Healthcare Data Privacy

Termination for Nurse HIPAA Violation Upheld by Court

A nurse HIPAA violation alleged by a patient of Norton Audubon Hospital culminated in the termination of the registered nurse’s employment contract. The nurse, Dianna Hereford, filed an action in the Jefferson Circuit Court alleging her employer wrongfully terminated her contract on the grounds that a HIPAA violation had occurred, when she claims she had always ‘strictly complied with HIPAA regulations.’

The incident that resulted in her dismissal was an alleged impermissible disclosure of PHI. Hereford had been assigned to the Post Anesthesia Care Unit at Norton Audubon Hospital and was assisting with a transesophageal echocardiogram. At the time of the alleged HIPAA violation, the patient was in an examination area that was closed off with a curtain. Hereford was present along with a physician and an echocardiogram technician.

Alleged Improper Disclosure of Sensitive Health Information

Before the procedure took place, Hereford performed a ‘Time-Out’ to ensure the patient understood what the procedure would entail, checked to make sure the site of the procedure was clearly marked and made sure appropriate diagnostic tools were available. Hereford also told the technician and the physician that they should wear gloves because the patient had hepatitis C.

After the procedure the patient filed a complaint, alleging Hereford had spoken loudly enough that other patients and medical staff in the vicinity would have heard that she had hepatitis C. While the complaint was investigated Hereford was placed on administrative leave, and she was later terminated for the HIPAA violation – an unnecessary disclosure of confidential health information.

In her action for unfair dismissal, Hereford claimed this was an ‘incidental disclosure’, which is not a violation of HIPAA Rules. Hereford also obtained the professional opinion of an unemployment insurance referee that a HIPAA violation had not occurred. She also claimed defamatory statements had been made about her to the Metropolitan Louisville Healthcare Consortium.

Norton filed a motion to dismiss or, as an alternative, a motion for summary judgement. The Circuit Court granted the motion to dismiss the claim for wrongful termination, as it was deemed there had been an unnecessary disclosure of PHI: a physician should not need to be reminded to wear gloves for a procedure in order to prevent the contraction of an infectious disease. However, the motion to dismiss the defamation claim was denied.

Norton sought summary judgement on the defamation claim and in October 2015, the defamation claim was dismissed with prejudice. The court determined that speaking the truth about the nurse HIPAA violation being the reason for termination could not have defamed Hereford.

Appeals Court Confirms Nurse HIPAA Violation

Hereford subsequently took her case to the Kentucky Court of Appeals. The Court of Appeals found that Hereford could not rely on HIPAA for a wrongful discharge claim as “HIPAA’s confidentiality provisions exist to protect patients and not healthcare employees.”

With respect to the wrongful dismissal claim, the court based its decision on the minimum necessary standard, which requires any disclosure of PHI to be limited to the minimum necessary to accomplish the intended purpose (45 CFR 164.502), explaining, “Under HIPAA, Hereford’s statement was not the minimum amount necessary to accomplish the warning.” The court concluded a nurse HIPAA violation had occurred. The Court of Appeals also found the decision of the lower court to dismiss the defamation claim to be correct, as there could be no defamation when the Metropolitan Louisville Healthcare Consortium was told the truth about the reason for dismissal.

What Are the Potential HIPAA Violation Penalties for Nurses?

HIPAA violation penalties for nurses who breach HIPAA Rules are tiered, based on the level of negligence. There are four tiers of HIPAA violation penalties for nurses, ranging from unknowing violations to willful neglect of HIPAA Rules.

The minimum fines are $100 per violation for tier 1, $1,000 per violation for tier 2, $10,000 per violation for tier 3, and $50,000 per violation for tier 4. The penalty amounts are determined by the Department of Health and Human Services, or by state attorneys general when they decide to issue penalties for HIPAA violations.

What is the Maximum HIPAA Violation Penalty for Nurses?

The maximum penalty for a single HIPAA violation is $50,000 per violation or per record, with an annual maximum of $1.5 million per violation category.

Serious violations of HIPAA Rules can warrant criminal charges for HIPAA violations, and in addition to financial penalties jail time is possible. Criminal violations of HIPAA Rules are handled by the U.S. Department of Justice.

Nurses who knowingly obtain or disclose individually identifiable protected health information can face a fine of up to $50,000 and up to one year in jail. If an offense is committed under false pretenses, the criminal penalties rise to a fine of up to $100,000 and up to 5 years in jail. If there is intent to sell, transfer, or illegally use PHI for personal gain, commercial advantage, or malicious harm, the maximum penalty is a fine up to $250,000 and up to 10 years in jail.

When there has been aggravated identity theft, the Identity Theft Penalty Enhancement Act requires a mandatory minimum prison term of two years.

Nurse HIPAA Violation Cases

Listed below are some of the recent nurse HIPAA violation cases covered on HIPAA Journal.

  • Glendale Adventist Medical Center Nurse Fired for HIPAA Violation
  • Minnesota BCBS Nurse Accused of Unauthorized Accessing of Minnesota Board of Pharmacy Database
  • Virginia Nurse Charged with Bank Fraud and Identity Theft
  • Wayne Memorial Hospital Fires Nurse Aide for Inappropriate PHI Access
  • Minnesota Hospital Fires 32 Over HIPAA Violation
  • Employees Fired over Sharing of Degrading Photos of Patients on Snapchat

The post Termination for Nurse HIPAA Violation Upheld by Court appeared first on HIPAA Journal.

De-identification of Protected Health Information: How to Anonymize PHI

Healthcare organizations and their business associates that want to share protected health information (PHI) in a HIPAA-compliant way must do so in accordance with the HIPAA Privacy Rule, which limits the permitted uses and disclosures of PHI. Once PHI has been de-identified, however, the HIPAA Privacy Rule restrictions no longer apply.

You can use our free Protected Health Information Guide to learn how to de-identify and anonymize PHI. If you de-identify PHI so that the identity of individuals cannot be determined, and re-identification of individuals is not possible, the data can be freely shared.

HIPAA Privacy Rule restrictions only cover individually identifiable protected health information. The de-identification of protected health information enables HIPAA covered entities to share health data for large-scale medical research studies, policy assessments, comparative effectiveness studies, and other studies and assessments without violating the privacy of patients or requiring authorizations to be obtained from each patient before the data is disclosed.

HIPAA-Compliant De-identification of Protected Health Information

HIPAA-compliant de-identification of protected health information is possible using two methods: Safe Harbor and Expert Determination.

Neither method of de-identification of protected health information will remove all risk of re-identification of patients, but both methods will reduce risk to a very low and acceptable level.

Once either of the two methods below has been applied, the data is no longer considered ‘protected health information’ and is not subject to HIPAA Privacy Rule restrictions.

1. Safe Harbor – The Removal of Specific Identifiers

The first HIPAA-compliant way to de-identify protected health information is to remove specific identifiers from the data set. The identifiable data that must be removed according to 45 CFR §164.514(b)(2) are:

  • Names
  • Geographic subdivisions smaller than a state
  • All elements of dates (except year) related to an individual (including admission and discharge dates, birthdate, date of death, all ages over 89 years old, and elements of dates (including year) that are indicative of age)
  • Telephone, cellphone, and fax numbers
  • Email addresses
  • IP addresses
  • Social Security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Device identifiers and serial numbers
  • Certificate/license numbers
  • Account numbers
  • Vehicle identifiers and serial numbers including license plates
  • Website URLs
  • Full face photos and comparable images
  • Biometric identifiers (including finger and voice prints)
  • Any unique identifying numbers, characteristics or codes

In the case of zip codes, covered entities are permitted to use the first three digits provided the geographic unit formed by combining all zip codes with those first three digits contains more than 20,000 individuals. When that geographic unit contains 20,000 or fewer individuals, the three digits must be changed to 000. According to the Bureau of the Census, that means 17 three-digit zip code prefixes must be changed to 000:

036, 692, 878, 059, 790, 879, 063, 821, 884, 102, 823, 890, 203, 830, 893, 556, 831

Covered entities should note that the above list of zip code prefixes may change after future censuses. The list is based on 5-digit zip codes from the 2000 census.

IMPORTANT NOTE: The list of HIPAA identifiers was compiled in 1999 and is now out-of-date. Additional identifiers that must be removed from a designated record set before it can be considered de-identified include social media aliases, Medicare Beneficiary Numbers, and details relating to an emotional support animal if the animal could be used to identify the subject of the PHI.
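As an added example (not HIPAA Journal's code), the Safe Harbor field handling described above applied to one structured record in Python: direct identifiers are dropped, zip codes are truncated to three digits with the 17 restricted prefixes collapsed to 000, event dates keep only the year, and ages over 89 are bucketed and lose their birth year. The field names, the ISO date format and the as-of date used for age are assumptions of this example.

```python
"""Safe Harbor-style de-identification of one structured patient record.

Added example; field names and the ISO (YYYY-MM-DD) date format are assumed.
"""
from __future__ import annotations

import re
from datetime import date

# The 17 three-digit zip prefixes listed above (20,000 or fewer residents in
# the 2000 census). Safe Harbor requires these to be replaced with "000".
RESTRICTED_ZIP3 = frozenset({
    "036", "692", "878", "059", "790", "879", "063", "821", "884",
    "102", "823", "890", "203", "830", "893", "556", "831",
})

# Record fields holding identifiers that are removed outright. The names are
# assumed for this example; a real designated record set has its own schema.
DIRECT_IDENTIFIERS = frozenset({
    "name", "ssn", "mrn", "health_plan_id", "phone", "fax", "email",
    "ip_address", "account_number", "device_serial", "license_plate", "url",
})

# Date fields reduced to year only, and the output field that receives the year.
EVENT_DATES = {
    "admission_date": "admission_year",
    "discharge_date": "discharge_year",
    "date_of_death": "death_year",
}


def generalize_zip(zip_code: str) -> str | None:
    """Keep the first three digits, or "000" for a restricted prefix."""
    digits = re.sub(r"\D", "", zip_code or "")
    if len(digits) < 3:
        return None
    prefix = digits[:3]
    return "000" if prefix in RESTRICTED_ZIP3 else prefix


def age_on(birth: date, as_of: date) -> int:
    """Completed years of age on the as_of date."""
    had_birthday = (as_of.month, as_of.day) >= (birth.month, birth.day)
    return as_of.year - birth.year - (0 if had_birthday else 1)


def generalize_birth(birth: date, as_of: date) -> tuple[str | None, str]:
    """Return (birth_year, age). Ages over 89 collapse into a single "90+"
    bucket and the birth year is dropped, since the year alone would reveal
    the age."""
    age = age_on(birth, as_of)
    if age > 89:
        return None, "90+"
    return str(birth.year), str(age)


def safe_harbor(record: dict, as_of: date) -> dict:
    """Return a de-identified copy of record; as_of is the reference date
    for age (for example the extraction date)."""
    out: dict = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue                      # identifier removed entirely
        if key == "zip":
            out["zip3"] = generalize_zip(value)
        elif key == "birth_date":
            year, age = generalize_birth(date.fromisoformat(value), as_of)
            if year is not None:
                out["birth_year"] = year
            out["age"] = age
        elif key in EVENT_DATES:
            out[EVENT_DATES[key]] = value[:4]   # year only
        else:
            out[key] = value              # clinical content is kept
    return out


# Constructed, fictional sample records.
SAMPLE = [
    {"name": "A. Example", "ssn": "000-00-0000", "mrn": "MRN-1",
     "birth_date": "1925-03-01", "zip": "03601-1234",
     "admission_date": "2017-08-14", "diagnosis": "HCV"},
    {"name": "B. Example", "email": "b@example.invalid",
     "birth_date": "1980-06-15", "zip": "40205",
     "admission_date": "2017-09-02", "diagnosis": "HTN"},
]
AS_OF = date(2017, 10, 20)


def deidentify_all(records=SAMPLE, as_of=AS_OF) -> list[dict]:
    return [safe_harbor(r, as_of) for r in records]


if __name__ == "__main__":
    for row in deidentify_all():
        print(row)
```

Free-text fields are passed through unchanged here, so a real pipeline must still scrub names and numbers embedded in notes before treating the output as de-identified.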

2. Expert Determination

The expert determination method carries a small risk that an individual could be identified, although the risk is so low that it meets HIPAA Privacy Rule requirements.

This method of de-identification of protected health information requires a HIPAA covered entity or business associate to obtain an opinion from a qualified statistical expert that the risk of re-identifying an individual from the data set is very small. In such cases, the methods used to make that determination and justification of the expert’s opinion must be documented and retained by the covered entity or business associate and made available to regulators in the event of an audit or investigation.

The expert must be a person with appropriate knowledge and experience of using generally accepted statistical and scientific principles and methods for removing or altering information to ensure that it is no longer individually identifiable.

When those methods and principles have been applied, the expert must determine that the risk of reidentification of an individual is very small. In such cases, the risk of reidentification must be very small when the information is used alone, and must remain very small should the data be combined with other reasonably available information by an anticipated recipient to identify an individual who is a subject of the information.

HIPAA does not define the level of risk of re-identification other than to say it should be ‘very small’. The expert should define ‘very small’ in relation to the context of the data set, the specific environment, and the ability of an anticipated recipient to be able to reidentify individuals.

Experts may come from a number of different fields and do not require any specific qualifications. What is important is that experts have experience of de-identifying data. It is that experience that regulators will look at in the event of an audit, not specific qualifications or certifications.

For further information on de-identification of protected health information by expert determination see 45 CFR § 164.514(b)(1).

The U.S. Department of Health and Human Services’ Office for Civil Rights has issued guidance on de-identification of protected health information which can be viewed on this link.

De-identification of Protected Health Information FAQs

Why is the list of Safe Harbor identifiers the same as many definitions of PHI?

The list of Safe Harbor identifiers is the same as many definitions of PHI because some sources have mistakenly used the list to answer the question “what is PHI?” It is important to be aware this is not the case.

PHI – or Protected Health Information – is individually identifiable health information that relates to an individual’s past, present, or future health condition, treatment for the condition, or payment for the treatment. Only when identifiers are maintained in the same designated record set as PHI do the identifiers assume protected status.

The list of Safe Harbor identifiers is a (now incomplete) list of possible identifiers that could be maintained in the same designated record set as PHI. If so, they (and any other identifiers not included on the list) must be removed from the designated record set before any remaining PHI is considered de-identified.

Do doctors’ names have to be removed from a data set for PHI to be de-identified?

Doctors’ names have to be removed from a data set for PHI to be de-identified if the name of a doctor – individually or with other information – could be used to identify the subject of the data set. If there is very little chance of a patient being identified by a doctor’s name, then the name can remain in the de-identified data set, subject to any state laws or confidentiality concerns.

Generally, with regard to the removal of names from designated record sets, the name of the patient (including nicknames, pet names, and any other names they may be known by) has to be removed, along with the names of relatives, employers, and household members. There is no requirement in HIPAA to remove the names of healthcare providers or any workforce members.

Must a Business Associate Agreement or Data Use Agreement be in place before disclosing de-identified health data to a business partner?

A Business Associate Agreement or Data Use Agreement does not have to be in place before disclosing de-identified health data to a business partner. However, covered entities can, if they wish, enter into a Data Use Agreement with the recipient of the data to specify how the recipient can use the data and prohibit its re-identification.

What is considered “appropriate knowledge and experience” for expert determination?

There is no definition of appropriate knowledge and experience for expert determination in HIPAA. However, in the event of a HIPAA compliance audit, the Department of Health & Human Services’ Office for Civil Rights would review the expert’s professional experience and academic training, and the processes used in the de-identification of the data set, to assess their capabilities.

Is there an expiration date for de-identified health data?

There is no expiration date for de-identified health data stipulated in the Privacy Rule. However, the Department of Health & Human Services recognizes that “technology, social conditions, and the availability of information changes over time” and has suggested that covered entities periodically review the chosen de-identification method to ensure it still meets the very low risk requirement.

Why is the list of Safe Harbor identifiers incomplete?

The list of Safe Harbor identifiers is incomplete because it was published a quarter of a century ago, before (for example) social media and emotional support animals. If a patient’s social media handle – or information relating to an emotional support animal – is maintained with PHI in a designated record set, that information also needs to be removed before the record set can be considered de-identified.

What is the benefit of de-identifying Protected Health Information?

The benefit of de-identifying Protected Health Information is that the de-identified data can be used for medical research studies, policy assessments, comparative effectiveness studies, and other studies and assessments without violating patient privacy or requiring individual authorizations. Effectively, once PHI is de-identified, the restrictions of the Privacy Rule no longer apply.

What are the two HIPAA-compliant methods for de-identifying PHI?

The two HIPAA-compliant methods of de-identifying PHI are the Safe Harbor method and the Expert Determination method. It is important to be aware that the list of identifiers given in the Safe Harbor method is out of date, and organizations considering this method of de-identification are advised to seek professional compliance advice before relying on the content of §164.514 to de-identify PHI.

How does the Expert Determination method of de-identifying PHI work?

The Expert Determination method of de-identifying PHI works by obtaining an opinion from a qualified statistical expert indicating that the risk of re-identifying an individual from the de-identified data set is very small. The methods used for this determination and justification of the expert’s opinion must be documented and retained by the covered entity or business associate.

Does the Privacy Rule define the level of risk of re-identification in the Expert Determination method?

The Privacy Rule does not define the level of risk of re-identification in the Expert Determination method other than stating it should be “very small”. This means the expert is required to define “very small” in relation to the context of the data set, the specific environment, what the data set will be used for, and the recipient’s reasonably anticipated ability to re-identify individuals.

Namaste Health Care Pays Ransom to Recover PHI

A hacker gained access to a file server used by Ashland, MI-based Namaste Health Care and installed ransomware, encrypting a wide range of data including patients’ protected health information.

Access was gained to the file server over the weekend of August 12-13 and ransomware was installed; however, it is unclear whether patients’ PHI was accessed or stolen prior to the installation of the ransomware. The Ashland clinic discovered its data had been encrypted when staff returned to work on Monday, August 14.

Prompt action was taken to prevent any further access to the file server, including disabling access and taking the server offline. An external contractor was brought in to help remediate the attack and remove all traces of malware from the system.

In order to recover data, Namaste Health Care made the decision to pay the attacker’s ransom demand. In this case, a valid key was supplied by that individual and it was possible to unlock the encrypted files. The clinic was able to recover data and bring its systems back online after a few days. The incident prompted the clinic to conduct a review of its security protections and make “robust upgrades” to its “firewall and remote access technology.”

The investigation into the breach did not uncover any evidence to suggest PHI had been accessed by the attacker, and no evidence was found to suggest any PHI was stolen. That said, it was also not possible to determine with a high degree of certainty that data access and theft did not occur.

The file server contained a wide range of PHI, including names, addresses, dates of birth, medical record numbers, health insurance information, Social Security numbers, and information relating to appointments and visits to the clinic, including the reasons for those appointments/visits. The exposed data related to all patients who had visited the clinic, or arranged an appointment to visit, prior to August 14, 2017.

Due to the sensitive nature of data stored on the server, all patients have been offered identity theft protection services through AllClear ID. Notifications about the ID protection services have been sent on behalf of the clinic by AllClear ID.

While the substitute breach notice posted on the Namaste Health Care website does not specifically mention that financial information was potentially compromised, the clinic said, “we recommend that you notify your banking institutions and request a change of any account numbers, if you provided us with such information.”

The incident has yet to appear on the Department of Health and Human Services’ Office for Civil Rights breach portal, so it is unclear exactly how many patients have been impacted.

HHS Issues Limited Waiver of HIPAA Sanctions and Penalties in California

The Secretary of the U.S. Department of Health and Human Services has issued a limited waiver of HIPAA sanctions and penalties in California. The waiver was announced following the presidential declaration of a public health emergency in northern California due to the wildfires.

As was the case with the waivers issued after Hurricanes Irma and Maria, the limited waiver of HIPAA sanctions and penalties only applies when healthcare providers have implemented their disaster protocol, and then only for a period of up to 72 hours following the implementation of that protocol. In the event of the public health emergency declaration ending, healthcare organizations must then comply with all provisions of the HIPAA Privacy Rule for all patients still under their care, even if the 72-hour period has not yet ended.

Whenever the HHS issues a limited waiver of HIPAA sanctions and penalties, healthcare organizations must still comply with the requirements of the HIPAA Security Rule, and the Privacy Rule is not suspended. The HHS simply exercises its authority under the Project Bioshield Act of 2004 (PL 108-276) and section 1135(b)(7) of the Social Security Act, and will not impose sanctions or penalties against healthcare organizations for noncompliance with the following provisions of the HIPAA Privacy Rule:

  • 45 CFR 164.510(b) – The requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care.
  • 45 CFR 164.510(a) – The requirement to honor a request to opt out of the facility directory.
  • 45 CFR 164.520 – The requirement to distribute a notice of privacy practices.
  • 45 CFR 164.522(a) – The patient’s right to request privacy restrictions.
  • 45 CFR 164.522(b) – The patient’s right to request confidential communications.

Even in emergency situations, the HIPAA Privacy Rule permits HIPAA-covered entities to share patients’ PHI to assist in disaster relief efforts and to help ensure patients receive the care they need.

PHI may also be disclosed for the purpose of providing treatment to patients, to coordinate patient care, or when referring patients to other healthcare providers. PHI can be shared for public health activities to allow organizations to carry out their public health missions. Disclosures can be made to family members, friends, and other individuals involved in a patient’s care, as necessary, to identify, locate, or notify family members of the patient’s location, condition, or loss of life. Disclosures can be made to anyone, as necessary, to prevent or lessen a serious injury. Disclosures can also be made to the media about a patient’s general health status, and limited facility directory information can be disclosed for a named patient, provided the patient has not objected to such disclosures.

In all cases, the ‘minimum necessary’ standard applies. Information should be restricted to the minimum necessary information to achieve the specific purpose for which it is disclosed.

Further information on the waiver can be found in the HHS bulletin on this link.

Q3, 2017 Healthcare Data Breach Report

In Q3, 2017, there were 99 breaches of more than 500 records reported to the Department of Health and Human Services’ Office for Civil Rights (OCR), bringing the total number of data breaches reported in 2017 up to 272 incidents. The 99 data breaches in Q3, 2017 resulted in the theft/exposure of 1,767,717 individuals’ PHI. Up until the end of September, the records of 4,601,097 Americans had been exposed or stolen as a result of healthcare data breaches.

Q3 Data Breaches by Covered Entity

Healthcare providers were the worst hit in Q3, reporting a total of 76 PHI breaches. Health plans reported 17 breaches and there were 6 data breaches experienced by business associates of covered entities.

There were 31 data breaches reported in July, 29 in August, and 39 in September. While September was the worst month for data breaches, August saw the most records exposed – 695,228.

The Ten Largest Healthcare Data Breaches in Q3, 2017

The ten largest healthcare data breaches reported to OCR in Q3, 2017 were all the result of hacking/IT incidents. In fact, 36 out of the 50 largest healthcare data breaches in Q3 were attributed to hacking/IT incidents.

| Covered Entity | Entity Type | Number of Records Breached | Type of Breach |
|---|---|---|---|
| Women’s Health Care Group of PA, LLC | Healthcare Provider | 300,000 | Hacking/IT Incident |
| Pacific Alliance Medical Center | Healthcare Provider | 266,123 | Hacking/IT Incident |
| Peachtree Neurological Clinic, P.C. | Healthcare Provider | 176,295 | Hacking/IT Incident |
| Arkansas Oral & Facial Surgery Center | Healthcare Provider | 128,000 | Hacking/IT Incident |
| McLaren Medical Group, Mid-Michigan Physicians Imaging Center | Healthcare Provider | 106,008 | Hacking/IT Incident |
| Salina Family Healthcare Center | Healthcare Provider | 77,337 | Hacking/IT Incident |
| Morehead Memorial Hospital | Healthcare Provider | 66,000 | Hacking/IT Incident |
| Network Health | Health Plan | 51,232 | Hacking/IT Incident |
| St. Mark’s Surgical Center, LLC | Healthcare Provider | 33,877 | Hacking/IT Incident |
| Sport and Spine Rehab | Healthcare Provider | 31,120 | Hacking/IT Incident |

Main Cause of Healthcare Data Breaches in Q3, 2017

For much of 2017, the main cause of healthcare data breaches was unauthorized disclosures by insiders, although in Q3, 2017, hacking was the biggest cause of healthcare data breaches. These incidents involve phishing attacks, malware and ransomware incidents, and the hacking of network servers and endpoints. These hacking incidents involved the exposure/theft of considerably more data than all of the other breach types combined. In Q3, 1,767,717 healthcare records were exposed/stolen, of which 1,578,666 – 89.3% – were exposed/stolen in hacking/IT incidents.

Location of Breached PHI

If vulnerabilities exist, it is only a matter of time before they are discovered by hackers. It is therefore essential for HIPAA covered entities and their business associates to conduct regular risk assessments to determine whether any vulnerabilities exist. Weekly checks should also be conducted to make sure the latest versions of operating systems and software are installed and no patches have been missed. Misconfigured servers, unsecured databases, and the failure to apply patches promptly resulted in 31 data breaches in Q3, 2017.

In Q3, 34 incidents were reported that involved email. While some of those incidents involved misdirected emails and the deliberate emailing of ePHI to personal email accounts, the majority of those breaches saw login details disclosed or ransomware/malware installed as a result of employees responding to phishing emails. The high number of phishing attacks reported in Q3 shows just how important it is to train employees to recognize phishing emails and to report suspicious messages. Training should be an ongoing process, involving classroom-based training, CBT sessions, and phishing simulations, with email updates sent to alert employees to specific threats.

Former Nurse Convicted of Theft of Patient Information and Tax Fraud

A former nurse from Midway, FL has been convicted of wire fraud, theft of government funds, possession of unauthorized access devices and aggravated identity theft by a court in Tallahassee.

41-year-old Tangela Lawson-Brown was employed as a nurse in a Tallahassee nursing home between October 2011 and December 2012. During her time at the nursing home, Lawson-Brown stole the personal information of 26 patients, although she was discovered to have a notebook containing the personal information of 150 individuals.

According to a press release issued by the United States Attorney’s Office for the Northern District of Florida, Lawson-Brown’s husband was arrested in January 2013 and items were seized from Lawson-Brown’s vehicle by the Tallahassee Police Department, including the notebook.

The police investigation revealed that in 2011, Lawson-Brown used the stolen credentials to file fraudulent tax returns in the names of 105 individuals, including 24 patients of the nursing home. Lawson-Brown filed claims totaling more than $1 million. The IRS detected many of the claims as fraudulent, although $141,790 in tax refunds was issued by the IRS.

The refunds were deposited in multiple bank accounts controlled by Lawson-Brown and the funds were used to pay personal expenses, cover car repairs, and to pay off her mortgage.

Lawson-Brown will be sentenced on January 4, 2018. She faces a maximum jail term of 20 years for each count of wire fraud, 10 years for each count of theft of government funds and possession of unauthorized access devices, and an additional 2 years will be added to her sentence for aggravated identity theft.

U.S. Attorney for the Northern District of Florida, Christopher P. Canova, said, “This case illustrates the vulnerability of elderly and disabled persons. Relatives and other caregivers should be alert to unauthorized tax returns, bank accounts, credit cards, and financial transactions, and should immediately report identity theft crimes to law enforcement agencies.”

Do Medical Practices Need to Monitor Business Associates for HIPAA Compliance?

Should covered entities monitor business associates for HIPAA compliance, or is it sufficient just to obtain a signed, HIPAA-compliant business associate agreement?

If a business associate provides reasonable assurances to a covered entity that HIPAA Rules are being followed, and errors are made by the BA that result in the exposure, theft, or accidental disclosure of PHI, the covered entity will not be liable for the BA’s HIPAA violations – provided the covered entity has entered into a business associate agreement with its business associate.

It is the responsibility of the business associate to ensure compliance with HIPAA Rules. The failure of a business associate to comply with HIPAA Rules can result in financial penalties for HIPAA violations for the business associate, not the covered entity.

A covered entity should ‘obtain satisfactory assurances’ that HIPAA Rules will be followed prior to disclosing PHI. While covered entities are not required by HIPAA to monitor business associates for HIPAA compliance, they should obtain proof that their business associate has performed an organization-wide risk analysis, has developed a risk management plan, and is reducing risks to an acceptable and appropriate level.

If information is provided to a covered entity which suggests noncompliance, the covered entity must act on that information. The failure of a covered entity to take appropriate action to resolve a known breach of HIPAA Rules by a business associate would itself be a violation of HIPAA Rules. If the business associate cannot resolve that breach, it is the responsibility of the covered entity to terminate the business associate agreement (45 CFR § 164.504(e)).

A covered entity will be in violation of HIPAA Rules if it “knew of a pattern of activity or practice of the business associate that constituted a material breach or violation of the business associate’s obligation under the contract or other arrangement, unless the covered entity took reasonable steps to cure the breach or end the violation.” If termination of the BAA is not feasible, the problem must be reported to the Department of Health and Human Services’ Office for Civil Rights (OCR).

Even though a covered entity is not liable for business associate HIPAA violations, any business associate breach is likely to reflect badly on the covered entity and is likely to cause harm to its patients or members. It is therefore in the interests of both parties to ensure HIPAA Rules are being followed. It may help to provide business associates with a HIPAA compliance checklist to assist them with their compliance efforts, and access to other resources to help them prevent breaches and mitigate risk.


Summary of September 2017 Healthcare Data Breaches

There were 35 healthcare data breaches involving more than 500 records reported to the Department of Health and Human Services’ Office for Civil Rights in September 2017. Those breaches resulted in the theft/exposure of 435,202 patients’ protected health information.

September 2017 Healthcare Data Breaches

September 2017 healthcare data breaches followed a similar pattern to previous months. Healthcare providers suffered the most breaches with 25 reported incidents, followed by health plans with 8 breaches, and 2 breaches reported by business associates of covered entities.

There was a fairly even split between unauthorized access/disclosures (16 incidents) and hacking/IT incidents (15 incidents). There were three theft incidents and one lost device, all of which involved laptop computers. One incident also involved a desktop computer and another the theft of physical records. There were no reported cases of improper disposal of PHI.


September 2017 Healthcare Data Breaches - Breach Type

There were five attacks on network servers in September, but email attacks topped the list with 13 incidents. Six of those were attributed to hacking, including two confirmed phishing attacks and one ransomware incident. The ransomware attack is also understood to have occurred as a result of an employee responding to a phishing email.

There were 7 cases of unauthorized access/disclosures via email. One of those incidents involved an employee emailing PHI to a personal email account. Another saw a healthcare employee email PHI to a relative to receive assistance with a work-related action.

September 2017 Healthcare Data Breaches - Breach Location


Healthcare organizations in 24 states reported data breaches in September. The worst affected states were California, Florida and Texas, with three breaches each. Arkansas, Minnesota, North Carolina, Pennsylvania, Washington and Wisconsin each had two reported incidents.

Largest Healthcare Data Breaches in September 2017

The largest healthcare data breaches in September 2017 have been detailed in the table below. Six of the top ten breaches in September were the result of hacking/IT incidents. Hacking/IT incidents resulted in the exposure of 355,084 records – 81.6% of the records exposed in all reported breaches in September. Unauthorized access/disclosures resulted in the exposure of 73,409 records – 16.87% of the total.

The largest reported data breach in September was a ransomware attack that potentially affected 128,000 patients. Data theft was not suspected, although it could not be ruled out with a high degree of certainty.

Covered Entity | Entity Type | Breached Records | Breach Type | Breach Information
Arkansas Oral & Facial Surgery Center | Healthcare Provider | 128,000 | Hacking/IT Incident | Ransomware attack
Morehead Memorial Hospital | Healthcare Provider | 66,000 | Hacking/IT Incident | Phishing attack
Network Health | Health Plan | 51,232 | Hacking/IT Incident | Phishing attack
ABB, Inc. | Healthcare Provider | 28,012 | Hacking/IT Incident |
Arkansas Department of Human Services | Health Plan | 26,000 | Unauthorized Access/Disclosure | Employee emailed PHI to a personal account
CBS Consolidated, Inc. | Business Associate | 21,856 | Hacking/IT Incident | Server hacked
MetroPlus Health Plan, Inc. | Health Plan | 15,212 | Unauthorized Access/Disclosure | Employee emailed PHI outside company
Mercy Health Love County Hospital and Clinic | Healthcare Provider | 13,004 | Theft | Paper records stolen from a storage unit
The Neurology Foundation, Inc. | Healthcare Provider | 12,861 | Unauthorized Access/Disclosure | Employee stole PHI
Hand & Upper Extremity Centers dba Hand Rehabilitation Specialists | Healthcare Provider | 12,806 | Hacking/IT Incident | Data theft and extortion attempt


New AEHIS/ MDISS Partnership to Focus on Advancing Medical Device Cybersecurity

A new partnership has been announced between CHIME’s Association for Executives in Healthcare Information Security (AEHIS) and the Foundation for Innovation, Translation and Safety Science’s Medical Device Innovation, Safety and Security Consortium (MDISS). The aim of the new collaboration is to help advance medical device cybersecurity and improve patient safety.

The two organizations will work together to help members identify, mitigate, and prevent cybersecurity threats by issuing cybersecurity best practices, educating about the threats to device security, training members, and promoting information sharing.

For the past three years, AEHIS has been helping healthcare organizations improve their information security defences. More than 700 CISOs and other healthcare IT security leaders have benefited from the education and networking opportunities provided by AEHIS. AEHIS helps its members protect patients from cyber threats, including cyberattacks on their medical devices, through its educational efforts, sharing of best practices, and many other activities.

MDISS now consists of more than 2,000 hospitals and dozens of medical device manufacturers who are working together to improve medical device cybersecurity. MDISS has helped to make medical device risk assessments cheaper, faster, and more accessible, while bringing together regulatory bodies, patient advocates, insurers, security researchers, medical device manufacturers, and healthcare providers to advance best practices in medical device cybersecurity and risk management.

It is hoped that the collective voice of AEHIS and MDISS will help to improve information security practices and ensure patients – and health data – are better protected.

“The scale and reach of AEHIS’ education network is a perfect complement to MDISS’ continuous release of envelope-pushing technologies and best practices,” said Dale Nordenberg, executive director of MDISS. “AEHIS will play a key role in accelerating the adoption of next-generation medical device security assessment platforms like MDRAP.”

“Together, AEHIS and MDISS joining forces to advocate and advance better medical device security will benefit AEHIS members and MDISS stakeholders alike,” said Sean Murphy, chair of the AEHIS collaborative relationships committee and vice president and CISO at Premera Blue Cross.

Key Goals of the New Partnership

  • Educating healthcare organizations about medical device cybersecurity strategies
  • Developing and sharing medical device cybersecurity best practices
  • Promoting the adoption of the NIST’s cybersecurity framework
  • Identifying new best practices for securing medical devices and mitigating vulnerabilities
  • Increasing awareness of medical device vulnerabilities among federal policymakers
  • Determining best practices to engage members in advocacy for cyber protection of medical devices
  • Examining the issues that are preventing the sharing of cybersecurity and medical device vulnerability information and helping to support information sharing through existing or modified information sharing efforts
