Healthcare Data Privacy

Final Rule Updating Common Rule Regulations Issued by HHS

The Department of Health and Human Services has published its Final Common Rule (45 CFR part 46). The Final Rule makes considerable changes to the Common Rule, although some of the most controversial elements that were included in the September 2015 proposed rule have been dropped.

One of the proposed changes would have made it much harder for research organizations to use biomedical samples for research. Rather than allowing a general consent form to be used, HHS proposed that written consent be obtained from patients prior to their samples being used for further studies, requiring additional consent to be obtained from the patient in writing for every step of research.

If a tissue or blood sample was left over from a previous research study, additional written consent would have been required before that sample could be used, even when consent to use the sample for research had already been obtained from the patient in the first place.

The proposed change was included following a high-profile case of a woman – Henrietta Lacks – whose cancer cells were used in multiple research studies without her knowledge or consent. While the proposed change was important for patient privacy, it would have been a major headache that could have slowed research and reduced the number of tissue samples that could be used for essential biomedical research.

The proposed change attracted a huge number of negative comments (more than 2,100) from researchers who felt it would slow their research. Additionally, there were cost considerations. The change would have made it difficult for small hospitals to provide samples for research due to the costs involved.

After reviewing the comments, the HHS decided to drop the change for the Final Rule. Now, samples can be used for research without obtaining additional consent from the donor of the sample, provided the samples are de-identified by removing names and other identifying information. Essentially, research can continue to be conducted as it currently is.

Another proposed change that attracted considerable criticism was the need for all researchers who received federal funding for clinical research to abide by the Common Rule. Critics pointed out that this requirement would not tackle the biggest problem – organizations that received no federal funding. It was believed that the change would also have hampered student research and social studies. This change was also dropped from the Final Rule.

When the Final Rule comes into effect, consent forms will need to include a concise summary at the start of the document explaining the most important information that potential research participants will need to know to give informed consent. The summary will need to include alternate treatments, and the risks and benefits of participation. Consent forms for certain federally funded programs will also need to be posted on public websites.

One controversial change that has not been dropped is the requirement for a single institutional review board (IRB) to be used for multi-institutional research studies to streamline oversight. However, a number of exceptions have now been included in the Final Rule to add greater flexibility.

The HHS says the Final Rule strengthens patient privacy protections while reducing the administrative burden on research institutions.

The changes were required because the Common Rule became effective in 1991, when most research was conducted at single sites by universities and medical institutions. However, today the landscape is very different. Now that data have been digitized, studies are commonly spread across multiple institutions, and large-scale studies are commonplace.

Jerry Menikoff, MD, Director of the HHS Office for Human Research Protections, said “We are very hopeful that these changes and all the others that reduce unnecessary administrative burdens will be beneficial to both researchers and research participants.”

The 543-page Final Rule, which was produced with assistance from 15 federal agencies, will be effective from 2018.

The post Final Rule Updating Common Rule Regulations Issued by HHS appeared first on HIPAA Journal.

No HIPAA Violation Fine for Virginia State Senator

While campaigning to become Republican state senator for Virginia in 2015, Henrico County physician Siobhan Dunnavant, M.D., used patients’ contact information – classed as protected health information under HIPAA Rules – to solicit donations from patients to help fund her campaign.

Contact information – names and addresses – was shared with her campaign team and was used to communicate with patients. The same information was also disclosed to a direct mail company: a violation of the HIPAA Privacy Rule. At least two complaints were received by the Department of Health and Human Services’ Office for Civil Rights about the privacy violation last year.

An OCR regional office contacted Dunnavant after being alerted to the privacy violation and informed her that her actions constituted an impermissible use and disclosure of PHI – violations of the HIPAA Privacy Rule. Such violations can result in financial penalties being issued.

Dunnavant, who was later elected to the state senate, could have been fined up to $250,000 for the HIPAA violation and could potentially have been imprisoned for up to 10 years. However, OCR has chosen not to take further action.

No financial penalty was deemed appropriate as Dunnavant took immediate action to minimize damage. The investigation into the HIPAA violations has now been closed.

HIPAA violations are not always punishable with civil monetary penalties and do not always require resolution agreements. OCR prefers to resolve HIPAA violations through voluntary compliance and by issuing technical assistance. Civil monetary penalties and resolution agreements are typically reserved for the most serious violations of HIPAA Rules.

While Dunnavant’s use of patient contact information to solicit contributions did violate HIPAA Rules, the privacy violation was relatively minor and no patients came to harm as a result. Dunnavant believed her actions were permitted under HIPAA Rules as she had obtained a business associate agreement prior to disclosing the information.

Senator Dunnavant told the Richmond Times-Dispatch that the mailings were intended to advise patients of her political activity and reassure them that it would not have an impact on the provision of medical services. Dunnavant said she sought advice from her lawyers and medical practice board before sending the letter and no HIPAA issues were raised. She also said she regretted adding an appeal for political support to the letters.

HHS Issues Final Rule on Confidentiality of Alcohol and Drug Abuse Patient Records Regulations

In February 2016, the Department of Health and Human Services published a proposed change to the Confidentiality of Alcohol and Drug Abuse Patient Records regulations (42 CFR Part 2) to facilitate health integration and information exchange. HHS has now finalized the Part 2 changes following an extensive evaluation of public comments, according to a recent press release from the Substance Abuse and Mental Health Services Administration (SAMHSA).

The Confidentiality of Alcohol and Drug Abuse Patient Records regulations were introduced in 1975 to protect the privacy of patients receiving treatment for substance abuse and mental health disorders. At the time there was concern that the revelation of patients’ identities would have serious social consequences and a lack of privacy may deter individuals from seeking treatment.

The healthcare delivery system has changed considerably during the past 40 years and Part 2 regulations were in need of modernization. While the privacy of patients must and will still be protected, the Part 2 changes will help to promote health integration and allow information exchange with research institutions.

According to HHS Deputy Assistant Secretary, Kana Enomoto, the Part 2 changes “will further enhance health services research, integrated treatment, quality assurance and health information exchange activities while at the same time safeguarding the essential privacy rights of people seeking treatment for substance use disorders.” Enomoto went on to explain that “These efforts clear the way for integrated health care models that can provide a better, more cost-effective health care system that also empowers people to make key decisions about their health care.”

A number of new provisions have been finalized in the HHS Final Rule:

  • Any lawful holder of patient identifying information will be permitted to disclose Part 2 identifying information to qualified individuals for purposes of scientific research, provided the research meets certain regulatory requirements. The sharing of data will enable organizations to conduct essential research on substance use disorders. SAMHSA will also permit data linkages between data sets and data repositories holding Part 2 data, if certain regulatory requirements are met.
  • In certain circumstances, patients will be permitted to use general designations such as “My Treating Providers” when giving consent to share personal information. Patients are not required to agree to disclosures of their personal information, although by doing so they will be able to benefit from integrated healthcare systems. If patients do use the general disclosure designation, they can request a list of individuals and entities with whom their information has been shared.
  • Changes have been made that outline the audit/evaluation procedures necessary to meet the requirements of CMS-regulated accountable care organizations (ACOs) and other CMS-regulated organizations. The changes permit financial and quality assurance functions critical to ACOs and other healthcare organizations.
  • Part 2 has been updated to cover both physical and electronic documentation.
  • SAMHSA will develop additional sub-regulatory guidance on the finalized provisions and will monitor the implementation of the Final Rule.

HHS has also issued a Supplemental Notice of Proposed Rulemaking (SNPRM) and is seeking input and comments from the public on additional clarifications and suggestions on a number of new provisions including:

  • Clarifying and limiting the circumstances under which contractors, subcontractors and legal representatives of lawful holders of Part 2 data can receive information for payment and healthcare operations activities.
  • An abbreviated alternative statement for the notice to accompany disclosure.
  • The use of contractors, sub-contractors, and legal representatives by CMS-regulated entities to carry out audit and evaluation activities necessary to meet the requirements of a CMS-regulated program.

OCR HIPAA Enforcement: Summary of 2016 HIPAA Settlements

The Department of Health and Human Services’ Office for Civil Rights has stepped up its enforcement activities in recent years, and 2016 HIPAA settlements were at record levels. In total, payments of $22,855,300 were made to OCR in 2016 to resolve alleged HIPAA violations. Seven settlements were in excess of $1,500,000.

In 2016, OCR settled alleged HIPAA violations with 12 healthcare organizations. Last year also saw an Administrative Law Judge rule that civil monetary penalties previously imposed on a covered entity – Lincare Inc. – by OCR were lawful, bringing the total to thirteen for 2016. Lincare was only the second healthcare organization required to pay a civil monetary penalty for violations of the Health Insurance Portability and Accountability Act. All other organizations opted to settle with OCR voluntarily.

Financial penalties are not always appropriate. OCR prefers to settle potential HIPAA violations using non-punitive measures. Financial penalties are reserved for the most severe violations of HIPAA Rules, when widespread non-compliance is discovered, or in cases where healthcare organizations have blatantly disregarded HIPAA Rules.

While large-scale breaches of PHI may warrant financial penalties and will have an impact on the final settlement amount, OCR has also resorted to financial penalties when relatively few individuals have been impacted by healthcare data breaches. 2016 saw two settlements with organizations for breaches that impacted fewer than 500 individuals – New York Presbyterian Hospital and Catholic Health Care Services of the Archdiocese of Philadelphia – and one civil monetary penalty – Lincare Inc.

A summary of 2016 HIPAA settlements with the Office for Civil Rights is detailed in the table below:

Summary of 2016 HIPAA Settlements

Covered Entity | Date | Amount | Breach that triggered OCR investigation | Individuals impacted
University of Massachusetts Amherst (UMass) | November 2016 | $650,000 | Malware infection | 1,670
St. Joseph Health | October 2016 | $2,140,500 | PHI made available through search engines | 31,800
Care New England Health System | September 2016 | $400,000 | Loss of two unencrypted backup tapes | 14,000
Advocate Health Care Network | August 2016 | $5,550,000 | Theft of desktop computers, loss of laptop, improper access of data at business associate | 3,994,175 (combined total of three separate breaches)
University of Mississippi Medical Center | July 2016 | $2,750,000 | Unprotected network drive | 10,000
Oregon Health & Science University | July 2016 | $2,700,000 | Loss of unencrypted laptop / storage on cloud server without BAA | 4,361 (combined total of two breaches)
Catholic Health Care Services of the Archdiocese of Philadelphia | June 2016 | $650,000 | Theft of mobile device | 412 (combined total)
New York Presbyterian Hospital | April 2016 | $2,200,000 | Filming of patients by TV crew | Unconfirmed
Raleigh Orthopaedic Clinic, P.A. of North Carolina | April 2016 | $750,000 | Improper disclosure to business associate | 17,300
Feinstein Institute for Medical Research | March 2016 | $3,900,000 | Improper disclosure of research participants’ PHI | 13,000
North Memorial Health Care of Minnesota | March 2016 | $1,550,000 | Theft of laptop computer / improper disclosure to business associate (discovered during investigation) | 299,401
Complete P.T., Pool & Land Physical Therapy, Inc. | February 2016 | $25,000 | Improper disclosure of PHI (website testimonials) | Unconfirmed
Lincare, Inc. | February 2016* | $239,800 | Improper disclosure (unprotected documents) | 278

*Civil monetary penalty confirmed as lawful by an administrative law judge

The largest HIPAA settlement of 2016 – and the largest HIPAA settlement ever agreed with a single covered entity – was announced in August. OCR agreed to settle potential HIPAA violations with Advocate Health Care Network for $5.5 million.

The previous largest HIPAA settlements were agreed with New York-Presbyterian Hospital and Columbia University after PHI was accidentally indexed by search engines. The two entities were required to pay OCR a total of $4.8 million, with $3.3 million covered by New York-Presbyterian Hospital and the remainder by Columbia University. The previous largest HIPAA settlement for a single entity was agreed with Cignet Health ($4.3 million) for denying 41 patients access to their health records.

2017 has started with an early settlement with Presence Health. The $475,000 settlement was based solely on delayed breach notifications – the first time that a settlement has been agreed solely for a HIPAA Breach Notification Rule violation.

Looking forward into 2017 and beyond, the future of HIPAA enforcement activities is unclear. The new administration may cut funding for OCR which would likely have an impact on HIPAA enforcement.

This year will see the completion of the long-delayed second round of HIPAA compliance audits, although it is unlikely that a permanent audit program will commence this year.

Last year, Jocelyn Samuels said OCR will remain “laser-focused on breaches occurring at health care entities,” and that OCR is committed to “maintain an effective enforcement program that addresses industry-wide noncompliance and provides corrective action to protect the greatest number of individuals.”

However, Jocelyn Samuels will be standing down as head of OCR and it is currently unclear who will take her place. While there are a number of suitable candidates for the position, incoming president Trump has a lot on his hands and the appointment of an OCR director is likely to be relatively low down the to-do list. When a new OCR director is appointed, we may find that he/she has different priorities for the OCR’s budget.

What we can expect to see in 2017 is a continuation of enforcement actions that have already commenced. HIPAA breach investigations take time to conduct and settlements even longer. The 2016 HIPAA settlements are the result of data breach investigations that were conducted in 2012-2013. The dramatic increase in data breaches in 2014 – and HIPAA violations that caused those breaches – may well see 2017 become another record-breaking year for HIPAA settlements.

Warning for Healthcare Organizations that use MongoDB Databases

Over the course of the past two weeks, the number of organizations that have had their MongoDB databases accessed, copied, and deleted has been steadily growing.

Ethical hacker Victor Gevers discovered in late December that many MongoDB databases had been left unprotected and were freely accessible over the Internet by unauthorized individuals. By January 6, he reported that 13 organizations had had their databases copied and deleted. In their place was a new database containing nothing but a ransom demand. The hacker responsible offered to return the data once a ransom payment had been made – in this case 0.2 Bitcoin ($175).

The number of affected organizations has rapidly increased over the past few days. Today, more than 32,000 organizations have been issued with ransom demands and have had their databases deleted, including Emory Healthcare.

Emory Healthcare is not the only U.S. healthcare organization to have left databases exposed. MacKeeper security researcher Chris Vickery has identified another potential healthcare victim. A database used by WAMC Sleep Clinic – which operates the website militarysleep.org – has also been left exposed.

The database, which contains 2GB of information, includes details of 1,200 veterans who suffer from sleep disorders and have registered with the Sleep Clinic. The database contains sensitive information such as veterans’ names, email addresses, home addresses, former rank in the military, and their history of use of the site. The database also contains chat logs of conversations between doctors and veterans. Those logs contain highly sensitive details of patients’ medical conditions.

As with other organizations that have left their MongoDB databases in the default configuration, information can be accessed by anyone who knows where to look. No login credentials are required. Databases can be accessed without the need for usernames or passwords or any authentication.

The problem affects organizations that are using older versions of MongoDB. In previous versions, MongoDB shipped with unrestricted remote access turned on by default. While later versions of the database platform changed this, with remote access set to off in the default configuration, many organizations are still using older versions and have not changed the configuration settings to prevent unrestricted data access.

Unfortunately, many individuals have started to access unprotected MongoDB databases and have deleted data and issued ransom demands. One well known organized ransomware gang has also got involved and is attempting to extort money from 21,000+ organizations.

While some of these ‘hackers’ have exfiltrated data prior to deleting databases, others have not. Ransom demands are being issued nonetheless, although since no copy of the data has been taken, recovery will be impossible even if a ransom payment is made.

Healthcare organizations that use MongoDB databases should ensure that their security settings are updated to prevent remote access by unauthorized individuals. Given the number of organizations already attacked, failure to do so is likely to result in data being hijacked, or worse, permanently deleted. Gevers suggests there are more than 99,000 organizations that have misconfigured MongoDB databases and are therefore at risk.
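The article names the two settings at fault (a listener reachable from any interface, and no authentication) but does not show what the corrected configuration looks like. The following is an added example, not code from the original article or from the MongoDB project: it parses a mongod.conf and flags exactly those two settings, with a constructed weak configuration of the kind described placed beside a hardened one. The option names net.bindIp, net.bindIpAll and security.authorization are real mongod.conf keys; the two file contents, the paths in them, and the function names are constructed for this example.

```python
# Added example (not from the HIPAA Journal article): audit a mongod.conf
# for the two settings behind the exposed-database wave the article describes.
# The option names net.bindIp, net.bindIpAll and security.authorization are
# real mongod.conf keys; the two configuration files below are constructed.

WEAK_CONF = """\
# Constructed: a legacy-style configuration that listens on every interface
# and has no security section, so clients connect without credentials.
systemLog:
  destination: file
  path: /var/log/mongodb/mongod.log
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

HARDENED_CONF = """\
# Constructed: loopback-only listener plus role-based access control.
systemLog:
  destination: file
  path: /var/log/mongodb/mongod.log
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1   # add an internal interface only if app servers need it
security:
  authorization: enabled
"""

LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def parse_simple_yaml(text):
    """Parse the two-level 'section:' / '  key: value' layout of mongod.conf.

    Deliberately minimal so the example needs no PyYAML dependency; it drops
    comments and ignores anything nested deeper than one level.
    """
    tree = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        value = value.strip()
        if indent == 0:
            section = key
            tree[section] = {} if value == "" else value
        elif section is not None and isinstance(tree[section], dict):
            tree[section][key] = value
    return tree


def audit_mongod_conf(text):
    """Return a list of findings; an empty list means both checks passed."""
    cfg = parse_simple_yaml(text)
    findings = []

    net = cfg.get("net")
    net = net if isinstance(net, dict) else {}
    if net.get("bindIpAll", "").lower() == "true":
        findings.append("net.bindIpAll is true: mongod listens on every interface")
    else:
        # bindIp may be a comma-separated list; a single non-loopback entry
        # is enough to expose the listener to the network
        addrs = [a.strip() for a in net.get("bindIp", "").split(",") if a.strip()]
        if not addrs:
            findings.append("net.bindIp is not set: older releases bound to all interfaces when it was unset")
        elif any(a not in LOOPBACK for a in addrs):
            findings.append("net.bindIp includes a non-loopback address: " + ", ".join(addrs))

    sec = cfg.get("security")
    sec = sec if isinstance(sec, dict) else {}
    if sec.get("authorization", "").lower() != "enabled":
        findings.append("security.authorization is not 'enabled': any client that can reach the port can read and drop databases")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_mongod_conf(conf) or ["no findings"])
```

Enabling authorization is only useful once an administrative user has been created, so the order is: create the admin user, set the two options, restart mongod, then confirm from a second host that the port is no longer reachable without credentials. A configuration audit of this kind is a point-in-time check; the network-level exposure should also be confirmed from outside the host, since a firewall or cloud security group can expose a loopback-only listener through port forwarding just as easily as it can shield an all-interfaces one.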

FDA Confirms Muddy Waters’ Claims that St. Jude Medical Devices Can be Hacked

The U.S. Food and Drug Administration (FDA) issued a safety communication Tuesday about cybersecurity flaws in certain St. Jude Medical cardiac devices and the Merlin@home transmitter after it was confirmed the devices could potentially be remotely accessed by unauthorized individuals.

The FDA confirmed that unauthorized users could “remotely access a patient’s RF-enabled implanted cardiac device by altering the Merlin@home Transmitter,” potentially causing patients to be harmed. The flaws would allow an attacker to deplete the battery on implanted devices, alter pacing, or trigger shocks.

The FDA confirmed that there have been no reported instances of the cybersecurity flaws being exploited to cause harm to patients to date and patients have been advised to continue using the devices as instructed by their healthcare providers.

A patch to address the flaws has been developed and will be automatically applied this week. However, in order for the Merlin@home device to receive the update it must be left plugged in and connected to the Merlin Network.

The cybersecurity vulnerabilities were discovered by researchers at MedSec as part of a study into cybersecurity measures used to protect implantable medical devices. MedSec passed on details of the research to Muddy Waters last summer. In August 2016, Muddy Waters published a report criticizing St. Jude Medical for allowing ‘stunning cybersecurity flaws’ to remain unaddressed in its Merlin@home system and its associated defibrillators and pacemakers. St. Jude Medical denied the claims and sued Muddy Waters for disseminating ‘false and misleading’ information.

However, since the revelations were made in August, Abbott Laboratories, which recently acquired St. Jude Medical in a $25 billion deal, has been conducting its own investigations into device security. Abbott Laboratories has worked closely with both the FDA and the Department of Homeland Security to ensure that its pacemakers, defibrillator devices, and their associated systems are adequately protected and access by unauthorized individuals is blocked. The FDA has reviewed the software patch and has confirmed that it addresses the “greatest risks” and reduces the potential for exploitation and patient harm.

Carson Block, founder of Muddy Waters, issued a statement about the FDA announcement saying it “reaffirms our belief that had we not gone public, St. Jude would not have remediated the vulnerabilities.” However, while critical security vulnerabilities have been addressed, Block said “the announced fixes do not appear to address many of the larger problems, including the existence of a universal code that could allow hackers to control the implants.”

In the safety communication, the FDA reminded consumers that “any medical device connected to a communications network (e.g. wi-fi, public or home Internet) may have cybersecurity vulnerabilities that could be exploited by unauthorized users.” The FDA went on to say “the increased use of wireless technology and software in medical devices, however, can also often offer safer, more efficient, convenient and timely health care delivery.”

Cybersecurity Guidance for Medical Device Manufacturers

In December 2016, the FDA published its final cybersecurity guidance for medical device manufacturers. The document details measures that medical device manufacturers should adopt to ensure post-market devices are routinely assessed for vulnerabilities that could be exploited by hackers. The FDA released guidance in 2014 covering pre-market submissions for the management of cybersecurity in medical devices.

Foreign Government-Backed Hacker Was Behind 2015 Anthem Breach

The massive 2015 data breach at Anthem Inc., which resulted in the theft of more than 78.8 million health plan members’ records, was likely the work of a foreign government-backed hacker, according to a recent report issued by the California Department of Insurance.

Anthem Inc., the second largest health insurer in the United States, announced the massive cyberattack in February 2015, almost a month after the breach was discovered. However, the cyberattack occurred almost a year earlier with Anthem’s database discovered to have been infiltrated on February 18, 2014.

Data stolen in the attack included members’ Social Security numbers, birth dates, employment details, addresses, email addresses, and medical identification numbers. The attackers were able to bypass multiple layers of cybersecurity defenses with a single phishing email sent to an employee of one of Anthem’s subsidiaries. The response to the email allowed the attacker to download malware onto Anthem’s network, which in turn allowed access to Anthem’s database of members. The attackers also managed to infiltrate 90 other information systems used by the insurer.

Anthem employed cybersecurity firm Mandiant to investigate the breach, although the independent investigation conducted by California Department of Insurance, with assistance from cybersecurity firm CrowdStrike and Alvarez & Marsal Insurance and Risk Advisory Services, has taken considerably longer to conduct. While Mandiant’s investigation centered on how the breach occurred, the individuals affected, and the extent of the breach, the California Department of Insurance’s investigation probed deeper and attempted to determine who was responsible.

It was only recently that the California state agency discovered a credible link between the cyberattack and a foreign-government backed hacker. No announcement has been made as to which foreign government has been linked to the attack. The California Department of Insurance chose not to announce details of the government suspected to be linked to the attack as a federal investigation is still ongoing. However, a number of cybersecurity firms have linked the malware used in the attack to China.

The California Department of Insurance investigation was led by seven insurance commissioners and involved 40 other state and territorial insurance commissioners. One of those insurance commissioners, Dave Jones, said “our examination team concluded with a significant degree of confidence that the cyber attacker was acting on behalf of a foreign government.”

The investigators were able to identify the attacker with “a significant degree of confidence”, although they only had “a medium degree of confidence” that the attacker was backed by a foreign government. Previous cyberattacks linked to the foreign government suspected of assisting in the attack have not resulted in any stolen data being passed on to non-state actors, yet the data from the Anthem attack appears to have been passed on to non-state groups.

Preventing cyberattacks such as Anthem’s is difficult. A coordinated effort between government agencies and private sector firms is required. Jones said “Insurers and regulators alone cannot stop foreign government-assisted cyberattacks.”

The California Department of Insurance investigation also looked at the cybersecurity defenses Anthem had put in place prior to the breach, the actions taken immediately after the breach was discovered, and the plans put in place to protect members from harm. The investigators determined that the defenses put in place to prevent cyberattacks were reasonable and the plan implemented to resolve the breach was rapid and effective.

Vulnerabilities were discovered during the course of the investigation and were communicated to the insurer and incorporated into its remediation plan. After cybersecurity defenses were improved post-breach, the investigators arranged for Anthem’s new cybersecurity defenses to be penetration tested. The California Department of Insurance found the improvements to be reasonable.

Early estimates of the breach resolution costs suggested Anthem would have to pay in excess of $100 million. However, the cost to the insurer has been significantly higher. Anthem Inc. has spent $260 million just to shore up its cybersecurity defenses and improve its information systems to prevent further attacks. All individuals affected by the breach have been offered 2 years of credit monitoring/protection services free of charge, and the company is currently embroiled in numerous class-action lawsuits. There is also the possibility that the Department of Health and Human Services’ Office for Civil Rights may take action against the insurer. The final cost of the Anthem breach will not be known for many months to come.

The post Foreign Government-Backed Hacker Was Behind 2015 Anthem Breach appeared first on HIPAA Journal.

Fetal Tissue Firms Guilty of Systemic HIPAA Violations

The U.S. House of Representatives Select Investigative Panel has published the findings from its investigation into the sale of fetal tissue by abortion clinics, revealing systemic HIPAA violations by both abortion clinics and tissue procurement businesses.

An investigation was requested by the Energy and Commerce Subcommittee on Oversight and Investigations following revelations made by undercover journalist David Daleiden.

In 2015, Daleiden arranged a series of meetings with businesses involved in the fetal tissue procurement industry via the not-for-profit group Center for Medical Progress (CMP).

Daleiden secretly recorded abortion providers – and companies involved in the fetal tissue business – detailing the nature of the business of buying and selling tissues from aborted fetuses. Daleiden’s meetings uncovered some dark truths about the practices employed by abortion clinics to obtain fetal tissue, including how termination procedures were often changed in order to obtain more intact specimens, including the use of illegal abortion procedures. The investigation showed how abortion clinics were selling fetal tissue to improve their bottom lines with profit often placed above patient welfare.

The Select Investigative Panel’s 471-page report is the culmination of a yearlong investigation into the fetal tissue procurement industry. The aim of the investigation was sixfold: to examine the medical procedures and business practices used by the industry; to investigate other relevant matters related to fetal tissue procurement; to review federal funding and support for abortion service providers; to investigate the practice of second and third trimester abortions (including partial birth abortions); to assess medical procedures used to care for a child born alive; and to determine whether there was a need for law changes and/or further regulation of the industry.

The investigation centered on the tissue procurement company StemExpress and three Californian abortion clinics: two operated by Planned Parenthood and one operated by Family Planning Specialists Medical Group.

Planned Parenthood and StemExpress Violated the HIPAA Privacy Rule

The investigation revealed that StemExpress and the Californian abortion clinics: Planned Parenthood Mar Monte (PPMM), Planned Parenthood Shasta Pacific (PPSP), and Family Planning Specialists Medical Group (FPS), routinely violated the Health Insurance Portability and Accountability Act’s Privacy Rule. The organizations’ HIPAA violations were found to be systemic and occurred over a 6-year period between 2010 and 2015.

While HIPAA Rules are in place to protect the privacy of healthcare patients and prevent unauthorized disclosures of individuals’ identifiable protected health information, the above abortion clinics were discovered to have impermissibly disclosed individuals’ PHI to facilitate the sale of human fetal tissue.

Further, some tissue procurement businesses misrepresented that the consent forms used, along with the methods employed to harvest fetal tissue, complied with federal regulations.

The Panel determined that tissue procurement businesses routinely violated the HIPAA privacy rights of women for the sole purpose of making money by selling fetal tissue, and were concerned with profit over patient welfare.

Impermissible Disclosures of PHI

The Panel determined that the fetal tissue trade “did not meet the exceptions for cadaveric organ, eye or tissue transplantation or for research,” and that the HIPAA Privacy Rule had been repeatedly violated. The abortion clinics were discovered to have allowed employees of StemExpress to enter their clinics, view patients’ PHI, interact with patients, and seek and obtain their consent to donate fetal tissues. However, consent to share PHI had not been obtained prior to sharing sensitive information with StemExpress. StemExpress was found to have violated HIPAA Rules by viewing the PHI of women without there being a medically valid reason for doing so.

No HIPAA Business Associate Agreements

The Panel also determined that the consent forms obtained by StemExpress “did not constitute sufficient authorizations for the disclosure of PHI,” and that the information disclosed to StemExpress was not “the minimum necessary information” as required by HIPAA. Abortion clinics are HIPAA-covered entities and their dealings with StemExpress made the company a HIPAA business associate, yet the clinics and StemExpress had not entered into a business associate agreement as required by HIPAA Rules.

While the clinics could have entered into a valid business associate agreement and provided PHI in accordance with HIPAA Rules, they did not, and instead impermissibly shared “the most intimate information about their patients,” and violated patients’ privacy.

The Select Investigative Panel determined that the disclosures were both deliberate and purposeful, with StemExpress employees being provided with full patient charts containing highly sensitive medical information.

While a contractual agreement between the abortion clinics and Planned Parenthood clinics existed, the agreements were not compliant with HIPAA Rules. The report says the agreements with StemExpress instructed the company to “treat the information obtained from patients’ charts in order to preserve the confidentiality of the patients,” but said this “cannot trump a law prohibiting the Planned Parenthood abortion clinics from permitting these disclosures in the first place.”

The Select Investigative Panel’s report says “The Panel’s work has revealed that this corruption extends to the method of obtaining consent from the patient, which is both deceptive and unlawful.”

Recommendations for the Department of Health and Human Services

The panel has made numerous recommendations, including a request that Planned Parenthood be stripped of all federal funding, including reimbursements for Medicaid services. Instead, those funds should be made available to healthcare providers that “provide comprehensive preventive healthcare for their patients, and that do not perform abortions,” except in the case of rape or incest or when abortions are required to prevent women from being placed in danger of death.

The potential HIPAA violations have been referred to the Department of Health and Human Services, and the Select Investigative Panel has recommended that HHS conduct “greater oversight over misleading consent forms, IRBs, HIPAA violations, and abortion provider competence to care for infants born alive during abortion procedures.”

The sale of fetal tissue by abortion clinics has been condemned by many pro-life groups. Kristan Hawkins, president of Students for Life of America (SFLA), said “It is our deepest hope that Planned Parenthood, StemExpress, their business partners, and these late-term abortionists be brought to swift justice by the immediate investigation and prosecution of the U.S. Department of Justice and various state Attorneys General to whom charges were referred.”

The Select Investigative Panel report can be downloaded on this link.

The post Fetal Tissue Firms Guilty of Systemic HIPAA Violations appeared first on HIPAA Journal.