Healthcare Data Privacy

Remote Hacking of Medical Devices and Systems Tops ECRI’s 2019 List of Health Technology Hazards

Posted by HIPAA Journal

The ECRI Institute, a non-profit organization that researches new approaches to improve patient care, has published its annual list of the top ten health technology hazards for 2019.

The purpose of the list is to help healthcare organizations identify possible sources of danger or issues with technology that have potential to cause patients harm to allow them to take action to reduce the risk of adverse events occurring.

To create the list, ECRI Institute engineers, scientists, clinicians and patient safety analysts used expertise gained through testing of medical devices, investigating safety incidents, assessing hospital practices, reviewing literature and talking to healthcare professionals and medical device suppliers to identify the main threats to medical devices and systems that warrant immediate attention.

Weighting factors used to produce the final top 10 list includes the likelihood of hazards causing severe injury or death, the frequency of incidents, the number of individuals likely to be affected, insidiousness, effect on the healthcare organization, and the actions that could realistically be taken to reduce any impact on patient care.

Unsurprisingly, given the volume of cyberattacks on healthcare organizations, the high potential for harm, and the number of individuals that could be affected, the remote accessing of healthcare systems by hackers was rated as the number one hazard for 2019.

There is considerable potential for the remote access functionality of medical devices and systems to be exploited by hackers. A cyberattack could render medical devices and systems inoperative or could degrade their performance, which could have a major negative impact on patient care and could place patients’ lives at risk. Cyberattacks could also result in the theft of health data, which could also have a negative effect on patients.

ECRI notes that while cyberattacks can have a negative impact on healthcare providers, resulting in reputation damage and significant fines, cybersecurity is also a critical patient safety issue.

Hackers can easily take advantage of unmaintained and vulnerable remote access systems to gain access to medical devices and healthcare systems. They can move laterally within the network and gain access to medical and nonmedical assets and connected devices and systems. Patient data can be stolen, malware installed, computing resources can be hijacked, and ransomware can be installed which could render systems inoperable. In the most part, these attacks are preventable.

“Safeguarding assets requires identifying, protecting, and monitoring all remote access points, as well as adhering to recommended cybersecurity practices, such as instituting a strong password policy, maintaining and patching systems, and logging system access,” suggests ECRI.

The full Top Ten List of Health Technology Hazards for 2019 are:

  1. Hackers Can Exploit Remote Access to Systems, Disrupting Healthcare Operations
  2. “Clean” Mattresses Can Ooze Body Fluids onto Patients
  3. Retained Sponges Persist as a Surgical Complication Despite Manual Counts
  4. Improperly Set Ventilator Alarms Put Patients at Risk for Hypoxic Brain Injury or Death
  5. Mishandling Flexible Endoscopes after Disinfection Can Lead to Patient Infections
  6. Confusing Dose Rate with Flow Rate Can Lead to Infusion Pump Medication Errors
  7. Improper Customization of Physiologic Monitor Alarm Settings May Result in Missed Alarms
  8. Injury Risk from Overhead Patient Lift Systems
  9. Cleaning Fluid Seeping into Electrical Components Can Lead to Equipment Damage and Fires
  10. Flawed Battery Charging Systems and Practices Can Affect Device Operation

The post Remote Hacking of Medical Devices and Systems Tops ECRI’s 2019 List of Health Technology Hazards appeared first on HIPAA Journal.

FDA Issues Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook

Posted by HIPAA Journal

On October 1, 2018, the U.S. Food and Drug Administration released a Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook for healthcare delivery organizations to help them prepare for and respond to medical device cybersecurity incidents.

The playbook is intended to help healthcare delivery organizations develop a preparedness and response framework to ensure they are prepared for medical device security incidents, can detect and analyze security breaches quickly, contain incidents, and rapidly recover from attacks.

The playbook was developed by MITRE Corp., which worked closely with the FDA, healthcare delivery organizations, researchers, state health departments, medical device manufacturers and regional healthcare groups when developing the document.

The past 12 months have seen many vulnerabilities identified in medical devices which could potentially be exploited by hackers to gain access to healthcare networks, patient health information, or to cause harm to patients. While the FDA has not received any reports to suggest an attack has been conducted on medical devices to cause patients harm, the number of cyberattacks on healthcare organizations has increased significantly in recent years and concerns have been raised with the FDA about the potential for cybercriminals to attack patient medical devices.

