Healthcare Data Privacy

HIMSS Survey Reveals Top Healthcare Security Threats

Posted by HIPAA Journal

HIMSS has published the results of its annual healthcare cybersecurity survey, which provides insights into the state of cybersecurity in healthcare and identified the top healthcare security threats.

The HIMSS 2018 cybersecurity survey was conducted on 239 respondents from the healthcare industry between December 2017 and January 2018. The results of the survey were announced at the HIMSS 2018 Conference & Exhibition in Las Vegas.

36.8% of respondents had positions in executive management and 37.2% were employed in non-executive management positions. The remaining 25.9% were in non-management positions such as cybersecurity specialists and analysts. 41.2% of respondents were primarily responsible for cybersecurity, 32.6% had some responsibility, and 11.8% sometimes had responsibility for cybersecurity.

Most Healthcare Organizations Have Experienced a Significant Security Incident in the Past 12 Months

The threat of healthcare cyberattacks is greater than ever and the past 12 months has been a torrid year. In the past 12 months, 75.7% of respondents said they had experienced a recent significant security incident. 96% of those respondents were able to characterize the threat actor responsible, with the top three being online scam artists such as phishers (37.6%), negligent insiders (20.8%), and hackers (20.1%).

61.4% of respondents said email was the main initial point of compromise. In second place was ‘other’ which included compromised customer networks, web application attacks, guessed passwords, misconfigured software/cloud services, and human error. In joint third – both with 3.2% of responses – was a compromised organizational website and hardware/software pre-loaded with malware.  11.6% said they did not know how the attackers gained access to their networks/data.

In the majority of cases (68.2%), incidents were discovered internally (40.7% by security teams / 27.5% by non-security personnel). 67.7% of breaches were detected within 7 days, with 47.1% detected within 24 hours.

Healthcare Cybersecurity Is Improving

The past 12 months have seen an increase in healthcare security incidents, although the severity of data breaches has reduced year over year. This indicates cybersecurity in healthcare is improving, which was backed up by the HIMSS survey results.

84.3% of respondents said more resources are now being used to address cybersecurity with only 3.3% saying resources have decreased year over year.  60% of respondents said their organization now employs a senior information security leader.

55.8% of respondents said a dedicated or defined amount of the current budget is allocated for cybersecurity. 26.5% of respondents said there was no specific carve out for cybersecurity but money was being spent as needed or could be requested. Only 2.8% said no money is spent on cybersecurity.

HIPAA requires healthcare organizations to conduct regular risk assessments to identify potential threats to the confidentiality, integrity, and availability of protected health information. The survey revealed healthcare organizations are being proactive and are conducting risk assessments and using the results to direct their cybersecurity efforts.

45.5% said they are performing security risk assessments annually, 5.6% were conducting risk assessments every 6 months, 9% performed risk assessments once a month, and 9.6% said they performed risk assessments daily. Alarmingly, 5.1% said they do not perform risk assessments and 4.5% conducted risk assessments less frequently than once a year.

Actions Directed by Risk Assessments

Source: HIMSS

Plenty of Room for Improvement

While cybersecurity is improving, there are still multiple areas where improvements can and should be made and too little is being done to deal with the main healthcare security threats. The recent HIPAA compliance audits and penalties for HIPAA violations have prompted many healthcare organizations to concentrate on HIPAA compliance, which has been a greater priority than security.

HIMSS says compared to other industry sectors, healthcare cybersecurity programs lack maturity and that typically cybersecurity programs have only been running for five or fewer years. HIMSS suggests that even with the healthcare industry being heavily targeted by cybercriminals, “many cybersecurity professionals are still getting used to the idea that there are bad actors out there that are directly or indirectly targeting healthcare organizations.”

The main barriers for remediating and mitigating cyberattacks were a lack of appropriate personnel (52.4%) and a lack of financial resources (46.6%). Other barriers were too many application vulnerabilities (28.6%), too many endpoints (27.5%), too many new and emerging threats (27%) not enough cyber security intelligence (23.3%) and a network infrastructure that was too complex to secure (20.6%).

