HIPAA Compliance News

99% of Hospitals Use Website Tracking Code That Transmits Data to Third Parties

Posted by HIPAA Journal

New research indicates virtually all U.S. hospitals have been using tracking software on their websites that captures visitor data, including health information, and transfers that information to third parties. The study – published this month in Health Affairs – was conducted by researchers at the University of Pennsylvania. They used the 2019 American Hospital Association (AHA) Annual Survey to identify hospitals and narrowed their study to nonfederal acute care hospitals with an emergency department, which were not ambulatory surgery centers or freestanding long-term care facilities – The websites of 3,747 U.S. hospitals were assessed in the study.

The researchers used an open-source tool called WebXray to identify third-party tracking code and recorded data requests on the hospital websites over a 3-day period in 2021. The researchers also recorded cookies and data stored on browsers that would allow visitors to the websites to be tracked across the Internet.  They found 98.6% of the hospitals used at least one type of tracking code on their websites that transferred data to third parties and 94.3% used cookies that allowed visitors to the websites to be tracked across the Internet. Over the three-day study period, the home pages of the websites initiated a median of 16 data transfers.

The tracking code, sometimes referred to as pixels, is provided by third parties for use on websites for tracking visitors and the code is incredibly common across the Internet. The code is used to record website interactions, such as the pages visited, how visitors arrived on the website, and the sites they visited when they left. The data collected through the code can be used by website operators to improve their websites and services, but the data collected is also transferred to the third parties that provide the code.

While these technologies can be found on virtually all websites, the Health Insurance Portability and Accountability Act (HIPAA) does not permit the use of these technologies unless certain conditions are met as the tracking code can collect individually identifiable health information, including visits to web pages about specific medical conditions such as HIV, cancer, and Alzheimer’s disease, and information entered into web forms.

The third parties receiving the information are typically not HIPAA-regulated entities, which means uses and disclosures of the transferred data are largely unregulated. The transferred information could be used for a variety of purposes, such as serving targeted advertisements related to medical conditions, health insurance, or medications. What actually happens to the transferred data is unclear.

The HHS’ Office for Civil Rights (OCR) recently issued guidance for HIPAA-regulated entities on the use of tracking technologies on websites and apps and confirmed that the use of these technologies is not permitted by the HIPAA Privacy Rule unless the third parties receiving protected health information are legitimate business associates and a business associate agreement has been signed. Alternatively, authorizations are required before protected health information is transferred.

According to the study, hospitals in health systems, hospitals with a medical school affiliation, and hospitals serving urban patient populations had more third-party data transfers than other hospitals, which it was hypothesized could be due to the websites providing a more extensive range of services, the inclusion of third-party apps on the website – Google Maps for example – or them having a higher level of website advertising.

The third parties that most commonly received data were Alphabet (Google) – 98.5% of websites, Meta (Facebook) – 55.6% of websites, and Adobe Systems – 31.4% of websites. Other third parties commonly sent visitor data include AT&T, The Trade Desk, Oracle, Verizon, Rubicon Project, Amazon, Microsoft, Hotjar, StackPath, Siteimprove, Cloudflare, and Acxiom.

“By including third-party tracking code on their websites, hospitals are facilitating the profiling of their patients by third parties,” wrote the researchers. “These practices can lead to dignitary harms, which occur when third parties gain access to sensitive health information that a person would not wish to share. These practices may also lead to increased health-related advertising that targets patients, as well as to legal liability for hospitals.”

In 2021, three Boston hospitals – Massachusetts General Hospital, Brigham and Women’s Hospital, and Dana Farber Cancer Institute – agreed to pay more than $18 million to settle allegations they had shared website user data with third parties without consent, and many more lawsuits against healthcare providers are pending.

Given the recent guidance from OCR and the extent to which tracking code has been used, all hospitals should review their websites for tracking code and ensure that business associate agreements are in place, patient authorizations are obtained, or that the code is removed from the websites or is made HIPAA-compliant. If tracking code is found and protected health information has been impermissibly disclosed it is a reportable data breach and the HHS must be informed and notifications sent to affected patients.

The post 99% of Hospitals Use Website Tracking Code That Transmits Data to Third Parties appeared first on HIPAA Journal.

New York Law Firm Pays $200,000 to State AG to Resolve HIPAA Violations

Posted by HIPAA Journal

A New York law firm that suffered a LockBit ransomware attack has agreed to pay a financial penalty of $200,000 to the New York Attorney General to resolve alleged violations of New York General Business Law and the Privacy and Security Rules of the Health Insurance Portability and Accountability Act (HIPAA).

Heidell, Pittoni, Murphy & Bach LLP (HPMB) is a New York City-based medical malpractice law firm. On or around Christmas Day 2021, the LockBit ransomware gang gained access to its network and encrypted files. The investigation confirmed that files were exfiltrated in the attack, including legal documents, patient lists, and medical records. The patient information included names, birthdates, medical histories, treatment information, Social Security numbers, and health insurance information. The incident was reported to the HHS’ Office for Civil Rights on May 16, 2022, as affecting 114,979 individuals. HPMB engaged a third-party ransomware remediation firm to negotiate with the threat actor and ended up paying $100,000 for the keys to decrypt files and to prevent the release of the stolen data. The investigation confirmed the LockBit gang gained access to its network in November 2021 by exploiting unpatched Microsoft Exchange vulnerabilities.