“The playbook supplements existing HDO emergency management and/or incident response capabilities with regional preparedness and response recommendations for medical device cybersecurity incidents,” said MITRE. “The playbook outlines how hospitals and other HDOs can develop a cybersecurity preparedness and response framework, which starts with conducting device inventory and developing a baseline of medical device cybersecurity information.”

In addition to releasing the guidance for HDOs, the FDA has developed its own internal playbook to ensure that it can respond rapidly to any medical device cybersecurity incident. “Our internal playbook establishes an effective and appropriate incident plan that’s flexible and clear. It aims to help the agency respond in a timely manner to medical device cybersecurity attacks – mitigating impacts to devices, healthcare systems and ultimately, patients,” said Scott Gottlieb, MD, Commissioner of the FDA.

The Playbook includes several recommendations for healthcare delivery organizations, although it may not be possible for all recommendations to be executed by healthcare delivery organizations due to operational constraints. However, the document does serve as a starting point for developing a response plan for medical device security incidents and will include recommendations that could be incorporated into existing disaster recovery plans.

The FDA has also announced it has signed two memoranda of understanding which will establish information sharing analysis organizations (ISAOs) that will be tasked with gathering, analyzing, and distributing important information about new cyber threats to medical device security. Through the sharing of timely information it is hoped that device manufacturers will be able to address security issues more rapidly before they can be exploited.

The FDA is also working closely with the Department of Homeland Security and is holding joint cybersecurity exercises to simulate attacks on medical devices with a view to improving medical device security. The FDA has also made significant updates to its premarket guidance for medical device manufacturers which is expected to be released in the next few weeks.

The Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook can be downloaded from MITRE on this link (PDF – 543.73 KB)

The post FDA Issues Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook appeared first on HIPAA Journal.

Healthcare Industry Highly Susceptible to Phishing Attacks and Lags Other Industries for Phishing Resiliency

Posted by HIPAA Journal

Phishing is one of the leading causes of healthcare data breaches. The healthcare industry is extensively targeted by phishers who frequently gain access to healthcare data stored in email accounts. In some cases, those email accounts contain considerable volumes of highly sensitive protected health information.

In August 2018, Augusta University Healthcare System announced that it was the victim of a phishing attack that saw multiple email accounts compromised. The breached email accounts contained the PHI of 417,000 patients. The incident stood out due to the number of individuals impacted by the breach, but it was just one of several healthcare organizations to fall victim to phishing attacks in August.

Data from the HHS’ Office for Civil Rights shows email is the most common location of breached PHI. In July, 14 healthcare data breaches out of 28 involved email, compared to 6 network server PHI breaches – The second most common location of breached PHI. It was a similar story in May and June with 9 and 11 email breaches reported respectively.

Cofense Research Shows Healthcare Industry Lags Behind Other Industries in Resiliency to Phishing

The anti-phishing solution provider Cofense (Formerly PhishMe) recently published an Industry Brief which explored the problem of phishing in the healthcare industry.

The report, entitled ‘Say “Ah!” – A Closer Look at Phishing in the Healthcare Industry’, confirmed the extent to which the healthcare industry is targeted by cybercriminals. The healthcare industry accounts for 1/3 of all data breaches, which have resulted in the exposure or theft of more than 175 million records.

It is no surprise that the healthcare industry is targeted by hackers as healthcare organizations store vast amounts of extremely valuable data: Health information, insurance information, Social Security numbers, dates of birth, contact information, and financial data. Information that can easily be sold to identity thieves and fraudsters.

Further, the healthcare industry has historically underinvested in cybersecurity with security budgets typically much lower than in other industry sectors such as finance.

Cofense data shows that healthcare organizations fare worse than other industries in terms of susceptibility and resiliency to phishing attacks. To measure susceptibility, Cofense used data from its phishing simulation platform – Susceptibility being the percentage of healthcare employees that were fooled by a phishing simulation. Resiliency to phishing attacks is the ratio of users who reported a phishing attempt through the Cofense Reporter email add-on versus those that did not.