13.3% said they had no cybersecurity staff and 43.2% said their ratio of cybersecurity staff to IT users was greater than 1:500.

The majority of organizations are spending 6% or less of their IT budgets on cybersecurity, 16.9% of organizations had not adopted a cybersecurity framework, and 37.1% of organizations only conducted penetration tests annually. Even though the threat from within is significant, 24.2% of healthcare organizations did not have an insider threat management program and 27% said they had such a program but it was informal.

Phishing and email attacks are major concerns and are behind the majority of healthcare security breaches and OCR has also made it clear that phishing and security awareness training should be an ongoing process, yet 51.8% of healthcare organizations are still only conducting security awareness training annually. Only 32.9% said they test their employees phishing awareness with phishing simulations.

Top Healthcare Security Threats

There are many healthcare security threats, although some are perceived to pose more of a threat than others. There was little to choose between the three main threats to network and data security. Data breaches and data leakage were ranked as top healthcare security threats by 11.8% of respondents, ransomware was in second place rated as a top cybersecurity threat by 11.3% of respondents, with credential stealing malware in third place on 11%. Malicious insiders were seen as a major threat by 10.1% of respondents and wiper malware was rated as a serious threat by 10% of respodents.

When asked about future cybersecurity priorities the top areas were incident response (11.9%), risk assessment and management (11.9%), business continuity and disaster recovery (11.8%), awareness training programs (11.6%), cloud security (11.2%), website security (10.8%), physical security (10.7%), and information sharing (10.4%).

The full results of the HIMSS 2018 Cybersecurity survey can be viewed here.

The post HIMSS Survey Reveals Top Healthcare Security Threats appeared first on HIPAA Journal.

Why is HIPAA Important to Patients?

Posted by HIPAA Journal

Most Americans have heard of HIPAA and know that the legislation applies to healthcare organizations, but may not understand why HIPAA is important to patients.

The Health Insurance Portability and Accountability Act

The Health Insurance Portability and Accountability Act of 1996 – or HIPAA – is a federal law that applies to healthcare providers, health plans, and healthcare clearinghouses that conduct transactions electronically. HIPAA also applies to vendors – business associates – that perform functions on behalf of HIPAA-covered entities that requires them to have access to protected health information (PHI) or be provided with copies of PHI. (See What is Protected Health Information).

HIPAA was signed into law by Bill Clinton in 1996, although the legislation has had some significant updates over the years, notably the HIPAA Privacy Rule in 2000, the Security Rule in 2003, and the Breach Notification Rule in 2009. (See our HIPAA History page for more information)

Initially HIPAA was intended to improve the health insurance system and simplify the administration of healthcare, but it has since been expanded considerably. Now HIPAA covers patient privacy, uses and disclosures of health data, and data security.

HIPAA was primarily penned to benefit consumers rather than healthcare organizations, yet the legislation itself is long, complicated and is not well understood by many patients and health plan members. This post greatly simplifies HIPAA and explains why HIPAA is important to patients.

Why is HIPAA Important to Patients?

There are four key aspects of HIPAA that make it important for patients: Privacy of health information, security of health data, notification of breaches of medical records, and the right to obtain copies of healthcare data.

Privacy of Health Data

The HIPAA Privacy Rule restricts the individuals who are able to view healthcare data and who healthcare data can be shared with without first obtaining permission from patients. Generally speaking, access to health data is restricted to healthcare employees who need to view health and personal information in order to provide healthcare services and perform any administration duties.

Healthcare organizations can only share PHI with business associates that perform for healthcare operations services on behalf of a covered entity that require access to PHI: Transcription service providers, payment processors, or mailing vendors for example. In such cases, those business associates must agree to keep data secure and the same rules apply for access and disclosures of PHI to other individuals or companies. Any PHI provided must be limited to the minimum necessary amount to perform the specific services the business associate is contracted to perform.

Permission must be obtained from patients before their PHI can be shared with companies for other reasons, including research and marketing.

The Privacy Rule also allows patients to designate which individuals are permitted to obtain their health data on behalf of patients – friends, family, or caregivers for instance.

