Healthcare Data Privacy

Patient Privacy and Security Are Greatest Healthcare Concerns for Consumers

A recent survey conducted by the health insurer Aetna explored consumers’ attitudes to healthcare, their relationships with their providers, and what they view as the most important aspects of healthcare.

The Health Ambitions Study was conducted on 1,000 consumers aged 18 and above, with a corresponding survey conducted on 400 physicians – 200 primary care doctors and 200 specialists.

The consumer survey showed consumers are paying attention to their healthcare. A majority pay attention to holistic health and seek resources that support better health and wellbeing. 60% of respondents to the survey said that if they were given an extra hour each day they would spend it doing activities that improved their health or mental health. 67% of women and 44% of men would devote the hour to these activities.

Fewer women than men believed their physicians understood their health needs: 65% of women and 80% of men said their doctor is familiar with their health goals. Women find it harder than men to talk to their physicians about their lifestyle habits (70% vs 81%), and women were much less likely than men to take their doctor’s advice. Only 50% of women said they would be very likely to take their doctor’s advice, compared with 81% of men.

“Women are often the primary caregiver for their families,” said Aetna President Karen Lynch. “So, when it comes to health and lifestyle goals, women need more support to feel confident in their health decisions for themselves and others.”

Among the main areas where improvement is needed are reducing stress, a major goal for 45% of women and 28% of men, and getting help with mental health issues; improving mental health was a major goal for 36% of respondents.

70% of patients said they wanted their physicians to speak to them in language that they can easily understand, 66% want to be able to get face to face appointments when they need them, and 66% want access to other healthcare professionals to help coordinate their care.

Offering digital health services is important for patients, especially the younger generation. 35% of respondents under the age of 35 said digital messaging would be valuable and 36% said they would like the option of having virtual office visits. The same percentage said telehealth would be useful. Digital messaging would also be valuable to older patients, with 32% of over 65s saying the service would be useful. Only 17% of patients in that age range thought they would benefit from virtual office visits and just 14% would benefit from telehealth.

Consumers were asked about their biggest concerns about healthcare, and while rising health care costs are an issue, the cost of healthcare was not the biggest concern for consumers. Patient privacy and data security were more important to consumers than the cost of healthcare.

80% rated patient privacy as very important, 76% of consumers rated data security as very important, and 73% rated the cost of health care as very important. Patient privacy was more important to women (84%) than men (71%). Women were also more concerned than men about data security (80%/66%). Getting personalized care was rated as very important by 71% of respondents, and coordination among healthcare providers was very important for 68% of patients.

The physician survey revealed that only half of physicians felt mental health counselors were important for patients; substance abuse counselors were seen as important by only 41% of physicians, 37% said nutritionists were important, 35% said social workers were important, and only 32% said in-home aides and liaisons are important.

Access to these healthcare professionals was better for providers involved in value-based care models. For example, 61% of physicians in value-based care models had good or very good access to nutritionists compared to 46% of physicians who were not in value-based care models.

The post Patient Privacy and Security Are Greatest Healthcare Concerns for Consumers appeared first on HIPAA Journal.

Coding Error by EHR Vendor Results in Impermissible Sharing of 150,000 Patients’ Health Data

The UK’s National Health Service (NHS) has announced that approximately 150,000 patients who had opted out of having their health data shared for the purposes of clinical research and planning have had their data shared against their wishes.

In the UK, there are two types of opt-out patients can choose if they do not want their confidential health data shared. A Type 1 opt-out stops the health data held in a patient’s general practitioner (GP) medical record from being used for anything other than their individual care. A Type 2 opt-out prevents health data from being shared by NHS Digital for purposes other than providing individual care.

150,000 patients who had registered a Type 2 opt-out have had their data shared. The impermissible sharing occurred as a result of an error by one of the NHS’s EHR vendors, TPP, which provides the SystmOne EHR system used in many GP practices throughout the UK.

A coding error in the system meant that these Type 2 requests were not passed on to NHS Digital, and as a result, NHS Digital was unaware that opt-outs had been registered. Patients affected had opted out after March 31, 2015.

Action has now been taken to correct the error and all patients affected have been notified. NHS Digital has also contacted all organizations with whom the data were shared and they have been instructed to permanently delete the data received since the opt-outs were registered.

The NHS had implemented changes prior to the discovery of this breach that will prevent such an incident from occurring in the future. Type 2 opt-outs have now been replaced with a national opt-out system, in which patients control their data sharing preferences via a secure website, by phone, or by submitting a written request. This system ensures that NHS Digital receives the requests directly, rather than, as under the previous system, having them recorded via GP practices on third-party systems.

While the issue has now been corrected and similar privacy breaches should be prevented, the duration of the breach is of particular concern: opt-outs registered as far back as 2015 were never passed on, which suggests the appropriate processes were not in place to continuously monitor the EHR system for errors.
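The monitoring gap described above can be closed with a routine reconciliation between the opt-outs recorded at the source system and those the central registry actually holds, followed by a check of which releases happened after an unpropagated opt-out. The Python below is an added example, not code from NHS Digital or TPP; the record layouts, patient identifiers, dates and recipient names are all constructed for illustration.

```python
from datetime import date

# Constructed sample data (not real NHS records).
# Opt-outs as registered at the GP practice on the source EHR system:
# patient_id -> date the opt-out was recorded.
GP_OPT_OUTS = {
    "P001": date(2015, 4, 10),
    "P002": date(2016, 2, 1),
    "P003": date(2017, 9, 30),
}

# Constructed: opt-outs that actually arrived at the central registry.
# P002 and P003 are missing, which is the failure mode the article describes.
CENTRAL_OPT_OUTS = {
    "P001": date(2015, 4, 10),
}

# Constructed: data releases made centrally as (patient_id, share_date, recipient).
SHARES = [
    ("P001", date(2015, 3, 1), "research-org-a"),   # before opt-out: permitted
    ("P002", date(2016, 6, 15), "research-org-a"),  # after an opt-out that never arrived
    ("P002", date(2017, 1, 20), "planning-body-b"),
    ("P003", date(2017, 3, 3), "research-org-a"),   # before opt-out: permitted
    ("P003", date(2018, 1, 9), "research-org-a"),   # after an opt-out that never arrived
    ("P004", date(2018, 2, 2), "research-org-a"),   # no opt-out registered: permitted
]


def missing_opt_outs(source, central):
    """Opt-outs present at the source but absent, or dated differently, at the registry.

    This is the check that would have detected the propagation error on its
    first run rather than years later.
    """
    return {pid: d for pid, d in source.items() if central.get(pid) != d}


def improper_shares(source, shares):
    """Shares made on or after the patient's source-registered opt-out date."""
    return [
        (pid, when, to)
        for pid, when, to in shares
        if pid in source and when >= source[pid]
    ]


def deletion_notices(bad_shares):
    """Recipients to instruct to delete, with the earliest affected share date each."""
    notices = {}
    for _pid, when, to in bad_shares:
        notices[to] = min(notices.get(to, when), when)
    return notices


def reconcile(source, central, shares):
    """Run the full reconciliation and return a summary dict."""
    missing = missing_opt_outs(source, central)
    # Only shares affected by opt-outs the registry did not know about matter here.
    affected = improper_shares(missing, shares)
    return {
        "missing_opt_outs": missing,
        "improper_shares": affected,
        "deletion_notices": deletion_notices(affected),
    }


if __name__ == "__main__":
    for key, value in reconcile(GP_OPT_OUTS, CENTRAL_OPT_OUTS, SHARES).items():
        print(key, value)
```

Run daily against the two record sets, a non-empty `missing_opt_outs` result is the alert; the other two outputs give the remediation list the article describes (contacting recipients and instructing deletion of everything received since the opt-out was registered).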

Healthcare organizations in the U.S. should take note of the breach and take steps to ensure similar privacy breaches cannot occur at their own organization. It is important to ensure that current and future vendors have appropriate systems in place to monitor for errors and security flaws and that they meet all appropriate standards.

While EHR vendors, as business associates, can be fined directly for errors and mistakes that lead to the exposure of PHI, healthcare providers can similarly be fined if they have failed to obtain assurances that HIPAA Rules will be followed by their vendors, and breaches can also cause significant damage to reputation.

HIMSS Warns of Exploitation of API Vulnerabilities and USB-Based Cyberattacks

HIMSS has released its June Healthcare and Cross-Sector Cybersecurity Report, in which healthcare organizations are warned about the risk of exploitation of vulnerabilities in application programming interfaces (APIs), man-in-the-middle attacks, cookie tampering, and distributed denial of service (DDoS) attacks. Healthcare organizations have also been advised to be alert to the possibility of USB devices being used to gain access to isolated networks, and to the increased use of Unicode characters to create fraudulent domains for use in phishing attacks.

API Attacks Could Be the Next Big Attack Vector

Perimeter defenses are improving, making it harder for cybercriminals to gain access to healthcare networks. However, alternative avenues are being explored by hackers looking for an easier route to sensitive data. Vulnerabilities in APIs could be a weak point, and several cybersecurity experts believe APIs could well prove to be the next major cyber-attack vector.

API usage in application development has become the norm; after all, it is easier to use a third-party solution than to develop a solution from scratch. APIs allow healthcare organizations to integrate third-party services. A study by One-Poll suggests that, on average, businesses are managing 363 different APIs, and two thirds of organizations expose their APIs to the public or to partners. As with any software solution, if vulnerabilities exist, it is only a matter of time before they are exploited.

Torsten George at Security Week has explained several ways that APIs can be exploited to gain access to sensitive data.

Unicode Characters Used in Convincing Impersonation Attacks

The ability to include Unicode characters in domain names is allowing cybercriminals to easily create highly convincing domains using homographs. These domains can be virtually indistinguishable from the genuine domain to the casual eye, making them ideal for use in phishing attacks. Examples include the use of the Cyrillic small letter a in place of a standard a, or the use of the Latin small letter iota or the Latin small letter dotless i in place of an i. Farsight Security has released a useful report on the matter, its Global Internationalized Domain Name Homograph Report.
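As an added example (not code from the article, HIMSS or Farsight Security), the Python below implements the two checks a defender would run on a domain found in an inbound link: does any label mix scripts, and does the label contain a known confusable character whose ASCII "skeleton" matches a trusted domain? The confusables table is a small constructed one covering only the three characters named above; the trusted-domain list and the domains checked are likewise constructed.

```python
import unicodedata

# Constructed confusables table: each entry maps a character to the ASCII
# letter it imitates. Covers only the three examples in the article; a
# production check would load the full Unicode confusables data.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0269": "i",  # LATIN SMALL LETTER IOTA
    "\u0131": "i",  # LATIN SMALL LETTER DOTLESS I
}

# Digits and hyphens are valid in any label and belong to no script.
NEUTRAL = set("0123456789-")


def script_of(ch):
    """Coarse script of a character: the first word of its Unicode name (LATIN, CYRILLIC, ...)."""
    try:
        return unicodedata.name(ch).split()[0]
    except ValueError:
        return "UNKNOWN"


def label_scripts(label):
    """Set of scripts used by one DNS label, ignoring digits and hyphens."""
    return {script_of(ch) for ch in label if ch not in NEUTRAL}


def skeleton(domain):
    """Comparison key: every known confusable replaced by its ASCII look-alike."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in domain.lower())


def to_punycode(domain):
    """The xn-- form a resolver would actually query; None if the name is not encodable."""
    try:
        return domain.encode("idna").decode("ascii")
    except UnicodeError:
        return None


def check_domain(domain, trusted):
    """Return a list of findings for one domain against a set of trusted ASCII domains."""
    findings = []
    for label in domain.lower().split("."):
        scripts = label_scripts(label)
        if len(scripts) > 1:
            findings.append("mixed-script label %r: %s" % (label, sorted(scripts)))
        if any(ch in CONFUSABLES for ch in label):
            findings.append("confusable character in label %r" % label)
    key = skeleton(domain)
    if key in trusted and domain.lower() != key:
        findings.append("look-alike of trusted domain %r" % key)
    return findings


if __name__ == "__main__":
    # Constructed trusted list and test names; the non-ASCII ones are look-alikes.
    trusted = {"examplehealth.org", "cityclinic.org"}
    for name in ["examplehealth.org", "ex\u0430mplehealth.org", "c\u0131tyclinic.org"]:
        print(to_punycode(name), check_domain(name, trusted))
```

The two checks are deliberately separate: a Cyrillic a inside a Latin label trips the mixed-script test, but a Latin dotless i in a Latin label does not, because both characters belong to the same script. Only the skeleton comparison against a trusted list catches that case, which is why mail and web filters need both.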

New USB-Based Attack Method Identified

A new attack method has been detailed by Eleven Paths on the exploitation of hidden networks created via USB devices. This attack method could allow access to be gained to isolated computers not connected to the Internet. Simply disconnecting a computer from WiFi, or not connecting the device to a network via an Ethernet cable, may not be sufficient to prevent a malicious actor from gaining access to the device and sensitive data, as was demonstrated by the infection of an isolated computer with Stuxnet malware at a nuclear power plant.

AHA Voices Concern About CMS’ Hospital Inpatient Prospective Payment System Proposed Rule

The American Hospital Association (AHA) has voiced the concerns of its members about the HHS’ Centers for Medicare and Medicaid Services’ hospital inpatient prospective payment system proposed rule for fiscal year 2019, including the requirement to allow any health app of a patient’s choosing to connect to healthcare providers’ APIs.

Consumer Education Program Required to Explain that HIPAA Doesn’t Apply to Health Apps

Mobile health apps can collect and store a considerable amount of personal and health information – in many cases, the same information that would be classed as Protected Health Information (PHI) under Health Insurance Portability and Accountability Act (HIPAA) Rules.

However, HIPAA does not usually apply to health app developers and therefore the health data collected, stored, and transmitted by those apps may not be protected to the level demanded by HIPAA. When consumers enter information into the apps, they may not be aware that the safeguards in place to protect their privacy may not be as stringent as those implemented by their healthcare providers.

There is even greater cause for concern when PHI flows from a healthcare provider to a health app. Consumers may not be aware that their PHI ceases to be PHI when it is transferred to the app and that app developers would not be bound by HIPAA Privacy Rule requirements that prohibit the sharing of health data with third parties.

“Most individuals will not be aware of this change and may be surprised when commercial app companies share their sensitive health information obtained from a hospital, such as diagnoses, medications or test results, in ways that are not allowed by HIPAA,” explained AHA in its comments.

AHA suggests the CMS work closely with the Office for Civil Rights and the Federal Trade Commission to develop a consumer education program to communicate this to consumers.

AHA suggests that the education program should explain to consumers the distinction between PHI and health data in health apps, that app developers may choose to share health data with third parties, and that it is important for consumers to carefully review the privacy policies and terms and conditions of the apps to find out what is likely to happen to their data and with whom the information is likely to be shared.

A Secure App Ecosystem Must Be Developed

Health apps can allow patients to engage with their healthcare providers and encourage them to take greater interest in their own health care. AHA notes that “America’s hospitals and health systems are committed to moving forward with new forms of sharing health information with individuals.”

The CMS has proposed that healthcare providers should allow any application of a patient’s choice to connect with their APIs, provided they meet the technical specifications of the API. While sharing healthcare information in this manner will help to engage patients in their own health, there are security issues to consider. “We believe that CMS must balance the pace for moving in this positive direction with the real and developing risks that this approach raises for systems security and the confidentiality of health information,” wrote AHA.

To improve confidence in the security of provider-to-patient exchange, AHA suggests stakeholders should work together to develop a secure app ecosystem for the sharing of health data. Standards should be developed to ensure a baseline of security, similar to the Payment Card Industry Data Security Standard (PCI DSS), and there should be a vetting process for apps, similar to the one the CMS uses before apps can connect to Medicare claims data via the Blue Button 2.0 API.

In the case of PCI DSS, safeguards must be incorporated to ensure the security of payment card data. In the case of the Blue Button 2.0 system, an app evaluation process exists to assess apps before they are permitted to connect, and developers must also agree to the terms and conditions of the CMS. An app cannot connect merely because it meets the technical specifications of the API.

The AHA suggests the protections put in place by the CMS could serve as a basis for a sector-wide approach to developing a trusted app ecosystem.

Concern has also been raised that healthcare organizations which deny an app a connection to their API on security grounds could be regarded as engaging in information blocking, placing them at risk of a meaningful use payment penalty. AHA suggests, “To ensure that reasonable actions to secure systems are not considered noncompliant, we recommend that CMS work with ONC and OIG to ensure that these protective measures are included in the forthcoming guidance on actions that do not constitute information blocking.” Further, AHA recommends that “CMS work with ONC and FTC to develop a place for hospital and health systems to report suspect apps so that others can be aware and take needed steps.”

Healthcare Worker Charged with Criminally Violating HIPAA Rules

A former University of Pittsburgh Medical Center patient information coordinator has been indicted by a federal grand jury over criminal violations of HIPAA Rules, according to an announcement by the Department of Justice on June 29, 2018.

Linda Sue Kalina, 61, of Butler, Pennsylvania, has been charged in a six-count indictment that includes wrongfully obtaining and disclosing the protected health information of 111 patients.

Kalina worked at the University of Pittsburgh Medical Center and the Allegheny Health Network between March 30, 2016 and August 14, 2017. While employed at the healthcare organizations, Kalina is alleged to have accessed the protected health information (PHI) of those patients without authorization or any legitimate work reason for doing so.

Additionally, Kalina is alleged to have stolen PHI and, on four separate occasions between December 30, 2016, and August 11, 2017, disclosed that information to three individuals with intent to cause malicious harm.

Kalina was arrested following an investigation by the Federal Bureau of Investigation. The case was taken up by the Department of Justice and she is being prosecuted by Assistant United States Attorney, Carolyn Bloch, on behalf of the federal government.

If found guilty on all counts, Kalina faces up to 11 years in jail and could be ordered to pay a fine of up to $350,000. The sentence will be dictated by the seriousness of the offenses and any prior criminal history.

The Department of Justice is taking a hard line on individuals who violate HIPAA Rules and impermissibly access and disclose PHI with malicious intent. There have been several other cases in 2018 that have seen former healthcare workers indicted for criminal HIPAA violations, with three cases resulting in imprisonment.

In June 2018, a former employee of the Veteran Affairs Medical Center in Long Beach, CA, Albert Torres, 51, was sentenced to serve 3 years in jail for the theft of protected health information and identity theft. Torres pleaded guilty to the charges after law enforcement officers discovered the records of 1,030 patients in his home.

In April 2018, Annie Vuong, 31, a former receptionist at a New York dental practice, was sentenced to serve 2 to 6 years in jail for stealing the PHI of 650 patients and providing that information to two individuals who used the data to run up huge debts in patients’ names.

In February, Jeffrey Luke, 29, a former behavioral analyst at the Transformations Autism Treatment Center in Bartlett, TN, was sentenced to 30 days in jail and 3 years of supervised release, and was ordered to pay $14,941.36 in restitution, after downloading the PHI of 300 current and former patients onto his personal computer.

California Passes GDPR-Style Data Privacy Law

AB 375, the California Consumer Privacy Act of 2018, has been signed into law. The bill was signed by California governor Jerry Brown on Thursday after the state Senate and Assembly passed the bill unanimously.

California already has some of the strictest privacy laws in the United States. Under existing legislation, companies that experience a breach of personal information must notify affected individuals if their computerized data is exposed or stolen. This law takes privacy protections much further and gives state residents several new GDPR-style privacy rights, including:

  • The right to request information from businesses about the types of personal data that are collected and processed and the source of that information
  • The right to be informed about the purpose for collecting, using, and selling personal data
  • The right to be informed of the categories of third parties with whom the information is shared
  • The right to request a copy of all personal information collected by a business
  • The right to have all personal information deleted on request
  • The right to request that personal information is not sold
  • The right to initiate civil action if there has been a failure to protect an individual’s personal data

The law would also prohibit any business from discriminating against an individual who chooses to exercise the above rights, including charging such an individual more or providing a different quality of goods or services.

The Act also prohibits companies from selling the personal data of individuals between 13 and 16 years of age unless the individual has opted in. Individuals younger than 13 must have consent provided by a parent or legal guardian before personal information can be collected.

Businesses will be required to explain, at or before the collection of personal information, the categories of information that will be collected and the purpose for which that information is collected. Businesses will be prohibited from collecting more information than is stated in their consumer notices. Consumers must also be advised of the right to have their information deleted at the point of consent being obtained.

Businesses must place a clear link on the homepage of their websites titled “Do not Sell My Personal Information” which must direct the user to a webpage where they can opt out of the sale of their personal data.

The Act will not apply to protected health information collected by HIPAA-covered entities. “This act shall not apply to protected or health information that is collected by a covered entity governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56 of Division 1)) or governed by the privacy, security, and breach notification rules issued by the federal Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Availability Act of 1996.”

The California Consumer Privacy Act of 2018 has been criticized as a rushed attempt to prevent a voter initiative that would have appeared on California ballots in November if the bill had not been passed by 5pm on Thursday.

While the bill has been signed into law, the California Consumer Privacy Act of 2018 can be amended before its effective date of January 1, 2020.

The bill has been heavily criticized by the Internet Association, which has stated, “Data regulation policy is complex and impacts every sector of the economy, including the internet industry… That makes the lack of public discussion and process surrounding this far-reaching bill even more concerning.”

The Internet Association released a statement saying, “It is critical going forward that policymakers work to correct the inevitable, negative policy and compliance ramifications this last-minute deal will create for California’s consumers and businesses alike.”

Protected Health Information Sent to Incorrect Fax Recipient Over Several Months

Faxes containing the protected health information (PHI) of a patient have been sent to an incorrect recipient by OhioHealth’s Grant Medical Center over a period of several months – a violation of patient privacy and the Health Insurance Portability and Accountability Act (HIPAA).

The recipient of the faxes, Elizabeth Spilker, tried on numerous occasions to notify Grant Medical Center about the problem and stop the faxes being sent, but her efforts were unsuccessful. She tried faxing back a message on the same number requesting a change to the programmed fax number and tried contacting the medical center by telephone.

Spilker later notified ABC6 about the issue and the story was covered in a June 18 report. In the report, Spilker explained that faxes had been received from Grant Medical Center for more than a year. The messages contained a range of protected health information including name, age, weight, medical history, medications prescribed, and other sensitive health information.

Typically, the faxes were received at the end of the day. Repeated attempts were made to send the information. The only way to stop the calls was to plug in the fax machine and receive the fax message.

ABC6 reporters spoke with Grant Medical Center in Columbus, OH, and alerted staff to the problem. Subsequently, a statement was issued confirming the matter had been looked into and resolved. OhioHealth also confirmed that the faxes had been sent over a 6-month period, and not for a year as Elizabeth Spilker had explained in the ABC6 news report.

“We conducted a thorough review and audit of our fax system logs and found that three faxes were sent to the individual in error due to a transposed fax number in one patient’s medical record,” OhioHealth explained in a statement about the incident. “The fax number has been corrected and we’re reaching out to the patient involved to make him or her aware. Ensuring the privacy of our patients is a top priority at OhioHealth and we apologize for this error.” All faxes received by Ms. Spilker have now been shredded so there is no risk of further disclosures of PHI.

Unencrypted Hospital Pager Messages Intercepted and Viewed by Radio Hobbyist

Many healthcare organizations have now transitioned to secure messaging systems and have retired their outdated pager systems.

Healthcare organizations that have not yet made the switch to secure text messaging platforms should take note of a recent security breach that saw pages from multiple hospitals intercepted by a ‘radio hobbyist’ in Missouri.

Intercepting pages using software defined radio (SDR) is nothing new. There are various websites that explain how SDR can be used and what it is capable of, including the interception of private communications, and the risk of PHI being obtained by hackers using this tactic has been well documented. All that is required is some easily obtained hardware that can be bought for around $30, a computer, and some free software.

In this case, an IT worker from Johnson County, MO purchased an antenna and connected it to his laptop in order to pick up TV channels. However, he discovered he could pick up much more. By accident, he intercepted pages sent by physicians at several hospitals. The man told the Kansas City Star he intercepted pages containing highly sensitive information including the page below:

“RQSTD RTM: (patient’s name) 19 M Origin Unit: EDOF Admitting: (doctor’s name) Level of Care: 1st Avail Medical Diagnosis: TONSILAR BLEED, ANEMIA, THROMBOCYTOPENIA”

It was not necessary to be in close vicinity of a hospital to intercept the pages and view PHI. Pages were picked up from hospitals and medical centers in Blue Springs, MO; Harrisonville, MO; Liberty, MO; Kansas City, KS; Wichita, KS; and even hospitals further away in Kentucky and Michigan.

Reporters from the Kansas City Star made contact with several of the patients whose information was exposed to confirm the information was correct. Understandably, the patients were shocked to find out that their sensitive information had been obtained by unauthorized individuals, as were the hospitals.

While not all hospitals responded, some of those that did said they are working with their vendors to correct the problem to ensure that pages cannot be intercepted in the future.

Intercepting pages is illegal under the Electronic Communications Privacy Act; hacking healthcare networks and conducting phishing campaigns to obtain protected health information are similarly illegal, yet that does not stop hackers.

HIPAA-covered entities should take note of the recent privacy violations and should consider implementing a secure messaging solution in place of pagers; however, in the meantime they should contact their vendors and explore the options for encrypting pages to prevent ePHI from being intercepted.

District Court Ruling Confirms No Private Cause of Action in HIPAA

Patients who believe HIPAA Rules have been violated can submit a complaint to the Department of Health and Human Services’ Office for Civil Rights, but they do not have the right to take legal action, at least not for the HIPAA violation itself. There is no individual private cause of action under HIPAA.

Several patients have filed lawsuits over alleged HIPAA violations, although the cases have not proved successful. A recent case has confirmed once again that there is no private cause of action in HIPAA, and lawsuits filed solely on the basis of a HIPAA violation are extremely unlikely to succeed.

Ms. Hope Lee-Thomas filed the lawsuit for an alleged HIPAA violation that occurred at Providence Hospital in Washington D.C., where she received treatment from LabCorp. Ms. Lee-Thomas, who represented herself in the action, claims that while at the hospital on June 15, 2017, a LabCorp employee instructed her to enter her protected health information at a computer intake station.

Ms. Lee-Thomas told the LabCorp employee that the information was in full view of another person at a different computer intake station and took a photograph of the two computer intake stations.

On July 3, 2017, Ms. Lee-Thomas submitted a complaint with the hospital alleging a violation of HIPAA and filed a complaint with the HHS’ Office for Civil Rights. Later, a complaint was filed with the District of Columbia Office of Human Rights (OHR) claiming the hospital had failed to make appropriate accommodations for patients to preserve their privacy.

On November 15, 2017, the HHS informed Ms. Lee-Thomas that her claim would not be pursued and OHR similarly dismissed her complaint on November 28, 2017, in both cases on the grounds that she failed to state a claim. OHR suggested Ms. Lee-Thomas had the right to bring a private action before the D.C. Superior Court and she proceeded to do so.

LabCorp removed the case to the U.S. District Court for the District of Columbia and filed a motion to dismiss, again for failure to state a claim. Ms. Lee-Thomas did not respond to the motion to dismiss.

In a June 15 ruling, District Court Judge Rudolph Contreras confirmed that HIPAA does permit financial penalties to be issued when patients’ privacy is violated in breach of HIPAA Rules, but civil and criminal penalties are pursued by the Department of Health and Human Services’ Office for Civil Rights and state attorneys general. In his ruling, Judge Contreras confirmed there is no private cause of action in HIPAA.

Even if there were a private cause of action, it is unlikely that this case would have succeeded, as no harm appears to have been caused as a result of the alleged HIPAA violation.

While lawsuits are likely to be dismissed when based on HIPAA violations alone, that does not mean legal action cannot be taken by patients whose privacy has been violated. There is no private cause of action in HIPAA, but the privacy of personal information is covered by state laws.

Laws have been passed in all 50 states that require notifications to be issued to consumers when their personal information has been exposed, and several states also require companies to implement ‘reasonable safeguards’ to ensure personal data of state residents are protected.

A HIPAA violation can be reported to OCR to investigate, and action may be taken against the covered entity in question by OCR, but if the sole basis of any legal action is a violation of HIPAA Rules, the case is unlikely to be successful.

Victims of privacy violations who wish to take legal action should look at potential violations of state laws rather than HIPAA violations.