The incident was investigated by the Office of the New York Attorney General to determine whether the law firm had violated state laws and the HIPAA Rules. The NY AG determined the vulnerabilities exploited by the LockBit gang had been identified by Microsoft in April and May 2021 and patches had been released shortly thereafter to fix those vulnerabilities. Despite the vulnerabilities being well known, they remained unpatched for more than 6 months, which left firm’s email server vulnerable to attack.

The NY AG determined 17 provisions of the HIPAA Privacy and Security Rules had been violated and there were also violations of New York General Business law by failing to implement reasonable security practices to protect private information and the failure to issue timely notifications to 61,438 New York residents.

The alleged HIPAA violations were:

  • The failure to safeguard electronic protected health information (ePHI).
  • The failure to protect against reasonably anticipated threats to ePHI.
  • The failure to review and modify data protection practices.
  • The failure to conduct an accurate and thorough risk assessment.
  • The failure to implement appropriate security measures to reduce risks to ePHI.
  • The failure to regularly review records of information system activity.
  • The failure to implement procedures sufficient to guard against, detect, and report malicious software.
  • The failure to implement procedures sufficient for periodic testing and revision of contingency plans.
  • The failure to perform a periodic technical and nontechnical evaluation.
  • The failure to sufficiently implement technical policies and procedures for ePHI to limit access by unauthorized individuals.
  • The failure to encrypt ePHI.
  • The failure to implement a centralized logging system for information systems to allow unauthorized system activity to be detected.
  • The failure to implement a system for detecting the alteration or destruction of ePHI.
  • The failure to implement procedures sufficient to verify that a person or entity seeking access to ePHI is the one claimed.
  • The failure to implement reasonable and appropriate policies and procedures to comply with the standards of 45 C.F.R. Part 164, Subpart C.
  • The failure to prevent unauthorized access to ePHI.
  • The failure to adhere to the minimum necessary standard.

In addition to paying a financial penalty, HPMB has agreed to implement a comprehensive information security program that includes risk analyses at least annually, implement appropriate administrative, technical, and physical safeguards, and conduct regular tests of those safeguards. HPMB will appoint a Chief Information Security Officer (CISO), encrypt all ePHI at rest and in transit, implement a centralized logging system, conduct system activity reviews, establish a patch management program, and develop a penetration testing program.

“New Yorkers should not have to worry that their privacy is being violated and their sensitive information is being mishandled,” said Attorney General Letitia James. “Confidential patient information should be treated with care and secured online to protect New Yorkers from identity theft and fraud. The institutions charged with protecting this information have a responsibility to get it right, and to keep authorities and New Yorkers informed about breaches. Companies can, and should, strengthen their data security measures to safeguard consumers’ digital data, otherwise they can expect to hear from my office.”

The post New York Law Firm Pays $200,000 to State AG to Resolve HIPAA Violations appeared first on HIPAA Journal.

February 2023 Healthcare Data Breach Report

Posted by HIPAA Journal

The number of healthcare data breaches reported over the past three months has remained fairly flat, with only a small uptick in breaches in February, which saw 43 data breaches of 500 or more records reported to the HHS’ Office for Civil Rights (OCR), well below the 12-month average of 57.4 reported breaches a month. An average of 41 data breaches have been reported each month over the past 3 months, compared to an average of 50.6 breaches per month for the corresponding period last year.

February 2023 Healthcare Data Breach Report - Records breached

The downward trend in breached records did not last long. There was a sizeable month-over-month increase in breached records, jumping by 418.7% to 5,520,291 records. February was well above the monthly average of 4,472,186 breached records a month, with the high total largely due to a single breach that affected more than 3.3 million individuals.

February 2023 Healthcare Data Breach Report - Records Breached

 

Largest Healthcare Data Breaches Reported in February 2023

17 healthcare data breaches of 10,000 or more records were reported in February, all of which were hacking incidents. The largest data breach affected 3,300,638 patients of 4 medical groups in California that are part of the Heritage Provider Network – Regal Medical Group, Inc.; Lakeside Medical Organization, A Medical Group, Inc.; ADOC Acquisition Co., A Medical Group Inc.; & Greater Covina Medical Group, Inc. This was a ransomware attack with confirmed data theft and was, at the time of reporting, the largest data healthcare data breach of the year. That record did not stand for long, as a 4.4 million-record breach was reported this month (Independent Living Systems).

Hacking incidents were reported by CentraState Healthcare System in New York (617,901 records), Cardiovascular Associates in Alabama (441,640 records), and the Florida-based revenue cycle management company, Revenetics (250,918 records), all of which saw sensitive data exfiltrated. It is unclear whether these incidents were ransomware or extortion attacks. An email account breach at Highmark Inc. rounds out the top five. That incident was reported to the HHS’ Office for Civil Rights as two separate breaches, affecting 239,039 and 36,600 individuals -275,639 in total. The breach occurred as a result of an employee clicking a link in a phishing email.