Security of Health Data

HIPAA requires healthcare organizations to implement safeguards to ensure any health data created, stored, maintained, or transmitted is kept secure at all times. Those controls include administrative measures, physical security for paper records and electronic devices that store health data, and technical controls such as encryption, anti-virus software, and firewalls. Healthcare employees must also be trained how to recognize threats such as phishing emails and other email and web-based threats. These measures ensure that hackers and other cybercriminals cannot gain access to patients’ and plan members’ health information.

Notification of Data Breaches

While HIPAA protects patient privacy by placing restrictions on who can access health data and healthcare organizations are required to implement security controls to keep PHI secure, privacy and security breaches may still likely to occur.

HIPAA requires healthcare organizations and their business associates to issue notifications to patients when health data is compromised or stolen. This allows breach victims to take action to protect their identities and reduce the risk of becoming a victim of fraud. HIPAA requires notifications to be issued within 60 days of a breach being discovered.

Copies of Medical Records

HIPAA gives patients the right to obtain copies of the health information created or held by healthcare organizations. By obtaining copies of heath data patients can take a much more active role in their own healthcare. While in theory, one healthcare provider should be able to send health data to another provider that is also treating the same patient, there are still some issues that prevent all health data from being transferred.

By obtaining copies of health information, patients can easily share that information with any healthcare organizations, including research organizations to help in studies that benefit the population as a whole.

One other important reason for obtaining copies of health data is to check health records for errors. If a mistake is made recording health data, it could have an impact on decisions about the best treatment for patients. It is therefore important for patients to check their medical records for errors and to correct any mistakes.

Not all Healthcare Organizations Are Covered by HIPAA Rules

While the above rights and protections apply to most healthcare providers and health insurers, they do not apply to ALL healthcare organizations, even if those organizations appear to provide similar services to HIPAA covered entities and collect the same types of data.

HIPAA does not apply to health app developers for instance, unless they are contracted to develop apps or provide apps to patients by a HIPAA covered entity. HIPAA does not apply to life insurance companies, workers compensation schemes, employers, schools, many state agencies, law enforcement agencies, the media, and many municipal offices.

Consequently, the protections of HIPAA and the rights afforded by the legislation do not apply to those organizations.

The post Why is HIPAA Important to Patients? appeared first on HIPAA Journal.

Alabama Data Breach Notification Act Passed by State Senate

Posted by HIPAA Journal

The Alabama Data Breach Notification Act (Senate Bill 318) has advanced for consideration by the House of Representatives after being unanimously passed by the Alabama Senate last week.

Alabama is one of two states that has yet to introduce legislation that requires companies to issue notifications to individuals whose personal information is exposed in data breaches. The other state – South Dakota – is also considering introducing similar legislation to protect state residents.

The Alabama Data Breach Notification Act, proposed by Sen. Arthur Orr (R-Decatur), requires companies doing business in the state of Alabama to issue notifications to state residents when their sensitive personal information has been exposed and it is reasonably likely to result in breach victims coming to substantial harm.

Entities that would be required to comply with the Alabama Data Breach Notification Act are persons,

sole proprietorships, partnerships, government entities, corporations, non-profits, trusts, estates, cooperative associations, and other business entities that acquire or use sensitive personally identifying information.

Sensitive personally identifying information is defined as a first name/first initial and last name combined with any of the following data elements, provided they are not truncated, encrypted, or hashed:

  • Social Security number
  • Tax ID number
  • Driver’s license number
  • State identification card number
  • Military identification number
  • Passport number
  • Other unique government identification number
  • Medical information such as health history, treatment or diagnosis or mental/physical condition
  • Health insurance number or unique identifiers used by health insurers for identification of an individual
  • Financial account number (bank account, credit card, or debit card) combined with an expiry date, security code, PIN, password, or other information that would allow a financial transaction to be conducted
  • Username or email address along with a password or security question answer that would allow an account to be accessed

The Alabama Data Breach Notification Act also calls for entities holding the above information to implement and maintain reasonable security measures to protect sensitive personally identifiable information. A risk analysis must be conducted to identity potential security risks and safeguards would need to be adopted reduce those risks to a reasonable level. Measures to protect data should be appropriate for the sensitivity of the data, the amount of data held, the size of the organization, and the cost of safeguards relative to the company’s resources.