Across all industries, the susceptibility rate was 11.9% and the resiliency rate was 1.79. For healthcare, susceptibility was 12.4% and resiliency was 1.34. The insurance industry had a resiliency rate of 3.03 while the energy sector had a resiliency rate of 4.01.

The past few years have seen cybersecurity budgets increase and a greater emphasis placed on security and risk management. The extra funding for anti-phishing defenses is having a positive effect, although there is considerable room for improvement.

Source: Cofense

How Are Healthcare Employees Being Fooled by Phishers?

An analysis of the phishing email simulations that most commonly fooled healthcare employees reveals a mix of social and business emails. The type of email most likely to fool a healthcare employee was a requested invoice, followed by a manager evaluation, package delivery notification, and a Halloween eCard alert, all of which had a click rate above 21%. Emails about holiday eCard alerts, HSA customer service emails, and employee raffles also commonly fooled employees.

Data from Cofense Intelligence shows invoice requests to be one of the most common active threats, often used to deliver ransomware. 32.5% of healthcare employees were fooled by those emails in simulations and only 7.2% reported the emails as suspicious.

The Cofense report includes further information on the most commonly clicked phishing emails and advice for healthcare companies to help reduce susceptibility to phishing attacks. The Cofense Healthcare Industry Brief can be downloaded on this link (PDF).

The post Healthcare Industry Highly Susceptible to Phishing Attacks and Lags Other Industries for Phishing Resiliency appeared first on HIPAA Journal.

NIST Releases Guidance on Managing IoT Cybersecurity and Privacy

Posted by HIPAA Journal

The National Institute of Standards and Technology (NIST) has released a draft guidance document that aims to help federal agencies and other organizations understand the challenges associated with securing Internet of Things (IoT) devices and manage the cybersecurity and privacy risks that IoT devices can introduce.

The guidance document – Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks (NIST IR 8228) is the first in a series of new publications address cybersecurity and privacy together and the document is the foundation for a series of further publications that will explore IoT device cybersecurity and privacy in more detail.

“IoT is a rapidly evolving and expanding collection of diverse technologies that interact with the physical world. Many organizations are not necessarily aware of the large number of IoT devices they are already using and how IoT devices may affect cybersecurity and privacy risks differently than conventional information technology devices,” explained NIST.

In the guidance document, NIST identifies three high-level considerations that can affect the management of risks that IoT devices can introduce. First, IoT devices tend to interact with the physical world in ways that conventional IT devices do not. Second, IoT devices cannot typically be accessed, managed, and monitored in the same way as conventional IT devices. Third, the availability, efficiency and effectiveness of cybersecurity and privacy controls are different for IoT devices than conventional IT devices.

Cybersecurity and privacy risks need to be addressed for the entire lifecycle of IoT devices and can be considered in terms of three high-level mitigation goals:

  • Preventing IoT devices from being used to conduct attacks
  • Protecting the confidentiality, integrity, and availability of data stored on the devices
  • Protecting the privacy of individuals

The guidance document suggests various ways that the above goals can be met and the challenges that organizations may face achieving those goals. However, since IoT devices are so diverse, it is difficult for recommendations to be made that can be applied for all use cases, levels of risk and device types.

NIST is seeking public comments on the document and will be accepting feedback until October 24, 2018. The draft document can be downloaded on this link (PDF).

The post NIST Releases Guidance on Managing IoT Cybersecurity and Privacy appeared first on HIPAA Journal.

Study Reveals 70% Increase in Healthcare Data Breaches Between 2010 and 2017

Posted by HIPAA Journal

There has been a 70% increase in healthcare data breaches between 2010 and 2017, according to a study conducted by two physicians at the Massachusetts General Hospital Center for Quantitative Health.

The study, published in the Journal of the American Medical Association on September 25, involved a review of 2,149 healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights between 2010 and 2017.

“While we conduct scientific programs designed to recognize the enormous research potential of large, centralized electronic health record databases, we designed this study to better understand the potential downsides for our patients – in this case the risk of data disclosure,” said Dr. Thomas McCoy Jr, director of research at Massachusetts General Hospital’s Center for Quantitative Health in Boston and lead author of the study.