The full list of 10,000+ record data breaches and their causes are detailed in the table below.

Name of Covered Entity State Covered Entity Type Individuals Affected Business Associate Present
Regal Medical Group, Inc., Lakeside Medical Organization, A Medical Group, Inc., ADOC Acquisition Co., A Medical Group Inc. & Greater Covina Medical Group, Inc. CA Healthcare Provider 3,300,638 Ransomware attack (data theft confirmed)
CentraState Healthcare System, Inc. NJ Healthcare Provider 617,901 Hacking incident (data theft confirmed)
Cardiovascular Associates AL Healthcare Provider 441,640 Hacking incident (data theft confirmed)
Reventics, LLC FL Business Associate 250,918 Hacking incident (data theft confirmed)
Highmark Inc PA Health Plan 239,039 Phishing attack
90 Degree Benefits, Inc. WI Business Associate 175,000 Hacking incident
Hutchinson Clinic, P.A. KS Healthcare Provider 100,000 Hacking incident
Lawrence General Hospital MA Healthcare Provider 76,571 Hacking incident
Sharp Healthcare CA Healthcare Provider 62,777 Hacked web server (data theft confirmed)
Rise Interactive Media & Analytics, LLC IL Business Associate 54,509 Hacking incident
Highmark Inc PA Business Associate 36,600 Phishing attack
Teijin Automotive Technologies Welfare Plan MI Health Plan 25,464 Ransomware attack – Access gained through phishing
Evergreen Treatment Services WA Healthcare Provider 21,325 Hacking incident
Aloha Nursing Rehab Centre HI Healthcare Provider 20,216 Hacking incident (data theft confirmed)
NR Pennsylvania Associates, LLC PA Healthcare Provider 14,335 Hacking incident (data theft confirmed)
Intelligent Business Solutions NC Business Associate 11,595 Ransomware attack
Arizona Health Advantage, Inc. dba Arizona Priority Care; AZPC Clinics, LLC; and health plans for which APC has executed a BAA AZ Healthcare Provider 10,978 Ransomware attack

Causes of Healthcare Data Breaches in February 2023

Hacking and other IT incidents dominated the breach reports in February with 33 such incidents reported, accounting for 76.7% of all breaches reported in February. Across those incidents, the records of 5,497,797 individuals were exposed or stolen – 99.59% of the breached records in February. The average breach size was 166,600 records and the median breach size was 10,978 records.

There were 8 unauthorized access/disclosure incidents reported involving a total of 13,950 records. The average breach size was 1,744 records and the median breach size was 689 records. One of the incidents – reported by Asante – involved a physician accessing the records of patients when there was no treatment relationship. The unauthorized access occurred for 9 years before it was detected, during which time the records of 8,834 patients were impermissibly viewed. Incidents such as this show why it is important to maintain logs of medical record access and to review those logs regularly, ideally automating the process using a monitoring and alerting system.

February 2023 Healthcare Data Breach Report - Causes

One theft incident was reported involving a portable electronic device containing the PHI of 986 patients and one incident involved the improper disposal of paper records that contained the PHI of 7,558 patients.

February 2023 Healthcare Data Breach Report - Location PHI

What HIPAA-Regulated Entities were Affected?

Healthcare providers were the worst affected HIPAA-regulated entity in February, with 31 data breaches of 500 or more records. Seven data breaches were reported by business associates and five were reported by health plans. When data breaches involve business associates, they are often reported by the covered entity. In February, 6 data breaches involved business associates but were reported by the affected healthcare providers and health plans. The two charts are based on where the breach occurred rather than who reported it.

February 2023 Healthcare Data Breach Report - Reporting Entities

The average healthcare provider breach exposed 178,046 records (median: 3,061 records), the average health plan data breach exposed 67,236 records (median: 3,909 records), and the average business associate data breach involved 47,859 records (median: 8,500 records).

February 2023 Healthcare Data Breach Report - records by reporting entity

Where Did the Breaches Occur?

Data breaches were reported by HIPAA-covered entities and business associates in 28 states, with California being the worst affected state with 4 breaches reported in February.

State Breaches
California 4
Pennsylvania & Texas 3
Arizona, Illinois, Kansas, Massachusetts, New Jersey, Oregon, Virginia & Washington 2
Alabama, Colorado, Connecticut, Florida, Georgia, Hawaii, Iowa, Maryland, Michigan, New Hampshire, New Mexico, North Carolina, Rhode Island, Tennessee, Utah, Wisconsin & Wyoming 1

HIPAA Enforcement Activity in February 2023

The HHS’ Office for Civil Rights announced one enforcement action in February to resolve alleged violations of the HIPAA Rules. OCR investigated Banner Health over a 2016 breach of the protected health information of 2.81 million individuals and identified multiple potential HIPAA violations related to risk analyses, system activity reviews, verification of identity for access to PHI, and technical safeguards. Banner Health agreed to settle the case and paid a $1,125,000 financial penalty.