If the Alabama Data Breach Notification Act is passed, state residents would have to be notified of data breaches within 45 days of discovery of a breach. Companies that fail to issue the notifications could potentially be fined up to $5,000 per day for any delay in issuing notifications up to a maximum of $500,000 per breach. Lawsuits could be filed by the attorney general’s office on behalf of breach victims, although private actions would not be possible.

Breach notices would be required to include the date or estimated date of the breach, a description of the information exposed, details of the steps that can be taken by breach victims to protect themselves against harm, details of the steps taken by the breached entity to restore security and confidentiality of data, and contact information for further information about the breach. A breach notice would also need to be submitted to the state attorney general’s office if the breach impacts more than 1,000 individuals.

In contrast to data breach notification laws in some US states that exempt HIPAA covered entities that are in compliance with HIPAA laws, the Alabama Data Breach Notification Act would apply to HIPAA covered entities.

The current maximum time frame for HIPAA covered entities is 60 days from the date of discovery of a breach. For Alabama residents at least, that time frame would be reduced by 15 days.

The post Alabama Data Breach Notification Act Passed by State Senate appeared first on HIPAA Journal.

Is a HIPAA Violation Grounds for Termination?

Posted by HIPAA Journal

Is a HIPAA violation grounds for termination? What actions are healthcare organizations likely to take if they discover an employee has violated HIPAA Rules?

Since the introduction of the HIPAA Enforcement Rule, the HHS’ Office for Civil Rights has been able to pursue financial penalties for HIPAA violations. Organizations discovered to have violated HIPAA Rules or failed to have implemented policies and procedures in line with HIPAA Rules can face severe financial penalties. But what about individual employees who accidentally or deliberately violate HIPAA and patient privacy?

Do Most Healthcare Organizations Consider a HIPAA Violation Grounds for Termination?

Not all HIPAA violations are equal, although any violation of HIPAA Rules is a serious matter that warrants investigation and action by healthcare organizations.

When a HIPAA violation is reported – by an employee, colleague or patient – healthcare organizations will investigate the incident and will attempt to determine whether HIPAA laws were violated, and if so, how the violation occurred, the implications for patients whose privacy has been violated, potential legal issues arising from the violation and possible action by regulators. Healthcare organizations will be keen to take action to ensure that similar violations are prevented in the future.

When an employee is discovered to have knowingly or unknowingly violated HIPAA Rules there are likely to be repercussions for the individual concerned.

An unintentional acquisition, access, or use of protected health information by a workforce member in which the acquisition, access, or use was made in good faith and within the scope of authority would not be a reportable breach and may not necessarily result in disciplinary action.

Some healthcare organizations have strict rules on violations of HIPAA Rules and regularly terminate employees for HIPAA violations. Others have a policy of dealing with minor HIPAA violations internally. Depending on the nature of the violation, the incident may warrant disciplinary action against the individual concerned which could see the employee suspended pending an investigation. Termination for a HIPAA violation is a possible outcome.

Ultimately the repercussions for a HIPAA violation will depend on the polices in place at an organization and the severity of the violation. A violation of the Minimum Necessary Information Standard may, depending on the circumstances, be considered a matter for internal disciplinary action and not termination. Viewing the medical records of any patient without authorization is likely to result in termination unless the incident is reported quickly, no harm was caused to the patient, and access was accidental or made in good faith.

Recent Cases Where Healthcare Providers Deemed a HIPAA Violation Grounds for Termination

Criminal Penalties for HIPAA Violations

Termination may not be the worst that can happen when HIPAA Rules are violated by employees. Healthcare employees may be found criminally liable for HIPAA violations and cases can be referred to the Department of Justice for prosecution.

