Healthcare Data Privacy

Is Google Slides HIPAA Compliant?

Posted by HIPAA Journal

Is Google Slides HIPAA compliant? Can Google Slides be used by healthcare organizations without violating HIPAA Rules? This post explores whether Google Slides is HIPAA compliant and whether it is possible to use the presentation editor in connection with electronic protected health information.

Google Slides is a presentation editor that allows users to create slide shows, training material, and project presentations. It is an ideal option for users who do not regularly create slide shows or presentations and do not have a software package that offers the same functionality. Google Slides is available free of charge for consumers to use and is equivalent to Microsoft’s PowerPoint.

Healthcare organizations that are looking to create training courses and slideshows that involve the use of data protected by HIPAA need to exercise caution. Use of Google Slides with electronic protected health information could potentially violate HIPAA Rules and patient privacy. That could all too easily result in a financial penalty.

Google Slides is a web-based presentation program that is not exempt from HIPAA under the HIPAA Conduit Exception Rule. The use of any ePHI with Google Slides is prohibited by the Privacy Rule unless healthcare organizations enter into a business associate agreement with Google prior to the use of Google Slides.

How to Make Google Slides HIPAA Compliant

The first step to take before using Google Slides in connection with any ePHI is to enter into a business associate agreement with Google. Google offers a BAA for healthcare organizations covering G Suite and Google Drive, which includes Google Docs, Google Sheets, Google Forms, and Google Slides.

As with all Google Drive services, it is essential to control who has access to files created on Google Drive. Healthcare organizations must ensure that any files created can only be accessed by individuals authorized to view the files and links to the files can only be shared with specific people. Sharing permissions should be carefully configured to prevent any accidental disclosures of ePHI.

It is important that no ePHI is included in the titles of any files created on Google Drive and third-party applications should be disabled. If applications need to be used, the security of those applications must be assessed and the developer’s documentation carefully checked. Third-party application developers would also be considered business associates and BAAs would be necessary.

Provided a BAA has been obtained from Google, Google Drive permissions are configured correctly, and best practices are followed, the Google Drive suite of products can be used by healthcare organizations in connection with ePHI.

The post Is Google Slides HIPAA Compliant? appeared first on HIPAA Journal.

Window Envelope Privacy Breach Exposes ID Numbers of 70,320 Tufts Health Plan Members

Posted by HIPAA Journal

Tufts Health Plan is alerting 70,320 of its members that their health plan member ID numbers have been exposed.

A mailing vendor used by Tufts Health Plan sent Tufts Medicare Preferred ID cards to Medicare Advantage members between December 11, 2017 and January 2, 2018.

Window envelopes were used which naturally allowed plan members’ names and addresses to be seen, but Tufts Health Plan member IDs were also visible through the plastic windows of the envelopes. The mailing error was discovered by Tufts Health Plan on January 18.

Tufts Health Plan notes that its member IDs are not comprised of Social Security numbers or Medicare numbers, but potentially the member ID numbers could be misused by individuals to receive services covered by the health plan.

Legal experts were consulted about the breach to assess the potential risk to plan members. The risk of misuse of the numbers is believed to be very low as the only individuals likely to see the member IDs would be employees of the postal service. Plan members have been told that in the unlikely event that their member IDs are misused they will not be responsible for any charges.

Plan members should check their Explanation of Benefits statements carefully and should report any services detailed on the statements that have not been received.

The health plan reports that it has been working closely with its vendor to ensure similar incidents do not occur in the future. The mailing vendor has confirmed that the error that caused the privacy incident has now been fixed.

In this case, the privacy breach was limited and patients should not be adversely affected, but similar incidents have occurred at other healthcare organizations that have caused serious problems for some individuals.

On July 28, 2017, a business associate of Aetna sent a mailing to approximately 12,000 plan members detailing a change to pharmacy benefits for individuals who were receiving HIV medications. The medications are prescribed to treat HIV and as Pre-exposure Prophylaxis (PrEP) to prevent contraction of HIV. Information about those medications were clearly visible through the plastic windows of the envelopes. The disclosure was not limited to the postal service. In some cases, the information was inadvertently disclosed to family members and roommates.