DNA Diagnostics Center was investigated by the Attorneys General in Pennsylvania and Ohio after a reported breach of the personal and health information of 45,600 state residents. The investigation determined there was a lack of safeguards, a failure to update its asset inventory, and a failure to disable or remove assets that were not used for business purposes. While these failures would have been HIPAA violations, the settlement resolved violations of state laws. DNA Diagnostics Center paid a financial penalty of $400,000, which was split equally between the two states.

In February, the Federal Trade Commission (FTC) announced its first-ever settlement to resolve a violation of the FTC Health Breach Notification Rule. While the Rule has been in effect for a decade, the FTC has never enforced it. That has now changed. The FTC stated last year that it would be holding non-HIPAA-covered entities accountable for impermissible disclosures of health information and breach notification failures. GoodRx Holdings Inc. was found to have used tracking technologies on its website that resulted in unauthorized disclosures of personal and health information to Facebook, Google, and other third parties and failed to issue notifications to affected individuals. The allegations were settled and GoodRx paid a $1,500,000 financial penalty.

The post February 2023 Healthcare Data Breach Report appeared first on HIPAA Journal.

Settlement Agreed with Florida Children’s Health Insurance Website Contractor to Resolve False Claims Act Allegations

Posted by HIPAA Journal

The United States Department of Justice has agreed to settle alleged False Claims Act violations with Jelly Bean Communications Design LLC and manager Jeremy Spinks related to the failure to protect HIPAA-covered data.

Jelly Bean Communications Design is a Tallahassee, FL-based company co-owned by Jeremy Spinks, who is the company’s manager and sole employee. The company provides web hosting functions and services for its clients, one of which was the Florida Healthy Kids Corporation (FHKC). FHKC is a state-created entity that offers health and dental insurance to children in Florida between the ages of 5 and 18. FHKC receives Medicaid funds and state funds for providing health insurance programs for children in Florida.

On July 1, 2012, the Agency for Health Care Administration (AHCA) in Florida contracted with FHKC to provide services for the State Children’s Health Insurance Plan (SCHIP) Program, which included implementing technical safeguards to ensure the confidentiality, integrity, and availability of the electronic protected health information that was received, maintained, or transmitted on behalf of AHCA. FHKC contracted with Jelly Bean Communications Design on October 13, 2013, to provide web design, programming, and hosting services. Under that contract, Jelly Bean Communications Design was required to provide a fully functioning hosting environment that complied with the standards of the HIPAA Security Rule, thus requiring Jelly Bean Communications Design to create appropriate code to ensure the secure communication of HIPAA-protected data. The contract was renewed by FHKC through 2020, with the federal government covering 86% of the payments to Jelly Bean Communications Design.

Between 2013 and 2020, the online application system created by Jelly Bean Communications Design collected data from parents and other individuals that were provided when submitting applications for Medicaid insurance coverage for children. Jelly Bean Communications Design issued invoices to FHKC for its services, which included “HIPAA-compliant hosting” and a monthly retainer fee for hosting and other tasks.

In early December 2020, it became clear that the website had been hacked and unauthorized individuals accessed the application data of more than 500,000 individuals submitted through the HealthyKids.org website. FHKC initiated an investigation that revealed hackers had altered applications allowing data to be stolen. The review of the website found multiple outdated and vulnerable applications and the website had not been patched since November 2013. Further, the website did not maintain audit logs showing who had accessed the personal information of applicants. The types of information compromised included names, dates of birth, email addresses, telephone numbers, addresses, Social Security numbers, financial information, family relationship information, and secondary insurance information. The application portal was shut down by FHKC in December 2020 in response to the cybersecurity failures.

The civil litigation alleged that Jelly Bean Communications Design and Jeremy Spinks failed to follow cybersecurity standards resulting in the exposure of sensitive HIPAA-covered data while submitting false claims that data would be safeguarded, while knowingly failing to properly maintain, patch, and update software systems. While Jelly Bean Communications Design acted as a business associate under HIPAA, the action was taken over violations of the False Claims Act under the Department of Justice’s 2021 Civil Cyber-Fraud Initiative. The Civil Cyber-Fraud Initiative utilizes the False Claims Act to pursue cybersecurity-related fraud by government contractors and grant recipients, and was the result of a coordinated effort by the Justice Department’s Civil Division, Commercial Litigation Branch, Fraud Section, and the U.S Attorney’s Office for the Middle District of Florida, with assistance provided by HHS-OIG.

The claims were settled by Jelly Bean Communications Design and Jeremy Spinks, who agreed to pay $293,771 to resolve the allegations, of which $130,565.00 is restitution. The settlement was agreed to avoid the delay, uncertainty, inconvenience, and expense of protracted litigation, with no admission of liability or wrongdoing and no concession by the United States that its claims were not well founded.

“Companies have a fundamental responsibility to protect the personal information of their website users. It is unacceptable for an organization to fail to do the due diligence to keep software applications updated and secure and thereby compromise the data of thousands of children,” said Special Agent in Charge Omar Pérez Aybar of the Department of Health and Human Services, Office of Inspector General (HHS-OIG). “HHS-OIG will continue to work with our federal and state partners to ensure that enrollees can rely on their health care providers to safeguard their personal information.”