Every year, with the exception of 2015, the number of healthcare data breaches has increased, rising from 199 breaches in 2010 to 344 breaches in 2017. Those breaches have resulted in the loss, theft, exposure, or impermissible disclosure of 176.4 million healthcare records. 75% of those records were exposed or stolen as a result of hacking or IT incidents.

While the number of hacking and IT incidents continues to increase each year, the number of theft incidents has declined by two thirds since 2010 when it was the leading cause of healthcare data breaches. This is due to healthcare organizations transitioning to electronic health records and encrypting health data stored on portable electronic devices.

In 2010, the most common location of breached health data was laptop computers followed by paper records and films. In 2017, the most common locations of breached health data were network servers and email, both of which are targeted by hackers.

The study covered healthcare providers, health plans and business associates of HIPAA covered entities. Healthcare providers experienced the most breaches (70%) over the period of study, which stands to reason given that there are many more healthcare providers than health plans in the United States. However, while there were fewer health plan data breaches – 13% of the total – they resulted in the exposure of more records – 63% of all breached records between 2010 and 2017.

“More breaches happen—for the sake of argument—in doctor’s offices, quote-on-quote ‘healthcare providers,’ but more records get lost by big insurance companies,” said McCoy.

The high number of records exposed by health plan data breaches is largely due to three health plan data breaches which resulted in the theft of 99.8 million records: The 78.8 million record breach at Anthem Inc., the 11 million record breach at Premera Blue Cross, and the 10 million record breach at Excellus Blue Cross Blue Shield. Those three breaches accounted for more than half of all exposed health records between 2010 and 2017.

The most serious healthcare data breaches involve records stored on network servers. There were 410 data breaches involving network servers over the period of study and they impacted almost 140 million patients, compared to 510 breaches involving paper/films which impacted 3.4 million patients.

“For me, the message is that working with big data carries big responsibility. This is an area where health plans, health systems, clinicians and patients need to work together. We hear a lot about the huge opportunity to improve how we care for patients – but there is also risk, which we need to manage responsibly,” said Roy Perlis, MD, MSc, director of the Center for Quantitative Health, and co-author of the study.

The post Study Reveals 70% Increase in Healthcare Data Breaches Between 2010 and 2017 appeared first on HIPAA Journal.

HIPAA Quiz Launched by Compliancy Group

Posted by HIPAA Journal

A new HIPAA Quiz has been launched by the Compliancy Group, which serves as a quick and easy free tool to assess the current state of HIPAA compliance in an organization.  

Healthcare organizations that have implemented policies and procedures to comply with the Health Insurance Portability and Accountability Act (HIPAA) Rules may think that they are fully compliant with all provisions of the HIPAA Privacy, Security, and Breach Notification Rules. However, HHS’ Office for Civil Rights (OCR) compliance audits and investigations into data breaches and complaints often reveal certain requirements of HIPAA have been missed or misinterpreted.

OCR investigates all breaches of more than 500 records and so far in 2018, six financial penalties have been issued to HIPAA covered entities to resolve HIPAA violations. The average settlement/civil monetary penalty in 2018 is $1,491,166.

State attorneys general also investigate data breaches and complaints and can also issue fines for noncompliance with HIPAA Rules. There have been five fines issued by state attorneys general in 2018 to resolve HIPAA violations. The average settlement amount is $514,563 in 2018 and was $718,800 in 2017.

To help healthcare organizations comply with HIPAA Rules and avoid financial penalties, the Compliancy Group, a team of HIPAA compliance experts that help healthcare organizations meet HIPAA requirements, has released a free HIPAA Quiz that allows healthcare organizations to conduct a quick assessment to determine whether they are meeting the basic requirements of HIPAA. The quiz consists of yes/no questions that have been designed to get a baseline reading of HIPAA compliance against the fundamental elements of HIPAA.

“We designed the Compliancy Group HIPAA Quiz to empower health care professionals,” said Joe Bilello, Vice President of Compliancy Group. “Too often we see misconceptions around HIPAA compliance in the health care market. We hope the HIPAA Quiz will give users the chance to find out what’s really required for HIPAA compliance, rather than relying on hearsay and outdated information. Compliancy Group is always here to help address HIPAA concerns for anyone from single-doctor practices, to large-scale technology providers.”

