Healthcare Data Security

Analysis of February 2018 Healthcare Data Breaches

Our February 2018 healthcare data breach report details the major data breaches reported by healthcare providers, health plans, and business associates in February 2018.

Summary of February 2018 Healthcare Data Breaches

February may have been a shorter month, but there was an increase in the number of healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights. In February, HIPAA covered entities and business associates reported 25 breaches – a 19% month on month increase in breaches.

Healthcare Data Breaches by Month

While there was a higher breach tally this month, the number of healthcare records exposed as a result of healthcare data breaches fell by more than 100,000. In January 428,643 healthcare records were exposed. February 2018 healthcare data breaches saw 308,780 healthcare records exposed.

Records exposed in Healthcare Data Breaches

Largest Healthcare Data Breaches of February 2018

The largest healthcare data breaches reported to the Office for Civil Rights in February are listed below.

| Covered Entity | Covered Entity Type | Individuals Affected | Type of Breach | Location of PHI |
|---|---|---|---|---|
| St. Peter’s Surgery & Endoscopy Center | Healthcare Provider | 134,512 | Hacking/IT Incident | Network Server |
| Tufts Associated Health Maintenance Organization, Inc. | Health Plan | 70,320 | Unauthorized Access/Disclosure | Paper/Films |
| Triple-S Advantage, Inc. | Health Plan | 36,305 | Unauthorized Access/Disclosure | Paper/Films |
| CarePlus Health Plan | Health Plan | 11,248 | Unauthorized Access/Disclosure | Paper/Films |
| Union Lake Supermarket, LLC | Healthcare Provider | 9,956 | Improper Disposal | Other Portable Electronic Device |

The top five data breaches were responsible for 85% of all exposed healthcare records in February. The largest data breach – a malware-related incident at St. Peter’s Surgery & Endoscopy Center – accounted for 43.6% of the exposed healthcare records in February.

Main Causes of February 2018 Healthcare Data Breaches

Unauthorized access/disclosures topped the list of the main causes of healthcare data breaches in February 2018 with 12 incidents and included three of the most serious breaches. Hacking incidents were a close second with 9 breaches, followed by three loss/theft incidents and one case of improper disposal of ePHI.

Causes of February 2018 Healthcare Data Breaches

Records Exposed by Breach Type

Hacking/IT incidents were the second biggest cause of healthcare data breaches in February, but the incidents resulted in the exposure/theft of the largest amount of healthcare data.

Records Exposed by Breach Type

Location of Breached Records

Overall, there were more breaches involving electronic health data than physical records, although breaches involving paper/films were the most numerous with 6 incidents. The breach reports show that while technological controls are essential to prevent hacks and unauthorized access/disclosures of electronic records, physical security is important for paper records and administrative safeguards are necessary to prevent unauthorized access. All six of the breaches involving paper/films were unauthorized access/disclosures.

Location of breached healthcare records (February 2018)

Data Breaches by Covered Entity

Healthcare providers were the worst affected by data breaches in February with 15 incidents (reported by 14 healthcare providers). There were three breaches reported by pharmacies in February. 8 data breaches were reported by 7 health plans and two security incidents were reported by business associates.

Data Breaches by Covered Entity (February 2018)

Healthcare provider breaches exposed the most health records in February. 168,732 records were exposed by healthcare providers. The mean breach size was 11,248 records and the median breach size was 1,670 records.

Health plans experienced fewer breaches, but the incidents were more severe. 133,580 records were exposed by health plans. The mean breach size was 16,698 records and the median breach size was 6,075 records. The mean and median breach size for business associate data breaches was 3,234 records.

Records exposed by covered entity (February 2018)

February 2018 Healthcare Data Breaches by State

Healthcare organizations based in 18 states reported data breaches in February 2018. Six states experienced two data breaches each – Alabama, California, Massachusetts, Mississippi, Rhode Island, and Wisconsin.

Arkansas, Connecticut, Illinois, Kentucky, Maine, Michigan, Missouri, North Carolina, New Jersey, New York, Tennessee, and Virginia each had one data breach reported.

Financial Penalties for HIPAA Covered Entities in February 2018

The Office for Civil Rights settled one HIPAA violation case in February. Filefax Inc. agreed to settle potential HIPAA violations with OCR for $100,000. The financial penalty sent a message to HIPAA-covered entities and their business associates that HIPAA responsibilities do not end when a business ceases trading. The fine relates to HIPAA violations that occurred after the business closed – the improper disposal of paperwork containing protected health information.

The post Analysis of February 2018 Healthcare Data Breaches appeared first on HIPAA Journal.

NH-ISAC Partnership with Anomali Helps Accelerate Threat Detection and Information Sharing in Healthcare

Anomali has partnered with the National Health Information Sharing and Analysis Center (NH-ISAC) and will be providing threat intelligence to healthcare organizations through NH-ISAC. Anomali will be providing NH-ISAC with the required tools and infrastructure to allow its members to collaborate and share threat intelligence with other members.

Anomali will be providing up to date threat intelligence on new and current external threats specific to the healthcare industry allowing NH-ISAC members to take proactive steps to minimize risk. Anomali’s early warning system helps healthcare organizations respond to threats quickly when suspicious activity is detected on a network.

NH-ISAC members include hospitals, health insurers, medical research institutions, pharma companies, ambulatory providers, medical device manufacturers and other healthcare stakeholders. NH-ISAC community members help each other use physical and cyber threat intelligence to inform security decisions and mitigate threats.

The new collaboration between NH-ISAC and Anomali will help empower the healthcare community to identify and respond to cyber threats. Anomali provides actionable threat intelligence that can be consumed by healthcare organizations and used to complement internal security threat monitoring programs.

The Anomali platform automates collection, normalization, and integration of threat intelligence from a wide range of different sources. The platform allows seamless collaboration with peers in other organizations through Anomali Trusted Circles and gives healthcare organizations complete visibility into attacks that threaten the confidentiality of protected health information and the security of the networks on which the information is stored. A threat detection by one member helps other organizations take preventative steps to block attacks before they occur.

“Sharing threat intelligence among member firms is one of the most essential services of any ISAC. The NH-ISAC Board is pleased with the opportunity to work with the Threatstream platform to enhance threat intelligence sharing for the healthcare sector,” said Jim Routh, NH-ISAC board member.

The post NH-ISAC Partnership with Anomali Helps Accelerate Threat Detection and Information Sharing in Healthcare appeared first on HIPAA Journal.

OIG FISMA Compliance Review of HHS Shows Improvements Made but Vulnerabilities Remain

The Department of Health and Human Services’ Office of Inspector General has published the findings of its 2017 fiscal review of HHS compliance with the Federal Information Security Modernization Act of 2014.

The FISMA compliance review revealed that HHS is continuing to make improvements to its information security program, although OIG identified several areas of weakness. The findings from the latest FISMA compliance review highlighted vulnerabilities and weaknesses similar to those found in the review conducted for fiscal 2016.

HHS is developing a department-wide Continuous Diagnostics and Mitigation (CDM) program that will allow it to monitor its networks, information systems, and personnel activity, and its information security programs have been strengthened since the review was last conducted. However, OIG identified several areas where improvements could be made. Weaknesses and vulnerabilities were found in HHS risk management, identity and access management, configuration management, security training, incident response, contingency planning, and information security continuous monitoring.

There were several areas of concern in configuration management. At all four of the operational divisions (OPDIVs) there were instances of noncompliance with configuration management policies and procedures. OIG identified failures to ensure all software was up to date and patches were applied promptly and vulnerability scans using Security Content Automation Protocol (SCAP) tools were missed. OIG also found some operating systems in use that were not supported by the vendors. At some OPDIVs, configuration management personnel were not tracking the approvals, testing results, and migration dates within change management tracking tools.

Weaknesses were found in the detect function, the purpose of which is to develop and implement appropriate activities to identify the occurrence of cybersecurity events.

Training issues were identified with some OPDIVs having failed to train all staff, including new recruits. While the number of employees that had not been sufficiently trained was low, those individuals pose a considerable risk to the security of HHS systems and network. Two OPDIVs were not effectively tracking the security training status of personnel and contractors.

Risk management issues were identified at some of the operating divisions, with risk management policies and procedures not yet finalized. OIG also reports that some OPDIVs could not provide a list of all devices and software used on the network, and neither were they able to provide details of unauthorized software used on the network.

Issues with identity and access management included account management procedures not always being followed, including the monitoring and maintenance of shared accounts. There were failures to remove inactive accounts and enforce resets of active account passwords, and to disable accounts in a timely manner when employees were transferred or terminated.
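The account-management failures listed above are the kind of thing a periodic directory audit can catch. The following is an added example, not code from the OIG report or from HHS: it runs over a constructed directory export and flags enabled accounts that are inactive, have overdue password resets, remain enabled past an employee's termination date, or are shared with no designated owner. The 90-day inactivity and password-age thresholds and the one-day termination grace period are assumptions chosen for the example, not figures from the report.

```python
"""Account lifecycle audit over a constructed directory export.

Added example, not code from the OIG report or HHS. Flags the account-management
failures the review describes: inactive accounts left enabled, active accounts
whose passwords have not been reset, accounts still enabled after an employee's
termination date, and shared accounts with no designated owner. The thresholds
below are assumptions chosen for the example, not figures from the report.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

INACTIVITY_DAYS = 90          # assumed: no logon in 90 days counts as inactive
MAX_PASSWORD_AGE_DAYS = 90    # assumed: passwords older than this need a reset
TERMINATION_GRACE_DAYS = 1    # assumed: account must be disabled within a day


@dataclass
class Account:
    name: str
    enabled: bool
    last_logon: Optional[date]
    password_set: Optional[date]
    terminated_on: Optional[date] = None   # from the HR feed, if any
    shared: bool = False
    owner: Optional[str] = None            # required for shared accounts


def audit_account(acct: Account, today: date) -> List[str]:
    """Return the findings for one account; an empty list means it is clean."""
    findings: List[str] = []
    if not acct.enabled:
        return findings  # already disabled: nothing to flag
    if acct.terminated_on is not None and \
            today - acct.terminated_on > timedelta(days=TERMINATION_GRACE_DAYS):
        findings.append("enabled after termination")
    if acct.last_logon is None or today - acct.last_logon > timedelta(days=INACTIVITY_DAYS):
        findings.append("inactive")
    if acct.password_set is None or \
            today - acct.password_set > timedelta(days=MAX_PASSWORD_AGE_DAYS):
        findings.append("password reset overdue")
    if acct.shared and not acct.owner:
        findings.append("shared account without owner")
    return findings


def audit(accounts: List[Account], today: date) -> Dict[str, List[str]]:
    """Map account name -> findings, omitting accounts with none."""
    report: Dict[str, List[str]] = {}
    for acct in accounts:
        findings = audit_account(acct, today)
        if findings:
            report[acct.name] = findings
    return report


# Constructed sample export; names and dates are invented for the example.
AUDIT_DATE = date(2018, 3, 1)
SAMPLE_ACCOUNTS = [
    Account("jdoe", True, date(2018, 2, 27), date(2018, 1, 15)),
    Account("asmith", True, date(2017, 10, 1), date(2017, 11, 1)),
    Account("rjones", True, date(2018, 2, 9), date(2018, 1, 20),
            terminated_on=date(2018, 2, 10)),
    Account("svc-backup", True, date(2018, 2, 28), date(2018, 2, 1), shared=True),
    Account("bold", False, date(2016, 5, 1), date(2016, 5, 1)),
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_ACCOUNTS, AUDIT_DATE).items():
        print(f"{name}: {', '.join(findings)}")
```

In practice the `Account` records would be built from a directory export joined to the HR system's termination feed; the point of the join is that the "enabled after termination" check cannot be made from the directory alone.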

The flaws and weaknesses identified in the report are common across the entire healthcare industry. The HHS’ Office for Civil Rights has fined HIPAA covered entities for similar flaws to those identified by OIG.

OIG has made several recommendations to HHS to improve security, processes, and procedures to further reduce risk and ensure compliance with FISMA. HHS concurred with all of OIG’s recommendations and will work on implementing further controls and updating its policies and procedures accordingly.

The post OIG FISMA Compliance Review of HHS Shows Improvements Made but Vulnerabilities Remain appeared first on HIPAA Journal.

Survey Reveals 62% of Healthcare Organizations Have Experienced a Data Breach in the Past Year

A recent Ponemon Institute survey has revealed 62% of healthcare organizations have experienced a data breach in the past 12 months. More than half of those organizations experienced data loss as a result.

The Merlin International-sponsored survey was conducted on 627 healthcare industry leaders from hospitals and payer organizations. 67% of respondents worked in hospitals with 100-500 beds and an estimated 10,000 to 100,000 networked devices.

Last year more than 5 million healthcare records were exposed or stolen, and the healthcare industry was the second most targeted industry behind the business sector. 2017 was the fourth consecutive year in which the healthcare industry ranked second for data breaches, and there are no signs that cyberattacks are likely to reduce over the coming year.

Even though there is a high probability of experiencing a cyberattack, 51% of surveyed organizations have yet to implement an incident response program. This lack of preparedness can hamper recovery if a cyberattack is experienced. As the Cost of a Data Breach Study by the Ponemon Institute showed, a fast response to a data breach can limit the harm caused to breach victims and reduce the cost of mitigating such an attack. Respondents reported that the cost of mitigating an attack and dealing with the fallout from a network compromise was approximately $4 million.

When asked about the biggest threats to their organization and the types of attack that caused the most concern there was little to choose between internal and external threats, which were rated as a top concern by 64% and 63% of respondents respectively. The main perceived targets for hackers were electronic medical records (77%), patient billing information (56%), login credentials (54%), other authentication credentials (49%), and research information (45%).

The methods used to gain access to networks and data were highly varied. The main method of attack was the exploitation of software and operating system vulnerabilities and the use of malware. 71% of respondents said vulnerabilities were exploited while 69% said attacks involved the use of malware. 37% of organizations had experienced ransomware attacks.

The security of medical devices is a major concern, especially since they are a blind spot in many organizations. 65% of respondents said medical devices were not included in their overall cybersecurity strategy or they didn’t know if they were. 31% of respondents said they did not have any plans to include medical devices in their cybersecurity strategies in the near future.

The HHS’ Office for Civil Rights has raised awareness of the need to provide ongoing security awareness training to staff and companies such as Cofense have published data to show how security awareness training and phishing simulations can greatly reduce susceptibility to phishing attacks. However, many healthcare organizations are not heeding that advice and are not providing training regularly. Many healthcare organizations are still only providing security awareness training to employees annually. It is therefore unsurprising that 52% of respondents said a lack of employee security awareness was hampering their ability to improve their security posture.

74% believed the biggest obstacle preventing them from improving security was staffing issues, and 60% said they do not have staff with the right cybersecurity qualifications in-house. 51% of respondents said they have not yet appointed a Chief Information Security Officer (CISO).

The post Survey Reveals 62% of Healthcare Organizations Have Experienced a Data Breach in the Past Year appeared first on HIPAA Journal.

Is it a HIPAA Violation to Email Patient Names?

We have been asked whether it is a HIPAA violation to email patient names and other protected health information. In answer to this and similar questions, we will clarify how HIPAA relates to email and explain some of the precautions HIPAA covered entities and healthcare employees should take to ensure compliance when using email to send electronic protected health information.

Is it a HIPAA Violation to Email Patient Names?

Patient names (first and last name or last name and initial) are one of the 18 identifiers classed as protected health information (PHI) in the HIPAA Privacy Rule.

HIPAA does not prohibit the electronic transmission of PHI. Electronic communications, including email, are permitted, although HIPAA-covered entities must apply reasonable safeguards when transmitting ePHI to ensure the confidentiality and integrity of data.

It is not a HIPAA violation to email patient names per se, although patient names and other PHI should not be included in the subject lines of emails as the information could easily be viewed by unauthorized individuals. Even when messages are protected with encryption in transit, message headers – which include the subject line and to and from fields – are often not encrypted and could potentially be intercepted and viewed.

Patient names and other PHI should only be sent to individuals authorized to receive that information, so care must be taken to ensure the email is addressed correctly. Sending an email containing PHI to an incorrect recipient would be an unauthorized disclosure and a violation of HIPAA.

Must all Emails Containing PHI be Encrypted?

HIPAA does not require the use of encryption. Encryption is only an addressable standard. However, if, following a risk assessment, the decision is taken not to use encryption, an alternative and equivalent security measure must be used in its place.

In the case of internal emails, it would not be necessary for messages containing ePHI to be encrypted provided the messages are only sent via an internal email system and do not leave the protection of a firewall. Access controls would also need to be in place to prevent messages from being opened by individuals not authorized to receive the information.

If emails containing PHI are sent outside the protection of an internal network there is considerable potential for PHI to be viewed by unauthorized individuals. This is not a problem when emailing patients, provided consent to use email to send PHI has been obtained from the patient in advance. The patient must have been made aware of the risks of sending PHI via unencrypted email and must have given authorization to use such a potentially insecure method of communication.

Emailing ePHI to all other individuals using unencrypted email is a risky strategy. While HIPAA encryption requirements are somewhat vague, in the event of a HIPAA audit or data breach investigation, it would be hard to argue that ePHI sent via unencrypted mail was reasonably protected, especially when there are many secure methods of data sharing available – Dropbox, Google Drive, Box etc.
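The precautions in this post (no PHI in the subject line, correct and authorized recipients, encryption for anything leaving the internal system unless the patient has consented to plain email) can be enforced as a pre-send check. The following is an added example and not HIPAA Journal's code: it parses an RFC 5322 message and applies those rules to a message already known to carry PHI. `INTERNAL_DOMAIN`, `PATIENT_ROSTER` and `EMAIL_CONSENT` are constructed sample data, and the `encrypted` flag is an assumption standing in for whatever secure-messaging gateway an organization actually uses.

```python
"""Pre-send checks for an email that will carry protected health information.

Added example following the precautions in the post; not HIPAA Journal's code.
Applies three rules to a message already known to contain PHI: no patient name
in the Subject header (headers may travel unencrypted), every recipient must be
internal or a patient who has consented to email, and any other recipient must
be reached through an encrypted channel. The domain, roster and consent set are
constructed sample data; `encrypted` stands in for the real secure gateway.
"""
import re
from email import message_from_string
from email.message import Message
from email.utils import getaddresses
from typing import Iterable, List

INTERNAL_DOMAIN = "clinic.example"                  # assumed internal mail domain
PATIENT_ROSTER = {"Jane Doe", "Omar Haddad"}        # constructed patient names
EMAIL_CONSENT = {"jane.doe@mail.example"}           # patients who authorized email


def recipients(msg: Message) -> List[str]:
    """All To/Cc/Bcc addresses in the message, lower-cased."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    return [addr.lower() for _, addr in getaddresses(headers) if addr]


def subject_contains_patient_name(subject: str, roster: Iterable[str]) -> bool:
    """A last name alone is already an identifier, so match whole-word last names."""
    for full_name in roster:
        last = full_name.split()[-1]
        if re.search(rf"\b{re.escape(last)}\b", subject, re.IGNORECASE):
            return True
    return False


def check_outbound(raw_message: str, encrypted: bool = False) -> List[str]:
    """Return policy problems for a PHI-bearing message; an empty list means OK to send."""
    msg = message_from_string(raw_message)
    problems: List[str] = []
    if subject_contains_patient_name(msg.get("Subject", ""), PATIENT_ROSTER):
        problems.append("subject line contains patient name")
    for addr in recipients(msg):
        domain = addr.rsplit("@", 1)[-1]
        if domain == INTERNAL_DOMAIN:
            continue  # stays within the organization's own mail system
        if addr in EMAIL_CONSENT:
            continue  # patient was told the risks and authorized email
        if encrypted:
            continue  # external, but delivered through the secure gateway
        problems.append(f"unencrypted PHI to external recipient {addr}")
    return problems


# Constructed sample messages; addresses and names are invented.
MSG_BAD_SUBJECT = """From: dr.lee@clinic.example
To: nurse.kim@clinic.example
Subject: Lab results for Doe, Jane

Results attached.
"""

MSG_TO_PATIENT = """From: dr.lee@clinic.example
To: jane.doe@mail.example
Subject: Your appointment

Your results are ready; please call the office.
"""

MSG_EXTERNAL = """From: dr.lee@clinic.example
To: referrals@otherclinic.example
Subject: Referral

Patient history attached.
"""

if __name__ == "__main__":
    for label, raw in [("bad subject", MSG_BAD_SUBJECT),
                       ("to patient", MSG_TO_PATIENT),
                       ("external", MSG_EXTERNAL)]:
        print(label, "->", check_outbound(raw) or "ok")
```

The name match is deliberately on whole words only, so a subject such as "Does this need review" does not trip on the last name "Doe"; in a real deployment the roster lookup would be backed by the patient index rather than a hard-coded set.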

The post Is it a HIPAA Violation to Email Patient Names? appeared first on HIPAA Journal.

2018 HIPAA Changes and Enforcement Outlook

Are there likely to be major 2018 HIPAA changes? What does this year have in store in terms of new HIPAA regulations? OCR Director Roger Severino has hinted there could be some 2018 HIPAA changes and that HIPAA enforcement in 2018 is unlikely to slow down.

Are Major 2018 HIPAA Changes Likely?

The Trump administration has made it clear that there should be a decrease rather than an increase in regulation in the United States. In January 2017, Trump signed an executive order calling for a reduction in regulation, which was seen to be hampering America’s economic growth. At the time Trump said, “If there’s a new regulation, they have to knock out two. But it goes far beyond that, we’re cutting regulations massively for small business and for large business.”

While Trump was not specifically referring to healthcare, it is clear we are currently in a period of deregulation. Trump’s words were recently echoed by Severino at the HIMSS conference, who confirmed that HHS understands deregulation in some areas is required before further regulations can be introduced.

Therefore, there are unlikely to be major 2018 HIPAA changes, at least not in terms of increased regulation. What is more likely is an easing of the administrative burden on healthcare organizations in 2018.

OCR is currently reviewing existing HIPAA regulations to determine whether all aspects of HIPAA Rules are still relevant and if there are any areas where the administrative burden on healthcare organizations can be eased. OCR is looking at the benefit of various provisions of HIPAA and whether those benefits outweigh the costs.

The HHS has said its goals are “reducing the burden of compliance” and “streamlining its regulations,” while promoting “meaningful information sharing”.

2018 HIPAA changes could make life simpler for many healthcare organizations as the HHS attempts to minimize duplication and burdensome requirements and eliminate outdated restrictions and obsolete regulations.

HIPAA Enforcement in 2018

In 2016 there was a significant increase in HIPAA enforcement activities by OCR, with more settlements reached with covered entities and business associates than in any other year since the HIPAA Enforcement Rule was signed into law. In 2016 there were 12 settlements and one civil monetary penalty issued, and 2017 HIPAA settlements were well above average levels, with 9 settlements and one civil monetary penalty. So, what can we expect for HIPAA enforcement in 2018?

At HIMSS 2018, Roger Severino gave a presentation on HIPAA compliance, enforcement, and policy updates from the Office for Civil Rights and made it clear OCR will continue to pursue settlements with HIPAA covered entities for egregious violations of HIPAA Rules. Severino said OCR still has the same enforcement mindset and that there will be “no slowdown in our enforcement efforts,” and “we’re still looking for big, juicy, egregious cases.” That does not necessarily mean large healthcare organizations. OCR treats potential HIPAA violations on a case by case basis, and smaller healthcare organizations may similarly be punished if they are discovered to have violated HIPAA Rules.

Severino said OCR does not want to fine healthcare organizations for violating HIPAA Rules and would like to see the number of settlements fall, but for that to happen, healthcare organizations must improve their compliance programs. HIPAA enforcement in 2018 is likely to continue to see financial penalties issued for common HIPAA violations such as the failure to conduct regular risk assessments. 2018 has already seen two settlements announced: a $100,000 penalty for Filefax, Inc., and a $3,500,000 settlement with Fresenius Medical Care North America. Time will tell whether this was a blip or whether that pace will be maintained throughout the year.

OCR is not the only enforcer of HIPAA Rules. State attorneys general can also issue fines for HIPAA violations, and the New York AG has been active in this area in recent weeks, fining EmblemHealth $575,000 in March and Aetna $1,150,000 in January. Further financial settlements are likely to be pursued in NY and other states to resolve HIPAA violations and privacy and security-related breaches of state laws.

The post 2018 HIPAA Changes and Enforcement Outlook appeared first on HIPAA Journal.

HIMSS Survey Reveals Top Healthcare Security Threats

HIMSS has published the results of its annual healthcare cybersecurity survey, which provides insights into the state of cybersecurity in healthcare and identified the top healthcare security threats.

The HIMSS 2018 cybersecurity survey was conducted on 239 respondents from the healthcare industry between December 2017 and January 2018. The results of the survey were announced at the HIMSS 2018 Conference & Exhibition in Las Vegas.

36.8% of respondents had positions in executive management and 37.2% were employed in non-executive management positions. The remaining 25.9% were in non-management positions such as cybersecurity specialists and analysts. 41.2% of respondents were primarily responsible for cybersecurity, 32.6% had some responsibility, and 11.8% sometimes had responsibility for cybersecurity.

Most Healthcare Organizations Have Experienced a Significant Security Incident in the Past 12 Months

The threat of healthcare cyberattacks is greater than ever and the past 12 months has been a torrid year. In the past 12 months, 75.7% of respondents said they had experienced a recent significant security incident. 96% of those respondents were able to characterize the threat actor responsible, with the top three being online scam artists such as phishers (37.6%), negligent insiders (20.8%), and hackers (20.1%).

61.4% of respondents said email was the main initial point of compromise. In second place was ‘other’, which included compromised customer networks, web application attacks, guessed passwords, misconfigured software/cloud services, and human error. In joint third, each with 3.2% of responses, were a compromised organizational website and hardware/software pre-loaded with malware. 11.6% said they did not know how the attackers gained access to their networks/data.

In the majority of cases (68.2%), incidents were discovered internally (40.7% by security teams / 27.5% by non-security personnel). 67.7% of breaches were detected within 7 days, with 47.1% detected within 24 hours.

Healthcare Cybersecurity Is Improving

The past 12 months have seen an increase in healthcare security incidents, although the severity of data breaches has reduced year over year. This indicates cybersecurity in healthcare is improving, which was backed up by the HIMSS survey results.

84.3% of respondents said more resources are now being used to address cybersecurity, with only 3.3% saying resources have decreased year over year. 60% of respondents said their organization now employs a senior information security leader.

55.8% of respondents said a dedicated or defined amount of the current budget is allocated for cybersecurity. 26.5% of respondents said there was no specific carve out for cybersecurity but money was being spent as needed or could be requested. Only 2.8% said no money is spent on cybersecurity.

HIPAA requires healthcare organizations to conduct regular risk assessments to identify potential threats to the confidentiality, integrity, and availability of protected health information. The survey revealed healthcare organizations are being proactive and are conducting risk assessments and using the results to direct their cybersecurity efforts.

45.5% said they are performing security risk assessments annually, 5.6% were conducting risk assessments every 6 months, 9% performed risk assessments once a month, and 9.6% said they performed risk assessments daily. Alarmingly, 5.1% said they do not perform risk assessments and 4.5% conducted risk assessments less frequently than once a year.

Actions Directed by Risk Assessments (Source: HIMSS)

Plenty of Room for Improvement

While cybersecurity is improving, there are still multiple areas where improvements can and should be made and too little is being done to deal with the main healthcare security threats. The recent HIPAA compliance audits and penalties for HIPAA violations have prompted many healthcare organizations to concentrate on HIPAA compliance, which has been a greater priority than security.

HIMSS says compared to other industry sectors, healthcare cybersecurity programs lack maturity and that typically cybersecurity programs have only been running for five or fewer years. HIMSS suggests that even with the healthcare industry being heavily targeted by cybercriminals, “many cybersecurity professionals are still getting used to the idea that there are bad actors out there that are directly or indirectly targeting healthcare organizations.”

The main barriers to remediating and mitigating cyberattacks were a lack of appropriate personnel (52.4%) and a lack of financial resources (46.6%). Other barriers were too many application vulnerabilities (28.6%), too many endpoints (27.5%), too many new and emerging threats (27%), not enough cybersecurity intelligence (23.3%), and a network infrastructure that was too complex to secure (20.6%).

13.3% said they had no cybersecurity staff and 43.2% said their ratio of cybersecurity staff to IT users was greater than 1:500.

The majority of organizations are spending 6% or less of their IT budgets on cybersecurity, 16.9% of organizations had not adopted a cybersecurity framework, and 37.1% of organizations only conducted penetration tests annually. Even though the threat from within is significant, 24.2% of healthcare organizations did not have an insider threat management program and 27% said they had such a program but it was informal.

Phishing and email attacks are major concerns and are behind the majority of healthcare security breaches, and OCR has made it clear that phishing and security awareness training should be an ongoing process, yet 51.8% of healthcare organizations are still only conducting security awareness training annually. Only 32.9% said they test their employees’ phishing awareness with phishing simulations.

Top Healthcare Security Threats

There are many healthcare security threats, although some are perceived to pose more of a threat than others. There was little to choose between the three main threats to network and data security. Data breaches and data leakage were ranked as top healthcare security threats by 11.8% of respondents; ransomware was in second place, rated as a top cybersecurity threat by 11.3% of respondents; and credential-stealing malware was in third place on 11%. Malicious insiders were seen as a major threat by 10.1% of respondents, and wiper malware was rated as a serious threat by 10% of respondents.

When asked about future cybersecurity priorities the top areas were incident response (11.9%), risk assessment and management (11.9%), business continuity and disaster recovery (11.8%), awareness training programs (11.6%), cloud security (11.2%), website security (10.8%), physical security (10.7%), and information sharing (10.4%).

The full results of the HIMSS 2018 Cybersecurity survey can be viewed here.

The post HIMSS Survey Reveals Top Healthcare Security Threats appeared first on HIPAA Journal.

Why is HIPAA Important to Patients?

Most Americans have heard of HIPAA and know that the legislation applies to healthcare organizations, but may not understand why HIPAA is important to patients.

The Health Insurance Portability and Accountability Act

The Health Insurance Portability and Accountability Act of 1996 – or HIPAA – is a federal law that applies to healthcare providers, health plans, and healthcare clearinghouses that conduct transactions electronically. HIPAA also applies to vendors – business associates – that perform functions on behalf of HIPAA-covered entities that require them to have access to protected health information (PHI) or to be provided with copies of PHI. (See What is Protected Health Information).

HIPAA was signed into law by Bill Clinton in 1996, although the legislation has had some significant updates over the years, notably the HIPAA Privacy Rule in 2000, the Security Rule in 2003, and the Breach Notification Rule in 2009. (See our HIPAA History page for more information)

Initially HIPAA was intended to improve the health insurance system and simplify the administration of healthcare, but it has since been expanded considerably. Now HIPAA covers patient privacy, uses and disclosures of health data, and data security.

HIPAA was primarily penned to benefit consumers rather than healthcare organizations, yet the legislation itself is long, complicated and is not well understood by many patients and health plan members. This post greatly simplifies HIPAA and explains why HIPAA is important to patients.

Why is HIPAA Important to Patients?

There are four key aspects of HIPAA that make it important for patients: Privacy of health information, security of health data, notification of breaches of medical records, and the right to obtain copies of healthcare data.

Privacy of Health Data

The HIPAA Privacy Rule restricts who is able to view healthcare data and with whom it can be shared without first obtaining permission from patients. Generally speaking, access to health data is restricted to healthcare employees who need to view health and personal information in order to provide healthcare services and perform administrative duties.

Healthcare organizations can share PHI without patient authorization with business associates that perform services on behalf of a covered entity that require access to PHI: transcription service providers, payment processors, or mailing vendors, for example. In such cases the business associate must sign a business associate agreement committing it to keep the data secure, and the same rules on access to and disclosure of PHI to other individuals or companies apply to it. Any PHI provided must be limited to the minimum necessary to perform the specific services the business associate is contracted to perform.

Permission must be obtained from patients before their PHI can be shared with companies for other reasons, including research and marketing.

The Privacy Rule also allows patients to designate which individuals are permitted to obtain their health data on behalf of patients – friends, family, or caregivers for instance.

Security of Health Data

HIPAA requires healthcare organizations to implement safeguards to ensure that any health data they create, store, maintain, or transmit is kept secure at all times. Those safeguards fall into three categories: administrative measures such as risk analysis and written policies; physical security for paper records and for the electronic devices that store health data; and technical controls such as access controls, encryption, anti-virus software, and firewalls. Healthcare employees must also be trained to recognize threats such as phishing emails and other email- and web-based attacks. These measures reduce the risk that hackers and other cybercriminals will gain access to patients’ and plan members’ health information, but no set of controls eliminates that risk entirely.

Notification of Data Breaches

While HIPAA protects patient privacy by restricting who can access health data and requires healthcare organizations to implement security controls to keep PHI secure, privacy and security breaches can still occur.

HIPAA requires healthcare organizations and their business associates to notify patients when their unsecured health data is compromised or stolen. This allows breach victims to take action to protect their identities and reduce the risk of becoming a victim of fraud. Notifications must be issued without unreasonable delay and no later than 60 days after a breach is discovered.

Copies of Medical Records

HIPAA gives patients the right to obtain copies of the health information created or held by healthcare organizations. By obtaining copies of health data, patients can take a much more active role in their own healthcare. While in theory one healthcare provider should be able to send health data to another provider treating the same patient, in practice records are not always transferred in full.

By obtaining copies of health information, patients can easily share that information with any healthcare organization, including research organizations, to help in studies that benefit the population as a whole.

One other important reason for obtaining copies of health data is to check health records for errors. If a mistake is made when recording health data, it could affect decisions about the best treatment for the patient. It is therefore important for patients to check their medical records for errors and to have any mistakes corrected.

Not all Healthcare Organizations Are Covered by HIPAA Rules

While the above rights and protections apply to most healthcare providers and health insurers, they do not apply to ALL healthcare organizations, even if those organizations appear to provide similar services to HIPAA covered entities and collect the same types of data.

HIPAA does not apply to health app developers, for instance, unless a HIPAA-covered entity contracts them to develop apps or to provide apps to patients. HIPAA also does not apply to life insurance companies, workers’ compensation schemes, employers, schools, many state agencies, law enforcement agencies, the media, and many municipal offices.

Consequently, the protections of HIPAA and the rights afforded by the legislation do not apply to those organizations.

The post Why is HIPAA Important to Patients? appeared first on HIPAA Journal.

Alabama Data Breach Notification Act Passed by State Senate

The Alabama Data Breach Notification Act (Senate Bill 318) has advanced for consideration by the House of Representatives after being unanimously passed by the Alabama Senate last week.

Alabama is one of only two states yet to enact legislation requiring companies to notify individuals whose personal information is exposed in a data breach. The other state – South Dakota – is also considering similar legislation to protect its residents.

The Alabama Data Breach Notification Act, proposed by Sen. Arthur Orr (R-Decatur), requires companies doing business in the state of Alabama to notify state residents when their sensitive personally identifying information has been exposed and the exposure is reasonably likely to cause breach victims substantial harm.

Entities that would be required to comply with the Alabama Data Breach Notification Act are persons, sole proprietorships, partnerships, government entities, corporations, non-profits, trusts, estates, cooperative associations, and other business entities that acquire or use sensitive personally identifying information.

Sensitive personally identifying information is defined as a first name or first initial and last name combined with any of the following data elements, provided the element is not truncated, encrypted, or hashed:

  • Social Security number
  • Tax ID number
  • Driver’s license number
  • State identification card number
  • Military identification number
  • Passport number
  • Other unique government identification number
  • Medical information, such as health history, treatment, diagnosis, or mental or physical condition
  • Health insurance number or unique identifiers used by health insurers for identification of an individual
  • Financial account number (bank account, credit card, or debit card) combined with an expiry date, security code, PIN, password, or other information that would allow a financial transaction to be conducted
  • Username or email address along with a password or security question answer that would allow an account to be accessed

The Alabama Data Breach Notification Act also calls for entities holding the above information to implement and maintain reasonable security measures to protect sensitive personally identifying information. A risk analysis must be conducted to identify potential security risks, and safeguards would need to be adopted to reduce those risks to a reasonable level. The measures should be appropriate to the sensitivity of the data, the amount of data held, the size of the organization, and the cost of the safeguards relative to the company’s resources.

If the Alabama Data Breach Notification Act is passed, state residents would have to be notified of a data breach within 45 days of its discovery. Companies that fail to issue notifications on time could be fined up to $5,000 per day of delay, up to a maximum of $500,000 per breach. The attorney general’s office could file suit on behalf of breach victims, but the bill creates no private right of action.

Breach notices would be required to include the date or estimated date of the breach, a description of the information exposed, the steps breach victims can take to protect themselves against harm, the steps the breached entity has taken to restore the security and confidentiality of the data, and contact information for further details about the breach. A notice would also need to be submitted to the state attorney general’s office if the breach affects more than 1,000 individuals.

In contrast to data breach notification laws in some US states that exempt HIPAA covered entities that are in compliance with HIPAA laws, the Alabama Data Breach Notification Act would apply to HIPAA covered entities.

The current maximum time frame for HIPAA covered entities to notify breach victims is 60 days from the date of discovery of a breach. For Alabama residents at least, that time frame would be reduced by 15 days.

The post Alabama Data Breach Notification Act Passed by State Senate appeared first on HIPAA Journal.