The post Settlement Agreed with Florida Children’s Health Insurance Website Contractor to Resolve False Claims Act Allegations appeared first on HIPAA Journal.

HHS Requests Additional $78 Million in Funding for OCR in Fiscal Year 2024

Posted by HIPAA Journal

The Department of Health and Human Services has requested an additional $78 million in federal funding for the Office for Civil Rights (OCR), almost doubling the appropriations OCR currently receives. OCR enforces 55 privacy, security, civil rights, and religious freedoms statutes and its caseload continues to increase, but its budget has remained flat for many years, only increasing in line with inflation. The years of flat budget have seen its resources and staff become increasingly strained.

Ahead of the funding request, the HHS announced that it has restructured OCR to improve efficiency and get more out of its limited resources. The restructuring will help OCR to reduce the current backlog of investigations, but restructuring alone is not enough. “Since FY 2017, OCR has received a 28 percent increase in HIPAA complaints, and a 100 percent increase in HIPAA large breach reports, while OCR’s enforcement staff decreased by 45 percent due to flat budgets and inflationary increases,” explained the HHS in the report. OCR has also seen declining civil monetary collections since 2019 and its caseload in 2024 is expected to be twice that of 2018.

OCR's Funding Crisis

OCR’s Funding Crisis. Source: HHS FY 2024 Budget in Brief

OCR has increased the number of enforcement actions for non-compliance with the HIPAA Rules but despite twice as many penalties being paid in 2022 as in 2018, supplemental funds from its enforcement actions have fallen significantly. In 2022, OCR saw a 92.6% reduction in total penalties compared to 2018 despite a 100% increase in the number of penalties. The reduction in penalty amounts is due to a reexamination of the text of the HITECH Act. The HITECH Act called for an increase in civil monetary penalties for HIPAA violations, but after reexamining the text of HITECH, OCR determined the language had been misinterpreted and reduced the maximum penalty amounts in three of the four penalty tiers.

Since 2019, the majority of civil monetary penalties and settlements have been for violations of the HIPAA Right of Access. These settlements and civil monetary penalties typically resolve cases involving HIPAA violations related to a single patient by small healthcare providers. The penalties agreed to resolve these HIPAA violations total just $2,440,150, with the penalties imposed ranging from $3,500 to $240,000 with an average payment of $56,748 and a median payment of $36,000. These investigations are far less complicated than investigations of cyberattacks, which are much more in-depth and resource intensive.

Declining funds from civil monetary penalties and settlements. Source: HHS FT 2024 Budget in Brief

In 2021 and 2022, there were 36 civil monetary penalties and settlements, with just 5 resolving HIPAA violations other than HIPAA Right of Access failures. Increasing investigations of hacking incidents to determine whether there have been HIPAA Security Rule violations – which often result in multi-million-dollar penalties – is simply not possible with the limited resources at OCR’s disposal. OCR has already had one such penalty overturned by a federal appeals court, which ruled that OCR’s approach was arbitrary, capricious, and contrary to law. Further, OCR will soon also have to share a percentage of the funds it receives from its enforcement activities with individuals who have been harmed by HIPAA violations. That will reduce the supplemental funds OCR receives, and implementing that HITECH Act provision will also take a chunk out of OCR’s budget. It is clear that civil monetary settlement funding is no longer sufficient to address OCR’s budget shortfall.

OCR explained in the report that its 2024 legislative proposals seek an increase in the maximum penalties it can impose for HIPAA violations per calendar year, which will help to increase funding. The proposals also authorize OCR to work with the Department of Justice to strengthen OCR’s enforcement of the HIPAA Rules by obtaining injunctive relief, requiring HIPAA-regulated entities to take steps to prevent additional or further harm to individuals resulting from non-compliance with the HIPAA Rules in the most egregious and urgent cases. Even with the increase in penalty amounts, OCR is still likely to struggle to pursue those cases with its budgetary restrictions.

The $78 million budget increase includes funding for implementing a methodology for sharing funds from enforcement actions with victims of HIPAA violations and $6 million in funding to support enforcement activities related to substance use disorder records, as mandated by the CARES Act. The increase will also help OCR to boost its policy, education, and outreach efforts in non-discrimination areas including race, color, national origin, disability, sex, age, and religion.

While the increase in funding is desperately needed, this is not the first time that the HHS has requested additional funding to support OCR’s increasing caseload. Previous attempts have failed and there is little to suggest this year’s proposal will fare any better.

The post HHS Requests Additional $78 Million in Funding for OCR in Fiscal Year 2024 appeared first on HIPAA Journal.

HHS Announces Restructuring Effort to Trim Backlog of HIPAA and Civil Rights Complaints

Posted by HIPAA Journal

The U.S. Department of Health and Human Services (HHS) has restructured its Office for Civil Rights (OCR) and has created new divisions that will help improve the enforcement of HIPAA and civil rights laws and clear the current backlog of complaints and investigations. OCR is the main law enforcement agency of the HHS and is responsible for enforcing 55 civil rights, conscience, and privacy statutes, including the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act.

