Healthcare Data Privacy

Federal Judge Tentatively Advances Meta Pixel Medical Privacy Class Action

A class action lawsuit against Meta over the disclosure of health data to the social media giant has been allowed to proceed by a federal judge. The judge issued a tentative order allowing the lawsuit to advance for several of the claims made by the plaintiffs; however, the number of claims has been reduced by around half.

The consolidated lawsuit, John Doe v Meta Platforms Inc., filed in the U.S. District Court for the Northern District of California, alleges the plaintiffs and class members had their medical privacy violated by Facebook’s Meta Pixel tracking tool. The lawsuit alleges that Meta knew, or should have known, that the Pixel tool was being used improperly on the websites of hospitals. The lawsuit alleges at least 664 hospital systems and medical providers were sending medical information to Facebook through the Meta Pixel tool. According to the lawsuit, the improper use of the tracking tool resulted in “the wrongful, contemporaneous, re-direction to Facebook of patient communications to register as a patient, sign-in or out of a supposedly “secure” patient portal, request or set appointments, or call their provider via their computing device.” The data was then used to create and serve individuals with personalized ads.

As the HHS’ Office for Civil Rights confirmed in 2022 guidance on HIPAA and tracking technologies, these tools can only be used if there is a HIPAA-compliant business relationship with the tracking technology vendor or if valid HIPAA authorizations have been obtained. Since Meta is not a business associate and there were no HIPAA authorizations, the disclosures were impermissible under HIPAA.

Meta states in its terms and conditions that partners are required to have a lawful right to collect and share data before providing it to Meta. Meta argued that it is the responsibility of web developers to ensure that appropriate permission is obtained before Meta Pixel is used on websites and said that it explains to web developers how they can meet their legal obligations when using the Pixel tool. “There’s no statutory or common law doctrine that would allow the plaintiffs to impose liability upon Meta for the decision of third parties to send Meta data that it doesn’t want, that it has contractually barred them from sending in,” said Meta attorney, Lauren Goldman.

U.S. District Judge William Orrick III denied Meta’s motion to dismiss on several counts, allowing the lawsuit to proceed on the alleged violations of federal and state wiretap laws, as the plaintiffs had sufficiently argued that Meta had not done enough to prevent the transmission of sensitive health data. Orrick found the plaintiffs had plausibly argued that the data collection occurred in California, and that Meta had not met its burden of showing that the healthcare providers had obtained sufficient consent for Meta to collect sensitive medical information.

The extraterritoriality, Wiretap Act, California Invasion of Privacy Act (CIPA), unjust enrichment, and larceny claims were advanced; however, Orrick granted the motion to dismiss the privacy, contract, California Comprehensive Computer Data Access and Fraud Act (CDAFA), negligence per se, trespass to chattels, Unfair Competition Law (UCL), and Consumers Legal Remedies Act (CLRA) claims. The plaintiffs’ attorneys will need to refile, as some of the privacy claims lack sufficient detail about the types of information that were allegedly transmitted to Meta. The judge stated at the hearing on Wednesday in San Francisco federal court that a final order would be issued as soon as possible.

The post Federal Judge Tentatively Advances Meta Pixel Medical Privacy Class Action appeared first on HIPAA Journal.

Vanderbilt University Medical Center Investigated by OCR over Disclosure of Transgender Patients’ Medical Records

Vanderbilt University Medical Center (VUMC) is being investigated by the Department of Health and Human Services’ Office for Civil Rights (OCR) over the disclosure of the medical records of transgender patients to Tennessee Attorney General Jonathan Skrmetti. VUMC provided the medical records after receiving civil investigative demands for the data as part of an investigation into potential medical billing fraud. VUMC recently sent notifications to the affected patients informing them about the disclosures, which began in December 2022.

The HIPAA Privacy Rule permits, but does not require, healthcare providers to disclose patients’ medical records for law enforcement purposes in certain circumstances, such as in response to an administrative request if the information being sought is relevant and material to a legitimate law enforcement inquiry. VUMC and AG Skrmetti both maintain that the disclosures were legal. AG Skrmetti said the records were requested as part of a run-of-the-mill investigation. The investigation was launched in September 2022 after a VUMC doctor publicly described having manipulated medical billing codes to evade coverage limitations on gender-related treatments.

The medical record disclosures have been condemned by many members of the LGBTQ+ community. AG Skrmetti and other authorities in the state have expressed a hostile attitude toward the rights of transgender individuals, and a federal appeals panel recently allowed a state law banning hormone therapy and puberty blockers for transgender youth to take effect. There are fears that the information disclosed may be used against the patients. Two patients recently filed a lawsuit against VUMC over the disclosures, alleging that the records of 106 patients were provided to AG Skrmetti. Given the attitude of state authorities toward transgender rights, the patients believe VUMC should have provided de-identified data – patient data that has had all personally identifiable information removed.

VUMC’s Chief Communications Officer, John Howser, recently confirmed that VUMC is assisting OCR with a civil rights investigation over the disclosures, although he did not provide any further information as the investigation is ongoing.


95% of Patients are Worried About Medical Record Breaches

Given the number of healthcare data breaches now being reported, it is no surprise that patients are concerned that their sensitive health information will be obtained by cybercriminals or leaked on the Internet. In the first half of 2023, 339 data breaches of 500 or more records were reported to the HHS’ Office for Civil Rights. While that represents a year-over-year decline in the number of incidents, more than 41,450,000 healthcare records were reported as breached in the first 6 months of the year – only 10 million fewer than the number of records breached in all of 2022.

The health information network and interoperability provider, Health Gorilla, recently conducted a study that explored patients’ views on health information privacy and data sharing. 1,213 patients were surveyed who had seen a physician at least once in the previous 12 months. 95% said they were concerned that their medical records would be stolen or leaked online, 70% of whom had extreme or moderate concerns about healthcare data breaches. More than half of respondents expressed concern about the privacy and security protections that companies that handle their health data are putting in place.

The survey also revealed widespread mistrust of big tech companies such as Amazon, Google, Microsoft, and Facebook, which are increasingly gaining access to healthcare information through products and services that store healthcare data. 65% of respondents said they distrust or slightly distrust those companies. That distrust is fueled by data breaches and a lack of transparency about data handling and storage practices, and since big tech firms are heavily reliant on data monetization, there are fears that attempts may be made to commercialize the health data they store or sell that information to third parties.

Patients expressed a greater level of confidence in health data exchange facilitated by government-approved entities. 60% of respondents said they feel significantly more or much more confident about health information exchange facilitated by government-approved entities, although regardless of who is sharing or exchanging health data, there are fears that health data may be used for purposes other than the reasons for which it is being shared.

71% of respondents said they were comfortable with sharing health data with healthcare providers for treatment purposes and 39% were comfortable with health plans accessing their medical records. Only 28% of respondents were comfortable with their health data being shared for operations-related purposes, and only 23% said they were comfortable with government agencies accessing their health data for public health reasons.

One solution to the distrust issue is to share de-identified data – health data that has been stripped of all personal identifiers; however, only 64% of respondents said they were comfortable with de-identified data being shared for research purposes. 13% of individuals said they did not want their health data to be shared for research purposes even if the information contained no personal identifiers.

HIPAA gives patients the right to access their own medical records and 94% of individuals feel that is very or at least somewhat important. 88% of respondents said they had exercised that right and have accessed their medical records at least once in the past 12 months, with 48% saying they accessed their medical records in the past 3 months. While there have been many enforcement actions by the HHS’ Office for Civil Rights over failures to provide access to medical records, the survey suggests patients tend not to have problems accessing their health data. 72% of patients said accessing their records was extremely or somewhat easy, with only 4% of patients finding it extremely difficult.

“The results of this privacy report indicate the urgent need to build trust with patients. As we make progress in setting a universal floor for interoperability, patients must have confidence in the system for healthcare interoperability to work,” added Steve Yaskin, Co-Founder and Chief Executive Officer at Health Gorilla. “The majority of patients don’t believe that vendors are doing enough to protect their health data and have serious concerns about a potential breach of their medical records. Patients must serve as a prominent voice in our national dialogue on health data privacy. The actual solutions will come in many forms, but one thing is abundantly clear — it’s time to act.”


700,000 Highly Sensitive School Records Exposed Online

Highly sensitive information on 682,438 teachers and students at independent schools has been left exposed to the Internet and could be accessed by anyone without a password. The exposed 572.8 GB database was discovered by security researcher Jeremiah Fowler who traced documents in the database to the Southern Association of Independent Schools, Inc (SAIS).

“In my many years as a security researcher, I have seen everything from millions of credit card numbers and health records to internal documents from organizations of all sizes. However, this discovery is among the most sensitive data collections I have ever encountered,” said Fowler. The database contained highly sensitive teacher and student records. Each student record included a photograph of the student, along with their home address, date of birth, age, Social Security number, and health information. Fowler said he discovered third-party security reports that included details of weaknesses in school security, the locations of cameras, access and entry points, active shooter and lockdown notifications, school maps, financial budgets, teacher background checks, and much more. Fowler quickly notified SAIS and the database was rapidly secured.

Fowler was unable to determine how long the database had been exposed or whether it had been accessed by unauthorized individuals. He said the database was a goldmine for criminals on many levels. The database was hosted in a cloud storage repository that had been misconfigured to allow access without a password. The database appeared to be on SAIS’s primary server, and the exposure did not appear to be due to a vendor configuration issue.

Harris Health System Confirms Breach of Almost 225,000 Patient Records

Harris County Hospital District, doing business as Harris Health System, has recently reported a data breach affecting 224,703 individuals. On June 2, 2023, Harris Health System was notified about a zero-day vulnerability in the MOVEit Transfer file transfer solution. The vulnerability was immediately addressed; however, the forensic investigation revealed that hackers had already exploited the vulnerability on May 28, 2023, and downloaded files from the system.

The review of the affected files revealed they contained information such as names, addresses, birth dates, Social Security numbers, medical record numbers, immigration status, driver’s license numbers/ other government-issued identification numbers, health insurance information, procedure information, treatment costs, diagnoses, medications, provider names, and dates of service.

Harris Health System said the vulnerability has been patched and additional steps have been taken to improve the security of its MOVEit server. Affected individuals were notified about the breach on July 21, 2023, and individuals who had their Social Security numbers exposed have been offered complimentary credit monitoring and identity theft protection services.

New England Life Care Reports 51,854-Record Data Breach

New England Life Care in Portland, ME, says it detected a security breach on May 24, 2023, that disrupted its IT systems. The incident was rapidly contained, and a third-party cybersecurity firm was engaged to conduct a forensic investigation. The analysis confirmed that the exposed files contained patient data such as names, addresses, service/equipment information, and patient status (active/discharged).

The 51,854 affected individuals were notified by mail on July 21, 2023. New England Life Care said additional safeguards and technical security measures have been implemented to prevent similar incidents in the future.

Park Royal Hospital Discovers Unauthorized Email Account Access

Park Royal Hospital in Fort Myers, FL, has discovered unauthorized access to an employee email account. The security breach was detected on May 15, 2023, and the forensic investigation confirmed that the email account was compromised on May 8, 2023. The email account contained protected health information such as patient names, provider names, dates of treatment, and diagnosis and treatment information. The hospital said additional safeguards and technical security measures have been implemented to further protect and monitor its systems.

The incident is still being investigated and notification letters will be mailed when that process is completed. The breach has been reported to the HHS’ Office for Civil Rights as affecting at least 500 individuals.

Email Accounts Compromised at Unified Pain Management

Konen & Associates, doing business as Unified Pain Management in Texas, has recently notified the HHS’ Office for Civil Rights about an email account breach involving at least 500 records. Suspicious activity was detected within its corporate email accounts on March 21, 2023. Steps were immediately taken to prevent further unauthorized access and a third-party digital forensic firm was engaged to conduct an investigation; however, it was not possible to determine if any information within the email accounts had been accessed or downloaded.

The review of the emails confirmed that they contained information such as patient names, addresses, health insurance policy numbers, Social Security numbers, payment information, and health information such as treatment and diagnosis information. Steps have been taken to improve email security, and affected individuals have been offered credit monitoring and identity theft restoration services at no cost.


Majority of Americans Mistakenly Believe Health App Data is Covered by HIPAA

There is a common misconception that the Health Insurance Portability and Accountability Act (HIPAA) applies to health apps; however, the majority of health apps are not covered by HIPAA nor is the health information collected, stored, or transmitted by the apps.

HIPAA applies to HIPAA-covered entities – healthcare providers, health plans, and healthcare clearinghouses – and vendors used by those entities, which are classed as business associates. While health apps may collect some of the exact same health data that is maintained by HIPAA-covered entities, the information collected by health apps is not subject to the same privacy and security standards. As such, health information collected by health apps may be transmitted to third parties, sold, or used for purposes that are not permitted under HIPAA.

According to a recent ClearDATA Harris Poll survey of 2,000 U.S. adults, 68% of respondents said they were very or somewhat familiar with HIPAA, yet 81% of respondents believed that the health data collected by digital health apps is covered by HIPAA and subject to its Privacy and Security Rules. As such, many users of health apps are likely to be unaware that any health data entered into the apps could be legally sold to third parties.

The survey also revealed health information privacy is not a key factor for Americans when choosing personal health apps. 58% of respondents that have used digital health apps said they had not considered how the information entered into those apps would be used. Health information privacy is also not a major concern when seeking healthcare services, with only 27% of respondents considering whether their data is secure when choosing a provider.

The main considerations are whether the provider accepts their insurance (68%), whether they can see a doctor face to face (49%), and whether they can be treated quickly (41%). This was especially true of younger Americans: 54% of younger respondents said health data privacy is less important to them than convenience, whereas 69% of those over 65 place greater value on privacy and security than on convenience.

While HIPAA does not apply to most digital health apps, digital health companies are required to comply with the Federal Trade Commission (FTC) Act and must issue notifications to consumers in the event of a breach of health data under the Health Breach Notification Rule. The FTC has only recently started enforcing the Health Breach Notification Rule, despite the rule having been in effect for more than a decade, and its recent enforcement actions indicate that digital health companies have been disclosing sensitive health data to third parties without informing consumers.

The FTC recently published a notice of proposed rulemaking that seeks to clarify that the Health Breach Notification Rule applies to health apps and other similar direct-to-consumer technologies such as fitness trackers. “We are witnessing an explosion of health apps and connected devices, many of which aren’t covered by HIPAA, collecting vast amounts of sensitive consumer health information. When this information is breached, it is more vital than ever that mobile health app developers and others covered by the Health Breach Notification Rule provide consumers and the FTC with timely notice about what happened,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection.

Representatives Adam Schiff (D-CA), Seth Magaziner (D-RI), André Carson (D-IN), Sara Jacobs (D-CA), Greg Casar (D-TX), and Kim Schrier, M.D. (D-WA) recently expressed their support for the proposed changes to strengthen the Health Breach Notification Rule, given that the FTC’s recent enforcement actions uncovered disclosures of sensitive health information and deceptive business practices. “We agree with the assertion by FTC that apps that provide health services to users and have personal health records (PHR) qualify as vendors of personal health records and must be regulated as such,” wrote the members of Congress. “There is a need for much greater transparency when this data is mishandled, and the FTC rule will require these apps to notify individuals, the FTC, and in some cases the media of a breach of unsecured personally identifiable health information.” They also expressed their support for the FTC’s requirement for health app providers to clearly explain the potential harm that could stem from data breaches and to name the third parties that may have acquired unsecured personal health information.


VUMC Faces Lawsuit Over Disclosure of Medical Records of Transgender Patients to State AG

Vanderbilt University Medical Center (VUMC) in Nashville, TN, has confirmed that the medical records of transgender patients have been provided to Tennessee Attorney General, Jonathan Skrmetti, in connection with an investigation of medical billing fraud.

According to AG Skrmetti’s Chief of Staff, Brandon Smith, the medical records were requested as part of an investigation into medical billing fraud focused on VUMC and related healthcare providers, rather than on patients. The AG’s office has declined to explain the nature of the fraud investigation, citing the need to protect the integrity of the investigative process.

VUMC has provided gender-affirming care to minors since 2018 and typically performs around 5 surgeries a year. VUMC said all procedures, none of which were genital procedures, were performed on minors over 16 years of age with parental consent. On Tuesday this week, VUMC confirmed that it provided patient records to the state Attorney General after receiving two civil investigative demands (CIDs); a move that has resulted in considerable backlash from the LGBTQ+ community. “The Tennessee Attorney General has legal authority in an investigation to require that VUMC provide complete copies of patient medical records that are relevant to its investigation. VUMC was obligated to comply and did so,” said VUMC spokesperson, John Howser.

Concerns have been raised about the disclosures in light of Tennessee’s forthcoming ban on gender-affirming care for minors. The state law is due to take effect on July 1, 2023, and will prevent doctors from providing gender-affirming care to individuals under the age of 18. The law was challenged, and a lower court partially blocked it, leaving the prohibition on surgical procedures for minors in place while allowing puberty blockers and hormone therapies to be prescribed; the 6th Circuit Court of Appeals then lifted that block, reinstating the ban on all gender-affirming care for minors.

Since the VUMC announcement, several individuals have taken to social media platforms alleging the medical record disclosures violated HIPAA and patient privacy. HIPAA places restrictions on disclosures of medical records but permits disclosures in response to “an administrative request, including an administrative subpoena or summons, a civil or an authorized investigative demand, or similar process authorized under law.” In such cases (45 CFR § 164.512(f)(1)(ii)(C)), the information sought must be relevant and material to a legitimate law enforcement inquiry, the request must be specific and limited in scope to the extent reasonably practicable, and de-identified information could not reasonably be used instead. VUMC has not confirmed how many records were disclosed in response to the CIDs but said the records requested by the Attorney General dated back to 2018 and that the patients concerned had been enrolled in TennCare insurance plans. The individuals concerned were notified by VUMC that their records had been provided to the state Attorney General as part of a civil investigation.

HIPAA permits but does not require healthcare providers to make such disclosures, and VUMC has been criticized for not taking a stand, although refusing the request would likely only have delayed the disclosures. The affected patients fear that, regardless of the outcome of the fraud investigation, the Attorney General’s office will still hold a list of individuals who have received gender-affirming care. Brandon Smith expressed concern about VUMC’s decision to make the disclosures public knowledge, stating “We are surprised that VUMC has deliberately chosen to frighten its patients like this,” and said the VUMC investigation has been running since September 2022 and that VUMC has been providing information pertinent to the investigation since December 2022.

The medical record disclosures have prompted a class action lawsuit by two of the affected patients who allege VUMC was aware that the state has been targeting the transgender community, yet still provided patient records to the Attorney General and violated the HIPAA Rules by doing so. The lawsuit claims VUMC disclosed the information of 106 individuals, including individuals “on the state employees’ health plan and their family members, and people who receive their health care through TennCare,” as well as the information of some individuals who were not VUMC Transgender Health Clinic patients. According to the lawsuit, an additional CID was issued for all communications between VUMC’s Dr. Melissa Ciperski and others working at Centerstone regarding or related to a potential gender dysphoria diagnosis of a person receiving mental health treatment at Centerstone.

The lawsuit, filed by the law firm Herzfeld, Suetholtz, Gastel, Leniski & Wall, and Abby Rubenfeld, takes issue with the amount of data provided, which included highly sensitive health information including photographs of genitalia, private communication with clinicians, sexual histories, and the identities of intimate partners, and the failure to provide de-identified information in response to the CIDs.


What is a HIPAA Compliant Cloud Drive?

There is no doubt that data storage in the cloud has many benefits for healthcare organizations; however, if electronic protected health information (ePHI) is to be stored in the cloud, it is necessary to use a HIPAA compliant cloud drive – a HIPAA compliant cloud storage solution from a cloud service provider (CSP).

HIPAA and Cloud Computing

The Health Insurance Portability and Accountability Act was enacted in 1996, just as virtualization was starting to gain popularity; however, it was not until the early 2000s that cloud computing really took off, and healthcare organizations were slow to embrace it. The situation is very different today. According to Market Data Forecast, the healthcare cloud computing market was worth $5.22 billion in 2022 and is expected to reach $201.1 billion by 2032. 90% of healthcare organizations are already using cloud-based services or plan to use them by 2025.

Even though cloud computing services have now been widely adopted by healthcare organizations, there is no mention of cloud computing in the HIPAA text. HIPAA was written to be technology agnostic, so that the HIPAA Rules could be applied to new technologies as they were introduced. Cloud services can be used by HIPAA-regulated entities, as long as that use is fully compliant with the HIPAA Privacy and Security Rules. Healthcare organizations that have yet to transition to the cloud may be unaware of what a HIPAA compliant cloud drive is, how HIPAA compliant cloud storage differs from other cloud storage services, and how they can ensure HIPAA compliance in the cloud, all of which are explained below.

What is a HIPAA Compliant Cloud Drive?

Technically, there is no such thing as a HIPAA compliant cloud drive, as no cloud server can be HIPAA compliant in itself. HIPAA compliance depends on the actions of the people who configure and use it. Even if appropriate security is applied to secure ePHI in the cloud, if a healthcare organization misconfigures settings or does not implement appropriate access controls, ePHI could easily be exposed over the Internet, violating the HIPAA Rules.

That said, many CSPs offer HIPAA compliant cloud storage to HIPAA-regulated entities. What this means is the service they offer incorporates all of the necessary security controls to ensure the confidentiality, integrity, and availability of ePHI and prevent impermissible disclosures. Those controls apply to ePHI at rest (stored on cloud servers) and in motion to and from the cloud server or service. Access controls can be configured to restrict access to ePHI to ensure only authorized individuals can view, alter, or transmit data, and audit logs are maintained of successful and unsuccessful access attempts and any alterations to ePHI.

A HIPAA compliant cloud service provider will ensure that safeguards are incorporated into the platform to ensure that it can be used in a HIPAA-compliant way; however, it is up to each HIPAA-regulated entity to ensure that the controls are correctly configured and the service is used in a manner that is compliant with the HIPAA Privacy and Security Rules.

A Business Associate Agreement Must be Obtained from a Cloud Service Provider

If a HIPAA-regulated entity engages the services of any vendor to create, receive, maintain, or transmit ePHI on their behalf, that vendor is classed as a business associate under HIPAA. If cloud services are used in connection with any ePHI, including the processing and storage of ePHI in the cloud, the CSP is a business associate and has responsibilities under HIPAA, even if the CSP only stores encrypted ePHI and does not hold an encryption key for the data. Any subcontractors used by the CSP are also business associates of the CSP and must also comply with certain requirements of the HIPAA Rules.

HIPAA-regulated entities must obtain a HIPAA compliant business associate agreement from the CSP before any HIPAA-covered data is uploaded to the cloud, and a CSP must obtain a HIPAA compliant business associate agreement from any third-party vendor before allowing them access to a HIPAA-regulated entity’s environment. The CSP and any subcontractors used are contractually liable for meeting the terms of the business associate agreement and are directly liable for compliance with the applicable requirements of the HIPAA Rules. If a CSP is not prepared to sign a business associate agreement, their services must not be used in connection with any ePHI.

In addition to a business associate agreement (BAA), many covered entities address other requirements through a service-level agreement (SLA). The BAA outlines the responsibilities of the CSP with respect to HIPAA, while the SLA deals with technical aspects such as availability and reliability of the service, data backups and recovery, the security responsibilities of each party, and how any stored data will be returned when the service is no longer used.

HIPAA Compliant Cloud Storage Requires More than a BAA!

Covered entities must obtain a BAA prior to any cloud service being used in conjunction with ePHI, but having a BAA is not sufficient to avoid a penalty for noncompliance with HIPAA Rules. Before any cloud service is used, covered entities must conduct a comprehensive risk analysis to identify risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI and must subject any identified risks to a risk management process to reduce them to a low and acceptable level. Policies and procedures must be developed and implemented covering the use of the cloud service, and training must be provided to the workforce on the HIPAA-compliant use of cloud services.

Access controls must be configured correctly to ensure that only authorized individuals are able to access cloud-stored data. Even though a HIPAA-compliant cloud drive may meet the requirements of the HIPAA Security Rule, covered entities must ensure they are fully compliant with the requirements of the HIPAA Privacy Rule. Covered entities should implement single sign-on, multifactor authentication, automatic logoff, and strong password requirements, and should develop procedures to ensure ePHI remains available in emergencies.

Audit controls are required to ensure all activities in relation to ePHI are recorded. HIPAA-regulated entities are required to conduct regular checks of logs to monitor for unauthorized activity, and regulators may require access to those logs in the event of an audit or compliance investigation. Any data stored in the cloud should be encrypted at rest, and covered entities must ensure data is encrypted in transit when it is uploaded to the cloud. The encryption algorithms used should meet the standards of the National Institute of Standards and Technology (NIST).
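The "regular checks of logs" above are easier to picture with a concrete review routine. The following is an added example, not code from HIPAA Journal or from any cloud provider; the log format (one JSON object per line), the workforce roster, the role-to-object rules and the bulk-access threshold are all assumptions made for the illustration. It flags three things a reviewer would want surfaced from a cloud drive's audit export: accounts not on the roster, access outside a role's permitted object types, and one account touching many patients' records in a short window.

```python
"""Review an ePHI access log for activity that warrants follow-up.

Added example, not code from HIPAA Journal or any cloud provider. The
log format, roster, role rules and bulk threshold are assumptions.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed workforce roster: account -> role. Any account absent here is unauthorized.
ROSTER = {"nurse.ali": "clinical", "dr.chen": "clinical", "billing.kim": "billing"}

# Assumed minimum-necessary rules: the object categories each role may touch.
ROLE_ALLOWED = {"clinical": {"chart", "labs"}, "billing": {"invoice"}}

# Assumed bulk-access rule: this many distinct patients within the window.
BULK_THRESHOLD = 5
BULK_WINDOW = timedelta(minutes=10)

# Constructed sample log in the assumed export format (JSON lines).
SAMPLE_LOG = """\
{"ts": "2023-07-10T09:02:11Z", "user": "nurse.ali", "action": "read", "object": "patients/1001/chart.pdf"}
{"ts": "2023-07-10T09:05:40Z", "user": "nurse.ali", "action": "read", "object": "patients/1002/chart.pdf"}
{"ts": "2023-07-10T09:07:02Z", "user": "billing.kim", "action": "read", "object": "patients/1001/invoice.pdf"}
{"ts": "2023-07-10T09:08:15Z", "user": "billing.kim", "action": "read", "object": "patients/1002/chart.pdf"}
{"ts": "2023-07-10T09:09:30Z", "user": "contractor.x", "action": "read", "object": "patients/1003/chart.pdf"}
{"ts": "2023-07-10T09:30:00Z", "user": "dr.chen", "action": "read", "object": "patients/1004/labs.pdf"}
{"ts": "2023-07-10T10:00:00Z", "user": "nurse.ali", "action": "read", "object": "patients/1005/chart.pdf"}
{"ts": "2023-07-10T10:01:00Z", "user": "nurse.ali", "action": "read", "object": "patients/1006/chart.pdf"}
{"ts": "2023-07-10T10:02:00Z", "user": "nurse.ali", "action": "read", "object": "patients/1007/chart.pdf"}
{"ts": "2023-07-10T10:03:00Z", "user": "nurse.ali", "action": "read", "object": "patients/1008/chart.pdf"}
{"ts": "2023-07-10T10:04:00Z", "user": "nurse.ali", "action": "read", "object": "patients/1009/chart.pdf"}
"""


def parse_log(text):
    """Parse JSON-lines audit records, converting timestamps to datetimes."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    return records


def split_object(path):
    """'patients/1001/chart.pdf' -> ('1001', 'chart')."""
    _, patient, filename = path.split("/", 2)
    return patient, filename.rsplit(".", 1)[0]


def review(records):
    """Return (finding, user, detail) tuples for records needing follow-up."""
    findings = []
    touched = defaultdict(list)  # user -> [(timestamp, patient id)]
    for rec in records:
        patient, category = split_object(rec["object"])
        role = ROSTER.get(rec["user"])
        if role is None:
            findings.append(("unauthorized_user", rec["user"], rec["object"]))
            continue
        if category not in ROLE_ALLOWED[role]:
            findings.append(("role_violation", rec["user"], rec["object"]))
        touched[rec["user"]].append((rec["ts"], patient))

    # Bulk access: slide a window over each user's time-ordered accesses and
    # count distinct patients; one finding per user is enough for triage.
    for user, events in touched.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            patients = {p for t, p in events[i:] if t - start <= BULK_WINDOW}
            if len(patients) >= BULK_THRESHOLD:
                minutes = int(BULK_WINDOW.total_seconds() // 60)
                findings.append(("bulk_access", user, f"{len(patients)} patients within {minutes} min"))
                break
    return findings


if __name__ == "__main__":
    for finding in review(parse_log(SAMPLE_LOG)):
        print(*finding)
```

On the sample log this reports the contractor account that is not on the roster, the billing account opening a chart, and the nurse account opening five patients' charts in five minutes; the clinician reading a lab result within role produces nothing. Thresholds and role rules would be tuned to the organization's own risk analysis, and in practice the roster would come from the identity provider rather than a literal.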

What Cloud Storage is HIPAA Compliant?

Many CSPs offer HIPAA-compliant cloud storage and file-sharing services and are willing to sign BAAs with HIPAA-regulated entities. Sync is one of the current market leaders and is used by many healthcare providers for storing files in the cloud and for private and secure file sharing, including Mount Sinai Hospital, Doctorcare, Equalize Health, and the Canadian Red Cross. The platform allows mission-critical files to be accessed easily by authorized individuals from any computer, mobile device, or the web, no matter where care is provided. Sync signs business associate agreements with HIPAA-regulated entities and supports HIPAA compliance, PIPEDA compliance for Canadian healthcare companies, GDPR compliance for European healthcare providers, and other privacy and security regulations. The platform integrates with Microsoft Office 365, Windows and macOS desktops, and mobile devices, and all data is protected with strong encryption, robust access controls, and state-of-the-art security.

Many cloud service providers offer a variety of plans to meet the needs of individuals and businesses; however, not all plans are covered by business associate agreements. For example, Sync offers a HIPAA-compliant cloud drive and will sign a BAA, but only for the Sync Professional and Teams Plans. HIPAA-regulated entities must sign up for a Professional or Business Plan and obtain a signed BAA before the service is used.

Summary

While there is no mention of HIPAA cloud storage and cloud computing in the HIPAA text, healthcare organizations can engage the services of CSPs and use their platforms to reduce costs, improve productivity, and connect and communicate more easily, provided they use HIPAA-compliant cloud services and obtain a BAA from the CSP. You can find out more about HIPAA cloud storage from the HHS, which recently published guidance for HIPAA-regulated entities on HIPAA compliant data storage in the cloud and the use of other cloud services in connection with ePHI.

The post What is a HIPAA Compliant Cloud Drive? appeared first on HIPAA Journal.

IBM: Average Cost of a Healthcare Data Breach Increases to Almost $11 Million

The 2023 IBM Security Cost of a Data Breach Report shows the average data breach cost has increased to $4.45 million ($165 per record), with data breaches in the United States being the costliest at an average of $9.48 million, up 0.4% from last year. Data breaches are the costliest that they have ever been and have increased by 15% since 2020. The data for this year’s report was collected by the Ponemon Institute and included breach data from 553 organizations in 16 countries with interviews conducted with thousands of individuals. All data breaches studied for the report occurred between March 2022 and March 2023.

For the 13th year in a row, healthcare data breaches were found to be the costliest, with the average cost increasing to $10.93 million, a 53.3% increase over the past 3 years and an 8.22% increase from the $10.10 million average breach cost in 2022. Small organizations with fewer than 500 employees saw average data breach costs increase by 13.35% year-over-year to $3.31 million. There was a 21.4% increase in costs for mid-sized organizations (501-1,000 employees) to an average of $4.06 million and a 20% rise in costs for large organizations (1,001-5,000 employees) to $4.87 million, but a 1.8% decrease in costs for very large organizations (10,001–25,000 employees), which fell to an average of $5.46 million. The total time to identify and contain a breach was unchanged from 2022, as a decrease in detection time was cancelled out by an increase in containment time: in 2023, breaches took an average of 204 days to detect and 73 days to contain, a total of 277 days.

The most common causes of data breaches were phishing attacks and compromised credentials, with phishing the initial access vector in 16% of data breaches and compromised credentials the vector in 15% of breaches. The average cost of a phishing attack was $4.76 million and an attack caused by stolen or compromised credentials cost an average of $4.62 million. The costliest breaches were caused by malicious insiders, with those incidents costing an average of $4.90 million per breach, although these breaches were relatively rare, accounting for 6% of the total. Breaches stemming from stolen or compromised credentials took the longest to identify and contain, taking 328 days compared to the average of 277 days.

Only one-third (33%) of data breaches were detected by the breached entity, with a benign third party such as law enforcement or a security researcher notifying the victim about the breach in 40% of cases, and the attacker notifying the breached entity about the attack in 27% of cases. Breaches where the attacker informed the victim cost around $1 million more than breaches that were detected by the victim ($5.23 million vs. $4.3 million). Data breaches that were disclosed by an attacker also had a much longer lifecycle (detection to containment), taking 320 days – 79 days longer than breaches that were identified by the victim.

Data breaches often span multiple environments, such as on-premises systems as well as public and private clouds. IBM Security found attackers were able to breach multiple environments undetected, and when multiple environments were breached the costs soared. Multi-environment breaches cost an average of $750,000 more than data breaches in single environments and took 15 days longer to contain. Malicious attacks often rendered systems inoperable, with destructive attacks accounting for 25% of all malicious attacks and ransomware accounting for 24% of attacks. Destructive attacks cost an average of $5.24 million and ransomware attacks cost an average of $5.13 million. 47% of ransomware victims chose to pay the ransom.

IBM Security was able to dispel a common myth: that involving law enforcement in a ransomware attack increases the complexity and recovery time. The reverse was found to be true. Ransomware attacks with law enforcement involvement took an average of 33 days less to contain than those without, and law enforcement involvement also shaved an average of $470,000 off the breach cost. Even though it speeds up recovery and significantly reduces breach costs, 37% of ransomware victims did not seek help from law enforcement to contain a breach.

Law enforcement recommends not paying the ransom, as there is no guarantee of a faster recovery and payment of a ransom encourages further attacks. IBM Security found that paying the ransom only resulted in minimal savings – a cost difference of $110,000 or 2.2%, and that figure does not include the ransom amount. Taking the ransom payment into consideration, many organizations ended up paying more than they would likely have spent had they chosen not to pay the ransom.

The biggest cost mitigators were the adoption of a DevSecOps approach (integrating security into the software development cycle), which saved almost $250,000 on average, employee training (-$233,000), incident response planning and testing (-$232,000), and AI and machine learning insights (-$225,000). AI and automation shaved an average of 108 days from identification and containment, and attack surface management (ASM) solutions shaved an average of 83 days off the response time. The biggest cost amplifiers were security system complexity (+$241,000), security skills shortages (+$239,000), and non-compliance with regulations (+$219,000).

The report revealed that 95% of organizations had suffered more than one breach and that the costs of these breaches were passed on to consumers by 57% of organizations, with only 51% of organizations increasing security investments following a data breach.

The post IBM: Average Cost of a Healthcare Data Breach Increases to Almost $11 Million appeared first on HIPAA Journal.

OCR/FTC Warn Hospitals & Telehealth Companies About Tracking Technologies

The Department of Health and Human Services’ Office for Civil Rights (OCR) and the Federal Trade Commission (FTC) have written to 130 hospitals and telehealth providers warning them about the risks of using tracking technologies such as pixels on their websites and web apps which may disclose sensitive health information to third parties in violation of the HIPAA Rules and the FTC Act.

A study published in Health Affairs suggests 98.6% of US nonfederal acute care hospitals have used tracking technologies on their websites, and a 2022 analysis by The Markup found one-third of the top 100 hospitals in the United States were using tracking technologies on their websites that could collect individually identifiable information, including information about health conditions. Following these discoveries, several hospitals and health systems reported breaches of protected health information, some of which involved impermissible disclosures of millions of patient records.

A later study by The Markup found that the technologies were also widely used by telehealth companies. Even companies that are not required to comply with the HIPAA Rules have an obligation to protect personal health information against impermissible disclosure. The FTC has already taken action against entities that are not covered by HIPAA, such as GoodRx, BetterHelp, and Premom, over the use of these tracking technologies for alleged violations of the FTC Act and Health Breach Notification Rule.

In December 2022, OCR issued guidance to HIPAA-regulated entities on HIPAA and tracking technologies. While these tools can provide valuable insights for improving the services provided to patients, these technologies can collect and transmit information protected by HIPAA. Further, these technologies also permit the tracking of users even after they navigate away from the website or mobile app where the tracking technology is used. Any information transmitted to a third party may then be used for a purpose not permitted under the HIPAA Rules, and the collected information may be further disclosed to other third parties.

“When consumers visit a hospital’s website or seek telehealth services, they should not have to worry that their most private and sensitive health information may be disclosed to advertisers and other unnamed, hidden third parties,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “The FTC is again serving notice that companies need to exercise extreme caution when using online tracking technologies and that we will continue doing everything in our powers to protect consumers’ health information from potential misuse and exploitation.”

“Although online tracking technologies can be used for beneficial purposes, patients and others should not have to sacrifice the privacy of their health information when using a hospital’s website,” said Melanie Fontes Rainer, OCR Director. “OCR continues to be concerned about impermissible disclosures of health information to third parties and will use all of its resources to address this issue.”

The letters were jointly sent by OCR and the FTC to 130 entities cautioning them about tracking technologies on websites and mobile apps that can potentially disclose sensitive health data. The organizations that were sent the letters are believed to have used or are using tracking technologies such as Pixel from Meta/Facebook and Google Analytics code to collect and analyze user interactions on websites and web apps. The letters do not mean that an organization has been found to have violated HIPAA or the FTC Act, nor does the failure to receive a letter mean that an organization is in the clear. All organizations that collect personal health information should review their websites and web apps to identify any tracking technologies and ensure they are fully compliant with all relevant laws. If tracking technologies are discovered to have been used on websites or apps that impermissibly disclosed personal health information or protected health information to third parties, then the breaches should be reported in accordance with the HIPAA Breach Notification Rule and FTC Health Breach Notification Rule.
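The review of websites and web apps that the paragraph above calls for starts with an inventory of what third-party code a page actually loads. The following is an added example, not tooling from HIPAA Journal, OCR or the FTC. It parses a page's HTML and reports external scripts, images and iframes whose host matches the well-known loader and beacon hosts for Meta Pixel and Google Analytics/Tag Manager, inline scripts that call those trackers' JavaScript entry points, and any other third-party host that should be examined by hand. The sample page, its hostname and the placeholder IDs are constructed for the illustration.

```python
"""Inventory tracking technologies embedded in a web page's HTML.

Added example, not tooling from HIPAA Journal, OCR or the FTC. The host
table holds well-known Meta Pixel and Google Analytics/Tag Manager
endpoints; the sample page, its hostname and the IDs are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Loader/beacon hosts of the trackers named in the OCR/FTC letters.
KNOWN_TRACKER_HOSTS = {
    "connect.facebook.net": "Meta Pixel",
    "www.facebook.com": "Meta Pixel",  # the /tr image beacon
    "www.google-analytics.com": "Google Analytics",
    "www.googletagmanager.com": "Google Tag Manager / gtag.js",
}
# JavaScript entry points that the trackers' inline snippets define or call.
INLINE_MARKERS = {
    r"\bfbq\(": "Meta Pixel",
    r"\bgtag\(": "Google Analytics (gtag.js)",
    r"\bga\(": "Google Analytics (analytics.js)",
}


class TrackerScanner(HTMLParser):
    """Collects findings for external resources and inline script bodies."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host
        self.findings = []
        self._in_script = False
        self._script_chunks = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            self._in_script = True
            self._script_chunks = []
        if tag in ("script", "img", "iframe") and attrs.get("src"):
            self._check_url(tag, attrs["src"])

    def handle_data(self, data):
        if self._in_script:  # HTMLParser hands script bodies to handle_data
            self._script_chunks.append(data)

    def handle_endtag(self, tag):
        if tag != "script":
            return
        self._in_script = False
        code = "".join(self._script_chunks)
        for host, name in KNOWN_TRACKER_HOSTS.items():
            if host in code:  # loader URL embedded in the snippet
                self._add("inline-script", name, host)
        for pattern, name in INLINE_MARKERS.items():
            if re.search(pattern, code):
                self._add("inline-script", name, pattern)

    def _check_url(self, tag, url):
        host = urlparse(url).hostname
        if host is None or host == self.site_host:
            return  # relative or first-party resource
        name = KNOWN_TRACKER_HOSTS.get(host)
        if name:
            self._add(f"external-{tag}", name, host)
        else:
            self._add("unrecognized-third-party", None, host)

    def _add(self, kind, tracker, evidence):
        finding = {"kind": kind, "tracker": tracker, "evidence": evidence}
        if finding not in self.findings:
            self.findings.append(finding)


def scan_html(html, site_host):
    """Return a list of finding dicts for the page served from site_host."""
    scanner = TrackerScanner(site_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def trackers_found(html, site_host):
    """Sorted names of recognized trackers present in the page."""
    return sorted({f["tracker"] for f in scan_html(html, site_host) if f["tracker"]})


# Constructed sample page (hostname and IDs are placeholders).
SAMPLE_HTML = """<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('js', new Date());
</script>
<script>
  // Loader snippet omitted; it fetches the script at the URL below.
  var loader = 'https://connect.facebook.net/en_US/fbevents.js';
  fbq('init', 'PIXEL_ID_PLACEHOLDER');
  fbq('track', 'PageView');
</script>
</head><body>
<noscript><img height="1" width="1" src="https://www.facebook.com/tr?id=PIXEL_ID_PLACEHOLDER&ev=PageView&noscript=1"/></noscript>
<script src="https://cdn.example-hospital.test/app.js"></script>
<a href="/patient-portal/login">Sign in</a>
</body></html>"""

if __name__ == "__main__":
    for f in scan_html(SAMPLE_HTML, site_host="www.example-hospital.test"):
        print(f["kind"], f["tracker"], f["evidence"])
```

A static scan like this only sees what is in the served HTML; tags injected later by a tag manager, or requests made by an app's native SDKs, need a browser's network log or a proxy capture to inventory. Every "unrecognized-third-party" host is a prompt to ask what data that resource receives and whether a BAA or authorization covers it, which is the question the letters ask organizations to answer.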

“Both agencies are closely watching developments in this area,” explained the FTC and OCR in the letters. “To the extent you are using the tracking technologies described in this letter on your website or app, we strongly encourage you to review the laws cited in this letter and take actions to protect the privacy and security of individuals’ health information.”

The post OCR/FTC Warn Hospitals & Telehealth Companies About Tracking Technologies appeared first on HIPAA Journal.