A class-action lawsuit was filed against Aetna which was recently settled for $17 million. Aetna was also fined $1.15 million by the New York Attorney General over the privacy breach and further actions may be taken against the health insurer by other state attorneys general and the HHS’ Office for Civil Rights.

A similar privacy incident affected Amida Care in 2017, again involving information related to HIV. In that case, the words “Your HIV detecta” were visible through the clear plastic windows of envelopes next to the name and the address, even though an additional sheet of paper had been inserted to prevent information on the enclosed double-sided flyer from being visible.

These incidents clearly highlight the risks of using window envelopes for healthcare mailings. If the decision is taken to use this type of envelope, stringent checks should be conducted to ensure that the letters cannot slip to reveal sensitive information and that the content of the mailings cannot be seen.

The post Window Envelope Privacy Breach Exposes ID Numbers of 70,320 Tufts Health Plan Members appeared first on HIPAA Journal.

Hacking Responsible for 83% of Breached Healthcare Records in January

Posted by HIPAA Journal

The latest installment of the Protenus Healthcare Breach Barometer report has been released. Protenus reports that overall, at least 473,807 patient records were exposed or stolen in January, although the number of individuals affected by 11 of the 37 breaches is not yet known. The actual total is likely to be considerably higher, possibly taking the final total to more than half a million records.

The report shows insiders are continuing to cause problems for healthcare organizations. Insiders were the single biggest cause of healthcare data breaches in January. Out of the 37 healthcare data breaches reported in January 12 were attributed to insiders – 32% of all data breaches.

While insiders were the main cause of breaches, the incidents affected a relatively low number of individuals – just 1% of all records breached. Insiders exposed 6,805 patient records, although figures could only be obtained for 8 of the 12 breaches. 7 incidents were attributed to insider error and five were due to insider wrongdoing.

Protenus has drawn attention to one particular insider breach. A nurse was discovered to have accessed the health information of 1,309 patients without authorization over a period of 15 months. If the healthcare organization had technology in place to monitor for inappropriate access, the privacy of hundreds of patients would not have been violated.

The second biggest cause of healthcare data breaches in January were hacking/IT incidents. There were 11 hacking/IT incidents reported by healthcare organizations in January – 30% of all breaches. In contrast to insider incidents, these were not small breaches. They accounted for 83% of all breached records in January. One single hacking incident involved 279,865 records. That’s 59% of all breached records in the month.

In total, 393,766 healthcare records were exposed by hacks and other IT incidents. The final figure could be substantially higher as figures for five of those breaches have not been obtained. One of the incidents involving an unknown number of records was the ransomware attack on the EHR company Allscripts, which resulted in some of its applications being unavailable for several days. That incident could well be the biggest breach of the month.

Ransomware attacks are still a major problem in healthcare, with six of the 11 incidents involving ransomware or malware. Phishing – the subject of February’s cybersecurity letter from the HHS’ Office for Civil Rights – was involved in at least two breaches.

The loss or theft of electronic devices containing ePHI or physical records accounted for 22% of the breaches. Two incidents involving the loss of patient records impacted 10,590 individuals and four out of the six theft incidents impacted 50,929 individuals. The number of individuals affected by the other two theft incidents is unknown. The cause of 16% of January’s data breaches has not yet been disclosed.

The types of breached entities followed a similar pattern to previous months, with healthcare providers accounting for the majority of breaches (84%). 5% of the breaches had some BA involvement and 3% affected health plans. 8% affected other entities.

Information on the length of time it took to detect breaches was only obtained for 11 of the 37 incidents. The median time from the incident to detection was 34 days and the average was 252 days. The average was affected by one incident that took 1445 days to discover.

The median time from discovery of a breach to reporting the incident was 59 days; one day shy of the 60-day absolute limit of the Breach Notification Rule. The average was 96 days. Four healthcare organizations took longer than 60 days to report their breaches, with one taking more than 800 days.

