HIPAA Breach News

Slew of HIPAA Violations Leads to $2.15 Million Civil Monetary Penalty for Jackson Health System

The Department of Health and Human Services’ Office for Civil Rights has imposed a $2.15 million civil monetary penalty against the Miami, FL-based nonprofit academic medical system, Jackson Health System (JHS), for a slew of violations of HIPAA Privacy Rule, Security Rule, and Breach Notification Rule.

In July 2015, OCR became aware of several media reports in which the PHI of a patient was impermissibly disclosed. The individual was a well-known NFL football player. Photographs of an operating room display board and schedule had also been shared on social media by a reporter. OCR launched an investigation in October 2015 and opened a compliance review in relation to the impermissible disclosure.

JHS investigated and submitted a report confirming a photograph had been taken in which two patients' PHI was visible, including the PHI of a well-known person in the community. The internal investigation revealed an employee had been accessing patient information without authorization since 2011. During that time, the employee had accessed the records of 24,188 patients without any legitimate work reason for doing so and had been selling that information.

HIPAA requires covered entities to implement policies and procedures to prevent, contain, and correct security violations – 45 C.F.R. § 164.308(a)(1) – however, before risks can be managed and reduced to a reasonable and acceptable level, a covered entity must conduct a comprehensive risk analysis – 45 C.F.R. § 164.308(a)(1)(ii)(A) – to ensure that all risks to the confidentiality, integrity, and availability of PHI are identified.

On several occasions, OCR requested documentation on risk analyses at JHS. JHS supplied documentation on internal assessments from 2009, 2012, and 2013, and risk analyses conducted by third parties in 2014, 2015, 2016, and 2017.

OCR discovered that prior to 2017, JHS had erroneously marked several aspects of the HIPAA Security Rule as not applicable in its risk analyses. The 2014 risk analysis failed to cover all ePHI and did not identify all risks to ePHI contained within JHS systems. JHS had also failed to provide documentation confirming that measures had been implemented to reduce all risks to ePHI to a reasonable and appropriate level, even though recommendations had been made by the company that performed the 2014 risk analysis.

Similar risk analysis failures occurred in 2015. Some sections of the risk analysis conducted by a third party had not been completed, the risk analysis failed to cover all ePHI, and documentation could not be supplied confirming risk management efforts had taken place. It was a similar story in 2016, and the 2017 risk analysis was not comprehensive.

OCR investigators also discovered that reviews of information system activity, such as audit logs, had not been conducted regularly, in violation of 45 C.F.R. § 164.308(a)(1)(ii)(D).

OCR also determined that between July 22, 2013 and January 27, 2016, policies and procedures had not been implemented to prevent, detect, contain, and correct security violations. The HIPAA Privacy Rule had also been violated, as reasonable efforts were not made to limit certain employees’ access to PHI, which had led to unauthorized access and impermissible disclosures. Access to PHI was also not limited to the minimum necessary information, in violation of 45 C.F.R. §164.308(a)(4) and 45 C.F.R. § 164.514(d).

On multiple occasions employees had accessed records without authorization when there was no treatment relationship with a patient, and also after a treatment relationship had come to an end.

JHS had also violated the HIPAA Breach Notification Rule by failing to report a breach within 60 days of discovery in violation of 45 C.F.R. § 164.408(b). The loss of boxes of files in 2013 was not reported for 160 days. JHS also admitted that it did not have policies in place covering PHI breaches prior to October 2013.

OCR attempted to resolve the HIPAA violations via informal means, but JHS failed to comply, which led to OCR issuing a Notice of Proposed Determination. JHS waived its right to a hearing and OCR issued a Notice of Final Determination, which was not contested and JHS paid the full financial penalty of $2,154,000.

“OCR’s investigation revealed a HIPAA compliance program that had been in disarray for a number of years,” explained OCR Director Roger Severino. “This hospital system’s compliance program failed to detect and stop an employee who stole and sold thousands of patient records; lost patient files without notifying OCR as required by law; and failed to properly secure PHI that was leaked to the media.”

This is the second financial penalty for a HIPAA covered entity to be announced this month and the fifth penalty to be issued in 2019. Earlier this month, Elite Dental Associates settled its HIPAA case with OCR for $10,000 following disclosures of patients’ PHI on the Yelp review site.

Settlements were also agreed with Bayfront Health St Petersburg ($85,000), Medical Informatics Engineering ($100,000), and Touchstone Medical Imaging ($3,000,000) earlier in the year.

The post Slew of HIPAA Violations Leads to $2.15 Million Civil Monetary Penalty for Jackson Health System appeared first on HIPAA Journal.

129,000 Patients Notified of Kalispell Regional Healthcare Phishing Attack

Kalispell Regional Healthcare in Montana is in the process of notifying approximately 129,000 patients that some of their protected health information (PHI) was potentially compromised in a security breach over the summer.

Kalispell Regional Healthcare operates Kalispell Regional Medical Center, a 138-bed hospital in Kalispell, MT. The breach has affected most of its patients.

The breach affected Kalispell Regional’s email system and was the result of multiple employees being fooled by a “highly sophisticated” phishing scam. Employees responding to the phishing email inadvertently disclosed their login credentials to the attacker who used the credentials to remotely access their email accounts. Kalispell Regional learned of the breach on August 28.

Upon discovery of the breach, all affected email accounts were disabled to prevent further unauthorized access, the security breach was reported to law enforcement, and an internal investigation was launched to determine the extent of the breach. The investigation revealed the email accounts were first breached on May 24, 2019 and that the compromised accounts contained messages and email attachments that included patients’ PHI.

The types of data exposed varied from patient to patient and may have included names, addresses, email addresses, telephone numbers, dates of service, treatment information, health insurance information, treating and referring physicians’ names, and medical bill account numbers. 250 or fewer patients also had their Social Security number exposed.

Unauthorized PHI access was possible, but no evidence has been uncovered to suggest any patient information has been misused; however, out of an abundance of caution, affected individuals have been offered complimentary membership to credit monitoring and identity theft protection services with Kroll for 12 months, regardless of the types of information that were exposed.

It took several weeks to discover which patients had been affected and the types of information that had been exposed, hence the delay in issuing breach notification letters. The breach investigation concluded last week.

Kalispell Regional had implemented a range of cybersecurity measures prior to the breach and uses a third-party firm to conduct annual threat assessments to proactively identify vulnerabilities and improve its security posture. Those measures were insufficient to block the phishing attack in this instance. Kalispell Regional will continue to review its security measures and enhancements will be made to better protect patient data against phishing attacks.

Sensitive Data of Millions of Patients Discovered to Be Freely Accessible Over the Internet

The sensitive health information of millions of patients has been exposed over the internet as a result of the failure of nine companies to secure their medical databases.

The exposed patient data was discovered by security researchers at WizeCase. The research team, led by Avishai Efrat, used publicly available tools to search for exposed data that could be accessed without the need for any usernames or passwords. The firm then offers to help those organizations fix their data leaks and better secure their data.

In all cases, the researchers attempted to contact the healthcare organizations concerned to advise them about the misconfigured databases to allow steps to be taken to secure the data and prevent unauthorized access, but in several cases no response was received.

The researchers contacted databreaches.net and received assistance in contacting the companies concerned. When no response was received, the researchers contacted local authorities and hosting companies for assistance. Several attempts were made to get the data secured over the space of a month before the decision was taken to go public and name the companies concerned to spur them into taking action.

The databases belonged to healthcare organizations in Brazil, Canada, France, Nigeria, Saudi Arabia, two in China, and two in the United States. Seven of the nine exposed databases were on public facing Elasticsearch servers and two were misconfigured MongoDB databases.

The databases contained a range of sensitive information including names, addresses, contact telephone numbers, email addresses, dates of birth, tax ID numbers, insurance details, employer details, occupations, diagnoses, details of medical complaints, prescription information, HIV test results, pregnancy status, lab test results, Social Security numbers, and other types of personal and health information.

The two U.S. databases belonged to DeepThink Health – formerly Jintel Health – and VScript. DeepThink Health has developed a precision intelligence platform that captures and structures clinical and genomic datasets and analyzes the data to enable precision medicine. The 2.7GB Elasticsearch database contained approximately 700,000 records. Those records contained the names and contact information of medical personnel, medical observations including details of the stages and types of cancers of patients, and cancer treatment information.

VScript is a pharmacy software firm. The researchers found an Elasticsearch server hosting 81MB of data of around 800 patients and a GoogleAPI bucket containing thousands of images of prescriptions along with the names, contact information, and dates of birth of the patients who had received them.

VScript was one of the companies that did not respond to either WizeCase or databreaches.net emails and phone calls. Databreaches.net also reached out to Google about the exposed data, but the data remained accessible even after Google had made contact. Databreaches.net notes that it is unclear whether the data belonged to VScript. The database may have been the responsibility of one of its vendors.

The other databases were owned by BioSoft in Brazil, ClearDent in Canada, the Nigeria HIV/AIDS Indicator and Impact Survey (NAIIS), Stella Prism in Saudi Arabia, Tsinghua University Clinical Medical College and Sichuan Lianhao Technology Group Co., Ltd in China, and Essibox, the French division of the international ophthalmic optics group Essilor.

“Technology is moving at a fast pace and the security systems don’t seem like they can keep up. This is especially troubling when dealing with a company that is supposed to protect sensitive user data,” explained WizeCase in a recent blog post. “Since some of these databases were created and maintained by third party companies, it is possible that the patients concerned are unaware that their data is being held and used by these companies.”

The exposure of sensitive medical data places patients at risk of blackmail, identity theft, and fraud, but many may never learn that their sensitive information has been exposed. The WizeCase researchers may not be the only individuals to have discovered the databases. It is possible that multiple individuals have stolen the databases and are using them for nefarious purposes.

South Texas Dermatopathology Notifies 15,982 Patients About AMCA Data Breach

South Texas Dermatopathology is the latest known victim of the data breach at American Medical Collection Agency (AMCA) to report the breach to the Department of Health and Human Services Office for Civil Rights (OCR) and notify affected patients. The breach appeared on the OCR breach portal on October 7, 2019 and indicates 15,982 patients have been affected.

AMCA was a business associate of the San Antonio, TX-based medical testing laboratory and provided billings and collection services. South Texas Dermatopathology was informed about the security breach at AMCA in May 2019 and was told that some of its patients’ information was potentially compromised as a result of the hacking of AMCA systems.

An unauthorized individual first gained access to AMCA systems on August 1, 2018. Access remained possible up to March 30, 2019 when the breach was detected and its systems were secured. During that time, the unauthorized individual had access to parts of AMCA systems that contained information such as names, addresses, phone numbers, dates of birth, balance information, dates of service, credit card or banking information and treatment provider information.

After learning about the breach, South Texas Dermatopathology stopped sending patient data to AMCA and terminated its business relationship with the firm. Another vendor now provides billing and collection services. All patients affected by the breach have now been notified.

HIPAA Journal has been tracking the AMCA breach reports and South Texas Dermatopathology is the last known victim to report the incident to OCR. In total, 24 laboratories and healthcare facilities have had patient data exposed as a result of the AMCA breach, which has now been confirmed to have involved the protected health information of 26,059,725 individuals.

The full list of healthcare organizations affected by the AMCA breach is given below. The number of patients affected has been taken from the HHS’ Office for Civil Rights’ breach portal.

| Healthcare Organization | Confirmed Victim Count |
| --- | --- |
| Quest Diagnostics/Optum360 | 11,500,000 |
| LabCorp | 10,251,784 |
| Clinical Pathology Associates | 1,733,836 |
| Carecentrix | 467,621 |
| BioReference Laboratories/Opko Health | 425,749 |
| American Esoteric Laboratories | 409,789 |
| Sunrise Medical Laboratories | 401,901 |
| Inform Diagnostics | 173,617 |
| CBLPath Inc. | 141,956 |
| Laboratory Medicine Consultants | 140,590 |
| Wisconsin Diagnostic Laboratories | 114,985 |
| CompuNet Clinical Laboratories | 111,555 |
| Austin Pathology Associates | 43,676 |
| Mount Sinai Hospital | 33,730 |
| Integrated Regional Laboratories | 29,644 |
| South Texas Dermatopathology LLC | 15,982 |
| Penobscot Community Health Center | 13,299 |
| Pathology Solutions | 13,270 |
| West Hills Hospital and Medical Center / United WestLabs | 10,650 |
| Seacoast Pathology, Inc | 8,992 |
| Arizona Dermatopathology | 5,903 |
| Laboratory of Dermatology ADX, LLC | 4,082 |
| Western Pathology Consultants | 4,079 |
| Natera | 3,035 |
| Total Records Breached | 26,059,725 |

September 2019 Healthcare Data Breach Report

September saw 36 healthcare data breaches of more than 500 records reported to the Department of Health and Human Services’ Office for Civil Rights, which represents a 26.53% decrease in breaches from the previous month.

1,957,168 healthcare records were compromised in those breaches, an increase of 168.11% from August. The large number of breached records is largely due to four reported incidents, each of which involved hundreds of thousands of healthcare records. Three of those incidents have been confirmed as ransomware attacks.

Largest Healthcare Data Breaches in September 2019

The largest breach of the month was due to a ransomware attack on Jacksonville, FL-based North Florida OB-GYN, part of Women’s Care of Florida. 528,188 healthcare records were potentially compromised as a result of the attack. Sarrell Dental also experienced a ransomware attack in which the records of 391,472 patients of its Alabama clinics were encrypted. 320,000 records of patients of Premier Family Medical in Utah were also potentially compromised in a ransomware attack. The University of Puerto Rico reported a network server hacking incident involving 439,753 records of Intramural Practice Plan members. The exact nature of the breach is unclear.

Those four breaches accounted for 85.80% of the healthcare records breached in September.

| Name of Covered Entity | Covered Entity Type | Individuals Affected | Type of Breach | Location of Breached Information |
| --- | --- | --- | --- | --- |
| Women’s Care Florida, LLC | Healthcare Provider | 528,188 | Hacking/IT Incident | Network Server |
| Intramural Practice Plan – Medical Sciences Campus – University of Puerto Rico | Healthcare Provider | 439,753 | Hacking/IT Incident | Network Server |
| Sarrell Dental | Healthcare Provider | 391,472 | Hacking/IT Incident | Network Server |
| Premier Family Medical | Healthcare Provider | 320,000 | Hacking/IT Incident | Network Server |
| Magellan Healthcare | Business Associate | 55,637 | Hacking/IT Incident | Email |
| CHI Health Orthopedics Clinic - Lakeside | Healthcare Provider | 48,000 | Hacking/IT Incident | Desktop Computer, Electronic Medical Record, Network Server |
| Kilgore Vision Center | Healthcare Provider | 40,000 | Hacking/IT Incident | Network Server |
| Peoples Injury Network Northwest | Healthcare Provider | 27,000 | Hacking/IT Incident | Network Server |
| Sweetser | Healthcare Provider | 22,000 | Hacking/IT Incident | Email |
| Perfect Teeth Yale, P.C. | Healthcare Provider | 15,000 | Loss | Other Portable Electronic Device |

Causes of September 2019 Healthcare Data Breaches

Hacking/IT incidents dominated the breach reports in September, with 24 incidents reported. There were nine unauthorized access/disclosure incidents and three cases of loss or theft of physical and electronic records.

1,917,657 healthcare records were compromised in the 24 hacking/IT incidents which accounted for 97.98% of breached records in September. The mean breach size was 958,829 records and the median breach size was 5,255 records.

Unauthorized access/disclosure incidents in September accounted for 1% or 19,741 breached records. The mean breach size was 2,193 records and the median breach size was 998 records. There were two reported theft incidents involving 4,770 physical and electronic records and a single loss incident involving 15,000 records stored on a portable electronic device.

Location of Breached Protected Health Information

Phishing continues to be a major problem area for the healthcare industry. In September, 44.44% of all breaches – 16 incidents – involved PHI stored in email accounts. There were 13 network server incidents, a large percentage of which were ransomware attacks.

September 2019 Healthcare Data Breaches by Covered Entity Type

28 data breaches were reported by healthcare providers in September, four incidents were reported by health plans/health insurers, and four incidents were reported by business associates of HIPAA covered entities. A further four breaches had some business associate involvement but were reported by the covered entity.

States Affected by September 2019 Healthcare Data Breaches

September’s data breaches were reported by entities in 23 states and Puerto Rico. California, Maryland, and Washington were the worst affected with three breaches each. There were two breaches reported by entities based in Arkansas, Arizona, Colorado, Georgia, Indiana, and South Carolina, and one breach was reported in each of Alabama, Florida, Iowa, Illinois, Maine, Michigan, Nebraska, New Jersey, Ohio, Oklahoma, Tennessee, Texas, Utah, West Virginia, and Puerto Rico.

HIPAA Enforcement Activity in September 2019

In September 2019, the HHS’ Office for Civil Rights announced its third HIPAA violation penalty of the year. Bayfront Health St Petersburg in Florida was issued with an $85,000 financial penalty for the failure to provide a patient with a copy of her child’s fetal heart monitor records within a reasonable time frame. It took 9 months and multiple attempts by the patient before she was provided with the records.

This month, OCR Director Roger Severino gave an update on OCR’s main enforcement priorities and confirmed that noncompliance with the HIPAA right of access is still a major focus for OCR. Further financial penalties can be expected over the coming weeks and months for healthcare organizations that fail to provide individuals with copies of their health information within a reasonable time frame and at a reasonable cost.

There were no financial penalties issued by state attorneys general in September over HIPAA violations.

VA OIG: Records of Thousands of Veterans Exposed to 25,000 VA Employees via Shared Network Drives

Internal communications, disability claims, and health information of thousands of veterans have been exposed internally and could be accessed by Department of Veterans Affairs employees who were not authorized to view the information, according to the findings of a Department of Veterans Affairs Office of Inspector General (VA OIG) audit.

VA OIG conducted an audit of the VA’s Milwaukee Regional Office following a tipoff by a whistleblower in September 2018 about the exposure of sensitive information on shared network drives, which the whistleblower claimed could be accessed by employees unauthorized to view the information.

VA OIG auditors visited the Milwaukee offices in January 2019 and confirmed that sensitive information had been stored on two shared network drives on the VA Enterprise network, which could be accessed by veterans service organization (VSO) officers, even if those officers did not represent the veterans concerned.

The auditors determined that any Veterans Benefits Administration employee who had permission to access the VA network remotely could have accessed the files stored on the shared drives. That means around 25,000 VBA employees could have accessed the drives.

The files stored on those drives contained information such as veterans’ names, addresses, dates of birth, contact telephone numbers, disability claims information, and other highly sensitive and confidential information. Some of the files on the network drives dated back to 2016. VA OIG did not disclose how many veterans have been affected by the security lapse.

The failure to restrict access to the records was a violation of HIPAA and the VA’s policies, which require administrative, technical, and physical safeguards to be implemented to protect the privacy of veterans. The exposure of data was not limited to the Milwaukee regional office and was therefore classed as a national issue.

The privacy breach was attributed to failures in three areas: knowing or inadvertent negligence by VBA staff who stored sensitive information on the network drives in violation of VA policies; a lack of technical controls to prevent “negligent individuals” from using the drives to store sensitive information; and a lack of oversight, which meant sensitive information stored on the drives was not identified and removed.

Because the information was only accessible internally, the VA’s Data Breach Response Service did not class the exposure as a data breach and notifications to veterans whose privacy has potentially been violated were not warranted because their data was not placed “at unnecessary risk.”

VA OIG said in the report: “Veterans are at significant risk of unauthorized disclosure and misuse of their sensitive personal information. This has the potential to expose veterans to fraud and identity theft.”

VA OIG has recommended that the assistant secretary for information and technology and the undersecretary for benefits provide remedial training to users on the correct handling of sensitive information and the storage of information on shared network drives. VA OIG also recommended that technical controls be implemented to ensure that the sensitive information of veterans cannot be stored on shared network drives. Oversight procedures are also required to ensure any failures by VA staff to abide by federal laws and VA policies are identified and corrected.

“Until VA officials take steps to guard against user negligence, implement technical controls that prevent users from storing sensitive personal information on shared network drives, and issue oversight procedures to adequately monitor shared network drives, veterans’ sensitive personal information remains at risk,” said the VA OIG in the report.

The assistant secretary for information and technology concurred with the recommendations.

Ransomware Attacks Reported by Monterey Health Center and Magnolia Pediatrics

Monterey Health Center in Milwaukie, OR, has experienced a ransomware attack that encrypted its electronic medical records system. The attack commenced on August 12, 2019 and prevented patient data from being accessed.

Assisted by a third-party vendor, the health center successfully restored all patient data quickly and was able to continue providing care to its patients. It is unclear whether the medical records were restored from backups or if the ransom demand was paid.

Third-party forensic investigators were retained to investigate the attack and determine whether patient data had been copied by the attackers. The investigation found no evidence of data exfiltration, although unauthorized data access could not be totally ruled out. To date, no reports have been received about any misuse of patient information.

The following information was potentially compromised: Names, addresses, dates of birth, Social Security numbers, driver’s license numbers, medical histories, diagnoses, lab test results, treatment information, medications, health insurance information, claims information, and financial account information.

All individuals affected by the breach have been notified and steps have been taken to improve security. The health center will continue to work with third-party experts to ensure its systems remain secure and patients’ health and personal information is protected from unauthorized access.

Ransomware Attack Impacts Magnolia Pediatrics Patients

Magnolia Pediatrics in Prairieville, LA, experienced a ransomware attack on August 23, 2019 that resulted in the encryption of files containing patients’ protected health information.

Assisted by a third-party computer forensics firm, the pediatric practice determined that patient information had not been removed from its systems during the attack. While data theft is not suspected, unauthorized data access and/or data theft could not be totally ruled out.

The encrypted computer system contained patient data such as names, addresses, telephone numbers, medical record numbers, Social Security numbers, clinical information, diagnoses, lab test results, medications, medical histories, insurance information, treating physicians’ names, and dates of service.

The incident has been reported to the Federal Bureau of Investigation and the FBI investigation of the attack is ongoing. Steps are being taken to improve security to prevent similar attacks in the future and all affected patients have now been notified.

Malicious Code on Mission Health E-Commerce Websites Potentially Stole Financial Data for 3 Years

Mission Health in Western North Carolina has discovered that malicious code was installed on the e-commerce websites used by its patients to purchase health products. The malicious code was capable of capturing payment information as it was entered on the websites. That information was then sent to an unauthorized third party.

The breach was discovered by Mission Health in June 2019. The breach investigation revealed the malicious code had been inserted into the genuine code of the websites three years earlier, in March 2016. The affected websites were taken offline and are being rebuilt. At the time of writing, those websites are not operational.

Only limited information about the breach has been released and there is currently no substitute breach notification letter on the Mission Health website. It is unclear how the breach was discovered. Typically, when credit card information is stolen, credit card firms trace fraudulent activity back to a specific retailer or website and advise the company that their systems have been compromised. In such cases, the fraudulent activity is identified relatively quickly. It is unclear in this instance whether that occurred and why the breach took almost three years to detect.

The malicious code did not give the attackers access to any health information or medical records, only financial information such as credit card numbers, expiry dates, and CVV codes along with cardholders’ names and addresses. The breach only affected individuals who had purchased items on the e-commerce sites store.mission-health.org and shopmissionhealth.org. The main website used by the healthcare provider – missionhealth.org – was not affected by the breach.

Mission Health has reviewed all transactions that occurred during the period of time that the malicious code was present and notification letters were sent on October 11, 2019 to all individuals who made purchases on the affected websites. Those individuals have been provided with information on the steps they should take to secure their accounts and have been advised to monitor their accounts for signs of fraudulent activity. All affected individuals have been offered free membership to credit monitoring services for 12 months.

The breach has yet to appear on the HHS’ Office for Civil Rights’ breach portal. It is currently unclear exactly how many individuals have been affected.

Roger Severino Gives Update on OCR HIPAA Enforcement Priorities

Roger Severino, Director of the HHS’ Office for Civil Rights, has given an update on OCR’s HIPAA enforcement priorities at the OCR/NIST 11th Annual HIPAA Conference in Washington, D.C.

Severino confirmed that one of OCR’s top policy initiatives is still enforcing the rights of patients under the HIPAA Privacy Rule and ensuring they are given timely access to their health information at a reasonable cost.

Under HIPAA, patients have the right to view and check their medical records and obtain a copy of their health data, yet there are still healthcare organizations that are making this difficult. OCR has already agreed to settle one case this year with a HIPAA-covered entity that failed to provide a patient with a copy of her health information. OCR had to intervene before those records were provided to the patient. The entity in question, Bayfront Health St Petersburg, paid a financial penalty of $85,000 to resolve the HIPAA violation.

More financial penalties will be issued to covered entities that fail to comply with this important provision of HIPAA. Severino confirmed that Bayfront Health’s financial penalty was the first in a series of penalties for covered entities that are not providing patients with access to their health data within 30 days of the request being received.

OCR has issued guidance to help covered entities comply with this aspect of HIPAA, but now the time has come “for serious enforcement,” explained Severino.

Severino also explained that patients must be allowed to have their health data sent to health apps of their choosing. Such a request may be refused only if the app poses a security risk to the covered entity’s own systems. Severino confirmed that a covered entity is not liable for what happens to PHI after it has been disclosed to a health app at the patient’s request.

In many cases patients are not being denied access to their medical records, and requests for copies are being honored, but patients are being charged excessive fees. In 2016, OCR issued guidance on the amounts healthcare organizations may charge for providing copies of medical records, and further clarification was later issued on the fee structures that can be adopted. Financial penalties for overcharging for copies of medical records can be expected.

The crackdown on patient access issues is part of the HHS Regulatory Sprint to Coordinated Care initiative and fits in with the Trump Administration’s drive to improve transparency of healthcare costs and the reduction of the cost of healthcare in the United States.

A prop is always useful for getting a point across. In this case Severino used a medical boot that he purchased to aid recovery from a torn Achilles tendon. Severino said he was advised by his doctor to purchase the boot and paid his doctor $430 for the treatment aid. He explained that he later looked online and found the exact same boot for sale on Amazon for $70, saying “This boot represents what’s wrong with price transparency.”

OCR is looking at how HIPAA can be updated to address this problem, such as requiring healthcare providers and health plans to provide information about the expected out-of-pocket costs for medical services or equipment before those items or services are provided to patients.

Contractors provide quotes for work in advance and banks provide customers with information on the costs of mortgages before providing the funds, but that doesn’t always happen in healthcare. That is something that needs to change.

Severino also touched on the issue of cybersecurity. Phishing and ransomware attacks cause a high percentage of healthcare data breaches and in many cases the attacks can be prevented by practicing good cybersecurity hygiene.

Ransomware is often installed after attackers gain a foothold through Remote Desktop Protocol (RDP): internet-exposed RDP endpoints are brute-forced with weak or reused credentials, or unpatched RDP vulnerabilities are exploited, and the attacker then deploys the ransomware interactively. The failure to address those RDP weaknesses has led to several major healthcare ransomware attacks and data breaches.

Phishing attacks have been a major cause of healthcare data breaches for several years. It is not possible to prevent every attack, but complying with HIPAA significantly reduces the risk. The HIPAA Security Rule requires covered entities to provide security awareness training that helps employees identify and avoid phishing threats. Severino explained that training is critical, as is conducting phishing simulation exercises to find out how susceptible employees are to phishing.

Other cybersecurity failures that commonly lead to data breaches include the lack of multi-factor authentication, poor access controls, and the failure to promptly terminate access to systems when employees leave the organization.
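The RDP brute-force pattern described above (a burst of failed remote-interactive logons followed by a success) is straightforward to detect in Windows Security event data. The following is an added example, not code from HIPAA Journal or OCR, and the event lines it parses are constructed for illustration; it assumes events have been exported to a simple pipe-delimited format carrying the fields of the real 4625/4624 events (Event ID, LogonType, TargetUserName, IpAddress).

```python
"""Detect RDP password-guessing campaigns in Windows Security events.

Added example (not from the original article). Input is a constructed,
pipe-delimited export: time|EventID|LogonType|TargetUserName|IpAddress.
Event 4625 = failed logon, 4624 = successful logon, LogonType 10 =
RemoteInteractive (RDP).
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

RDP_LOGON_TYPE = "10"
FAILED_LOGON = "4625"
SUCCESS_LOGON = "4624"

# Constructed sample events: one external host guessing several accounts
# within seconds and finally succeeding, one internal user mistyping a
# password twice an hour apart, and one non-RDP (console) failure.
SAMPLE_EVENTS = """\
2019-10-14T02:00:01|4625|10|administrator|203.0.113.7
2019-10-14T02:00:03|4625|10|admin|203.0.113.7
2019-10-14T02:00:05|4625|10|backup|203.0.113.7
2019-10-14T02:00:07|4625|10|jsmith|203.0.113.7
2019-10-14T02:00:09|4625|10|jsmith|203.0.113.7
2019-10-14T02:00:11|4625|10|jsmith|203.0.113.7
2019-10-14T02:00:20|4624|10|jsmith|203.0.113.7
2019-10-14T02:01:00|4625|2|nurse1|-
2019-10-14T08:15:00|4625|10|mwilson|10.0.0.25
2019-10-14T09:15:00|4625|10|mwilson|10.0.0.25
2019-10-14T09:16:00|4624|10|mwilson|10.0.0.25
"""


def parse_events(text):
    """Parse the pipe-delimited export into event dicts sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, event_id, logon_type, user, ip = line.split("|")
        events.append({
            "time": datetime.fromisoformat(ts),
            "event_id": event_id,
            "logon_type": logon_type,
            "user": user,
            "ip": ip,
        })
    events.sort(key=lambda e: e["time"])
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Flag source IPs with >= threshold failed RDP logons inside `window`.

    A later successful RDP logon from a flagged IP is recorded as
    success_after_burst, the signature of a guessing campaign that landed
    a valid credential. Non-RDP logon types are ignored so that console
    or network logon noise does not trigger the rule.
    """
    all_failures = defaultdict(list)   # ip -> every failed RDP logon seen
    windowed = defaultdict(deque)      # ip -> failure timestamps in window
    alerts = {}                        # ip -> alert record

    for ev in events:
        if ev["logon_type"] != RDP_LOGON_TYPE:
            continue
        ip = ev["ip"]
        if ev["event_id"] == FAILED_LOGON:
            all_failures[ip].append(ev)
            q = windowed[ip]
            q.append(ev["time"])
            while ev["time"] - q[0] > window:   # slide the window forward
                q.popleft()
            if len(q) >= threshold and ip not in alerts:
                alerts[ip] = {
                    "ip": ip,
                    "first_seen": q[0],
                    "success_after_burst": False,
                    "success_user": None,
                }
        elif ev["event_id"] == SUCCESS_LOGON and ip in alerts:
            alerts[ip]["success_after_burst"] = True
            alerts[ip]["success_user"] = ev["user"]

    results = []
    for ip, alert in alerts.items():
        alert["failures"] = len(all_failures[ip])
        alert["distinct_users"] = len({e["user"] for e in all_failures[ip]})
        results.append(alert)
    return results


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

The internal host 10.0.0.25 never trips the rule because its two failures fall outside the five-minute window, while 203.0.113.7 is flagged on its fifth failure and then marked as having succeeded as jsmith. In production the input would come from a SIEM or from `Get-WinEvent` on the session hosts, and the alert would normally be paired with an account lockout policy and MFA on the RDP gateway so that the guessing never reaches a valid password.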

Only four OCR financial penalties have been issued so far in 2019 to resolve HIPAA violations, but the year is far from over. Further penalties will be announced this year, including a $2.1 million civil monetary penalty.

Severino did not confirm the reason for the penalty or provide any details, other than saying a final determination has been reached and the penalty will be announced by the department soon.

The post Roger Severino Gives Update on OCR HIPAA Enforcement Priorities appeared first on HIPAA Journal.