The HIPAA compliance assessment tool can be accessed on this link.

The post HIPAA Quiz Launched by Compliancy Group appeared first on HIPAA Journal.

UMass Memorial Health Care Pays $230,000 to Resolve Alleged HIPAA Violations

Posted by HIPAA Journal

Mass Memorial Health Care has been fined $230,000 by the Massachusetts attorney general for HIPAA failures related to two data breaches that exposed the protected health information (PHI) of more than 15,000 state residents.

A lawsuit was filed against UMass Memorial Health Care in which attorney general Maura Healey claimed UMass Memorial Medical Group Inc., and UMass Memorial Medical Center Inc., failed to implement sufficient measures to protect patients’ sensitive health information.

In two separate incidents, employees accessed and copied patient health information without authorization and used that information to open cell phone and credit card accounts in the victims’ names.

It was also alleged that UMass Memorial Medical Group Inc., and UMass Memorial Medical Center Inc., were both aware of employee misconduct, yet failed to properly investigate complaints related to data breaches and discipline the employees concerned in a timely manner. Both entities also failed to ensure that patients’ PHI was properly safeguarded. These failures violated Massachusetts data security laws, the Consumer Protection Act, and the Health Insurance Portability and Accountability Act.

UMass Memorial Health Care cooperated fully with the state attorney general’s investigation into the data breaches and agreed to settle the resulting lawsuit. In addition to paying the $230,000 fine, UMass Memorial Health Care will ensure that employee background checks are conducted prior to hiring new staff, all employees will receive further training on the correct handling of PHI, employee access to patient health information will be limited, risk analyses will be conducted to identify potential security issues, and any issues that are found will be subjected to a HIPAA-compliant risk management process. UMass Memorial Health Care will also ensure proper employee discipline and any suspected cases of improper accessing of ePHI will be investigated promptly.

Both UMass Memorial Medical Group Inc., and UMass Memorial Medical Center Inc., are also required to hire an independent firm to conduct a thorough review of data security policies and procedures and must report back to the Mass attorney general’s office on the findings of those reviews.

“Massachusetts residents rely on their health care providers to keep private health information safe and secure,” said Maura Healey. “This resolution ensures UMass Memorial implements important measures to prevent this type of breach from happening again.”

“In the four years since [these breaches] took place we have taken steps aimed at further strengthening our privacy and information security program,” said a UMass Memorial Health Care spokesperson in a written statement. “This includes the implementation of additional technical tools that safeguard patient information, and enhancement of our existing privacy and information security procedures.”

State Attorneys General Pick Up the Slack in HIPAA Enforcement

After two years of increased enforcement of HIPAA Rules the HHS’ Office for Civil Rights has eased up on settlements and civil monetary penalties to resolve HIPAA violations, with only five settlements reached in 2018 and one civil monetary penalty issued. While OCR has eased up on financial penalties for HIPAA violations, state attorneys general fines are on track to make 2018 a record year for HIPAA enforcement.

UMass Memorial Health Care is the fifth healthcare organization to settle a HIPAA violation case with a state attorney general in 2018, joining The Arc of Erie County ($200,000), EmblemHealth ($575,000), and Aetna ($1,150,000) which have all been fined by the New York AG this year, and Virtua Medical Group which settled HIPAA violations with the New Jersey AG for $417,816 in April.

The post UMass Memorial Health Care Pays $230,000 to Resolve Alleged HIPAA Violations appeared first on HIPAA Journal.

August 2018 Healthcare Data Breach Report

Posted by HIPAA Journal

August was a much better month for the healthcare industry with fewer data breaches reported than in July. In August, 28 healthcare data breaches were reported to the HHS’ Office for Civil Rights, a 17.86% month-over-month reduction in data breaches.

Healthcare Data Breaches by Month

There was also a major reduction in the number of healthcare records that were exposed or stolen. In August, 623,688 healthcare records were exposed or stolen – A 267.56% reduction from August, when 2,292,522 healthcare records were breached.

HEalthcare Records Exposed by Month

Causes of Healthcare Data Breaches in August 2018

Hacking incidents dominated the breach reports in August, accounting for 53.57% of all reported data breaches and 95.73% of all records exposed or disclosed in August. Eight of the top ten breaches were the result of hacks, malware, or ransomware attacks.