The post Hacking Responsible for 83% of Breached Healthcare Records in January appeared first on HIPAA Journal.

Medical University of South Carolina’s Hard Line on HIPAA Violations Sees 13 Fired in a Year

Posted by HIPAA Journal

According to a recent report in the Post and Courier, the Medical University of South Carolina (MUSC) terminated 13 employees last year for violating HIPAA Rules by snooping on patient records. In total, there were 58 privacy violations in 2017 at MUSC, all of which have been reported to the Department of Health and Human Services’ Office for Civil Rights.

All of the breaches affected only small numbers of patients. Out of the 58 breaches, 11 incidents were categorized as snooping on medical records. Other breaches were unauthorized disclosures such as when the health information of a patient is accidentally sent or faxed to the wrong person.

Over the past five years, there have been 307 breaches detected at MUSC, resulting in 30 members of non-physician staff being fired. None of the breaches have been listed on the OCR breach portal, which only shows breaches impacting 500 or more individuals. Under HIPAA Rules, all PHI breaches must be reported, although it is only large breaches of more than 500 records that are made public and are detailed on the breach portal.

The revelations were made at a recent meeting of the hospital’s board of trustees. MUSC opted for transparency, which is considered important to help prevent future privacy breaches. The medical university has made it abundantly clear what actions will be taken against employees discovered to have violated HIPAA Rules.

According to the Post and Courier, one board member questioned whether the decision to terminate employees for minor privacy breaches was a Draconian measure; however, the threat of federal audits over data breaches involving employees has made such swift and decisive action necessary. Heavy fines can be imposed when audits reveal HIPAA Rules have not been followed. The actions taken by MUSC clearly show that it takes privacy and security seriously and that HIPAA violations by employees will not be tolerated.

OCR may be focused on pursuing financial penalties for serious breaches of PHI that affect large numbers of individuals, but that does not mean that investigations do not take place for smaller breaches. There have been multiple investigations of small breaches that have resulted in financial penalties for HIPAA violations by covered entities and their business associates.

The most recent example was in early February when a $3.5 million settlement between OCR and Fresenius Medical Care North America (FMCNA) was announced. FMCNA had experienced five small data breaches in a six-month period in 2012. In 2013, Hospice of North Idaho settled with OCR for $50,000 over a breach impacting 441 patients. Further, in 2016, OCR made it clear that it would be stepping up investigations of covered entities that had experienced small breaches of PHI.

While small breaches may not make the headlines, they are serious for the individuals concerned, which is something MUSC makes clear in its employee training sessions. Efforts to communicate the importance of privacy have also been stepped up, and it is made clear to employees that the hospital has a clear policy of terminating employees for violating HIPAA Rules.

It would be unreasonable to single out MUSC as having a poor record for privacy breaches, as many hospitals are likely to have similar stats. What is certainly commendable is the full transparency and swift and decisive action when patient privacy is violated with malicious intent or when the privacy of patients is violated by curious employees.

The post Medical University of South Carolina’s Hard Line on HIPAA Violations Sees 13 Fired in a Year appeared first on HIPAA Journal.

OPM Alleges Health Net Refused to Fully Comply with Recent Security Audit

Posted by HIPAA Journal

The U.S. Office of Personnel Management (OPM) Office of the Inspector General Office of Audits (OIG) has issued a Flash Audit Alert alleging Health Net of California has refused to cooperate with a recent security audit.

Health Net provides benefits to federal employees, and under its contract with OPM, is required to submit to audits. OPM has been conducting security audits on FEHBP insurance carriers for the past 10 years, which includes scanning for vulnerabilities that could potentially be exploited to gain access to the PHI of FEHBP members.