Criminal violations of HIPAA Rules can result in financial penalties and jail time for healthcare employees. A fine of up to $50,000 and one year in jail is possible when PHI is knowingly obtained and impermissibly disclosed. A fine of up to $100,000 and five years in jail is possible for violations involving false pretenses, and a fine of up to $250,000 and up to 10 years in jail is possible when HIPAA Rules have been violated for malicious reasons or for personal gain. A further 2 years can be added onto the sentence for aggravated identity theft.

The post Is a HIPAA Violation Grounds for Termination? appeared first on HIPAA Journal.

Is Google Calendar HIPAA Compliant?

Posted by HIPAA Journal

Is Google Calendar HIPAA compliant? Can the time management and calendar scheduling service be used by healthcare organizations or would use of the service be considered a violation of HIPAA Rules? This post explores whether Google supports HIPAA compliance for the Google Calendar service.  

Google Calendar was launched in 2006 and is part of Google’s G Suite of products and services. Google Calendar could potentially be used for scheduling appointments, which may require protected health information to be added.

Uploading any protected health information to the cloud is not permitted by the HIPAA Privacy Rule unless certain HIPAA requirements have first been satisfied.

A risk analysis must be conducted to assess potential risks to the confidentiality, integrity, and availability of ePHI. Risks must be subjected to a HIPAA-compliant risk management process and reduced to an acceptable level. Access controls must be implemented to ensure that ePHI can only be viewed by authorized individuals, appropriate security controls must be in place to prevent unauthorized disclosures, and an audit trail must be maintained.

Further, healthcare organizations covered by HIPAA Rules are required to enter into a HIPAA-compliant business associate agreement with any vendor before any electronic protected health information is disclosed, even if the service provider says it does not access customer data.

Google has appropriate security controls in place to protect data uploaded to Google Calendar and access and audit controls can be configured, so Google Calendar HIPAA compliance hinges on whether Google is willing to enter into a business associate agreement with HIPAA-covered entities or their business associates.

Google’s Business Associate Agreement

Google is willing to sign a business associate agreement with healthcare organizations for its paid services, but not for any of its free services. The business associate agreement covers the use of G Suite, and includes Google Calendar, Google Drive, the chat messaging feature of Google Hangouts, Hangouts Meet, Google Keep, Google Cloud Search, Google Sites, Jamboard, and Google Vault services.

HIPAA-covered entities must enter into a BAA with Google prior to any of the above services being used with ePHI. Once a signed BAA has been obtained the services can be used, although it is the responsibility of the covered entity to ensure that the services are used in a manner compliant with HIPAA Rules. Google provides a HIPAA-compliant service, but it is still possible for organizations and employees to violate HIPAA Rules using its services.

Is Google Calendar HIPAA Compliant?

So, is Google Calendar HIPAA compliant? Provided a BAA has been obtained, Google Calendar can be considered a HIPAA compliant time management and calendar scheduling service.

The post Is Google Calendar HIPAA Compliant? appeared first on HIPAA Journal.

EmblemHealth Fined $575,000 by NY Attorney General for HIPAA Breach

Posted by HIPAA Journal

A 2016 mailing error by EmblemHealth that saw the Health Insurance Claim Numbers of 81,122 plan members printed on the outside of envelopes has resulted in a $575,000 settlement with the New York Attorney General.

While all mailings include a unique patient identifier on the envelope, in this case the potential for harm was considerable as Health Insurance Claim numbers are formed using the Social Security numbers of plan members.

Announcing the settlement, New York Attorney General Eric T. Schneiderman explained that Health Insurance Portability and Accountability Act (HIPAA) Rules require HIPAA covered entities to implement administrative, physical, and technical safeguards to ensure the confidentiality of patients’ and plan members’ protected health information.

The error that saw Social Security numbers exposed violated HIPAA Rules. EmblemHealth failed to comply with “many standards and procedural specifications” required by HIPAA. Attorney General Schneiderman also said that printing Social Security numbers on the outside of envelopes violated New York General Business Law § 399-ddd(2)(e).

In addition to the $575,000 settlement, EmblemHealth is required to adopt a robust corrective action plan that requires a comprehensive risk analysis to be conducted related to the mailing of policy documents. The results of that risk analysis must be reported to the Attorney General’s office within 180 days. Policies and procedures related to mailings must also be reviewed and updated based on the findings of the risk analysis.

