HIPAA Compliance News

Report Provides Insights into Recent HIPAA Enforcement Activity

The Department of Health and Human Services’ Office for Civil Rights is the main enforcer of HIPAA compliance. Up until 2016, financial penalties for HIPAA violations were rare. Then there was a doubling of financial penalties in 2016 and enforcement actions continued at an elevated level in 2017.

2018 got off to a slow start with few penalties issued and there was speculation that OCR was scaling back its enforcement activities. However, there was a flurry of announcements about settlements in the latter half of the year, including the largest ever HIPAA penalty.

The recently published Beazley Breach Insights Report includes an analysis of OCR enforcement activities in 2018 and confirms that OCR is not easing up on healthcare organizations. In 2018, settlements and civil monetary penalties ranged from $100,000 to $16 million, with an average penalty of $2.8 million, up from $1.9 million in 2017,

The Beazley Breach Response (BBR) team also found it is taking much longer for OCR to close its investigations and settle HIPAA cases. Cases now take an average of 4.3 years to close compared to 3.6 years in 2018.

The Beazley report contains a warning for healthcare organizations. It doesn’t require a major breach to trigger an OCR investigation.  OCR is now scrutinizing all breach reports and is attempting to identify patterns that could indicate non-compliant behavior.

In the case of Fresenius Medical Care, five breaches were experienced, but each involved fewer than 250 records. The pattern was identified, noncompliance was discovered, and the case was finally settled for $3.5 million.

There were many common themes in 2018 HIPAA enforcement actions, one of the most prevalent being risk analysis failures. Covered entities must regularly perform and document security risk analyses and develop risk management plans to address vulnerabilities and reduce them to an acceptable level.

Access controls must be set appropriately and maintained, and encryption must be considered for all ePHI. If the decision is taken not to encrypt, that decision must be documented and alternative measures must be implemented in its place. The settlements also highlight how important it is to have business associate agreements in place with all vendors who are provided with access to PHI.

While there were many Security Rule failures, the HIPAA settlements in 2018 also highlight the importance of respecting patient rights and complying with the HIPAA Privacy Rule. Multiple settlements resolved privacy violations such as filming patients and disclosing PHI without consent.

The post Report Provides Insights into Recent HIPAA Enforcement Activity appeared first on HIPAA Journal.

Study Reveals Widespread Noncompliance with HIPAA Right of Access

A recent study conducted by the health manuscript archiving company medRxiv has revealed widespread noncompliance with the HIPAA right of access.

For the study, the researchers sent medical record requests to 51 healthcare providers and assessed the experience of obtaining those records. The companies were also assessed on their response versus the requirements of HIPAA.

In each case, the record request was a legitimate request for access to patient data. The requests were made to populate a new consumer platform that helps patients obtain their medical records. Record requests were sent for 30 patients at a rate of 2.3 medical requests per patient.

Each of the providers was scored based on their response to the request and whether they satisfied four requirements of HIPAA – Accepting a request by email/fax, sending the records in the format requested by the patient, providing records within 30 days, and only charging a reasonable fee.

Providers were given a 1-star rating for simply accepting a patient record request. Providers received a second star for satisfying the request and meeting all four requirements of HIPAA, but only after the researchers had escalated the request to a supervisor on more than one occasion.

A three-star rating was given to providers that required a single escalation phone call to a supervisor. A four-star rating was given to providers that were fully compliant with the HIPAA right of access. A five-star rating was given to providers that went above and behind the requirements of HIPAA by sending copies of records within 5 days, accepting non-standard forms, and providing patients with copies of their records at no cost.

More than half (51%) of the providers assessed were either not fully compliant with the HIPAA right of access or it too several attempts and referrals to supervisors before requests were satisfied in a fully compliant manner. 27%  of providers were given a one-star rating, 24% received a 2-star rating, and 20% received a 3-star rating. Only 30% of providers were fully compliant. 12% were given a 4-star rating and 18% received 5-stars.

The researchers also conducted a telephone survey on 3,003 healthcare providers and asked about policies and procedures for releasing patient medical records. The researchers suggest as many as 56% of healthcare providers may not be fully compliant with the HIPAA right of access. 24% did not appear to be fully aware of the fee limitations for providing copies of medical records.

The main area of noncompliance was the failure to send medical records electronically, even if it was specifically requested by the patient. 12 of the 14 providers who received a 1-star rating did not email medical records, one refused to send the records to the patient’s nominated representative, and one charged an unreasonable fee.

The researchers note that had they not escalated the requests to supervisors, 71% of all requests would not have been satisfied in a way that was fully compliant with HIPAA.

The post Study Reveals Widespread Noncompliance with HIPAA Right of Access appeared first on HIPAA Journal.

