HIPAA Breach News

Healthcare Phishing Attack Potentially Impacts 16,500 Patients

Phishing is arguably the biggest data security threat faced by healthcare organizations. The past few weeks have seen several attacks reported by healthcare organizations, with the latest healthcare phishing attack one of the most serious, having affected as many as 16,562 patients.

Chase Brexton Health Care reports that the attack occurred on August 2 and August 3, 2017, when multiple phishing emails were delivered to the inboxes of its employees. Phishing attacks commonly take the form of bogus invoices and fake package delivery notifications, although these emails purported to be surveys. After employees completed the surveys they were required to enter their login information. Four employees fell for the scam and divulged their user account credentials.

The phishing attack was discovered on August 4 and access to the employees’ accounts was blocked. However, on August 2 and 3, the accounts of those employees were accessed and the attackers re-routed employee payments to their own bank account.

While the aim of the phishing attack did not appear to be to gain access to patient information, it is possible that some patients’ PHI was viewed and potentially stolen. Chase Brexton Health Care has notified patients of the breach and informed them that PHI access is not suspected, although out of an abundance of caution, patients are being offered complimentary identity theft repair services.

The types of information potentially compromised were limited to names, addresses, dates of birth, patient ID numbers, provider name, diagnosis codes, service location, line of service, visit descriptions, medication details, and insurance information.

The investigation into the attack is continuing, and while details of the attackers’ bank account are known, the individuals responsible for the attack have not been identified. A third party has been contracted to conduct an investigation into the attack.

Aside from blocking access to the compromised accounts by changing passwords, Chase Brexton Health Care has implemented a new email spam filtering solution to improve protection against phishing attacks, staff have received additional training, and new security protocols have been implemented.

The post Healthcare Phishing Attack Potentially Impacts 16,500 Patients appeared first on HIPAA Journal.

Healthcare Data Breaches in September Saw Almost 500K Records Exposed

Protenus has released its Breach Barometer report which shows there was a significant increase in healthcare data breaches in September. The report includes healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights and security incidents tracked by databreaches.net. The latter have yet to appear on the OCR ‘Wall of Shame.’

In total, Protenus/databreaches.net tracked 46 healthcare data breaches in September. While the total number of breach victims has not been confirmed for all incidents, at least 499,144 healthcare records are known to have been exposed or stolen. The number of records exposed or stolen in four of the month’s breaches has yet to be disclosed.

The high number of incidents makes September the second worst month of 2017 for healthcare industry data breaches. Only June was worse, when 52 data breaches were reported. In August, 33 data breaches were reported by healthcare organizations.

The report confirms the worst incident of the month was a ransomware attack that saw the records of 128,000 individuals made inaccessible. It is not known if those records were accessed or stolen.

The main causes of healthcare data breaches in September were hacking (50%) and insiders (32.6%). The hacking total includes extortion attempts by TheDarkOverlord hacking group, ransomware incidents, and malware attacks. Hacking incidents accounted for 80% of breached records for the month – 401,741 records – although figures for 4 of the incidents have not yet been disclosed. The hacking incidents in September included one confirmed ransomware incident, eight extortion attempts, and seven phishing attacks.

The 15 insider incidents resulted in the exposure of 73,926 records. Those incidents included six insider errors and eight instances of insider wrongdoing. Four theft incidents were reported which impacted 17,295 patients.

The breaches occurred at 31 healthcare providers, 6 health plans, 6 business associates of HIPAA-covered entities, and 3 schools, with California the worst affected with 5 incidents.

While most healthcare organizations discovered their data breaches within 6 weeks – the median time for discovery was 38 days – it took one healthcare provider 2108 days to discover that one of its employees had been improperly accessing medical records.

Most healthcare organizations reported their breaches inside the HIPAA Breach Notification Rule deadline of 60 days, although there were two exceptions. One healthcare organization took 249 days to report its breach, risking a significant HIPAA violation penalty.

Theft of Unencrypted Laptop Potentially Results in PHI Exposure

An unencrypted laptop computer has been stolen from the vehicle of an employee of Bassett Family Practice in Virginia, potentially resulting in the exposure of patients’ protected health information.

The theft is understood to have occurred over the weekend of 12/13 August. Patients were notified of the exposure of their data on October 13, 2017. The delay in issuing notifications was due to the time taken to recover the missing files from backups and to analyse those files to determine which patients had been affected and the types of PHI stored on the device.

The laptop computer was discovered to contain some information about patients’ visits to the practice, along with their names, date of birth, account number, and their insurance provider’s name. The laptop also contained information related to account balances. No Social Security numbers or credit or debit card information were stored on the device.

It is not company practice to store any protected health information on laptop computers. The files were transferred to the device as Bassett Family Practice was transitioning to a new IT system. The practice was also in the process of encrypting all of its laptop computers.

HIPAA does not demand that data encryption is used to protect stored data, even when PHI is stored on portable devices that are removed from healthcare facilities. Data encryption must be addressed, and if the decision is taken not to encrypt data, the decision must be documented. An alternate, equivalent measure must then be used in place of encryption.

Bassett Family Practice had installed a system that would send a notification if any data access occurred, and no notification has been received. In the event that the thief does attempt to access sensitive data stored on the device, the practice can remotely wipe the device. The risk of patients’ PHI being accessed and misused is therefore believed to be low.

Namaste Health Care Pays Ransom to Recover PHI

A hacker gained access to a file server used by Ashland, MI-based Namaste Health Care and installed ransomware, encrypting a wide range of data including patients’ protected health information.

Access was gained to the file server over the weekend of August 12-13 and ransomware was installed; however, it is unclear whether patients’ PHI was accessed or stolen before the ransomware was installed. The Ashland clinic discovered its data had been encrypted when staff returned to work on Monday, August 14.

Prompt action was taken to prevent any further access to its file server, including disabling access and taking the server offline. An external contractor was brought in to help remediate the attack and remove all traces of malware from its system.

In order to recover data, Namaste Health Care made the decision to pay the attacker’s ransom demand. In this case, a valid key was supplied by that individual and it was possible to unlock the encrypted files. The clinic was able to recover data and bring its systems back online after a few days. The incident prompted the clinic to conduct a review of its security protections and make “robust upgrades” to its “firewall and remote access technology.”

The investigation into the breach did not uncover any evidence to suggest PHI had been accessed by the attacker, and no evidence was found to suggest any PHI was stolen. That said, it was also not possible to determine with a high degree of certainty that data access and theft did not occur.

The file server contained a wide range of PHI, including names, addresses, dates of birth, medical record numbers, health insurance information, Social Security numbers, and information relating to appointments and visits to the clinic, including the reasons for those appointments/visits. The exposed data related to all patients who had visited the clinic, or arranged an appointment to visit, prior to August 14, 2017.

Due to the sensitive nature of data stored on the server, all patients have been offered identity theft protection services through AllClear ID. Notifications about the ID protection services have been sent on behalf of the clinic by AllClear ID.

While the substitute breach notice posted on the Namaste Health Care website does not specifically mention that financial information was potentially compromised, the clinic said, “we recommend that you notify your banking institutions and request a change of any account numbers, if you provided us with such information.”

The incident has yet to appear on the Department of Health and Human Services’ Office for Civil Rights breach portal, so it is unclear exactly how many patients have been impacted.

8,362 Patients Potentially Impacted by Advanced Spine & Pain Center Breach

The San Antonio, TX, Advanced Spine & Pain Center (ASPC) has notified patients of a potential breach and unauthorized use of their protected health information. Potentially, as many as 8,362 patients have been affected by the incident.

ASPC became aware of a potential breach of ePHI on July 31, 2017 when some patients reported receiving a telephone call claiming payment for an outstanding bill was required. An investigation was launched to determine whether ASPC systems had been breached.

That investigation revealed unauthorized individuals had gained access to an ASPC server. Unauthorized access occurred even though extensive protections had been put in place, including firewalls, network filtering, security monitoring, password protection, and antivirus software.

While unauthorized access was confirmed, it was unclear whether any sensitive information was accessed by those individuals. It was also not possible to determine whether the telephone calls received by some patients were linked to the security breach.

Since it is possible that patients’ ePHI was viewed or obtained by unauthorized individuals, ASPC has offered all affected patients identity theft protection services and coverage with a $1,000,000 insurance reimbursement policy. A full network scan has been conducted and steps have been taken to ensure the network is secured. Recent monitoring of the network has not uncovered any evidence of continued unauthorized access, and the breach is believed to have been contained.

An analysis of the compromised server has shown the following PHI may have been viewed: names, addresses, telephone numbers, state and zip codes, Social Security numbers, birth dates, medical records, x-ray images and lab test results, scheduling notes, billing information, insurance information, CPT codes, ID numbers, group numbers, and patients’ gender. No payment information or credit/debit cards were compromised.

The incident has been reported to law enforcement and the Department of Health and Human Services’ Office for Civil Rights has been notified.

Q3, 2017 Healthcare Data Breach Report

In Q3, 2017, there were 99 breaches of more than 500 records reported to the Department of Health and Human Services’ Office for Civil Rights (OCR), bringing the total number of data breaches reported in 2017 up to 272 incidents. The 99 data breaches in Q3, 2017 resulted in the theft/exposure of 1,767,717 individuals’ PHI. Up until the end of September, the records of 4,601,097 Americans have been exposed or stolen as a result of healthcare data breaches.

Q3 Data Breaches by Covered Entity

Healthcare providers were the worst hit in Q3, reporting a total of 76 PHI breaches. Health plans reported 17 breaches and there were 6 data breaches experienced by business associates of covered entities.

There were 31 data breaches reported in July, 29 in August, and 39 in September. While September was the worst month for data breaches, August saw the most records exposed – 695,228.

The Ten Largest Healthcare Data Breaches in Q3, 2017

The ten largest healthcare data breaches reported to OCR in Q3, 2017 were all the result of hacking/IT incidents. In fact, 36 out of the 50 largest healthcare data breaches in Q3 were attributed to hacking/IT incidents.

Covered Entity | Entity Type | Number of Records Breached | Type of Breach
Women’s Health Care Group of PA, LLC | Healthcare Provider | 300,000 | Hacking/IT Incident
Pacific Alliance Medical Center | Healthcare Provider | 266,123 | Hacking/IT Incident
Peachtree Neurological Clinic, P.C. | Healthcare Provider | 176,295 | Hacking/IT Incident
Arkansas Oral & Facial Surgery Center | Healthcare Provider | 128,000 | Hacking/IT Incident
McLaren Medical Group, Mid-Michigan Physicians Imaging Center | Healthcare Provider | 106,008 | Hacking/IT Incident
Salina Family Healthcare Center | Healthcare Provider | 77,337 | Hacking/IT Incident
Morehead Memorial Hospital | Healthcare Provider | 66,000 | Hacking/IT Incident
Network Health | Health Plan | 51,232 | Hacking/IT Incident
St. Mark’s Surgical Center, LLC | Healthcare Provider | 33,877 | Hacking/IT Incident
Sport and Spine Rehab | Healthcare Provider | 31,120 | Hacking/IT Incident

Main Cause of Healthcare Data Breaches in Q3, 2017

For much of 2017, the main cause of healthcare data breaches was unauthorized disclosures by insiders, although in Q3, 2017, hacking was the biggest cause of healthcare data breaches. These incidents involve phishing attacks, malware and ransomware incidents, and the hacking of network servers and endpoints. These hacking incidents involved the exposure/theft of considerably more data than all of the other breach types combined. In Q3, 1,767,717 healthcare records were exposed/stolen, of which 1,578,666 – 89.3% – were exposed/stolen in hacking/IT incidents.

Location of Breached PHI

If vulnerabilities exist, it is only a matter of time before they will be discovered by hackers. It is therefore essential for HIPAA covered entities and their business associates to conduct regular risk assessments to determine whether any vulnerabilities exist. Weekly checks should also be conducted to make sure the latest versions of operating systems and software are installed and no patches have been missed. Misconfigured servers, unsecured databases, and the failure to apply patches promptly resulted in 31 data breaches in Q3, 2017.

In Q3, 34 incidents were reported that involved email. While some of those incidents involved misdirected emails and the deliberate emailing of ePHI to personal email accounts, the majority of those breaches saw login details disclosed or ransomware/malware installed as a result of employees responding to phishing emails. The high number of phishing attacks reported in Q3 shows just how important it is to train employees how to recognize phishing emails and how to report suspicious messages. Training should be an ongoing process, involving classroom-based training, CBT sessions, and phishing simulations, with email updates sent to alert employees to specific threats.

Bill Introduced to Standardize State Data Breach Notification Laws

The HIPAA Breach Notification Rule sets out how the data breach response of HIPAA covered entities and their business associates should include issuing notifications to patients, plan members, and the HHS’ Office for Civil Rights. Healthcare organizations must also comply with state data breach notification laws, which in some U.S. states require notifications to be issued more rapidly. Those laws cover different types of information, have additional notification requirements, and in some states require credit monitoring and identity theft protection services to be offered to breach victims.

Currently, there are 48 separate state data breach notification laws. For a small health system operating in one or two states, keeping up to date with relevant state data breach notification laws is straightforward. For large health systems and health plans that operate in multiple states, keeping up to date with changes to state laws, and ensuring compliance with those laws, can be a challenge.

Bill Proposes Standardization of State Data Breach Notification Laws

Congressman Jim Langevin (D-RI) has recently re-proposed a bill (H.R. 3806) – The Personal Data Breach Notification Act – that will standardize data breach protection laws and will ensure all consumers are notified of breaches promptly, regardless of where they live.

Rather than have separate state data breach notification laws, the Personal Data Breach Notification Act will introduce a national data breach notification standard that must be followed by all states. The Personal Data Breach Notification Act would apply to all organizations or entities that collect the data of more than 10,000 individuals over a 12-month period and the provisions of the Personal Data Breach Notification Act will supersede any provision of the law of any State.

Not only will the bill make it easier for businesses to understand what they are required to do following a data breach, Langevin explains it will “strengthen companies’ obligations to report intrusions that compromise consumers’ personal information.”

30 Day Time Limit for Issuing Breach Notifications

Currently, state data breach notification laws require notifications to be issued to consumers as soon as possible following the discovery of a breach, although the maximum timescale for issuing those notifications differs from state to state, and the speed of notification also depends on which entity experienced the breach.

The Personal Data Breach Notification Act will standardize notifications and will ensure consumers are informed of a breach of their personal information faster. The proposed maximum time limit to issue notifications is 30 days from the discovery of the breach, although the bill states there should be no unreasonable delay in issuing notifications.

Additional time may be granted to breached entities in certain circumstances, although a request for an extension would have to be made to the Federal Trade Commission, which would be responsible for enforcing the Personal Data Breach Notification Act.

As with HIPAA breach notifications, a request could be made by law enforcement to delay the issuing of notifications so as not to impede an investigation. In such cases, the Director of the United States Secret Service or the Director of the Federal Bureau of Investigation would be permitted to authorize a delay of up to 30 days – meaning a maximum time frame of 60 days from the discovery of a breach.

Data Elements Covered by the Personal Data Breach Notification Act

A breach is defined as “a compromise of the security, confidentiality, or integrity of, or the loss of, computerized data that results in, or there is a reasonable basis to conclude has resulted in: i) the unauthorized acquisition of sensitive personally identifiable information; or (ii) access to sensitive personally identifiable information that is for an unauthorized purpose, or in excess of authorization.”

The exposure of the following information would require breach notifications to be issued.

Currently, state data breach laws require the breached entity to issue a notification to state attorneys general of any breach of personal information. If the Personal Data Breach Notification Act is passed, a government agency would be required to be designated to receive the breach notification reports.

Notifications could be made by mail, telephone, or email, with the latter only permissible if individuals consent to receiving electronic notifications.

As with HIPAA, a media notice must also be issued, although rather than the threshold being 500 individuals, the Personal Data Breach Notification Act would only require a media notice to be issued if the breach impacts 5,000 or more individuals.

The failure to comply with the Personal Data Breach Notification Act could result in financial penalties. The FTC would be able to issue financial penalties with the penalty structure the same as for Federal Trade Commission Act violations. State attorneys general would also be permitted to enforce compliance and take action against entities that breach the Personal Data Breach Notification Act.

How Should You Respond to an Accidental HIPAA Violation?

The majority of HIPAA-covered entities, business associates, and healthcare employees take great care to ensure HIPAA Rules are followed, but what happens when there is an accidental HIPAA violation? How should healthcare employees, covered entities, and business associates respond?

How Should Employees Report an Accidental HIPAA Violation?

Accidents happen. If a healthcare employee accidentally views the records of a patient, if a fax is sent to an incorrect recipient, if an email containing PHI is sent to the wrong person, or if any other accidental disclosure of PHI has occurred, it is essential that the incident is reported to your Privacy Officer.

The first thing a Privacy Officer should determine is whether the accidental HIPAA violation is indeed a HIPAA violation or a violation of the organization’s policies. For example, forgetting to document a patient’s agreement to be included in a hospital directory is not a violation of HIPAA but could be a violation of the hospital’s policies.

If the accidental violation is indeed a violation of HIPAA, the Privacy Officer will need to determine whether or not the violation constitutes an impermissible use or disclosure which qualifies as a data breach.

If so, the Privacy Officer will need to determine what actions need to be taken to mitigate risk and reduce the potential for harm. The incident will need to be investigated, a HIPAA risk assessment may need to be performed, and a report of the breach may need to be sent to the Department of Health and Human Services’ Office for Civil Rights (OCR).

You should explain that a mistake was made and what has happened. You will need to explain which patient’s records were viewed or disclosed. The failure to report such a breach promptly can turn a simple error into a major incident, one that could result in disciplinary action and potentially, penalties for your employer.

How Should Covered Entities Respond to an Accidental HIPAA Violation?

Any accidental HIPAA violation that may qualify as a data breach must be treated seriously and warrants a risk assessment to determine the probability of PHI having been compromised, the level of risk to individuals whose PHI has potentially been compromised, and the risk of further disclosures of PHI.

The risk assessment should determine:

  • The nature of the breach
  • The person who viewed or acquired PHI
  • The types of information involved
  • The patients potentially impacted
  • To whom information has been disclosed
  • The potential for re-disclosure of information
  • Whether PHI was actually acquired or viewed
  • The extent to which risk has been mitigated

Following the risk assessment, risk must be managed and reduced to an appropriate and acceptable level. The HIPAA Breach Notification Rule (45 CFR §§ 164.400-414) also requires notifications to be issued. Not all breaches of PHI are reportable. There are three exceptions when there has been an accidental HIPAA violation.

1) An unintentional acquisition, access, or use of PHI by a workforce member or person acting under the authority of a covered entity or business associate, if such acquisition, access, or use was made in good faith and within the scope of authority. 

Example: A fax or email is sent to a member of staff in error. The information is accessed and viewed, but the mistake is realized and the fax is securely destroyed or the email is deleted and no further disclosure is made.

2) An inadvertent disclosure of PHI by a person authorized to access PHI at a covered entity or business associate to another person authorized to access PHI at the covered entity or business associate, or organized health care arrangement in which the covered entity participates.

Example: Providing the medical information of a patient to another individual authorized to receive it, but a mistake is made and the information of a different patient is disclosed.

3) If the covered entity or business associate has a good faith belief that the unauthorized person to whom the impermissible disclosure was made, would not have been able to retain the information.

Example: A physician gives X-ray films or a medical chart to a person not authorized to view the information but realizes that a mistake has been made and retrieves the information before it is likely that any PHI has been read and information retained.

In each case, while breach notifications are not required, any member of staff that finds themselves in one of the above situations should still report the incident to their Privacy Officer.

In all other cases when there has been a breach of unsecured PHI, the incident must be reported to OCR, and individuals impacted by the breach should be notified within 60 days of the discovery of the breach. HIPAA breach reporting requirements have been summarized here.

Examples of Unintentional HIPAA Violations

Lost or stolen USB flash drives could be considered by some to be examples of unintentional HIPAA violations as nobody intended for the USB flash drives to be lost or stolen. However, the loss or theft could have been reasonably foreseen and potential breaches of ePHI avoided by encryption. The following examples of unintentional HIPAA violations were less foreseeable.

In 2022, an investigation was conducted by The Markup into the use of third-party tracking technologies on hospital websites, namely a code snippet provided by Meta Platforms called Meta Pixel. The code snippet is used for tracking visitor activity on websites and provides insights into how website users are accessing the sites. The data provided can be used to improve the website, services, and user experience. The analysis was conducted on the top 100 hospitals in the United States, and one-third were found to have used the code on their websites. The problem? The code was transmitting individually identifiable information to Meta, which could potentially be used to serve Facebook users with targeted advertisements related to their health conditions. No business associate agreements were in place, no patient authorizations were obtained, and those disclosures were therefore impermissible under HIPAA. The code acted as it should. The problem was where it was added and how it was configured. Several hospitals and health systems accidentally violated HIPAA as a result, including Novant Health, WakeMed Health and Hospitals, and Advocate Aurora Health. Millions of patients of these and other healthcare providers have been affected.
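The tracking-pixel problem above comes down to placement: a beacon that is harmless on a home page discloses PHI when it fires on an appointment or condition page, because the page URL it reports identifies the visit. The following script is an added example (not code from HIPAA Journal, The Markup, or Meta) of the check a web or privacy team can run over its own static HTML: it finds pages that load a known tracking script and sit on a URL that itself reveals health information. The tracker host list, the sensitive path prefixes, the identifying query parameters, and the sample pages are all constructed assumptions for illustration; `connect.facebook.net` is the host that serves the Meta Pixel loader, the rest should be adjusted to the site being audited.

```python
"""Audit static HTML pages for third-party tracking snippets on sensitive URLs.

Added example for the Meta Pixel discussion; not the page's or any vendor's code.
Tracker hosts, sensitive prefixes, identifying parameters and sample pages are
assumptions chosen for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Hosts that serve third-party analytics/advertising beacons.
# connect.facebook.net serves the Meta Pixel loader script (known host);
# extend this set with the vendors your site actually uses.
TRACKER_HOSTS = {"connect.facebook.net"}

# Site sections where the page URL alone reveals health information
# (assumed prefixes; adjust to your site's structure).
SENSITIVE_PREFIXES = ("/patient-portal", "/appointments", "/conditions")

# Query parameters whose presence means the URL carries an identifier
# (assumed names).
IDENTIFYING_PARAMS = {"mrn", "patient_id", "appointment_id", "email"}


class _ScriptCollector(HTMLParser):
    """Collect external script hosts and inline script bodies from one page."""

    def __init__(self):
        super().__init__()
        self.external_hosts = []
        self.inline_bodies = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external_hosts.append(urlparse(src).netloc.lower())
        else:
            self._in_script = True  # inline loader snippet follows as data

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline_bodies.append(data)


def find_trackers(html):
    """Return the set of tracker hosts a page references, either as a script
    src or inside an inline loader snippet (pixel loaders inject their own
    script tag at runtime, so the host only appears in the inline body)."""
    collector = _ScriptCollector()
    collector.feed(html)
    found = {h for h in collector.external_hosts if h in TRACKER_HOSTS}
    for body in collector.inline_bodies:
        found.update(h for h in TRACKER_HOSTS if h in body)
    return found


def classify_url(url):
    """Return the reasons a page URL is itself sensitive to share with a third party."""
    parsed = urlparse(url)
    reasons = []
    if parsed.path.startswith(SENSITIVE_PREFIXES):
        reasons.append("sensitive path: " + parsed.path)
    leaked = IDENTIFYING_PARAMS & set(parse_qs(parsed.query))
    if leaked:
        reasons.append("identifying query params: " + ", ".join(sorted(leaked)))
    return reasons


def audit(pages):
    """pages: {url: html}. Return (url, trackers, reasons) for every page that
    both loads a tracker and sits on a sensitive URL; a tracker on a neutral
    page is not reported, since the placement, not the script, is the issue."""
    findings = []
    for url, html in pages.items():
        trackers = find_trackers(html)
        if not trackers:
            continue
        reasons = classify_url(url)
        if reasons:
            findings.append((url, sorted(trackers), reasons))
    return findings


# Constructed sample pages (not real hospital pages). The inline snippet mimics
# the shape of a loader that injects a script from the tracker host.
_LOADER = ("<script>!function(w,d,u){var s=d.createElement('script');s.src=u;"
           "d.head.appendChild(s)}(window,document,"
           "'https://connect.facebook.net/en_US/fbevents.js');</script>")
SAMPLE_PAGES = {
    "https://hospital.example/":
        "<html><head>" + _LOADER + "</head><body>Welcome</body></html>",
    "https://hospital.example/appointments/book?appointment_id=123":
        "<html><head>" + _LOADER + "</head><body>Book a visit</body></html>",
    "https://hospital.example/conditions/oncology":
        "<html><head><script src='https://connect.facebook.net/en_US/fbevents.js'>"
        "</script></head><body>Cancer care</body></html>",
    "https://hospital.example/patient-portal/login":
        "<html><head></head><body>Login</body></html>",
}

if __name__ == "__main__":
    for url, trackers, reasons in audit(SAMPLE_PAGES):
        print(url, trackers, reasons)
```

Run against the constructed pages, the home page is not reported even though it loads the pixel, the appointment and condition pages are reported, and the portal login page is clean because it loads no tracker. A real audit would crawl the rendered site, since tag managers add scripts at runtime that a static scan will not see.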

In May 2017, Olivia O’Leary – a twenty-four-year-old medical technician – claims to have been dismissed from her job at the Onslow Memorial Hospital in Jacksonville, NC, after commenting on a Facebook post. Her warning that the victim of an auto accident should have worn a seat belt was not seen by her employer as a reminder to always wear a seatbelt – O’Leary alleges – but rather as a HIPAA violation.

In April 2016, the Raleigh Orthopedic Clinic in North Carolina was fined $750,000 for contracting an outside vendor to convert X-ray films to digital form and then allowing the vendor to harvest the silver from the films. The clinic’s error was not having a Business Associate Agreement in place; and, as well as the fine, the clinic had to implement a Corrective Action Plan overseen by OCR.

The Dallas, TX-based dental practice Elite Dental Associates responded to a post by a patient on the Yelp review website. The patient who posted on the site had identified herself as a patient of the practice, but when the practice responded, information was included in the post that revealed her health condition, treatment plan, insurance, and payment information. In October 2019 the practice was fined $10,000 for the HIPAA violation.

If an intern requires access to systems containing protected health information and a colleague allows their own credentials to be used, the intern can get the information they need to complete their work tasks. However, the sharing of login credentials is not permitted by HIPAA as it makes it impossible to track information system activity accurately. The sharing of login credentials contributed to a $202,400 financial penalty for the City of New Haven in Connecticut.

The HIPAA Right of Access provision of the HIPAA Privacy Rule gives patients the right to obtain a copy of their health information. There is an exception to this right concerning psychotherapy notes, which should not be provided. Riverside Psychiatric Medical Group received such a request from a patient and did not provide a copy of the requested records. Not providing psychotherapy notes doesn’t violate HIPAA but failing to respond to the request and notify the patient why the records are not being provided does. In such cases, records can be provided minus the psychotherapy notes. In November 2020, OCR fined the practice $25,000.

In a further example of an unintentional HIPAA violation listed on the OCR’s website, the staff was required to undergo HIPAA training when one member of staff discussed HIV testing procedures with a patient in a waiting room – disclosing the patient’s PHI to other patients in the waiting room. After the OCR investigation, computer monitors were also repositioned to prevent the accidental disclosure of PHI.

How Should Business Associates Respond to an Accidental HIPAA Violation?

The correct response to an accidental HIPAA violation should be detailed in your business associate agreement. The HIPAA Rules require all accidental HIPAA violations and security incidents that result in data breaches to be reported to the covered entity within 60 days of discovery, although the covered entity should be notified as soon as possible and notification should not be unnecessarily delayed. Business associates should provide their covered entity with as many details of the accidental HIPAA violation or breach as possible to allow the covered entity to make a determination on the best course of action to take.

Accidental HIPAA Violations: FAQs

Can I get fired for an accidental HIPAA violation?

Although it sounds unlikely that a member of the workforce would be fired for an accidental HIPAA violation, this will depend on the nature of the violation, its consequences, and the content of your employer’s sanctions policy. It may also be the case that you have a history of accidental HIPAA violations and have received prior warnings about what might happen the next time you violate HIPAA.

What happens if you accidentally violate HIPAA and nobody notices?

If you accidentally violate HIPAA, and nobody notices, it is still in your best interest to report it. Not only will your report indicate your willingness to be a compliant employee, but the circumstances that led to the accidental violation may have been overlooked in a risk assessment. Your report could help your employer fill a gap in their compliance efforts which – if left unfilled – may lead to further accidental violations with more serious consequences.

What happens if someone accidentally, or unknowingly, violates the Privacy Rule?

These are really two different questions. If somebody accidentally violates the Privacy Rule, it is better for them to admit the error so that potential consequences (for example, a complaint to HHS’ Office for Civil Rights) can be preempted. If somebody unknowingly violates the Privacy Rule, they will not know they have done so unless a colleague or supervisor tells them; if the person later finds out they have accidentally violated the Privacy Rule, the previous answer applies.

Why would a report of an accidental HIPAA violation need to be sent to OCR?

A report of an accidental HIPAA violation only needs to be sent to the Department of Health and Human Services´ Office for Civil Rights (OCR) if it results in the unauthorized disclosure of unsecured PHI – for example, an email containing PHI being sent to the wrong patient. An accidental violation of HIPAA that does not result in a data breach does not have to be reported to OCR.

What is an example of an accidental violation of HIPAA that does not need reporting?

Patients must be given the opportunity to object to their religious affiliation being disclosed to members of the clergy. If a patient is not given the opportunity to object, it is a violation of HIPAA. However, if the patient’s religious affiliation is not disclosed to a member of the clergy, no data breach of unsecured PHI has occurred, and it is not necessary to report the violation to OCR.

What is the difference between an accidental disclosure and an incidental disclosure?

An accidental disclosure of PHI is an unintended disclosure, such as sending an email containing PHI to the wrong patient. An incidental disclosure is a by-product of a permissible disclosure, such as a hospital visitor overhearing a discussion about a patient’s healthcare. OCR does not consider an incidental disclosure to be a violation of HIPAA if it could not reasonably have been prevented, was limited in nature, and occurred as a result of a disclosure permitted by the Privacy Rule.

What is the “burden of proof” in the Breach Notification Rule?

Prior to the Final Omnibus Rule in 2013, the “harm threshold” in the 2009 interim breach notification rule meant a breach only had to be reported if it posed a “significant risk of financial, reputational or other harm to the individual”. Since 2013, the burden of proof has shifted to Covered Entities and Business Associates: an impermissible use or disclosure of unsecured PHI is presumed to be a reportable breach, and notification can only be withheld if a documented risk assessment demonstrates a low probability that the PHI has been compromised, or if one of the three exceptions to accidental HIPAA violations described above applies.

Can OCR issue financial penalties to Business Associates for accidental HIPAA violations?

In May 2019, OCR issued a notice clarifying the circumstances in which a Business Associate is considered to be directly liable for a HIPAA violation; and, although it is hard to conceive how a HIPAA violation by a Business Associate might be accidental in these circumstances, the potential exists for Business Associates to be issued a financial penalty or required to comply with a corrective action plan.

The post How Should You Respond to an Accidental HIPAA Violation? appeared first on HIPAA Journal.

PHI of 10,500 Patients of an Illinois Psychiatrist Exposed

The medical files of more than 10,000 patients of a Naperville, IL-based psychiatrist – Dr. Riaz Baber, M.D. – have been discovered in the basement of an Aurora property by the woman who rented the house from the psychiatrist. The files had been stored in the basement for at least 4 years.

The tenant, Barbara Jarvis-Neavins, was allegedly provided with a key to the basement by the psychiatrist’s wife as access was required when workmen had to visit the property. She was told that she was required to accompany workmen when they needed access.

Jarvis-Neavins said she wanted to report the presence of the files – and that she could access the storage area – but thought that by doing so she would be asked to vacate the property. When she was told that she had to move out as the house was being sold, she contacted law enforcement – including the FBI – and state regulators to report the unsecured files. The FBI referred her to the Department of Health and Human Services’ Office for Civil Rights and she filed a complaint. She also contacted NBC 5.

NBC 5 reporters followed up on the tip-off and covered the story in March 2017. She told reporters that boxes of files were stored in the basement and that the files “has [patients] name, their address, their birthdate, their social security number, what’s wrong with them, what they’re being treated for, and what medication.”

NBC 5 reporters visited the property and contacted Dr. Baber. His attorney responded and issued a statement confirming the tenant should not have had access to the basement, that a key was never provided, and that the records were secured and the doors to the basement were locked. The files were allegedly removed from the property the day after NBC 5 contacted Dr. Baber.

On September 28, 2017, the Office for Civil Rights was informed of the breach of 10,500 records held by Dr. Riaz Baber. It is unclear why it took 6 months for the breach to be reported, when the HIPAA Breach Notification Rule requires a breach report to be submitted no later than 60 days after discovery.

Covered entities and their business associates that decide to store physical records such as physicians’ notes, charts, x-ray films, or documents off site must implement administrative, technical, and physical controls to ensure the confidentiality, integrity, and availability of patients’ protected health information (PHI). Access to the facility must also be restricted to prevent unauthorized individuals from accessing PHI. In this case, some of the files were accessed by Jarvis-Neavins and the reporters, although no harm appears to have been caused to patients.

The post PHI of 10,500 Patients of an Illinois Psychiatrist Exposed appeared first on HIPAA Journal.