In a recent report to Congress, OCR explained that its caseload has increased significantly in recent years, yet appropriations have not risen, which has placed the department under great strain. Reported data breaches increased by 58% between 2017 and 2021, and complaints about potential HIPAA have also been soaring, rising 25% year-over-year to 34,077 complaints in 2021. Complaints about civil rights violations have also increased, rising by 69% between 2017 and 2022. In 2022, 51,000 complaints were received by OCR, 66% for alleged violations of HIPAA, 27% for alleged civil rights violations, and 7% for alleged violations of conscience/religious freedom.

To ensure that complaints can be investigated in a timely manner, the HHS has created three new divisions within OCR – an Enforcement Division, a Policy Division, and a Strategic Planning Division. The enforcement division will be dedicated to investigating HIPAA complaints, with a focus on cybersecurity breaches, which have soared in recent years to over 660 in 2020 and more than 700 in 2022. Approximately 80% of all reported data breaches are due to hacking.

The current Health Information Privacy Division (HIP) will be renamed the Health Information Privacy, Data, and Cybersecurity Division (HIPDC), to better reflect the role it plays in cybersecurity and investigating data breaches related to hacking. OCR will also reorganize the responsibilities of other divisions into new, crosscutting divisions to improve efficiency, with staff in those divisions working in areas of expertise where they have the right skill sets, which it is hoped will drive greater implementation and enforcement of the law. The new divisions will provide a more integrated operational structure for civil rights, conscience protection, and privacy/cybersecurity protections, with the department’s new structure reflecting that of other federal civil rights offices, such as the Office for Civil Rights of the Department for Education.

OCR still desperately needs more funding to allow it to better achieve its objectives; however, the restructuring will allow the department to get better use of its limited resources. OCR has confirmed that the Enforcement Division will be a standalone division that will operate under the direction of Luis Perez, who has spent 4 years as Deputy Director for Conscience and Religious Freedom at OCR. The Enforcement division, under Perez’s leadership, will provide vital integration between OCR’s regional offices and headquarters to ensure complaints can be swiftly investigated.

“This structure will enable OCR staff to leverage its deep expertise and skills to ensure that we are protecting individuals under the range of federal laws that we are tasked with enforcing,” said HHS’ Office of Civil Rights Director, Melanie Fontes Rainer in a statement.

The post HHS Announces Restructuring Effort to Trim Backlog of HIPAA and Civil Rights Complaints appeared first on HIPAA Journal.

January 2023 Healthcare Data Breach Report

Posted by HIPAA Journal

January is usually one of the quietest months of the year for healthcare data breaches and last month was no exception. In January, 40 data breaches of 500 or more records were reported to the HHS’ Office for Civil Rights, the same number as in December 2022. January’s total is well below the 53 data breaches reported in January 2022 and the 12-month average of 58 data breaches a month.

For the second successive month, the number of breached records has fallen, with January seeing just 1,064,195 healthcare records exposed or impermissibly disclosed – The lowest monthly total since June 2020, and well below the 12-month average of 4,209,121 breached records a month.

Largest Healthcare Data Breaches in January 2023

In January there were 13 data breaches involving 10,000 or more records, 8 of which involved hacked network servers and email accounts. The largest data breach of the month affected Mindpath Health, where multiple employee email accounts were compromised. 5 unauthorized access/disclosure incidents were reported that impacted more than 10,000 individuals, three of which were due to the use of tracking technologies on websites. The tracking code collected individually identifiable information – including health information – of website users and transmitted that information to third parties such as Google and Meta, including the month’s second-largest breach at BayCare Clinic. Another notable unauthorized access incident occurred at the mobile pharmacy solution provider, mscripts. Its cloud storage environment had been misconfigured, exposing the data of customers of its pharmacy clients on the Internet for 6 years.

HIPAA-Regulated Entity State Covered Entity Type Individuals Affected Cause of Breach
Community Psychiatry Management, LLC (Mindpath Health) NC Healthcare Provider 193,947 Compromised email accounts
BayCare Clinic, LLP WI Healthcare Provider 134,000 Impermissible disclosure of PHI due to website tracking technology
DPP II, LLC (Home Care Providers of Texas) TX Healthcare Provider 125,981 Ransomware attack (data theft confirmed)
Jefferson County Health Center (Jefferson County Health Department) MO Healthcare Provider 115,940 Hacked network server
UCLA Health CA Healthcare Provider 94,000 Impermissible disclosure of PHI due to website tracking technology
mscripts®, LLC CA Business Associate 66,372 PHI exposed due to misconfigured cloud storage
Circles of Care, Inc. FL Healthcare Provider 61,170 Hacked network server
Howard Memorial Hospital AR Healthcare Provider 53,668 Hacked network server
Stroke Scan Inc TX Healthcare Provider 50,000 Hacking Incident – No public breach announcement
University of Colorado Hospital Authority CO Healthcare Provider 48,879 Hacking incident at business associate (Diligent)
Insulet Corporation MA Healthcare Provider 29,000 Impermissible disclosure of PHI due to website tracking technology
City of Cleveland OH Health Plan 15,206 Unauthorized access/disclosure incident – No public breach announcement
DotHouse Health Incorporated MA Healthcare Provider 10,000 Hacked network server

Causes of January 2023 Healthcare Data Breaches

Just over half of the 40 data breaches reported in January were hacking/IT incidents, the majority of which involved hacked network servers. Ransomware attacks continue to be conducted, although the extent to which ransomware is used is unclear, as many HIPAA-regulated entities do not disclose the exact nature of their hacking incidents, and some entities have not made public announcements at all. Across the 23 hacking incidents, the records of 698,295 individuals were exposed or stolen. The average breach size was 30,61 records and the median breach size was 5,264 records.