Causes of Healthcare Data Breaches in August 2018

Insider breaches are a major problem in the healthcare industry, more so than other verticals. In August there were nine insider breaches – 32.14% of the healthcare data breaches in August. Those breaches involved the unauthorized access or impermissible disclosure of 18,488 healthcare records – 2.96% of the monthly total.

There were two breaches involving the loss of PHI, one case of lost physical records and one lost portable electronic device containing electronic protected health information. The two theft incidents in August involved paper records.

Largest Healthcare Data Breaches in August 2018

Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach
AU Medical Center, INC Healthcare Provider 417000 Hacking/IT Incident
Fetal Diagnostic Institute of the Pacific Healthcare Provider 40800 Hacking/IT Incident
Legacy Health Healthcare Provider 38000 Hacking/IT Incident
Acadiana Computer Systems, Inc. Business Associate 31151 Hacking/IT Incident
Carpenters Benefit Funds of Philadelphia Health Plan 20015 Hacking/IT Incident
University Medical Center Physicians Healthcare Provider 18500 Hacking/IT Incident
Simon Orthodontics Healthcare Provider 15129 Hacking/IT Incident
Wells Pharmacy Network Healthcare Provider 10000 Unauthorized Access/Disclosure
St. Joseph’s Medical Center Healthcare Provider 4984 Loss
Central Colorado Dermatology, PC Healthcare Provider 4065 Hacking/IT Incident

Location of Breached PHI

Email-related data breaches continue to dominate the healthcare data breach reports. A further 14 email-related data breaches were reported in August, the majority of which saw email accounts accessed by unauthorized individuals as a result of healthcare employees falling for phishing emails. Phishing attacks on healthcare providers are being reported regularly, highlighting just how important it is for healthcare organizations to provide ongoing security awareness training for employees to teach them the skills they need to identify phishing attempts.
There were six incidents involving PHI stored on network servers in August, including two confirmed ransomware attacks. There were five breaches involving paper records.
Location of Breached PHI in August 2018 Healthcare Data Breaches

August Data Breaches by Covered Entity Type

Healthcare providers experienced the lion’s share of data breaches in August with 21 reported breaches. There were two health plan breaches and business associates of HIPAA-covered entities reported 5 breaches, with one further breach having some business associate involvement.

 

August Healthcare Data Breaches by State

Healthcare organizations based in 19 states experienced data breaches in August. While California and Texas usually top the list for data breaches due to the number of healthcare organizations based in those states, atypically, in August Oregon was the worst affected state with four breaches reported.

California and Florida each had three breaches reported, Colorado and Texas had two, and there was one breach reported in Arizona, Georgia, Hawaii, Illinois, Indiana. Louisiana, Maryland, Michigan, Nevada, New York, Ohio, Pennsylvania, Tennessee, and Virginia.

HIPAA Enforcement Actions in August

In 2016 and 2017, the HHS’ Office for Civil Rights took a hard line on enforcement of HIPAA Rules and agreed 21 settlements with HIPAA-covered entities and issued two civil monetary penalties. There have only been three financial settlements reached between OCR and HIPAA-covered entities in 2018 and no further fines or settlements were announced in August.  While OCR enforcement activity appears to have slowed, that is not the case with state attorneys general, in particular New York. The New York attorney general’s office has agreed two settlements with HIPAA-covered entities in 2018 with a third agreed in August.

The Arc of Erie County resolved violations of HIPAA Rules and state laws by paying a penalty of $200,000 to the New York attorney general’s office following the exposure of 3,751 individual’s PHI. The PHI had been uploaded to a website and could be accessed without authentication.

The post August 2018 Healthcare Data Breach Report appeared first on HIPAA Journal.

$999,000 in HIPAA Penalties for Three Hospitals for Boston Med HIPAA Violations

Posted by HIPAA Journal

Three hospitals that allowed an ABC film crew to record footage of patients as part of the Boston Med TV series have been fined $999,000 by the Department of Health and Human Services’ Office for Civil Rights (OCR) for violating Health Insurance Portability and Accountability Act (HIPAA) Rules.