EmblemHealth must catalogue, review, and monitor mailings and ensure that all employees involved in mailings receive appropriate training. They must also be instructed to report any violations of the HIPAA Minimum Necessary Standard to EmblemHealth officials to allow prompt action to be taken manage risks to plan members. EmblemHealth is also required to report all security incidents to the Attorney General’s office for a period of 3 years from the date of the settlement.

According to Attorney General Schneiderman, New York has “weak and outdated security laws” which he has attempted to address by introducing the ‘Stop Hacks and Improve Electronic Data Security (SHIELD) Act’ in November 2017. There will now be a further push to get the SHIELD Act passed. Schneiderman claims the SHIELD Act will improve protections for state residents. Businesses will also be held accountable for data breaches that result in customers’ personal data being exposed.

“The careless handling of social security numbers is never acceptable,” said Attorney General Schneiderman. “New Yorkers need to be able to trust that companies entrusted with their private information will guard it appropriately. This starts with good governance—which is why my office will continue to push for stronger security laws and hold businesses accountable for protecting their customers’ personal data.”

The post EmblemHealth Fined $575,000 by NY Attorney General for HIPAA Breach appeared first on HIPAA Journal.

What is HIPAA Certification?

Posted by HIPAA Journal

A frequently asked question in the healthcare industry is what is HIPAA certification; for although there is no standard or implementation specification within HIPAA that requires Covered Entities or Business Associate to certify compliance, several third-party organizations offer HIPAA certification services.

What is HIPAA Certification?

Although there is no official HHS-mandated HIPAA certification process or accreditation, it would be beneficial if there was. A HIPAA compliance certification could demonstrate that a Covered Entity or Business Associate understands and complies with HIPPA regulations – thus, for example, saving Covered Entities a considerable amount of time conducting due diligence on prospective vendors.

Nonetheless, despite there being no requirement for HIPAA certification, some companies claim to be certified as HIPAA compliant. What this means is they have passed a third-party organization´s HIPAA compliance program and implemented mechanisms to maintain compliance. In the absence of a program endorsed by the Department of Health and Human Services (HHS), this is the next best thing.

Why there is No HHS-Endorsed HIPAA Certification

The Department of Health and Human Services does not endorse any type of HIPAA certification because HIPAA compliance is an on-going progress. A HIPAA certified company may have passed a third-party organization´s HIPAA compliance program and implemented mechanisms to maintain compliance, but that is no guarantee the company will remain HIPAA compliant in the future.

There are multiple reasons why a company may not remain HIPAA compliant in the future. It may change the technologies it uses or the ways in which technologies are used. It may change business objectives, operational procedures, or change staff management policies. Any of these changes might invalidate a HIPAA certification – notwithstanding that HIPAA regulations may also change in the future.

HIPAA Training and Certification

HIPAA does not require employees to complete any specific training program and obtain HIPAA certification. However it is necessary for HIPAA training to be provided “as necessary and appropriate for members of the workforce to carry out their functions.” It is also necessary for the date and nature of the training to be documented, and the documentation maintained for at least six years.

Since HIPAA Rules are complex and far-reaching, HIPAA training companies are often used as an alternative to in-house training. The training companies employ HIPAA compliance experts to train employees on the aspects of HIPAA relevant to their roles – such as the correct ways of handling protected health information (PHI), and allowable uses and disclosures of PHI.

One of the benefits to Covered Entities of using a third-party HIPAA training company is that, at the successful conclusion to a training course, they are issued with a HIPAA certification to verify and validate that employees have attended a HIPAA training course. While the certification may not be endorsed by the HHS, it will be beneficial to the Covered Entity in the event of a HIPAA audit.

Third Party Audits Confirming HIPAA Compliance

With regards to HIPAA audits, it is important to note the HHS states on its website that “Certifications do not absolve Covered Entities of their legal obligations under the Security Rule. Moreover, performance of a “certification” by an external organization does not preclude HHS from subsequently finding a security violation.”