Direct Connect Computer Systems Inc. Recognized as HIPAA Compliant

The Cleveland, OH-based technology solution provider, Direct Connect Computer Systems, Inc., has demonstrated the company is fully compliant with Health Insurance Portability and Accountability Act (HIPAA) Rules.

Companies that provide technology solutions and services to healthcare clients that require contact with electronic protected health information (ePHI) are classed as ‘business associates’ under HIPAA.

Business associates of HIPAA covered entities must ensure they are fully compliant with the HIPAA Privacy, Security, Omnibus, and Breach Notification Rules, and must ensure the confidentiality, integrity, and availability of ePHI at all times. Business associates face substantial fines if they are discovered not to be compliant with HIPAA Rules.

In order to start providing products and services to healthcare organizations, companies must be able to provide reasonable assurances that they are fully compliant with HIPAA Rules. To help provide those assurances and demonstrate the company’s commitment to privacy and security, Direct Connect Computer Systems, Inc., partnered with Compliancy Group and completed its Six Stage Risk Analysis and remediation process.

Using Compliancy Group’s proprietary software, The Guard, and assisted by Compliancy Group Compliance Coaches, Direct Connect Computer Systems successfully completed the program and was awarded Compliancy Group’s HIPAA Seal of Compliance.

The HIPAA Seal of Compliance recognizes Direct Connect’s good faith efforts to comply with all HIPAA and HITECH Act requirements and confirms the company has met its regulatory obligations as a HIPAA business associate.

The post Direct Connect Computer Systems Inc. Recognized as HIPAA Compliant appeared first on HIPAA Journal.

State Attorneys General Urge Congress to Align Part 2 Regulations with HIPAA

The National Association of Attorneys General (NAAG) has urged leaders of the House and Senate to make changes to Confidentiality of Substance Use Disorder Patient Records regulations known as 42 CFR Part 2.

The regulations in question, which NAAG called “cumbersome [and] out-of-date,” restrict the uses and disclosures of substance abuse treatment records.

Under HIPAA, protected health information (PHI) can be shared between providers and caregivers for purposes related to treatment, payment, and healthcare operations without first obtaining consent from the patient. 42 CFR Part 2 prohibits the sharing of addiction treatment information by federally assisted treatment programs unless consent to do so has been obtained from the patient.

The Part 2 regulations were created more than 40 years ago to ensure the privacy of patients was protected and to ensure that patients would not face any legal or civil consequences from seeking treatment for substance abuse disorder.

NAAG argues that the regulations were created at a time when there was an “intense stigma” surrounding substance abuse disorder but says that the continued separation of substance abuse disorder from other diseases perpetuates that stigma. “The principle underlying these rules is that substance use disorder treatment is shameful and records of it should be withheld from other treatment providers in ways that we do not withhold records of treatment of other chronic diseases,” wrote NAAG.

NAAG wants substance abuse disorder to be recognized as the chronic disorder that it is, which would mean aligning the rules covering substance abuse treatment records with those of HIPAA. That would allow substance abuse treatment information to be shared along with other health information, provided protections are in place to keep that information private and confidential.

As it stands, Part 2 regulations are a barrier to treating opioid use disorder. Providers are used to complying with HIPAA, but the requirements of Part 2 can be intimidating. As such, many providers do not offer medicated-assisted treatment (MAT) for substance abuse disorder.

MAT providers are not required to comply with Part 2 requirements if they do not advertise their MAT services, but that means fewer people will take up those services. To effectively tackle the opioid epidemic in the United States, MAT services need to be promoted and should be easily accessible. Currently, many providers are keeping it a secret that they provide MAT programs to patients due to the restrictions of Part 2 regulations.

42 CFR Part 2 privacy regulations were updated in 2018, although the changes made were relatively minor. NAAG is not the only organization calling for more substantial changes and closer alignment between Part 2 and HIPAA regulations. A growing coalition of more than 40 national health care organizations support the changes and there is some support in the House and the Senate.

Reps. Markwayne Mullin (R-OK) and Earl Blumenauer (D-OR) introduced the Overdose Prevention and Patient Safety Act (OPPS Act) (H.R. 2062) and Sens. Joe Manchin (D-WV) and Shelley Moore Capito (RWV) introduced the Protecting Jessica Grubb’s Legacy Act (Legacy Act) (S. 1012) which both align HIPAA with Part 2. However, getting enough people to back the changes is likely to be a major challenge.

The post State Attorneys General Urge Congress to Align Part 2 Regulations with HIPAA appeared first on HIPAA Journal.

MU Health Patients Take Legal Action Over May 2019 Phishing Attack

A lawsuit has been filed against University of Missouri Health Care (MU Health) over an April 2019 phishing attack.