When OPM conducts audits, it is focused on the information systems that are used to access or store the data of Federal Employee Health Benefit Program (FEHBP) members. However, OPM points out that many insurance carriers do not segregate the data of FEHBP members from the data of commercial and other Federal customers. Audits of technical infrastructure need to be conducted on all parts of the system that have a logical or physical nexus with FEHBP data. Consequently, systems containing data other than that of FEHBP members will similarly be assessed for vulnerabilities.

In its Flash Audit Alert, OPM said Health Net refused to allow OPM to conduct vulnerability and configuration management testing and documentation was not provided that would allow OPM to test whether Health Net was able to remove information system access for contractors who no longer needed data access and for terminated employees.

By refusing to cooperate, OPM was unable to determine whether Health Net has been acting as a responsible custodian of sensitive protected health information of FEHBP members.

Health Net maintains that it has cooperated with OPM and allowed the agency to conduct the audit, although the insurance carrier consulted with its external counsel and was advised that if it cooperated fully with OPMs requests and submitted to certain parts of the audit process, it would risk violating contracts with other third parties. Health Net has obligations to those third parties to ensure their data is protected.

Health Net maintains that it has – and will – be able to satisfy the requests of OPM and OIG without compromising the security of its system and the privacy and confidentiality of members’ and employees’ data. Health Net also claims that the allegations made in the OPM report are unfounded.

“We understand the concerns associated with work of this nature, we take great care to minimize risk. Our procedures were developed as part of a collaborative working group comprised of health insurance industry Chief Information Officers and Chief Information Security Officers,” said OPM in its report. “There is nothing unique about Health Net, its technical environment, or the nature of our proposed testing that would exempt Health Net from our oversight and this testing.”

At this stage it is unclear what, if any, action OPM will take against Health Net if the company continues to refuse to comply with its audit requests in full.

The post OPM Alleges Health Net Refused to Fully Comply with Recent Security Audit appeared first on HIPAA Journal.

Is Google Sheets HIPAA Compliant?

Posted by HIPAA Journal

Is Google Sheets HIPAA compliant? Can HIPAA-covered entities use Google Sheets to create, view, or share spreadsheets containing identifiable protected health information or would using Google Sheets violate HIPAA Rules? In this post we assess whether Google Sheets supports HIPAA compliance. 

Under HIPAA Rules, healthcare organizations are required to implement safeguards to ensure the confidentiality, integrity, and availability of PHI. While it is straightforward to implement controls internally to keep data secure, oftentimes third parties are contracted to provide services that require access to PHI. They too must abide by HIPAA Rules covering privacy, security, and breach notifications.

A third-party that requires access to PHI – or copies of health data – to perform services on behalf of a covered entity is considered a business associate. A covered entity and business associate must enter into a contract – a business associate agreement – in which the business associate agrees to comply with certain aspects of the HIPAA Privacy, Security, and Breach Notification Rules. Without a business associate agreement in place, any sharing of PHI would be considered a HIPAA violation.

While Google does not look at the information uploaded to Google Sheets, since Google can potentially access the information, and data is stored on its servers, a business associate agreement would be required.

Will Google Sign a BAA with HIPAA Covered Entities for Google Sheets?

Google is committed to protecting the privacy of its customers’ data and ensuring all of its services are secure and data can always be accessed. Google is aware of the requirements of the Health Insurance Portability and Accountability Act and the firm is prepared to enter into a business associate agreement with HIPAA covered entities for certain services.

Google offers a BAA for G Suite, which includes Google Drive. Google Sheets, Google Docs, Google Slides, and Google Forms are all part of Google Drive and are covered by the BAA.

Google explains in its terms and conditions that any HIPAA covered entity or business associate of a HIPAA covered entity that wishes to use G Suite in connection with any PHI must enter into a BAA with Google before any of its services are used in connection with PHI.

Is Google Sheets HIPAA Compliant?

Since Google offers a BAA, is Google Sheets HIPAA compliant? Google can be considered a HIPAA compliant service provider as Google supports HIPAA compliance for G Suite Basic, G Suite for Education, G Suite Business, and G Suite Enterprise domains and will enter into a BAA with healthcare customers.