There was an increase in unauthorized access/disclosure incidents in January, with 15 incidents reported. The nature of 7 of the unauthorized access/disclosure incidents is unknown at this stage, as announcements have not been made by the affected entities. 5 of the 15 incidents were due to the use of tracking technologies on websites and web apps. Across the 15 unauthorized access/disclosure incidents, 362,629 records were impermissibly accessed or disclosed. The average breach size was 24,175 records and the median breach size was 3,780 records. There were two theft incidents reported, one involving stolen paper records and one involving a stolen portable electronic device. Across those two incidents, 3,271 records were stolen. No loss or improper disposal incidents were reported.

Where Did the Data Breaches Occur?

Healthcare providers were the worst affected HIPAA-covered entity with 31 reported data breaches and 5 data breaches were reported by health plans. While there were only 4 data breaches reported by business associates of HIPAA-covered entities, 14 data breaches had business associate involvement. 10 of those breaches were reported by the covered entity rather than the business associate. The chart below shows the breakdown of data breaches based on where they occurred, rather than which entity reported the breach.

The chart below highlights the impact of data breaches at business associates. 23 data breaches occurred at health plans, involving almost 275,000 records. The 14 data breaches at business associates affected almost three times as many people.

Geographical Spread of January Data Breaches

California was the worst affected state with 7 breaches reported by HIPAA-regulated entities based in the state, followed by Texas with 6 reported breaches. January’s 40 data breaches were spread across 40 U.S. states.

State Breaches
California 7
Texas 6
Georgia, Massachusetts, Missouri & Pennsylvania 3
Florida, New York & North Carolina 2
Alabama, Arkansas, Colorado, Illinois, Indiana, Minnesota, New Jersey, Ohio & Wisconsin 1

HIPAA Enforcement Activity in January 2023

The Office for Civil Rights announced one settlement in January to resolve potential violations of the HIPAA Right of Access. OCR investigated a complaint from a personal representative who had not been provided with a copy of her deceased father’s medical records within the allowed 30 days. It took 7 months for those records to be provided. Life Hope Labs agreed to pay a $16,500 financial penalty and adopt a corrective action plan that will ensure patients are provided with timely access to their medical records in the future. This was the 43rd penalty to be imposed under OCR’s HIPAA Right of Access enforcement initiative, which was launched in the fall of 2019. No HIPAA enforcement actions were announced by state attorneys general in January.

The post January 2023 Healthcare Data Breach Report appeared first on HIPAA Journal.

Biden Administration Considers HIPAA Update to Better Protect Reproductive Health Information

Posted by HIPAA Journal

The Biden Administration is considering new rulemaking to update HIPAA to better protect reproductive health information, following the Supreme Court Decision in Dobbs v. Jackson Women’s Health Organization, which removed the federal right to abortion and left it to individual states to decide on the legality of abortions for state residents. Currently, at least 24 U.S. states have implemented bans on abortions or are likely to do so, with 12 states already having a near-total ban.

The Health Insurance Portability and Accountability Act classes reproductive health information as protected health information (PHI), so uses and disclosures are restricted by the HIPAA Privacy Rule. Following the Supreme Court decision, the HHS issued guidance to HIPAA-regulated entities on how the HIPAA Privacy Rule applies to reproductive healthcare data, confirming uses and disclosures of reproductive health information are restricted, and that the information can only be used or disclosed without a valid patient authorization for purposes related to treatment, payment, or healthcare operations.

The HHS also confirmed that while the HIPAA Privacy Rule permits disclosures of PHI “as required by law,” the HIPAA Privacy Rule does not require such disclosures, and that ‘required by law’ is limited to “a mandate contained in law that compels an entity to make a use or disclosure of PHI and that is enforceable in a court of law,” an that when such a disclosure is required, it is limited to the relevant requirements of such a law. There is concern, however, that disclosures of reproductive health information may be made by HIPAA-regulated entities to law enforcement in states that have imposed bans or severe restrictions on abortions to support enforcement of the bans and allow individuals seeking abortion care to be prosecuted.

There have been calls for HIPAA to be updated to improve privacy protections with respect to reproductive health information. Currently, there are restrictions on disclosures of certain subclasses of PHI such as psychotherapy notes and information related to substance use disorder (SUD) treatment records, and similar restrictions could potentially be applied to reproductive health information. It has now been confirmed that the Department of Health and Human Services has drafted Proposed Modifications to the HIPAA Privacy Rule to Support Reproductive Health Care Privacy (RIN 0945-AA20), and that proposal is currently under White House review. The HHS has also proposed a change to a rule introduced by the Trump Administration that made it easier for healthcare providers to decline to provide abortions due to religious objections.