On May 1, 2019, MU Health learned that two staff email accounts had been compromised for a period of more than one week, starting on April 23, 2019. The email accounts contained a range of sensitive information including names, dates of birth, Social Security numbers, health insurance information, clinical and treatment information.

MU Health’s investigation concluded on July 27 and notification letters were sent to individuals whose protected health information (PHI) had been exposed and potentially stolen. Approximately 14,400 patients had been impacted by the breach.

The lawsuit was filed by MU Health patient Penny Houston around a week after the notifications were issued. The lawsuit states that, as a result of the breach, patients have been placed at an elevated risk of suffering identity theft and fraud. The types of data contained in the compromised accounts would allow criminals to steal identities, file fraudulent tax returns, and open financial accounts in the victims’ names.

As a result of the exposure of personal information, breach victims could face long-term issues and have to cover the cost of credit monitoring and identity theft protection services, as none were offered by MU Health.

The lawsuit also argues that patients have been paying for medical services and a proportion of that cost should have covered securing their information. Since sufficient protections had not been implemented, the plaintiffs claim they have been overpaying for medical services at MU Health.

At least 19 other patients have now added their names to the lawsuit. The plaintiffs seek reimbursement of out-of-pocket expenses to cover costs incurred as a direct result of the breach and for MU Health to pay for credit monitoring services for all victims of the breach.  Additionally, the plaintiffs want MU Health to invest more money in cybersecurity to strengthen its data security defenses, monitoring systems, and also to agree to undergo audits of its systems and procedures in the future.

The post MU Health Patients Take Legal Action Over May 2019 Phishing Attack appeared first on HIPAA Journal.

Allscripts Proposes $145 Million Settlement to Resolve DOJ HIPAA and HITECH Act Case

A preliminary settlement has been proposed by Allscripts Healthcare Solutions to resolve alleged violations of HIPAA, the HITECH Act’s electronic health record (EHR) incentive program, and the Anti-Kickback Statute related to the electronic health record (EHR) company Practice Fusion, which was acquired by Allscripts in 2018.

Prior to the acquisition, Practice Fusion has been investigated by the Attorney’s Office for the District of Vermont in March 2017 and had provided documentation and information. Between April 2018 and January 2019, the company received further requests for documents and information through civil investigative demands and HIPAA subpoenas.

Then in March 2019, the company received a grand jury subpoena over a Department of Justice (DOJ) investigation into the business practices of Practice Fusion, potential violations of the Anti-Kickback Statute, HIPAA, and the payments received under the HHS EHR incentive program. Scant information has been released about the nature of the alleged violations by Practice Fusion.

The proposed settlement will see Allscripts pay $145 million to the DOJ to resolve the company and Practice Fusion of all civil and criminal liability related to the investigation. Allscripts President Rick Poulton hopes the settlement will be sufficient to resolve the case. Since Practice Fusion was acquired, Allscripts has had to devote an increasing amount of resources the investigation. Poulton wants to reach an agreement as soon as possible so the company can move on.

“While the amount we have agreed to pay of $145 million is not insignificant, it is in line with other settlements in the industry, and we are happy to have reached the agreement in principle,” said Poulton. “We will work with the DOJ to finalize the details of the settlement over the coming months”.

Last year, the HHS agreed a settlement with EHR vendor eClinicalWorks over alleged false claims related to the HITECH Act EHR incentive program. eClinicalWorks paid $155 million to resolve the case.

The post Allscripts Proposes $145 Million Settlement to Resolve DOJ HIPAA and HITECH Act Case appeared first on HIPAA Journal.

Judge Approves $74 Million Premera Blue Cross Data Breach Settlement

A Federal District Judge has given preliminary approval to a proposed $74 million settlement to resolve a consolidated class action lawsuit against Premera Blue Cross for its 2014 data breach of more than 10.6 million records.

US District Judge Michael Simon determined that the proposed settlement was fair, reasonable and adequate based on the defense’s case against Premera and the likely cost of continued litigation.

The settlement will see $32 million made available to victims of the breach to cover claims for damages of which $10 million will reimburse victims for costs incurred as a result of the breach. The remaining $42 million will be used to improve Premera’s security posture over the next three years.

Data security improvements are necessary. Internal and third-party audits of Premera before and after the data breach uncovered multiple vulnerabilities. Premera had been warned about the vulnerabilities prior to the breach and failed to take action. That lack of action allowed hackers to gain access to its network. Further, it took almost a year for Premera to determine that its systems had been compromised

“Improved data security benefits all class members, even if they are no longer insured by Premera or a related Blue Cross entity, because sensitive information remains stored on Premera’s servers,” wrote Judge Simon.

