Healthcare Data Privacy

82% of Healthcare Organizations Have Experienced a Cyberattack on Their IoT Devices

82% of healthcare providers that have implemented Internet-of-Things (IoT) devices have experienced a cyberattack on at least one of those devices over the course of the past 12 months, according to the Global Connected Industries Cybersecurity Survey from Swedish software company Irdeto.

For the report, Irdeto surveyed 700 security leaders from healthcare organizations and firms in the transportation, manufacturing, and IT industries in the United States, United Kingdom, Germany, China, and Japan. Attacks on IoT devices were common across all those industry sectors, but healthcare organizations experienced the most cyberattacks out of all industries under study.

The biggest threat from these IoT cyberattacks is theft of patient data. The attacks also have the potential to compromise end user safety, result in the loss of intellectual property, cause operational downtime, and damage the organization’s reputation. Failure to effectively secure the devices could also result in a regulatory fine.

When asked about the consequences of a cyberattack on IoT devices, the biggest concern was theft of patient data, which was rated as the main threat by 39% of healthcare respondents. Attacks on IoT devices can also threaten patient safety. 20% of respondents considered patient safety a major risk and 30% of healthcare providers that experienced an IoT cyberattack said patient safety was actually put at risk as a direct result of the attack.

12% of respondents said theft of intellectual property was a major risk, and healthcare security professionals were also concerned about downtime and damage to their organization’s reputation.

The main impact of these attacks is operational downtime, which was experienced by 43% of companies, theft of data (42%), and damage to the company’s reputation (31%).

Mitigating IoT cyberattacks comes at a considerable cost. The average cost to resolve a healthcare IoT cyberattack was $346,205, which was only beaten by attacks on the transport sector, which cost an average of $352,639 to mitigate.

Even though there are known risks associated with IoT devices, it does not appear to have deterred hospitals and other healthcare organizations from using the devices. It has been estimated up to 15 million IoT devices are now used by healthcare providers. Hospitals typically use an average of 10-15 devices per hospital bed.

Securing the devices can be a challenge, but most healthcare organizations know exactly where the vulnerabilities are. They just lack the resources to correct those vulnerabilities.

Manufacturers need to do more to secure their devices. Security is often an afterthought and safeguards are simply bolted on rather than being incorporated during the design process. Fewer than half of device manufacturers (49%) said security is factored in during the design of the devices and only 53% of device manufacturers conduct code reviews and continuous security checks.

82% of device manufacturers expressed concern about the security of their devices and feared safeguards may not be enough to prevent a successful cyberattack. 93% of device manufacturers said security of their devices could be improved a little to a great deal, as did 96% of device users.

“The previous mindset of security as an afterthought is changing. 99 percent agree that a security solution should be an enabler of new business models, not just a cost,” explained the researchers in their recent report. “This clearly indicates that businesses realize the value add that security can bring to their organization.”

The post 82% of Healthcare Organizations Have Experienced a Cyberattack on Their IoT Devices appeared first on HIPAA Journal.

UCMC and Google File Motions to Dismiss HIPAA Privacy Lawsuit

On June 26, a patient of University of Chicago Medical Center (UCMC) filed a lawsuit against the medical center and Google over an alleged privacy violation related to the sharing of protected health information (PHI) without first properly de-identifying the data.

Patient information was shared with Google to assist with the development of its predictive medical data analytics technology. HIPAA does not prohibit the sharing of information with third parties such as technology companies, provided consent is obtained from patients prior to information being shared.

Alternatively, healthcare organizations can share patient information provided it is de-identified. Under HIPAA, that means removing 18 identifiers to ensure patients cannot be identified. HIPAA calls for one of two methods to be used to de-identify PHI: Expert determination or the safe harbor method. The latter involves stripping PHI of all 18 identifiers, while the former requires an expert to determine, through recognized statistical and scientific principles, that the risk of patients being re-identified is sufficiently low.

The lawsuit alleges UCMC failed to remove all the necessary information from the data prior to it being shared with Google. In addition to the dates and times when patients checked in/out of hospital, the lawsuit alleges “copious free-text notes” were also shared with Google.

The time stamps place each patient at the hospital at a specific time, which places patient privacy at risk. The lawsuit alleges the inclusion of time stamps violates the provisions of the safe harbor de-identification method and that UCMC did not obtain consent from patients to share their data with Google.
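The safe harbor method described above can be partly mechanised: direct identifiers are dropped, dates are cut to the year, ages of 90 and over are aggregated, ZIP codes are truncated to three digits and free text is held for review. The following is an added illustration, not code from UCMC, Google or the lawsuit; the record layout, field names and the empty `restricted_zip3` set are assumptions.

```python
"""Safe-harbor de-identification checks over a constructed patient record.

Added illustration, not UCMC's or Google's code. Covers a subset of the 18
safe-harbor identifier categories: direct identifiers are removed, dates
(including check-in/check-out timestamps) are reduced to the year, ages of
90 and over are collapsed, ZIP codes are cut to three digits, and free-text
notes are withheld for manual review because they cannot be cleared by rule.
"""
import re

# Fields safe harbor removes outright (names, SSN, record numbers, contact data).
DIRECT_IDENTIFIERS = {"name", "ssn", "mrn", "phone", "email", "address"}

# Dates directly related to the individual: only the year may be kept.
DATE_FIELDS = {"dob", "admit_time", "discharge_time"}

# Free text cannot be de-identified mechanically; it is flagged for review.
FREE_TEXT_FIELDS = {"notes"}

# Matches an ISO date with optional time; a bare year does not match.
ISO_DATE = re.compile(r"^(\d{4})-\d{2}-\d{2}(?:[ T]\d{2}:\d{2}(?::\d{2})?)?$")


def deidentify(record, restricted_zip3=frozenset()):
    """Return a safe-harbor-style copy of ``record``.

    ``restricted_zip3`` is an assumed parameter: the three-digit ZIP prefixes
    covering 20,000 or fewer people, which safe harbor requires to be changed
    to 000. The real list comes from current census data; none is embedded here.
    """
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue  # dropped entirely
        if key in DATE_FIELDS:
            m = ISO_DATE.match(str(value))
            out[key] = m.group(1) if m else None  # keep only the year
        elif key == "age":
            out[key] = "90+" if int(value) >= 90 else int(value)
        elif key == "zip":
            zip3 = str(value)[:3]
            out[key] = "000" if zip3 in restricted_zip3 else zip3
        elif key in FREE_TEXT_FIELDS:
            # withheld until a reviewer confirms no identifiers remain in the text
            out["needs_review"] = out.get("needs_review", []) + [key]
        else:
            out[key] = value
    return out


def find_violations(record):
    """List the fields of ``record`` that would still breach safe harbor."""
    problems = []
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            problems.append(f"{key}: direct identifier present")
        elif key in DATE_FIELDS and ISO_DATE.match(str(value)):
            problems.append(f"{key}: date more precise than year")
        elif key == "age" and str(value).isdigit() and int(value) >= 90:
            problems.append("age: 90 or over must be aggregated")
        elif key == "zip" and len(str(value)) > 3:
            problems.append("zip: more than three digits")
        elif key in FREE_TEXT_FIELDS:
            problems.append(f"{key}: free text requires review")
    return problems


# Constructed sample record, not real patient data.
SAMPLE = {
    "name": "Jane Doe",
    "mrn": "000123",
    "dob": "1952-03-14",
    "age": 67,
    "zip": "60637",
    "admit_time": "2018-11-02 09:15",
    "discharge_time": "2018-11-05 16:40",
    "diagnosis_code": "I10",
    "notes": "Pt reports chest pain since Tuesday.",
}

if __name__ == "__main__":
    for p in find_violations(SAMPLE):
        print("before:", p)
    cleaned = deidentify(SAMPLE)
    print("after:", cleaned, find_violations(cleaned))
```

Running the checker on the raw record reports the check-in/check-out timestamps and the free-text notes, which is exactly the kind of residue the lawsuit alleges; after `deidentify` the checker is silent apart from the notes awaiting review.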

The main issue is Google already stores vast quantities of user data from its “prolific data mining” activities and that the tech giant is in a position where it could identify all individuals from the medical records provided by UCMC.

The lawsuit even goes as far as to suggest the collaboration between the medical center and the hospital is an attempt to “pull off what is likely the greatest heist of consumer medical records in history.”

Last week, UCMC and Google filed motions to have the lawsuit dismissed. The defendants claim that a secure process was employed to de-identify patient data and that the process was fully compliant with HIPAA Rules. Further, Google argues that the plaintiff and other class members do not allege Google has used its data to re-identify patients, only that the company has the capability of doing so. Consequently, no injury has been sustained as a result of the sharing of information and even if an injury had been sustained, the case should be dismissed as there is no private right of action under HIPAA.

The defendants also argue that the definition of the intrusion provided by the plaintiffs does not fall under HIPAA as each patient voluntarily provided their medical information to the medical center. Instead, it falls under the Consumer Fraud and Deceptive Business Practices Act.


OCR Offers Advice on Managing Malicious Insider Threats

Healthcare organizations can implement robust defenses to prevent hackers from gaining access to sensitive data, but not all threats come from outside the organization. It is also important to implement policies, procedures, and technical solutions to detect and prevent attacks from within.

Healthcare employees require access to protected health information (PHI) to perform their work duties. While those individuals may be deemed trustworthy, providing access to PHI exposes the organization to risk. Workers can go rogue and access patient information without authorization and could easily abuse their access rights and steal patient data for financial gain.

There will always be the occasional bad apple, but the 2019 Verizon Data Breach Investigations Report suggests the problem is far more prevalent. According to the report, 59% of all security incidents and data breaches analyzed for the report were caused by insiders.

Many of those breaches were due to mistakes made by healthcare employees, but a significant percentage were caused by malicious insiders who stole patient information for financial gain. Common malicious insider attacks include accessing the medical records of celebrities for financial gain and stealing patient data to commit identity theft and fraud.

These attacks can have grave implications for patients, who may suffer huge losses from identity theft and other misuses of their PHI. The attacks can also cause financial and reputational harm to the healthcare organization and expose the organization to regulatory fines. Memorial Healthcare System was fined $5.5 million for HIPAA violations related to the inappropriate access and theft of health data by some of its employees in 2012.

This week, the Department of Health and Human Services’ Office for Civil Rights (OCR) has issued advice to healthcare organizations on how they can reduce the risk of insider breaches and ensure they are detected rapidly when they do occur.

In its 2019 Summer Cybersecurity Newsletter, OCR offers tips on overcoming the challenges associated with protecting patient data from attacks from within and explains how risk can be managed to comply with HIPAA Rules.

In order to protect patient data, healthcare providers must know all locations where patient information is stored and how that information flows throughout the organization. Without such knowledge it is impossible to conduct a thorough and accurate risk analysis to determine all risks to the confidentiality, integrity, and availability of patient data and reduce those risks to a reasonable and appropriate level.

Physical, technical and administrative access controls must be implemented to protect patient data against unauthorized access from within. Role-based access controls can help to reduce risk by preventing employees from accessing resources they are not authorized to use. Those controls should limit access to the minimum necessary information required to perform that individual's work duties.

OCR also reminds covered entities that they should control what individuals are able to do with patient data. If view only access is required, users should not be able to modify, delete, or download data. Controls should be implemented to prevent access from certain devices such as smartphones and the copying of data to portable storage devices such as zip drives.

The complex nature of healthcare IT systems makes it hard to achieve total visibility into the entire network and see every device in use. However, without full visibility, it is difficult to identify unauthorized data access quickly. OCR reminds covered entities that they must overcome the challenges and gain visibility into what users are doing on the network. Security teams must regularly check system, event, application, and audit logs in order to quickly detect suspicious activity and unusual patterns of data access. It may not be possible to prevent insider breaches, but when they occur, they must be identified and rectified promptly. There have been many cases of insiders accessing patient records without authorization for several years before the breach is detected.
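The log review OCR calls for can be automated for the two patterns that most often expose insider snooping: access to patients the user has no treatment relationship with, and a user's daily volume far above their own baseline. The following is an added example, not OCR's or any vendor's code; the audit log format, the `care_team` field and the thresholds are assumptions.

```python
"""Audit-log review for unusual patient-record access.

Added example, not OCR's code. Parses constructed EHR audit log lines and
flags (1) users viewing patients whose care team they are not on, more than a
small daily allowance, and (2) users whose distinct patients on one day far
exceed their mean on other days. The line format is an assumption.
"""
import re
from collections import Counter, defaultdict
from statistics import mean

LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) dept=(?P<dept>\S+) "
    r"patient=(?P<patient>\S+) care_team=(?P<team>\S+) action=(?P<action>\S+)$"
)


def parse(lines):
    """Parse audit lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def no_relationship(events, max_per_day=2):
    """(user, day, count) where a user viewed patients outside their care team
    more than ``max_per_day`` times; a few such views are routine (covering)."""
    counts = Counter()
    for e in events:
        if e["user"] not in e["team"].split(","):
            counts[(e["user"], e["ts"][:10])] += 1
    return sorted((u, d, n) for (u, d), n in counts.items() if n > max_per_day)


def volume_spikes(events, factor=4.0):
    """(user, day, count) where distinct patients on ``day`` exceed ``factor``
    times the user's mean on their other days; users seen on one day only are skipped."""
    per_day = defaultdict(lambda: defaultdict(set))
    for e in events:
        per_day[e["user"]][e["ts"][:10]].add(e["patient"])
    alerts = []
    for user, days in per_day.items():
        if len(days) < 2:
            continue
        for day, patients in days.items():
            others = [len(p) for d, p in days.items() if d != day]
            if len(patients) > factor * mean(others):
                alerts.append((user, day, len(patients)))
    return sorted(alerts)


def review(lines):
    """Run both checks over raw log lines and return the alerts by check name."""
    events = parse(lines)
    return {
        "no_relationship": no_relationship(events),
        "volume_spikes": volume_spikes(events),
    }


# Constructed sample log: nurse01 works her own patients; clerk07, never on a
# care team, looks up a dozen records late one evening.
SAMPLE_LOG = """\
2019-08-12T08:02:11 user=nurse01 dept=ONC patient=P1001 care_team=nurse01,dr_lee action=VIEW
2019-08-12T08:10:40 user=nurse01 dept=ONC patient=P1002 care_team=nurse01,dr_lee action=VIEW
2019-08-13T08:05:02 user=nurse01 dept=ONC patient=P1001 care_team=nurse01,dr_lee action=VIEW
2019-08-13T09:30:19 user=nurse01 dept=ONC patient=P1003 care_team=nurse01,dr_lee action=UPDATE
2019-08-12T10:00:00 user=clerk07 dept=ADM patient=P2001 care_team=dr_kim action=VIEW
2019-08-12T10:05:00 user=clerk07 dept=ADM patient=P2002 care_team=dr_kim action=VIEW
2019-08-13T10:00:00 user=clerk07 dept=ADM patient=P2003 care_team=dr_kim action=VIEW
2019-08-13T10:05:00 user=clerk07 dept=ADM patient=P2004 care_team=dr_kim action=VIEW
""" + "".join(
    f"2019-08-14T22:{i:02d}:00 user=clerk07 dept=ADM patient=P3{i:03d} care_team=dr_kim action=VIEW\n"
    for i in range(12)
)

if __name__ == "__main__":
    for check, alerts in review(SAMPLE_LOG.splitlines()).items():
        print(check, alerts)
```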

Safeguards can be implemented, and policies and procedures developed to reduce risk, but those measures may not remain effective forever. Security is a dynamic process. Safeguards, policies and procedures need to be regularly assessed to ensure they continue to be effective. Access rights should be monitored and changed as appropriate when employees change role or transfer to a different department, and physical and electronic access to data must be terminated quickly when employees leave the organization.

Preventing and detecting attacks by malicious insiders is certainly a challenge, but by recognizing the risks and implementing appropriate safeguards, the risk of a breach can be managed and reduced to an acceptable level.


Ransomware Attack Impacts More Than 400 U.S. Dental Practices

A ransomware attack on a medical record backup service has prevented hundreds of dental practices in the United States from accessing their patients’ records.

The attack occurred on August 26, 2019 and affected the DDS Safe backup solution developed by Wisconsin-based software company, Digital Dental Record (DDS). The DDS system was accessed via an attack on its cloud management provider, West Allis, WI-based PerCSoft. Ironically, the DDS website states DDS Safe helps to protect dental practices against ransomware attacks.

The attack did not affect all dental practices using the DDS Safe solution. Initial reports suggest between 400 and 500 of the 900 dental practices using the solution have been affected by the REvil/Sodinokibi ransomware attack.

PerCSoft, assisted by a third-party software company, has obtained a decryptor and is in the process of recovering the encrypted files. According to a statement from DDS, recovery of files is estimated to take between 30 minutes and 4 hours per client.

Some dental practices have reported file loss as a result of the attack and others have said the decryption process did not work. With the attack coming so close to the end of the month, several dental practices have expressed concern that the attack would prevent them from processing payroll payments. At the time of writing, around 100 dental practices have successfully recovered their files.

Since there is no free decryptor for REvil ransomware available through the NoMoreRansom project, it is highly probable that the ransom was paid. That has not been confirmed publicly by either company, although Brian Krebs of Krebs on Security said several sources have confirmed that PerCSoft paid the ransom to obtain the decryptor.

The ransom amount is unknown, but one Reddit user claims PerCSoft – or its insurer – paid $5,000 per client for the decryptor. That would put the total ransom demand at $2.5 million, which is the same as the demand for the coordinated Sodinokibi ransomware attack that affected 22 government entities in Texas earlier this month.

Both attacks impacted multiple entities by attacking a software provider or managed service provider (MSP). This appears to be the modus operandi of the threat actors behind the attack. Another attack in June targeted the MSP platform, Webroot SecureAnywhere, which allowed REvil/Sodinokibi ransomware to be deployed on clients’ systems.

The threat actors behind REvil ransomware are running a ransomware-as-a-service operation using a limited number of affiliates to distribute the ransomware. By using a small number of experienced affiliates, the threat actors hope to stay under the radar.

On hacking forums, the threat actors have been trying to recruit affiliates, five of whom have been guaranteed earnings of $50,000. Other affiliates have been told they will earn a minimum of $10,000. The threat actors are offering affiliates 60% of any ransom payments they generate and claim to be experienced, ‘professional’ ransomware developers that have been working in the field for the past five years.

While the code for REvil ransomware differs significantly from other ransomware variants, Tesorion researchers have found code similarities with the now defunct GandCrab ransomware, which was decommissioned this year. The threat actors behind GandCrab claimed to have retired after earning so much money from their ransomware-as-a-service operation over the past 18 months, although Tesorion researchers suspect at least some of the individuals involved in GandCrab may have got involved with or are responsible for REvil ransomware.

Regardless of who is behind the attacks, they are unlikely to wind up such a profitable operation any time soon. As long as ransom demands continue to be paid by businesses and their insurers, the attacks will continue.


Georgia Court of Appeals to Decide Whether Athens Orthopedic Data Breach Victims Are Entitled to Damages

A class action lawsuit filed by victims of a June 2016 cyberattack on Athens Orthopedic in Georgia has gone before the Georgia Supreme Court to determine whether breach victims are entitled to recover damages.

The cyberattack in question saw the personal information, Social Security numbers, and health insurance information of approximately 200,000 individuals stolen by the hacking group, Dark Overlord.

The Dark Overlord has conducted numerous attacks on healthcare organizations in the United States over the past three years. Initially, attacks were conducted to steal sensitive data, which was subsequently sold on dark web marketplaces. More recently, attacks have involved data theft and extortion. A ransom demand is issued to breached entities that must be paid in order to prevent publication of the stolen data. Athens Orthopedic did not pay the ransom demand.

The Dark Overlord gained access to Athens Orthopedic’s systems via an attack on a “nationally-known health care information management contractor,” the login credentials of which were used to steal patient data.

Athens Orthopedic monitored websites to determine whether patient data had been published and took steps to take down a list containing the PHI of 500 of its patients, which had been posted on PasteBin. The information was eventually removed, but during the time it was accessible online it is possible that multiple individuals copied the data. The Dark Overlord also listed data for sale online, although it is unclear whether anyone bought the dataset.

Athens Orthopedic notified its patients about the breach and advised them to contact one of the three credit reporting agencies to place a fraud alert on their credit file. Even though Social Security numbers were stolen, affected patients were not offered credit monitoring or identity theft restoration services.

A class action lawsuit was filed on behalf of three victims of the breach – Christine Collins, Paulette Moreland, and Kathryn Strickland – shortly after the breach was announced. The plaintiffs seek compensation for the time spent protecting their identities and reimbursement of legal fees and the cost of past and future credit monitoring services.

The plaintiffs allege negligence, breach of implied contract, unjust enrichment, and violation of the Georgia Uniform Deceptive Trade Practices Act.

While victims of the breach have incurred costs, there is the issue of whether an injury has been suffered. Collins alleges she had fraudulent charges on her credit card shortly after the breach but failed to allege they were the result of the cyberattack and did not demonstrate PHI had been misused as a direct result of the breach.

The case was dismissed by the Trial Court and the Georgia Court of Appeals as the plaintiffs could demonstrate no financial loss or harm as a direct result of the cyberattack. Consequently, they are not entitled to claim damages under Georgia law. The decision was appealed, and it is now down to the Georgia Supreme Court to determine whether there are any compensable injuries. Oral arguments were heard this week.

“By ruling that the plaintiffs have failed to allege a compensable injury, the message delivered thus far in this case has been that data-breach victims in Georgia have no legal rights, regardless of how careless the defendant’s data security practices may have been,” argued the plaintiffs’ attorneys.

The plaintiffs allege Athens Orthopedic Clinic has not taken any steps to improve security and that “It continues to store the plaintiffs’ personally identifiable information on computer systems that employ the same lax security measures that permitted the hacker to access and steal the plaintiffs’ information.”

They also maintain their claims should not have been dismissed as “a present injury is not a required element for the plaintiffs’ breach of contract, unjust enrichment, declaratory judgment, or injunctive relief claims under Georgia law.”

The Supreme Court is expected to issue a ruling on the case – Collins Et Al. Vs. Athens Orthopedic Clinic, P.A – within the next six months. Should the Supreme Court overturn the decision of the Court of Appeals, it will have implications for data breach victims not only in the state of Georgia, but throughout the United States.


July 2019 Healthcare Data Breach Report

May 2019 was the worst ever month for healthcare data breaches with 46 reported breaches of more than 500 records. More breaches were reported in May than any other month since the HHS’ Office for Civil Rights started publishing breach summaries on its website in 2009. That record of 44 breaches was broken in July.

July saw 50 healthcare data breaches of more than 500 records reported to the Department of Health and Human Services’ Office for Civil Rights, which is 13 more breaches than the monthly average for 2019 and 20.5 more breaches than the monthly average for 2018.

July 2019 was the second worst month in terms of the number of healthcare records exposed. 25,375,729 records are known to have been exposed in July.

There are still 5 months left of 2019, yet more healthcare records have been breached this year than in all of 2016, 2017, and 2018 combined. More than 35 million individuals are known to have had their healthcare records compromised, exposed, or impermissibly disclosed this year.

Causes of July 2019 Healthcare Data Breaches


The main reason for the increase in reported data breaches in July is the colossal data breach at American Medical Collection Agency (AMCA). AMCA provides medical billing and collection services and its clients included some of the largest medical testing laboratories in the United States. Those clients have now been lost as a result of the breach.

The final victim count is not yet known, nor the number of records compromised in the breach. To date, 22 healthcare organizations have confirmed they have been affected and more than 24 million records are known to have been exposed. At least 8 healthcare organizations have not yet submitted their breach reports to OCR.

Healthcare Providers Impacted by the American Medical Collection Agency Data Breach

| # | Healthcare Organization | Estimated Records Exposed | Confirmed Victim Count |
|---|---|---|---|
| 1 | Quest Diagnostics/Optum360 | 11,900,000 | 11,500,000 |
| 2 | LabCorp | 7,700,000 | 10,251,784 |
| 3 | Clinical Pathology Associates | 2,200,000 | 1,733,836 |
| 4 | Carecentrix | 500,000 | 467,621 |
| 5 | American Esoteric Laboratories | 541,900 | 409,789 |
| 6 | Inform Diagnostics | 173,617 | 173,617 |
| 7 | Laboratory Medicine Consultants | 147,600 | 140,590 |
| 8 | Integrated Regional Laboratories | 29,644 | 29,644 |
| 21 | Penobscot Community Health Center | 13,000 | 13,299 |
| 9 | West Hills Hospital and Medical Center / United West Labs | 10,650 | 10,650 |
| 10 | Seacoast Pathology, Inc | 10,000 | 8,992 |
| 11 | Arizona Dermatopathology | 7,000 | 5,903 |
| 12 | Western Pathology Consultants | 4,550 | 4,079 |
| 13 | Natera | 3,000 | 3,035 |
| 14 | Sunrise Medical Laboratories | 427,000 | TBC |
| 15 | BioReference Laboratories/Opko Health | 422,600 | TBC |
| 16 | CBLPath Inc. | 148,900 | TBC |
| 17 | CompuNet Clinical Laboratories | 111,000 | TBC |
| 18 | Austin Pathology Associates | 46,500 | TBC |
| 19 | South Texas Dermatopathology PLLC | 16,100 | TBC |
| 20 | Pathology Solutions | 13,300 | TBC |
| 22 | Laboratory of Dermatology ADX, LLC | 4,240 | TBC |


Hacking and IT incidents dominated the breach reports in July with 35 incidents reported. Those breaches resulted in the exposure of 23,203,853 healthcare records. The average breach size was 662,967 records and the median breach size was 4,559 records.

There were 9 unauthorized access/disclosure incidents in July involving 2,160,699 healthcare records. The average breach size was 240,077 records and the median breach size was 3,881 records.

There were three theft incidents reported that involved 3,584 records, 2 loss incidents that exposed 4,593 records, and one improper disposal incident that exposed 3,000 records.

Largest Healthcare Data Breaches in July 2019

| Name of Covered Entity | Covered Entity Type | Individuals Affected | Type of Breach | Location of Breached PHI |
|---|---|---|---|---|
| Optum360, LLC | Business Associate | 11,500,000 | Hacking/IT Incident | Network Server |
| Laboratory Corporation of America Holdings dba LabCorp | Healthcare Provider | 10,251,784 | Hacking/IT Incident | Network Server |
| Clinical Pathology Laboratories, Inc. | Healthcare Provider | 1,733,836 | Unauthorized Access/Disclosure | Network Server |
| CareCentrix, Inc. | Healthcare Provider | 467,621 | Hacking/IT Incident | Network Server |
| Bayamon Medical Center Corp. | Healthcare Provider | 422,496 | Hacking/IT Incident | Network Server |
| Memphis Pathology Laboratory d/b/a American Esoteric Laboratories | Healthcare Provider | 409,789 | Unauthorized Access/Disclosure | Network Server |
| Laboratory Medicine Consultants, Ltd. | Healthcare Provider | 140,590 | Hacking/IT Incident | Network Server |
| Imperial Health, LLP | Healthcare Provider | 116,262 | Hacking/IT Incident | Desktop Computer, Network Server |
| Puerto Rico Women And Children’s Hospital, LLC | Healthcare Provider | 99,943 | Hacking/IT Incident | Network Server |
| Ameritas Life Insurance Corp. | Health Plan | 39,675 | Hacking/IT Incident | Email |

Location of Breached Protected Health Information

There was a major increase in network server incidents in July. The rise was due to the AMCA breach but also an uptick in ransomware attacks on healthcare providers. Phishing also continues to pose problems for healthcare organizations. 21 of the breaches reported in July involved PHI stored in email accounts.

The number of reported phishing attacks strongly suggests multi-factor authentication has not yet been implemented by many healthcare organizations. If credentials are compromised, MFA can help prevent the email account from being remotely accessed.

July 2019 Healthcare Data Breaches by Covered Entity Type

Healthcare providers were the worst affected covered entity in July with 39 breaches reported. Three health plans reported breaches and there were 8 breaches reported by business associates of HIPAA covered entities. A further 18 healthcare data breaches had some business associate involvement.

July 2019 Healthcare Data Breaches by State

July’s 50 data breaches were spread across 26 states and Puerto Rico. Typically, California experiences the most data breaches in any given month due to the number of healthcare organizations based in California; however, California only saw one healthcare data breach reported in July.

Minnesota was the worst affected state with 6 reported breaches. Four breaches were reported by healthcare organizations based in Michigan, Pennsylvania, and Texas. Three breaches were reported in Nevada and Tennessee, two breaches were reported in each of North Carolina, Ohio, Wisconsin, and Puerto Rico.

One breach was reported in each of Alabama, Arkansas, Arizona, California, Connecticut, Georgia, Kentucky, Louisiana, Massachusetts, Maryland, Maine, Missouri, Nebraska, New Hampshire, New York, Oregon, and South Carolina.

HIPAA Enforcement Activity in July 2019

It has been a relatively quiet year for HIPAA enforcement by the HHS’ Office for Civil Rights. While there were two settlements agreed in May 2019 to resolve HIPAA violations, no further financial penalties have been announced.

State Attorneys General also have the authority to take action against healthcare organizations that have violated HIPAA Rules. July saw one settlement reached between Premera Blue Cross and 30 state attorneys general over its 10.4 million-record data breach in 2014.

Under the terms of the settlement agreement, Premera Blue Cross is required to pay a financial penalty of $10,000,000 to resolve the HIPAA violations discovered during the Washington Attorney General-led investigation.

In addition to the $10 million penalty, Premera Blue Cross settled a class action lawsuit for $74 million. $32 million will cover claims from breach victims and $42 million will be directed toward improving cybersecurity.


HHS Proposes Rule Easing Restrictions on Substance Use Disorder Treatment Records

The Substance Abuse and Mental Health Services Administration (SAMHSA) has proposed a new rule that loosens restrictions on substance use disorder (SUD) treatment records, aligning Part 2 regulations more closely with HIPAA.

The new rule, proposed on August 22, is the first element of the HHS’s Regulatory Sprint to Coordinated Care initiative, which will also see changes made to HIPAA, the Anti-Kickback Statute, and Stark Law.

SUD treatment records are covered by Confidentiality of Substance Use Disorder Patient Records regulations – 42 CFR Part 2 (Part 2). Part 2 pre-dates HIPAA by two decades and was introduced at a time when there were no broader privacy and security standards for health data. Part 2 regulations were required to protect the privacy of patients by severely restricting the allowable uses and disclosures of SUD treatment records. When Part 2 was introduced, there was a stigma associated with SUD and without privacy protections, many individuals suffering from the disorder may have avoided seeking treatment.

Since 1975, further privacy and security laws have been introduced. The HIPAA Security Rule requires all HIPAA-covered entities to implement safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI) and the HIPAA Privacy Rule restricts uses and disclosures of that information. However, Part 2 requires additional protections for SUD records than those for PHI and ePHI.

It is important to protect the privacy of patients and ensure that SUD information is safeguarded against unauthorized access as the information could be misused, but it is also essential for SUD treatment information to be made available to healthcare providers to better support care coordination.

The proposed rule does not change the privacy framework of Part 2, it just eases restrictions on SUD treatment records and removes some of the complexity of Part 2 regulations. While there is closer alignment with HIPAA, the proposed changes fall short of full harmonization with HIPAA Rules.

One of the most important changes concerns the separation of SUD treatment records from an individual’s medical record. The proposed rule would allow a healthcare provider to record SUD information in that individual’s medical record, provided the SUD information was willingly given by the patient. SUD treatment records created by federally assisted substance use disorder (SUD) treatment programs still need to be segregated.

The language of Part 2 has been changed to clarify that, with written consent, SUD records can be shared for payment and healthcare operations. Another clarification has been made on procedures during emergency situations, when additional protections for SUD records are suspended.

Under the proposed rule, providers who do not provide opioid treatments would be permitted to access a central registry of patients who have enrolled in treatment programs. Enrollment in an opioid treatment program would involve consent to have treatment information shared with the central registry. This update is intended to help prevent accidental overdoses. Opioid treatment programs will be permitted to sign up with a state prescription drug monitoring program and report on the Schedule II to V drugs that have been dispensed or prescribed.

Changes have also been proposed that make it easier for patients to share their SUD records with non-medical entities such as the Social Security Administration. Currently, a patient would need to provide the name of a person within a non-medical entity who is authorized to receive their records. Under the proposed rule, a patient could give consent to share the records with the entity as a whole.

Business associates that have been provided with SUD records for research purposes will be permitted to disclose that information to entities not covered by HIPAA for similar purposes.

Part 2 currently requires providers to sanitize devices containing SUD treatment records. Under the proposed rule, the information would only need to be deleted, since sanitization typically involves destroying the device.

A restriction has been removed that prevented the courts from disclosing substance use records as part of an investigation into a serious crime that was not believed to have been committed by the patient. The time that undercover agents may remain in a Part 2 program has also been extended from 6 months to one year.

Many healthcare associations and healthcare provider groups have called for Part 2 regulations to be aligned with HIPAA, and recently the National Association of Attorneys General (NAAG) urged leaders in the House and Senate to support changes to Part 2. Such a change requires approval on Capitol Hill. As HHS Secretary Alex Azar explained in a press meeting on Thursday, the HHS can only propose changes; to fully align Part 2 with HIPAA, House and Senate approval is required. Secretary Azar has expressed support for such changes.

“We do believe the proposed changes are very common sense, responsive changes to concerns by both patients and providers,” said Azar. While important changes have been made, many will feel the HHS has not done enough. Azar accepts that the proposed rule will not satisfy all calls for Part 2 reform: “We believe we’re going as far as we can.”

The post HHS Proposes Rule Easing Restrictions on Substance Use Disorder Treatment Records appeared first on HIPAA Journal.

State Attorneys General Urge Congress to Align Part 2 Regulations with HIPAA

The National Association of Attorneys General (NAAG) has urged leaders of the House and Senate to make changes to Confidentiality of Substance Use Disorder Patient Records regulations known as 42 CFR Part 2.

The regulations in question, which NAAG called “cumbersome [and] out-of-date,” restrict the uses and disclosures of substance abuse treatment records.

Under HIPAA, protected health information (PHI) can be shared between providers and caregivers for purposes related to treatment, payment, and healthcare operations without first obtaining consent from the patient. 42 CFR Part 2 prohibits the sharing of addiction treatment information by federally assisted treatment programs unless consent to do so has been obtained from the patient.

The Part 2 regulations were created more than 40 years ago to protect the privacy of patients and to ensure that patients would not face any legal or civil consequences from seeking treatment for substance use disorder.

NAAG argues that the regulations were created at a time when there was an “intense stigma” surrounding substance use disorder, but says that the continued separation of substance use disorder from other diseases perpetuates that stigma. “The principle underlying these rules is that substance use disorder treatment is shameful and records of it should be withheld from other treatment providers in ways that we do not withhold records of treatment of other chronic diseases,” wrote NAAG.

NAAG wants substance use disorder to be recognized as the chronic disease that it is, which would mean aligning the rules covering substance use treatment records with those of HIPAA. That would allow substance use treatment information to be shared along with other health information, provided protections are in place to keep that information private and confidential.

As it stands, Part 2 regulations are a barrier to treating opioid use disorder. Providers are used to complying with HIPAA, but the requirements of Part 2 can be intimidating. As a result, many providers do not offer medication-assisted treatment (MAT) for substance use disorder.

MAT providers are not required to comply with Part 2 requirements if they do not advertise their MAT services, but not advertising means fewer people will take up those services. To effectively tackle the opioid epidemic in the United States, MAT services need to be promoted and should be easily accessible. Currently, many providers keep it a secret that they offer MAT programs to patients because of the restrictions of Part 2 regulations.

42 CFR Part 2 privacy regulations were updated in 2018, although the changes made were relatively minor. NAAG is not the only organization calling for more substantial changes and closer alignment between Part 2 and HIPAA regulations. A growing coalition of more than 40 national health care organizations supports the changes, and there is some support in the House and the Senate.

Reps. Markwayne Mullin (R-OK) and Earl Blumenauer (D-OR) introduced the Overdose Prevention and Patient Safety Act (OPPS Act) (H.R. 2062), and Sens. Joe Manchin (D-WV) and Shelley Moore Capito (R-WV) introduced the Protecting Jessica Grubb’s Legacy Act (Legacy Act) (S. 1012); both bills would align Part 2 with HIPAA. However, securing enough support for the changes is likely to be a major challenge.

The post State Attorneys General Urge Congress to Align Part 2 Regulations with HIPAA appeared first on HIPAA Journal.

VA OIG Report Highlights Risk of Medical Device Workarounds

A recent inspection of a California VA medical center by the Department of Veteran Affairs Office of Inspector General (VA OIG) has revealed security vulnerabilities related to medical device workarounds and multiple areas of non-adherence with Veterans Health Administration (VHA) and VA policies.

Tibor Rubin VA Medical Center in Long Beach, California was inspected by the VA OIG after VHA and VA privacy and security policy violations were identified during an unrelated investigation.

The auditors identified inappropriate staff workarounds for transferring and integrating information from patient medical devices into the medical center’s EHR system. The auditors also found two potential breaches of patient information while performing the inspection.

The medical center did not have a working interface between several VHA medical devices and its EHR system, which led staff to use inappropriate workarounds. Biomedical engineering and IT assistance had not fully resolved the software interface issues between those devices and the EHR, and facility staff were using unapproved modes of communication that risked the accidental disclosure of sensitive patient information.

Inspectors discovered that 9 out of 12 medical devices lacked an interface with the EHR system, including a high-resolution esophageal manometry (HRM) device. The interface with the VHA EHR stopped functioning when the medical center upgraded from Windows XP to Windows 7 in 2013. Biomed and IT had provided assistance when problems were first experienced, but the remaining software interface issues were never addressed.

The gastroenterology (GI) provider told the inspectors that the facility’s biomedical engineering and IT departments were involved in the decision to continue using the equipment even though there was no working interface. The GI provider developed two workarounds that were not in line with VHA and VA policies covering sensitive personal information. Those workarounds placed patient information at risk of exposure.

Those workarounds involved the use of the GI provider’s personal computer and the transfer of sensitive information via unencrypted email, a cloud storage service, and a non-VA-issued, unencrypted flash drive. Staff in the GI laboratory, pulmonary/sleep laboratory, and neurology departments had also developed workarounds as a result of the interface issues that followed the operating system upgrade.

Staff were aware of the importance of patient privacy and of securing patient information, and one staff member ensured that information was only sent via secure, encrypted email. However, other staff members sent patient information from personal email accounts, from unsecured devices, and via SMS text messages.

VA OIG found that 99% of the emails sent from the GI provider’s email account contained sensitive patient information, as did 91.7% of the SMS text messages sent to staff. Inpatient and nursing staff were also found to be using non-secure methods of communicating patient information. The medical center was additionally found to still be using paper logbooks to record equipment taken home by staff, which is against VHA policy.

The report covered a single VA medical center, but the findings are not surprising. Many healthcare providers experience similar problems and also rely on workarounds to solve software compatibility issues, even though those workarounds can introduce considerable risk.

The VA OIG has made several recommendations on how the medical center can correct the violations and improve security. Those recommendations include taking steps to ensure staff members only use secure methods to communicate patient information, and having the medical center director review the communication processes between staff and IT/biomedical engineering, address the outstanding interface issues, and improve communication. The medical center is currently in the process of implementing those recommendations.

The post VA OIG Report Highlights Risk of Medical Device Workarounds appeared first on HIPAA Journal.