The HHS has not released details of the proposed HIPAA update at this stage but has confirmed that prior to drafting the rule, the HHS participated in listening sessions and roundtable discussions with patients, healthcare providers, advocates, and state health officials and that the proposed rule was drafted under its statutory mandate to ensure non-discriminatory access to healthcare for all Americans.

The draft is not necessarily an attempt to impose restrictions on states that have introduced near-total bans on abortions and could be an attempt to ensure any actions by states are compliant with Federal law. It is worth noting that even if the HIPAA Privacy Rule is updated to better protect reproductive health data, HIPAA only applies to HIPAA-regulated entities, and no HIPAA update would be able to guarantee privacy for individuals seeking abortion care. For instance, geolocation data from mobile phones would allow individuals to be tracked when they visit reproductive health clinics.  Geolocation data is not protected by HIPAA and disclosure of such information are not restricted by the HIPAA Privacy Rule.

The post Biden Administration Considers HIPAA Update to Better Protect Reproductive Health Information appeared first on HIPAA Journal.

Lack of Funding Hampering OCR’s Ability to Enforce HIPAA

Posted by HIPAA Journal

The HHS’ Office for Civil Rights (OCR) has published a report it sent to Congress that details its HIPAA enforcement activities in 2021, which provides insights into the state of compliance with the HIPAA Privacy, Security, and Breach Notification Rules. The report makes it clear that OCR’s resources are under considerable strain, and without an increase in funding from Congress, OCR will struggle to fulfill its mission to enforce HIPAA compliance, especially considering the large increase in reported data breaches and HIPAA complaints.

OCR reports significant increases in reported data breaches and HIPAA complaints, with large data breaches – 500 or more records – increasing by more than 58% between 2017 and 2021, and HIPAA complaints increasing by 25% between 2020 and 2021, yet between 2017 and 2021, OCR has not had any increases in appropriations, with Congress only increasing funding in line with inflation.

If Congress is unable to increase funding for OCR, the financial strain could be eased through enforcement actions; however, OCR has seen funding through enforcement decline after reassessing the language of the HITECH Act and determining it had been misinterpreted in 2009, resulting in the maximum penalty amounts in three of the four penalty tiers being significantly reduced. To address this and increase funding, OCR sent a request to Congress in September 2021 (HHS FY 2023 Discretionary A-19 Legislative Supplement) calling for an increase in HITECH civil monetary penalty caps), as without such an increase, OCR’s staff and resources will continue to be severely strained, especially during a time of substantial growth in cyberattacks on the healthcare sector.

25% Annual Increase in HIPAA Violation Complaints

There was a sizeable rise in complaints about potential HIPAA and HITECH Act violations in 2021, which increased by 25% year-over-year to 34,077 complaints, 77.5% of which (26,420) were resolved in 2021, 78% of which (20,611 complaints) were resolved without having to initiate an investigation. OCR explained that action can only be taken in response to complaints where the HIPAA violation occurred after the compliance deadline, where the complaint is against a HIPAA-regulated entity, where a HIPAA violation appears to have occurred, and when the complaint is submitted within 180 days of the complainant becoming aware of the violation (unless the complainant shows good cause why the violation was not reported within 180 days).

The most common reasons for closing complaints without an investigation were the complaint was made against a non-HIPAA-regulated entity or allegations were made about conduct that did not violate HIPAA (3%), and due to untimely complaints (1%). OCR said 4,139 complaints were resolved by providing technical assistance in lieu of an investigation, 714 complaints were resolved by the HIPAA-regulated entity taking corrective action, and 789 complaints were resolved through technical assistance taken after an investigation was initiated. There was a 10% year-over-year reduction in initiated compliance investigations, with 1,620 compliance investigations initiated in response to complaints. 50% were resolved as no violation was discovered, 44% were resolved through corrective action, and 6% were resolved through technical assistance after investigation. 13 complaints were resolved through settlements and corrective action plans with penalties totaling $815,150, and 2 were resolved through civil monetary penalties totaling $150,000.

674 compliance reviews were initiated for reasons other than complaints, 609 were initiated in response to large data breaches, 22 due to small data breaches, and a further 43 were initiated in response to incidents brought to OCR’s attention by other means, such as reports in the media. In 2021, OCR closed 573 compliance reviews, resulting in corrective actions or civil monetary penalties in 83% of the investigations. Two compliance reviews resulted in resolution agreements that included $5,125,000 in financial penalties and corrective action plans. The remaining 17% of compliance reviews were resolved through technical assistance (3%), insufficient evidence of HIPAA violations (11%), or where there was a lack of jurisdiction to investigate (3%). OCR said its HIPAA compliance audit program has stalled due to a lack of financial resources.

Click here to view OCR’s Annual Report to Congress on HIPAA Privacy, Security, and Breach Notification Rule Compliance

Click here to view a summary of OCR’s Report on Breaches of Unsecured PHI in 2021

The post Lack of Funding Hampering OCR’s Ability to Enforce HIPAA appeared first on HIPAA Journal.