Once a BAA has been obtained, it is the responsibility of the covered entity or business associate to ensure that Google Sheets and all other Google Drive and G Suite products and services are used correctly in a manner that does not violate HIPAA Rules.

The post Is Google Sheets HIPAA Compliant? appeared first on HIPAA Journal.

Is IBM Cloud HIPAA Compliant?

Posted by HIPAA Journal

Is IBM Cloud HIPAA compliant? Is the cloud platform suitable for healthcare organizations in the United States to host infrastructure, develop health applications and store files? In this post we assess whether the IBM Cloud supports HIPAA compliance and the platform’s suitability for use by healthcare organizations.

IBM offers a cloud platform to help organizations develop their mobile and web services, build native cloud apps, and host their infrastructure along with a wide range of cloud-based services for the capture, analysis, and processing of data.

The platform has already been adopted by many healthcare providers, payers, and health plans, and applications and portals have been developed to provide patients with better access to their health information.

IBM Cloud Security

IBM is a leader in the field of network and data security, and its expertise has meant its cloud platform is highly secure. Security is built into the core of all of the firm’s software and services to ensure that sensitive data remains confidential and cannot be accessed by unauthorized individuals. Its audit and security reports are made available to its clients to assess during risk analysis and risk management processes.

Business Associate Agreement for the IBM Cloud Platform

Since 2014, IBM has been offering its cloud services to healthcare clients and has been entering into business associate agreements for its social, mobile, meetings, and mail cloud offerings.

IBM’s business associate agreements covers the IBM Cloud and details its responsibilities for security, including technical and physical controls in its data centers, permitted uses and disclosures of PHI, use of subcontractors, and its reporting requirements in the event of a security breach.

Healthcare customers must ensure they have a signed copy of the business associate agreement from IBM before any IBM cloud services are used in conjunction with protected health information.

IBM also offers HIPAA covered entities and their business associates services to help them configure their cloud applications correctly and create appropriate privacy and security solutions.

Is the IBM Cloud HIPAA Compliant?

Is the IBM Cloud HIPAA compliant? IBM meets its responsibilities as a business associate by ensuring its cloud platform meets and exceeds the minimum requirements of the HIPAA Security Rule and IBM agrees to abide by the HIPAA Privacy Rule and Breach Notification Rule.

IBM will enter into a business associate agreement with HIPAA covered entities covering the IBM Cloud, So the IBM Cloud can be considered a HIPAA compliant cloud platform.

However, HIPAA compliance is a shared responsibility. IBM only provides the security and the tools to ensure its cloud platform can be used without violating HIPAA Rules. It is the responsibility of HIPAA-covered entities to ensure that cloud-based infrastructure and applications are not misconfigured, and that stored files are appropriately secured.

The post Is IBM Cloud HIPAA Compliant? appeared first on HIPAA Journal.

1,900 UVA Patients’ PHI Accessed by Hacker Behind FruitFly Malware

Posted by HIPAA Journal

Almost 1,900 patients of University of Virginia Health System are being notified that an unauthorized individual has gained access to their medical records as a result of a malware infection.

The malware had been loaded onto the devices used by a physician at UVa Medical Center. When medical records were accessed by the physician, the malware allowed the hacker to view the data in real time. The malware was first loaded onto the physician’s electronic devices on May 3, 2015, with access possible until December 27, 2016. Over those 19 months, the hacker was able to view the medical records of 1,882 patients.

The types of information seen by the hacker included names, addresses, dates of birth, diagnoses, and treatment information, according to a UVa spokesperson. Financial information and Social Security numbers were not exposed as they were not accessible by the physician.

Access to the protected health information of its patients stopped in late 2016, although UVa did not discover the breach for almost a year. UVa was notified of the security breach by the FBI on December 23, 2017, following an extensive investigation into the hacker’s activities. Patients impacted by the breach were notified by mail this month.

UVa has since implemented a number of additional security controls to prevent further incidents of this nature from occurring.