This is the second HIPAA violation case investigated by OCR related to the Boston Med TV series. On April 16, 2016, New York Presbyterian Hospital settled its HIPAA violation case with OCR for $2.2 million to resolve the impermissible disclosure of PHI to the ABC film crew during the recording of the series and for failing to obtain consent from patients.

Fines for Boston Medical Center, Brigham and Women’s Hospital, & Massachusetts General Hospital

Boston Medical Center (BMC) settled its HIPAA violations with OCR for $100,000. OCR investigators determined that BMC had impermissibly disclosed the PHI of patients to ABC employees during production and filming of the TV series, violating 45 C.F.R. § 164.502(a).

Brigham and Women’s Hospital (BWH) settled its HIPAA violations with OCR for $384,000. BWH allowed an ABC film crew to record footage between October 2014 and January 2015. Prior to filming, BWH conducted a review of patient privacy issues and provided the ABC film crew with HIPAA privacy training – The same training that was provided to its workforce. BWH also obtained written authorizations from patients. However, OCR determined that despite those measures, HIPAA Rules were still violated. In the resolution agreement, OCR wrote, “Based on the timing of when BWH received some written patient authorizations, BWH impermissibly disclosed the PHI of patients to ABC employees,” in violation of 45 C.F.R. § I64.502(a). BWH also failed to reasonably safeguard the PHI of patients: A violation of 45 C.F.R. § 164.530(c).

Massachusetts General Hospital (MGH) settled its HIPAA violations with OCR for $515,000. The hospital similarly allowed a film crew to record footage between October 2014 and January 2015. A review of patient privacy issues was also conducted, and the film crew was provided with the same HIPAA privacy training that MGH provides to its employees.

As was the case with BWH, OCR determined that 45 C.F.R. § I64.502(a) was violated as authorizations were received after an impermissible disclosure and MGH failed to appropriately and reasonably safeguard patients’ PHI from disclosure during the filming of the series in violation of 45 C.F.R. § 164.530(c).

In addition to covering the financial penalty, each of the three hospitals must adopt a corrective action plan which includes providing further training to staff on the allowable uses and disclosures of PHI to film and media.

“Patients in hospitals expect to encounter doctors and nurses when getting treatment, not film crews recording them at their most private and vulnerable moments,” said Roger Severino, OCR director. “Hospitals must get authorization from patients before allowing strangers to have access to patients and their medical information.”

HIPAA Enforcement in 2018

OCR had a record year for HIPAA penalties in 2016 when it agreed 12 settlements to resolve HIPAA violations and issued one civil monetary penalty. 2017 saw 9 settlements reached with HIPAA-covered entities and one civil monetary penalty issued.

2018 has seen a reduction in financial penalties for HIPAA violations, with only three penalties issued prior the September 20, 2018 announcement. These latest three settlements bring the total number of OCR HIPAA violation penalties for the year up to six.

HIPAA Penalties and Settlements Agreed with OCR in 2018

Entity Penalty Penalty Type Reason for Penalty
Boston Medical Center $100,000 Settlement Filming patients without consent
Brigham and Women’s Hospital $384,000 Settlement Filming patients without consent
Massachusetts General Hospital $515,000 Settlement Filming patients without consent
University of Texas MD Anderson Cancer Center $4,348,000 Civil Monetary Penalty Lack of encryption and impermissible disclosure of ePHI
Filefax, Inc. $100,000 Settlement Impermissible disclosure of PHI
Fresenius Medical Care North America $3,500,000 Settlement Multiple HIPAA Violations

 

HIPAA Settlements with State Attorneys General in 2018

In addition to the penalties issued by OCR, there have been four settlements reached between HIPAA covered entities and state attorneys general in 2018.

State Covered Entity Amount Reason for Penalty
New York Arc of Erie County $200,000 Online Exposure of PHI
New Jersey Virtua Medical Group $417,816 Online Exposure of PHI
New York EmblemHealth $575,000 Exposure of PHI in Mailing
New York Aetna $1,150,000 Exposure of PHI in Mailing

The post $999,000 in HIPAA Penalties for Three Hospitals for Boston Med HIPAA Violations appeared first on HIPAA Journal.