Considering the data breach affected 10.6 million individuals, a fund of $10 million to reimburse costs may not seem that much. However, Judge Simon determined the figure to be fair because relatively few of the plaintiffs had suffered identity theft as a result of the data breach and the settlement includes $3.5 million to cover the cost of additional credit monitoring services.

The case against Premera was complex and involved a considerable amount of technical information about the data security protections that were put in place. The evidence also spanned several years. “Whether Premera breached its contractual promises, was negligent, or engaged in unfair practices under Washington’s Consumer Protection Act with respect to Premera’s provision of data security are relatively strong claims,” wrote Judge Simon.

The settlement resolves the lawsuit with no admission of liability. In addition to the $74 million, Premera also settled a multi-state lawsuit with 30 states for $10 million over the failure to address known data security risks.

The Premera data breach was also investigated by the HHS’ Office for Civil Rights. It remains to be seen whether a financial penalty will be deemed appropriate.

The post Judge Approves $74 Million Premera Blue Cross Data Breach Settlement appeared first on HIPAA Journal.

New York Governor Signs SHIELD Act into Law

The Stop Hacks and Improve Electronic Data Security (SHIELD) Act has been signed into state law by New York Governor Andrew M. Cuomo. The Act improves privacy protections for state residents and strengthens New York’s data breach notification laws to ensure they maintain pace with current technology.

The SHIELD Act – S5575B/A5635B – was signed into law on July 25, 2019 and takes effect in 240 days. The Act makes several changes to existing state privacy and data breach notification laws:

The definition of covered entities has been broadened to include any person or entity that holds the private information of a New York State resident, irrespective of whether that person or entity does business in New York State.

All businesses must “develop, implement and maintain reasonable safeguards” to ensure the confidentiality, integrity, and availability of personal information. Those measures should reflect the size of the business. The SHIELD Act includes a list of factors considered to be ‘reasonable security protections’.

A written information security program must be developed which incorporates all SHIELD Act requirements. The responsibility for implementing and administrating the program must be assigned to an individual, who must also oversee employee receive training on SHIELD Act requirements.

The definition of a data breach has been expanded to include any unauthorized accessing of private information. Previously, notifications were only required when personal information had been acquired by an unauthorized individual.

The definition of a personal information has been expanded to include email addresses and usernames along with the associated password or security question answers that would allow the account to be accessed. The new law requires notifications to be issued if a financial account number is exposed along with any method of gaining access to the account. Biometric information is also now included in the definition of personal information warranting notifications.

As is the case with HIPAA, inadvertent and good faith disclosures of personal information are exempt from notifications provided there is little risk of harm.

Organizations covered by the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act, and financial service providers covered by the New York Department of Financial Services Cybersecurity Rule are given a safe harbour if they are in compliance with their respective regulations.

There is no change to the time scale for issuing notifications. They must be sent “in the most expedient time possible and without unreasonable delay.”

The post New York Governor Signs SHIELD Act into Law appeared first on HIPAA Journal.

Computer Doc Achieves HIPAA Compliance with Compliancy Group

Compliancy Group has announced that the Indian Trail, NC-based IT firm Computer Doc has completed the initial phase of its HIPAA compliance journey and has demonstrated compliance with the HIPAA Privacy, Security, Breach Notification, Omnibus Rules and the requirements of the HITECH Act.

Since 1997, Computer Doc has been providing IT support and consultancy services to businesses in and around Charlotte, NC. The firm focuses on providing IT support to small to medium sized businesses to help them increase productivity, improve efficiency, and boost profitability through the intelligent use of IT.

In order to reassure healthcare companies that the firm is aware of the requirements of HIPAA and is committed to providing a HIPAA-compliant IT support service, Computer Doc signed up with the Compliancy Group and was guided through the compliance process.

“With HIPAA violation fine enforcement up 400% in recent years and series of high-profile breaches and multi-million dollar settlements that drew national attention, the importance of HIPAA compliance for both IT service providers (BAs) and their healthcare IT clients (CEs) has never been more urgent,” explained Compliancy Group.

Using the Compliancy Group’s proprietary compliance tracking software, The Guard, and assisted by Compliancy Group coaches, Computer Doc completed the 6-stage implementation program and demonstrated compliance with all relevant provisions of HIPAA Rules.

“Achieving compliance with HIPAA has improved our business and opened the doors to many medical practices that we could not help before,” explained Computer Doc.

After demonstrating compliance with HIPAA, Computer Doc is entitled to display Compliancy’ Group’s HIPAA Seal of Compliance. The Seal of Compliance demonstrates to all HIPAA-covered entities that the firm is fully compliant with HIPAA regulations and patient’s ePHI is secure.

The post Computer Doc Achieves HIPAA Compliance with Compliancy Group appeared first on HIPAA Journal.