Nonetheless, it is common for potential Business Associates of HIPAA Covered Entities to undergo audits by third party HIPAA compliance experts in order to confirm that their products, services, policies, and procedures meet HIPAA standards. The audits are useful for Covered Entities´ peace of mind as they confirm HIPAA compliance at the time the audit was conducted.

However, for Business Associates unfamiliar with the far-reaching complexities of HIPAA, it is likely they will require help to become compliant. For this reason, it can be important to select a third-party organization that not only offers HIPAA certification services, but one that can help Business Associates implement effective HIPAA compliance programs.

The post What is HIPAA Certification? appeared first on HIPAA Journal.

How to Report a HIPAA Violation Anonymously

Posted by HIPAA Journal

One of the questions we are sometimes asked is how to report a HIPAA violation anonymously. This is because, in many cases, complaints and reports will not be reviewed or investigated without your contact details.

When you file a health information privacy complaint or a security rule violation complaint via the Office for Civil Rights´ (OCR) online Complaints Portal, the first page you are asked to complete is your name and contact details. The reason for this is because, if OCR reviews your complaint and decides to investigate it, the agency may want to contact you for further information.

You cannot go beyond the first page of the complaints process without entering any contact details; and, if you complete the form using fictitious contact details, OCR will be unable to contact you to obtain the information it needs to conduct an investigation. Consequently, it is not possible to report a HIPAA violation anonymously via the OCR Complaints Portal.

There are Other Ways of Filing a Complaint with OCR

The Complaints Portal is not the only way to file a complaint with OCR. You can download a complaint form, complete it, send it to OCR by mail or as an email attachment. The form allows you to deny consent for revealing your name or any identifying information – which is not the same as reporting a HIPAA violation anonymously and “may result in the closure of the investigation”.

You can also write anonymously to OCR, send an email from a disposable temporary email address, or call the agency directly on (800) 368-1019. If you find none of these approaches work because OCR does not want people to report a HIPAA violation anonymously, you could try one of OCR´s Regional Offices to see if one of these are willing to accept an anonymous report.

OCR is Not the Only Agency You Can Complain To

HHS´ Office for Civil Rights is not the only “enforcer” of HIPAA. Violations of the Administrative Requirements can be reported to the Centers for Medicare and Medicaid Services (CMS), violations of the Breach Notification Rule by organizations not covered by HIPAA can be reported to the Federal Trade Commission, and criminal violations can be reported to the Department of Justice.

All these agencies have complaints processes similar to OCR inasmuch as it is difficult to report a HIPAA violation anonymously. This is also usually the case with Offices of State Attorneys General. However, if you have a strong case for an investigation and explain why you are unwilling to reveal your identity, you may be able to report a HIPAA violation anonymously to a state agency.

How Else to Report a HIPAA Violation Anonymously

State and federal agencies are not the only bodies you can approach with a health information privacy complaint or a security rule violation complaint. You can also directly approach the organization responsible for the HIPAA violation. This gives you more options to report a HIPAA violation anonymously and a greater likelihood the violation you are reporting is addressed.

It is important to note that, unless the complaint involves a data breach subsequently reported to OCR by the organization, there will be no enforcement action taken by any state or federal agency. However, while there will be no record of an organization “getting into trouble” for failing to comply with HIPAA, your anonymous report may prevent somebody else experiencing an adverse event attributable to a privacy or security violation.

How to Report a HIPAA Violation Anonymously FAQs

Why doesn´t OCR want people to report a HIPAA violation anonymously?

Not only does it make it very difficult to investigate a privacy complaint without knowing who the complaint relates to, but malicious individuals could make unsubstantiated complaints that waste the time of both OCR investigators and the organization being investigated. By insisting on verifiable contact details, OCR can prevent malicious and unsubstantiated complaints – even though this requirement could dissuade some individuals from making justifiable complaints.

If I have to give my name, what protection do I have against retaliation?

§160.316 of the HIPAA Administrative Simplification Regulations prohibits Covered Entities and Business Associates from threatening, intimidating, coercing, harassing, discriminating against, or taking any retaliatory action against an individual who reports a HIPAA violation. This not only applies to patients and health plan members, but to any individual – including members of a Covered Entity´s or Business Associate´s workforce.

