERT warns that the vulnerability is remotely exploitable and requires a low level of skill to exploit; however, BD notes that connecting the drug cabinets to hospital domains is an uncommon configuration and is not recommended by BD. Consequently, only a limited number of hospitals that use the drug carts will be affected.

The flaw has been addressed in the latest software release, v 1.6.1.1, which removes access to the file-sharing part of the Pyxis network.

Affected healthcare providers have been recommended to implement the following mitigations to reduce the risk associated with the vulnerability:

  • Never rely on expiration dates to remove users from the hospital’s Active Directory system
  • Remove users from the AD role that grants them access to the Pyxis ES system
  • Never place Pyxis ES systems on the hospital domain

BD is unaware of any cases where the vulnerability has been exploited to view data without authorization.

The post Vulnerability Identified in Becton Dickinson Pyxis Drug Dispensing Cabinets appeared first on HIPAA Journal.

Most Patients Happy to Share EHR Data for Research, But Not Entire Medical Record

Posted by HIPAA Journal

A majority of patients are comfortable with sharing their biospecimens and EHR data for research purposes, according to a new study published in JAMA Network Open; however, most patients want to restrict the sharing of at least one part of their medical record. Patients also exhibited preferences as to the institutions with whom their data and biospecimens were shared.

Certain legislation covering the use of EHR data and biospecimens allow patient data to be shared for research purposes, either in identifiable or de-identified form, unless the patient explicitly opts out of data sharing. The researchers note that this all or nothing approach is problematic, as many patients are concerned about sharing certain types of information due to fears about secondary uses of their data.

The researchers investigated the attitudes of 1,246 adults in the United States about a tiered consent approach to EHR record sharing. This approach splits an individual’s medical records into smaller parts, which allows patients to consent to sharing certain parts of their medical records and restricting sharing on others. The researchers also investigated attitudes toward sharing EHR or partial EHR data with different types of researchers.

A small percentage of patients – 46 individuals (3.7%) – declined to share their EHR data with their own healthcare provider, 352 individuals (28.3%) declined sharing their data with nonprofit organizations, and 590 (47.4%) declined to share their data with for-profit organizations. 291 individuals (23.4%) said they would be happy to share data with any researcher.

Overall, 909 patients (72.9%) were willing to share their EHR data and biospecimens selectively and, in general, there was a preference for sharing data within the organization where patients received medical care, followed by nonprofit healthcare organizations. Patients were least willing to share data with for-profit organizations. The majority of patients said at least one item on their medical record should not be shared with others for research purposes.

“In a system in which people can choose where to receive care, it seems plausible that a patient selects to receive care in the most trusted institution, and this trust may more easily transfer to the care of data and biospecimens,” wrote the researchers.

By giving patients the choice of sharing subsets of their EHR data, patients would appear to be more open to sharing their records for research purposes. The researchers also found that there was a marked difference in the number of patients willing to share their data based on the method of obtaining consent. When opt-in forms were used, patients were willing to share fewer data items than when opt-out forms were used.

“We found that a tiered-permission system that allowed for specific removal of data items or categories of data could be implemented in practice and that it mattered to participants with whom the EHR data and biospecimens would be shared because there were differences in sharing preferences according to the researchers’ affiliations,” said the researchers.

The post Most Patients Happy to Share EHR Data for Research, But Not Entire Medical Record appeared first on HIPAA Journal.

Study Confirms Why Prompt Data Breach Notifications Are So Important

Posted by HIPAA Journal

When healthcare organizations experience a data breach it is understandable that breach victims will be upset and angry. Information is provided to healthcare organizations in the understanding that safeguards have been implemented to keep that information private and confidential.

When patients and health plan members learn that their sensitive, private information has been exposed or stolen, many choose to take their business elsewhere.

According to a new study* by the credit reporting agency Experian, if the breach response is properly managed and the breached entity is transparent and issues notifications promptly, customer churn rate can be kept to an absolute minimum.

The Health Insurance Portability and Accountability Act’s (HIPAA) Breach Notification Rule requires notifications to be issued to breach victims ‘without unreasonable delay’ and no later than 60 days from the discovery of the breach. However, a majority of patients expect to be notified much more quickly. The study showed 73% of patients/plan members expect to be notified about a breach within 24 hours of the breach being discovered.

Prompt data breach notifications can make a big difference. Patients and plan members are likely to be much more forgiving if they are informed about a data breach promptly. 90% of respondents said they would be somewhat forgiving if they knew that the breached organization had a plan in place for communicating with patients in the event of a data breach, but many organizations are not prepared for the worst.

Previous research conducted by Experian suggests 34% of breach response plans do not include customer notification and only 52% of companies have a data breach crisis or communications plan in place. If the communications team is made aware in advance of notification requirements, the people responsible for the communications are mapped out, and approval processes are planned in advance, it will allow notifications to be issued much more quickly.

While incredibly fast breach notifications are expected, in practice it is often not possible to issue notifications in such a short time frame. A phishing attack that results in an email account being subjected to unauthorized access requires every email in that email account to be checked for PHI. It is not always possible to automate that search effectively and manual checks are often required. It is therefore important to start investigations promptly, yet 84% of businesses did not include forensic analysis in their breach response plans which can lead to delays in issuing notifications.

Slow and ineffective communication is likely to add insult to injury following a data breach. 66% of respondents said slow breach notification and poor communication would likely see them stop doing business with the breached entity, and 45% of respondents would not only seek an alternative service provider, they would also instruct their friends and family members to do the same.

*Data for the report came from an Experian survey of 1,000 adults in the United States by consultancy firm KRC Research in July 2019.

The post Study Confirms Why Prompt Data Breach Notifications Are So Important appeared first on HIPAA Journal.