Thousands of Victims’ Sensitive Information Viewed

fruitfly malware

Phillip R. Durachinsky

UVa is only one victim of the hacker. Other businesses were also affected and had information compromised, although the extent of the hacker’s activities have not fully been determined. The FBI investigation is continuing, although the hacker has been arrested and charged in a 16-count indictment for numerous computer offenses including violations of the Computer Fraud and Abuse Act and Wiretap Act, in addition to aggregated identity theft and the production of child pornography.

The hacker has been identified as Phillip R. Durachinsky, 28, of North Royalton, Ohio. Durachinsky allegedly developed a Mac malware called FruitFly more than 13 years ago and used the malware to spy on thousands of individuals and companies. The malware provided Durachinsky with full access to an infected device, including access to the webcam. The malware took screenshots, allowed the uploading and downloading of files, and could log keystrokes. Durachinsky also developed the malware to give him a live feed from multiple infected computers simultaneously.

Victims include schools, businesses, healthcare organizations, a police department, and local, state, and federal government officials. Over 13 years, Durachinsky spied on thousands of individuals, mainly using the Mac form of the malware, although a Windows-based variant was also used.

In addition to gaining access to UVa patients records, Durachinsky used the malware to view highly sensitive information of other non-UVa victims. He was able to gain access to financial accounts, photographs, tax records, and internet search histories. Durachinsky also allegedly surreptitiously took photographs of his victims via webcams and kept notes on what he was able to view.

The FBI discovered that an IP address associated with the malware was also used to access Durachinsky’s alumni email account at Case Western Reserve University, which led to his arrest. More than 20 million images were discovered on Durachinsky’s devices by the FBI agents.

The post 1,900 UVA Patients’ PHI Accessed by Hacker Behind FruitFly Malware appeared first on HIPAA Journal.

Updated Colorado Data Breach Notification Advances: Reporting Period Cut to 30 Days

Posted by HIPAA Journal

In January, a new data breach notification bill was introduced in Colorado that proposed updates to state laws to improve protections for residents affected by data breaches. The bill introduced a maximum time frame of 45 days for companies to notify individuals whose personal information was exposed or stolen as a result of a data breach. The definition of personal information was also updated to include a much wider range of information including data covered by HIPAA – medical information, health insurance information, and biometric data.

Last week, Colorado’s House Committee on State, Veterans, and Military Affairs unanimously passed an updated version of the bill, which has now been passed to the Committee on Appropriations for consideration.

The updated bill includes further new additions to the list of data elements classed as personal information – passport numbers, military, and student IDs. There has also been a shortening of the time frame organizations have to issue notifications. Instead of the 45 days proposed in the original bill, the time frame has been cut to just 30 days following the date of determination that a security breach has occurred.

Typically, when states propose legislation to improve protections for state residents whose personal information is exposed, organizations in compliance with federal data breach notification laws are deemed to be in compliance with state laws.

However, the new bill clarifies that will not necessarily be the case. Healthcare organizations covered by HIPAA laws have up to 60 days to issue notifications to breach victims. The amended bill states that when federal laws require notifications to be sent, the breached entity will be required to comply with the law with the shortest time frame for issuing notices.

That means HIPAA covered entities who experience a data breach that impacts Colorado residents would have half as long to issue notifications.

The original bill required breached entities to issue notifications to the state attorney general within 7 days of the discovery of a breach impacting 500 or more Colorado residents. The amended bill has seen that requirement relaxed to 30 days following the discovery of a breach of personal information. Further, the state attorney general does not need to be notified of a breach if there has been no misuse of breached data or if data misuse is unlikely to occur in the future.

If the new legislation is passed, Colorado residents will be among the best protected individuals in the United States. Only Florida has introduced such strict time scales for sending notifications to breach victims. Colorado residents would also be much better protected when their data is exposed by a healthcare organization, with the time frame for notification cut in half.

The post Updated Colorado Data Breach Notification Advances: Reporting Period Cut to 30 Days appeared first on HIPAA Journal.