Can I report a HIPAA violation anonymously if the violation affects someone else?

Even if you are reporting a HIPAA violation on behalf of another person, OCR, CMS, the Federal Trade Commission, and Department of Justice will require your verifiable contact details to ensure the report is not malicious and unsubstantiated. You may be able to report a HIPAA violation anonymously to a State Attorney General´s office; but the best way to make a report anonymously is to approach the noncompliant organization directly.

How do I report a criminal violation of HIPAA anonymously to the Department of Justice?

Unlike some crime “tip lines”, the Department of Justice does not accept anonymous reports. The only route to reporting a criminal violation anonymously is to contact the noncompliant organization´s Privacy Officer who should investigate your complaint (subject to you having a strong case). If the Privacy Officer believes a criminal violation has occurred, they will report it to OCR, who will refer it to the Department of Justice for investigation.

What should I do if I complain anonymously to an organization, but nothing happens?

It may be difficult to know if your complaint to an organization has been ignored because the organization has no way of contacting you to explain what it is doing to correct the violation – which may take some time if it involves the development of new policies and additional workforce training. However, if you are certain your complaint has been ignored and it is still within 180 days of the violation being identified, you can escalate your complaint to OCR – albeit not anonymously.

Are HIPAA complaints anonymous?

Although you can request that your name is withheld when you make a complaint to OCR, complaints made anonymously will not be investigated. This not only applies to complaints made to OCR, but also to State Attorneys General, county HHS offices, and – where applicable – CMS, and the FTC. The option exists to phone an agency and make a complaint anonymously, but without your name, it is unlikely any further action will be taken.

The post How to Report a HIPAA Violation Anonymously appeared first on HIPAA Journal.

New York Surgery & Endoscopy Center Discovers 135,000-Record Data Breach

Posted by HIPAA Journal

A malware infection at St. Peter’s Surgery & Endoscopy Center in New York has potentially allowed hackers to gain access to the medical records of as many as 135,000 patients.

This is the second largest healthcare data breach of 2018, the largest to hit New York state since the 3,466,120-record data breach at Newkirk Products, Inc. in August 2016, and the fifth largest healthcare data breach in New York since the Department of Health and Human Services’ Office for Civil Rights started publishing data breach summaries in October 2009.

The data breach at St. Peter’s Surgery & Endoscopy Center was discovered on January 8, 2018: The same day as hackers gained access to its server. The rapid detection of the malware limited the time the hackers had access to the server and potentially prevented patients’ data from being viewed or copied. However, while no evidence of data access or data theft was discovered, it was not possible to rule either out with a high degree of certainty.

In its substitute branch notice, St. Peter’s Surgery & Endoscopy Center says the servers it uses are separate from St. Peter’s Hospital and Albany Gastroenterology Consultants. Protected health information held by those medical centers was not compromised as a result of the malware infection. Only patients who have previously visited St. Peter’s Surgery & Endoscopy Center for medical treatment have potentially been affected. Letters to affected patients were mailed on February 28, 2018 and the incident has been reported to the HHS’ Office for Civil Rights.

The information potentially accessed/copied was limited to patients’ names, addresses, dates of birth, dates of service, diagnosis codes, procedure codes, and insurance information. Some patients also had Medicare information exposed. Patients without Medicare did not have their social security numbers exposed and no patients’ banking or credit/debit card numbers were exposed.

Patients whose Medicare information was exposed have been offered one year of credit monitoring and identity theft protection services without charge “out of an abundance of caution” and all patients have been advised to check their health insurance statements carefully for any sign of fraudulent use of their information.

No information has been released on the exact nature of the security breach, such as how the hackers gained access to the server to install malware. St. Peter’s Surgery & Endoscopy Center said action is being taken to bolster security, which includes further staff training. The purchase of additional – and more elaborate – anti-virus and anti-malware solutions is also being evaluated.

The post New York Surgery & Endoscopy Center Discovers 135,000-Record Data Breach appeared first on HIPAA Journal.